WIPO Arbitration and Mediation Center

ADMINISTRATIVE PANEL DECISION

Aetna Inc. v. On behalf of help-aetna.com owner / Whois Privacy Service / Manager / Knowbe4

Case No. D2021-1565

1. The Parties

Complainant is Aetna Inc., United States, represented by The GigaLaw, Douglas M. Isenberg, Attorney at Law, LLC, United States.

Respondent is On behalf of help-aetna.com owner / Whois Privacy Service / Manager Knowbe4, United States, represented by Wilson Sonsini Goodrich & Rosati, United States.

2. The Domain Name and Registrar

The disputed domain name <help-aetna.com> (the “Domain Name”) is registered with Amazon Registrar, Inc. (the “Registrar”).

3. Procedural History

The Complaint was filed with the WIPO Arbitration and Mediation Center (the “Center”) on May 19, 2021. On May 20, 2021, the Center transmitted by email to the Registrar a request for registrar verification in connection with the Domain Name. On May 24, 2021, the Registrar transmitted by email to the Center its verification response disclosing registrant and contact information for the Domain Name, which differed from the named Respondent and contact information in the Complaint. The Center sent an email communication to Complainant on May 26, 2021, providing the registrant and contact information disclosed by the Registrar, and inviting Complainant to submit an amendment to the Complaint. Complainant filed an amendment to the Complaint on May 26, 2021.

The Center verified that the Complaint together with the amendment to the Complaint satisfied the formal requirements of the Uniform Domain Name Dispute Resolution Policy (the “Policy” or “UDRP”), the Rules for Uniform Domain Name Dispute Resolution Policy (the “Rules”), and the WIPO Supplemental Rules for Uniform Domain Name Dispute Resolution Policy (the “Supplemental Rules”).

In accordance with the Rules, paragraphs 2 and 4, the Center formally notified Respondent of the Complaint, and the proceedings commenced on June 1, 2021. In accordance with the Rules, paragraph 5, the due date for Response was June 21, 2021. The Response was filed with the Center June 18, 2021.

On June 22, 2021, Complainant submitted a request to submit a Supplemental Filing along with the Supplemental Filing. Complainant indicated in relevant part that while it was hesitant to submit the filing, it needed to do so in light of “significantly different facts” in Respondent’s Response than those that were known to Complainant (or could have been known) when it filed the Complaint, and to ensure that “an egregious abuse of the domain name system” is not tolerated. Also on June 22, 2021, Respondent submitted an email stating that in accordance with Rule 12 of the Rules, only “the Panel may request, in its sole discretion, further statements or documents from either of the Parties”, that the Panel had not made such a request, and that the Panel should therefore either disregard the Supplemental Filing or provide Respondent with leave to file a further response.

The Center appointed Christopher S. Gibson, Brian J. Winterfeldt, and Martin Schwimmer as panelists in this matter on July 9, 2021. The Panel finds that it was properly constituted. Each member of the Panel has submitted the Statement of Acceptance and Declaration of Impartiality and Independence, as required by the Center to ensure compliance with the Rules, paragraph 7.

4. Factual Background

Complainant provides individuals, employers, health care professionals, producers, and others with insurance benefits, products, and services. Complainant was founded in 1853 and was acquired in 2018 by CVS. CVS is a publicly traded health care company in the United States, with annual revenue in 2020 of USD 268.7 billion and approximately 300,000 workers in more than 9,900 retail locations and approximately 1,100 walk-in medical clinics in 49 states, the District of Columbia, and Puerto Rico, serving 4.5 million customers daily. CVS ranks as number 5 on the “Fortune 500” list of America’s largest corporations.

Complainant serves approximately 22.1 million medical members, approximately 12.7 million dental members, and approximately 13.1 million pharmacy benefit management services members. Complainant’s health care network includes about 1.2 million health care professionals, more than 700,000 primary care doctors and specialists, and more than 5,700 hospitals. Complainant, via Aetna Life Insurance Company, is the registrant of and uses the domain name <aetna.com>, which was registered on November 2, 1993.

Complainant (directly or via CVS or CVS Pharmacy, Inc., the principal operating company of CVS) is the owner of at least 158 trademark registrations in at least 42 jurisdictions worldwide for marks that consist of or contain AETNA. Complainant’s registrations for the AETNA mark include the following in the United States, the oldest of which asserts a first use date in commerce of more than 115 years ago:

- Reg. No. 1,939,424, first used in commerce December 31, 1905; registered December 5, 1995
- Reg. No. 1,939,423, first used in commerce February 1, 1982; registered December 5, 1995

The AETNA trademark registrations contain a stylized version of the word AETNA in purple, along with an image of a heart. The AETNA logo appears prominently throughout Complainant’s website using the domain name <aetna.com>, as well as elsewhere. Previous UDRP panels have found that Complainant has rights in the AETNA trademark. See, e.g., Aetna Inc. and CVS Pharmacy, Inc. v. James, WIPO Case No. D2018-0796; and Aetna Inc., CVS Pharmacy, Inc. v. Chang Jiang Li, Li Chang Jiang, WIPO Case No. D2018-0795.

Respondent was founded in 2010, employs over 1000 people, and is a public company whose stock is traded on the NASDAQ exchange. The company has over 37,000 corporate customers, including Fortune 500 companies, well-known banks, credit unions and other financial institutions, as well as state and municipal governments. Respondent and its programs have won honors from Gartner, Forrester, Microsoft Intelligent Security Association, Deloitte, Fortune, and Inc. magazine. Respondent has developed a platform enabling organizations to assess, monitor, and minimize the threat of social engineering computer attacks. The platform reflects an integrated approach to security awareness using cloud-based software, artificial intelligence, advanced analytics, and employee training. As part of the platform, Respondent employs a library of content for use by its corporate customers in simulated phishing attacks. This library is continuously refreshed to ensure that Respondent’s educational offerings reflect the latest range of social engineering threats.

Respondent registered the Domain Name on October 28, 2020. The Domain Name is used in connection with Respondent’s computer security training programs.

5. Parties’ Contentions

A. Complainant

(i) Identical or confusingly similar

Complainant contends the Domain Name is identical or confusingly similar to a trademark or service mark in which Complainant has rights. Complainant states that the Domain Name contains the AETNA trademark in its entirety, plus a hyphen (“ - ”) and the word “help”. Complainant submits that the inclusion of a hyphen in the Domain Name is irrelevant for purposes of the Policy. Complainant further contends that the fact the Domain Name includes the word “help” is irrelevant for purposes of confusing similarity under the Policy: so long as the trademark is recognizable within the domain name, the addition of other terms (whether descriptive, geographical, pejorative, meaningless, or otherwise) will not prevent a finding of confusing similarity. Finally, Complainant asserts that the overall impression of the Domain Name is one of being connected to Complainant’s trademark. Accordingly, Complainant concludes the Domain Name is identical or confusingly similar to the AETNA mark.

(ii) Rights or legitimate interests

Complainant contends Respondent has no rights or legitimate interests in the Domain Name. Complainant has never assigned, granted, licensed, sold, transferred, or authorized Respondent to register or use the AETNA trademark in any manner. Complainant contends that this fact, on its own, can be sufficient to prove the second criterion of the Policy.

Further, Complainant asserts that Respondent is using the Domain Name in connection with a phishing scam that imitates and falsely purports to be from Complainant. Complainant has submitted a copy of an email allegedly sent from the address “[…]@help-aetna.com” that contains the subject line, “Patient Care Refund.” Complainant contends that the body of this email contains Complainant’s AETNA logo, used without authorization or permission; falsely informs the recipient that, “Due to the current epidemic, you are eligible for your Health Care Overpayment Refund to help get by during this time”; and invites the recipient to click on a link “to Get Started on your Health Refund.” Complainant argues that by using the Domain Name in connection with a phishing scam imitating Complainant, Respondent has failed to create a bona fide offering of goods or services under the Policy – and, therefore, Respondent cannot demonstrate rights or legitimate interests. Complainant submits that UDRP panels have categorically held that the use of a domain name for illegal activity (e.g., the sale of counterfeit goods or illegal pharmaceuticals, phishing, distributing malware, unauthorized account access/hacking, impersonation/ passing off, or other types of fraud) can never confer rights or legitimate interests on a respondent.

To Complaint’s knowledge, Respondent has never been commonly known by the Domain Name and has never acquired any trademark or service mark rights in the Domain Name. Therefore, Complainant asserts that Respondent cannot establish rights or legitimate interests under the Policy. Further, given Complainant’s use of the AETNA mark for more than 115 years, it is impossible that Respondent is commonly known by this mark.

(iii) Registered and used in bad faith

Complainant submits that the Domain Name should be considered as having been registered and used in bad faith by Respondent. Complainant states that Respondent is using the Domain Name in connection with a phishing scam that imitates and falsely purports to be from Complainant. Such behavior is manifestly considered evidence of bad faith.

Further, Complainant argues that the mere registration of a domain name that is identical or confusingly similar to a famous or widely-known trademark by an unaffiliated entity can by itself create a presumption of bad faith. Complainant submits that the AETNA mark is famous and/or widely known, given that it is protected by at least 158 trademark registrations in at least 42 jurisdictions worldwide, the oldest of which was used 115 years ago and registered more than 25 years ago, and further, given that a previous panel has referred to the AETNA mark as a famous mark.

Complainant states it is implausible that Respondent was unaware of Complainant when registering the Domain Name given the fame of the mark. The only explanation is that Respondent’s motive in registering and using the Domain Name seems to be to disrupt Complainant’s relationship with its customers or potential customers or attempt to attract Internet users for potential gain. These both constitute evidence of registration and use in bad faith. Similarly, given the global reach and popularity of Complainant’s services under the AETNA mark, as well as the Domain Name’s similarity to Complainant’s own domain name <aetna.com>, it is inconceivable that Respondent chose the Domain Name without knowledge of Complainant’s activities, as well as the name and trademark under which Complainant is doing business. Complainant contends that because the Domain Name is so obviously connected with Complainant, Respondent’s actions suggest opportunistic bad faith in violation of the Policy. In addition, by using the Domain Name in connection with phishing emails that include Complainant’s AETNA logo, Respondent is clearly creating a likelihood of confusion with the AETNA trademark, constituting bad faith pursuant to paragraph 4(b)(iv) of the Policy.

Finally, although the Domain Name is not associated with an active website, Complainant contends that bad faith exists pursuant to the passive-holding doctrine, where the following factors are considered when evaluating whether passive holding amounts to bad faith: whether (a) the complainant’s trademark has a strong reputation and is widely known, as evidenced by its substantial use; (b) the respondent has provided no evidence whatsoever of any actual or contemplated good faith use of the domain name; (c) the respondent has taken active steps to conceal its identity, by operating under a name that is not a registered business name; and (d) taking into account all of the above, it is not possible to conceive of any plausible actual or contemplated active use of the domain name by the respondent that would not be illegitimate, such as by being a passing off, an infringement of consumer protection legislation, or an infringement of the complainant’s rights under trademark law.

Here, Complainant asserts that the AETNA mark has a strong reputation and is widely known; Respondent has taken active steps to conceal its identity by identifying itself in the WhoIs record as “On behalf of help-aetna.com owner / Whois Privacy Service”; Respondent has provided no evidence of any actual or contemplated good faith use of the Domain Name; and given the strength of the AETNA mark, it is not possible to conceive of any plausible actual or contemplated active use of the Domain Name by Respondent that would not be illegitimate. Therefore, Complainant contends that bad faith also exists under the passive holding doctrine.

(iv) Complainant’s Supplemental Filing

Complainant states that its Supplemental Filing is intended to address only the most relevant factual and legal issues in the Response that were not – and could not have been – known to Complainant when it filed the Complaint. Complainant contends that Respondent repeatedly misleads the Panel into believing that, because Complainant and Respondent had communicated with each other prior to the filing of the Complaint, Complainant knew that Respondent was the registrant of the Domain Name and did not act in violation of the Policy. Complainant contends this is wrong for at least two reasons: (a) when the Complaint was filed on May 19, 2021, the registrant of the Domain Name was identified in the WhoIs record and known to Complainant only as “On behalf of help-aetna.com owner / Whois Privacy Service”; and (b) in its prior communications with Respondent, Complainant made clear that it disapproved of (and believed to be illegal) Respondent’s registration and use of any domain names that contained Complainant’s trademarks, and Complainant demanded that Respondent cease this practice.

Complainant asserts that while Respondent claims it “identified itself and explained to the Complainant, in writing and otherwise, the nature of its Security Awareness program,” Respondent nevertheless fails to make clear that this identification was prior to registration of the Domain Name on October 28, 2020. As a result, Complainant states it was impossible for Complainant to know that Respondent was the registrant of the Domain Name when it filed the Complaint. Had Respondent wanted to make this known to Complainant, it could have done so at any time.

Complainant has submitted in evidence a letter that Complainant sent to Respondent on October 22, 2020, informing Respondent that its previous registration and use of domain names containing the AETNA trademark in connection with apparent phishing emails “have in fact been causing confusion.” Complainant states that not only did Respondent disregard Complainant’s concerns, but Respondent engaged further in confusing activity by registering the Domain Name on October 28, 2020 – six days after Complainant’s letter.

Complainant states that it did not include the October 22, 2020, letter to Respondent with the filing of the Complaint because Complainant was unaware (when it filed the Complaint) that Respondent was the registrant of the Domain Name. However, now that this information has been disclosed, Complainant refers to statements in the October 22nd letter, including the following:

- Respondent’s apparent phishing emails using Complainant’s AETNA trademark “have in fact been causing confusion,” and Complainant informed Respondent of this in the letter: “‘[Aetna] continue[s] to receive questions and complaints to Aetna’s service center from members who receive and are confused and upset by these emails, believing them to be possible communications from Aetna…’”

- “The companies that retain [Respondent’s] services may know that the emails are not genuine, but the email recipients do not…. Aetna’s experience shows that many of the recipients do mistakenly believe that Aetna is the source.”

- “Aetna has already notified [Respondent] that confusion has actually occurred. Aetna has received numerous calls and complaints from worried customers who received [Respondent’s] fake emails ‘from Aetna’ and subsequently called Aetna’s customer service line, sales team, or other Aetna representatives, concerned about the contents of the emails. Indeed, Aetna has learned that even key personnel within some Aetna plan sponsor organizations (including individuals in IT and HR) are not fully knowledgeable of the origin of the [Respondent’s] emails, and therefore are unable to resolve the confusion among their fellow employees.”

- “Not only does this confusion damage the AETNA brand in the minds of consumers, but it also ties up the Aetna employees who must respond to the unnecessary worry sparked by [Respondent’s] phony emails.”

- “[M]any customers targeted by [Respondent’s] emails may never fully understand Aetna’s lack of involvement, resulting in clear confusion regarding the source of [Respondent’s] phony…insurance emails and possibly deterring these individuals from seeking Aetna’s services in the future.”

Complainant states that it is not a customer of Respondent. Complainant states it has repeatedly asked Respondent to cease its practice of using Complainant’s AETNA mark in apparent phishing emails. Therefore, regardless of whether Respondent believes that its customers approve of Respondent’s practices, Complainant does not approve, given the likelihood of (and, indeed, actual) confusion that has occurred.

Complainant submits that an analyst in Complainant’s own IT Security Operations Center (“SOC”) office received a report about an email sent by Respondent using the Domain Name. Complainant’s analyst advised:

“It has been brought to the SOCs attention that an external entity is using the Aetna name in an impersonation email (original email attached; headers also attached separately in txt).

Based on the attached email’s HTML Source Code, it looks like the external individual copied an Aetna logo from the externally-facing AetnaInternational.com site.”

Complainant contends that not only is this evidence of actual confusion (by the recipient of the email), but the fact that this report analyzed an email using the Domain Name in which the headers disclosed an association with Respondent but nevertheless did not recognize it as what Respondent has described as a “simulated phishing email” makes clear that the confusion is real and disrupting Complainant’s business.

While Respondent argues that its use of the Domain Name was “without any intent to divert consumers” because it has not actually engaged in phishing activities, Complainant contends that such diversion clearly has occurred. Complainant states that Respondent’s own website makes clear that the purpose of its activities is to divert consumers by offering actual “phishing features” to test “employees’ behavior,” “specifically phish for sensitive information” and “track if a user replies to a simulated phishing email and… capture the information sent in the reply.” Further, Complainant emphasizes that Respondent admits the services it offers (such as those associated with the Domain Name) will result in instances where “an employee falls for one of these simulated phishing attacks.” As a result, not only have Respondent’s actions resulted in diversion, but they may have resulted in sensitive information being sent to Respondent that was intended for Complainant.

Complainant contends that while Respondent argues its use of the Domain Name was “not as a pretext for commercial gain” because it is associated with “educational programs directed at Security Awareness,” this argument tortures the definition of “educational” (which does not appear anywhere in the Policy as a means by which a respondent can successfully asserts rights or legitimate interests in a domain name). Even if Respondent’s simulated phishing attacks educate its (paying) customers’ employees, Complainant submits that this does not give Respondent any right to use the Domain Name. Respondent is a large public company with “37,000 corporate customers”; it is not a nonprofit educational institution such as a university or other academic institution. Respondent sells its Security Awareness Training program for a fee, which has contributed to Respondent’s annual recurring revenue in the amount of USD 198 million.

Complainant asserts that Respondent has ignored many of the important factors listed in section 2.5.2 of the WIPO Overview of Panel Views on Selected UDRP Questions, Third Edition (“WIPO Overview 3.0”), which are considered in weighing fair use under the Policy. For example, Complainant contends that in addition to the “commercial gain” that Respondent obtains via the Domain Name, Respondent’s use is intended to deceive and therefore is not “truthful”. Further, Respondent’s website does not make clear that it is not operated by Complainant, because the website contains no information whatsoever. Respondent has made clear – given its large number of customers and “[t]he world’s largest library of security awareness training content” and “thousands of templates,” – that it is “engaging in a pattern of registering domain names corresponding to marks held by the complainant or third parties”. Further, Respondent has not provided a prominent link (including with explanatory text) to the relevant trademark owner’s [Complainant’s] website. Finally, there is no actual connection between Complainant’s trademark in the Domain Name and the corresponding website content.

Complainant contends that although it has learned that Respondent claims the Domain Name is not being used in connection with a typical phishing scam, Respondent’s actions nevertheless constitute bad faith under the Policy. Respondent’s use of the Domain Name to impersonate Complainant is by design dishonest, unfair to Complainant and Complainant’s consumers, and primarily serves the interests of Respondent, a profitable public company, not the public itself. Furthermore, although Respondent claims it has tried to draw a line between “simulated phishing emails” and actual “phishing attacks”, Complainant states it is challenging to understand the difference. Respondent says its services are designed to “specifically phish for sensitive information” and will result in instances where “an employee falls for one of these simulated phishing attacks.” As a result, Respondent’s so-called “simulated” phishing attacks are not much different than actual phishing attacks – in the same way that a company sending actors disguised as bank robbers into a bank to test the bank’s security system are actually robbers despite their intentions (especially if the tellers hand over their cash as demanded), and serious adverse consequences can result.

Complainant acknowledges that, admittedly, Respondent’s registration and use of the Domain Name does not correspond to the common types of cybersquatting activity addressed by decisions under the Policy. But that does not mean the Panel should condone Respondent’s actions or find them outside the reach of the Policy. Doing so would encourage further “simulated” phishing attacks and other unimaginable harms caused by the unauthorized registration and confusing use of trademarks in domain names. Complainant states that as section 3.4 of WIPO Overview 3.0 makes clear, “[a] respondent’s use of [a] domain name to send deceptive emails” may constitute bad faith. The Overview is not limited to “actual” or “traditional” phishing activities and, therefore, applies to the facts of this case, in which Respondent sent deceptive emails because they appeared to come from Complainant, contained Complainant’s AETNA logo, and tricked recipients into believing that they actually came from or were associated with Complainant.

Even if Respondent’s use of the Domain Name does not correspond to the typical phishing attempt, Complainant argues that it is, by design, “intentionally attempted to attract, for commercial gain, Internet users to [Respondent’s] web site or other on-line location, by creating a likelihood of confusion with [Complainant’s] mark as to the source, sponsorship, affiliation, or endorsement of [Respondent’s] web site or location or of a product or service on [Respondent’s] web site or location” – the definition of bad faith as set forth in paragraph 4(b)(iv) of the Policy.

Complainant argues further that Panels have consistently found that the mere registration of a domain name that is identical or confusingly similar (particularly domain names comprising typos or incorporating the mark plus a descriptive term) to a famous or widely-known trademark by an unaffiliated entity can by itself create a presumption of bad faith. Complainant indicates that the AETNA trademark is famous and widely known, as referenced in a prior UDRP decision, and the general principle does not include an exception for domain name registrants that engage in so-called “simulated phishing attacks.” “Actual confusion” and “seeking to cause confusion” for Respondent’s commercial benefit, even if unsuccessful (both of which have occurred here) are evidence of bad faith. Finally, even if Respondent’s actions are not precisely bad faith under any of the definitions listed within the Policy, the Policy makes clear that the circumstances set forth in paragraph 4(b) are “without limitation.” In other words, the enumerated circumstances of bad faith are not exhaustive, but merely illustrative.

B. Respondent

As a preliminary point, Respondent alleges that Complainant has misrepresented to the Panel Respondent’s business practices generally and Respondent’s use of the Domain Name. Respondent asserts that it registered and has used the Domain Name in good faith, for legitimate business purposes constituting fair use. Respondent states that it has not engaged and will not engage in phishing attacks; rather as Complainant is allegedly aware, Respondent is a public company and recognized leader in the field of computer security training and has used the Domain Name only in connection with security awareness programs commissioned by some of its corporate customers. These programs include careful safeguards and are used not for phishing scams, as Complainant misstates, but instead to help stop phishing attacks.

Moreover, Respondent submits that it does not compete with Complainant and has never used the Domain Name to divert customers of Complainant, to speak unfavorably of Complainant, or in any way to disrupt the business of Complainant. Respondent has not attempted to sell or transfer the Domain Name to Complainant or anyone else. Respondent claims it has never used the Domain Name as a trade name, trademark or service mark.

Respondent argues that in this proceeding, Complainant represented to the Panel, as required by the Rules under paragraph 3(b)(xiii), that “the information contained in this Complaint is to the best of the Complainant’s knowledge complete”; however, Respondent contends that the information in the Complaint is not complete. Respondent states that Complainant has communicated with Respondent and its counsel for eight months, learned in detail about Respondent’s computer security training practices and the nature of the use of the Domain Name, and then proceeded to file this misleading Complaint. By way of background, Respondent states that over an eight-month period from May until December 2020, the parties communicated with one another repeatedly about certain trademark matters. The parties and their outside counsel exchanged over 10 letters and emails during this time, and their lawyers participated in a business-to-business conference call in June 2020 in an attempt to resolve matters. During these discussions, Respondent states it identified itself and explained to Complainant, in writing and otherwise, the nature of its security awareness program. Furthermore, Respondent submits that in the course of these discussions Complainant must have reviewed Respondent’s website at “www.knowbe4.com”. On May 26, 2021, in response to a request from WIPO and in connection with its Amended Complaint, Complainant identified Respondent, with which it had been communicating. However, Respondent asserts that Complainant chose not to update or amend any of its substantive allegations concerning Respondent. Complainant proceeded based on a misleading Complaint with no mention of the parties’ prior discussions.

(i) Identical or confusingly similar

Respondent states the Domain Name incorporates, but is not identical to, the AETNA trademark; the Domain Name includes the prefix “help-” with the word and hyphen. Given the actual context in which the Domain Name has been used by Respondent, and particularly in light of the various precautionary measures employed by Respondent (discussed below), Respondent contends that the Domain Name should not be considered confusingly similar to Complainant’s trademark.

(ii) Rights or legitimate interests

Respondent states that despite knowing otherwise, Complainant continues to allege that Respondent has engaged in “illegal activity” in the form of a “phishing scam.” On this basis alone Complainant contended that Respondent cannot have any rights or legitimate interests in respect of the Domain Name. However, Respondent asserts that these allegations concerning illegal activity and a phishing scam are unfounded; Respondent contends that the use of the Domain Name in connection with computer security training programs, without any intent to divert consumers or tarnish Complainant’s trademark, constitutes a legitimate, fair use under the Policy.

Respondent explains that it has developed a platform enabling organizations to assess, monitor, and minimize the threat of social engineering attacks. Social engineering relies on the use of deception to manipulate individuals into divulging confidential or personal information that may be used for fraudulent purposes. For cybercriminals, social-engineering attacks are low-cost and high-volume, and unfortunately can be successful. Phishing is one form of social engineering. Phishing is the attempt to acquire sensitive information such as usernames, passwords, and credit card details directly from users by deceiving them. Phishing is typically carried out by email spoofing, and it often directs users to enter details at a fake website whose “look” and “feel” are almost identical to a legitimate one.

Respondent states that a key tenet of its security platform is the ability of its corporate customers to perform simulated social engineering attacks on their own employees as part of training programs. These social engineering tests, typically in the form of simulated phishing emails based on real-world incidents, may use actual third-party names and other content to enhance the effectiveness of the simulation. In particular, Respondent states that from time to time it may register domain names containing third-party names or marks, or variations thereof, to be used by corporate customers in connection with simulated phishing emails to their employees.

Respondent further explains that it has taken a number of precautionary steps to ensure that its use of the Domain Name in connection with computer security training does not result in any commercial harm:

- Respondent’s training materials that reference the Domain Name are not, and have not been, distributed to the general public.

- Respondent’s customers who have used these materials have communicated with their employees about the computer security testing.

- There has been no website or content hosted at the web address associated with the Domain Name.

- There is no reason that someone would ordinarily type in the Domain Name as part of a web address. Even if someone were to type in the Domain Name as part of a web address, the user would receive an automated error message that the “site can’t be reached” because the server IP address “could not be found.”

- There is no reason why a search engine such as Google would include the Domain Name in the results of search queries.

- Employees of Respondent’s customers who try to reply to a test email referencing the Domain Name receive an error message that the message was not delivered because the domain name could not be found.

- Employees of Respondent’s customers who click on a link in the test email referencing the Domain Name are, by default, redirected to a landing page where they are provided with immediate feedback that they have responded to a simulated phishing test.

Respondent adds that the Domain Name has not been used as a trade name, trademark or service mark; to divert the customers of Complainant; to speak unfavorably of Complainant; or in any way to disrupt the business of Complainant. Furthermore, Complainant has never attempted to sell or transfer the Domain Name to Complainant or to anyone else.

Respondents contends that when assessing fair use, panels look beyond the domain name itself and assess whether the overall facts and circumstances of the case support a claimed fair use. As part of this assessment, panels have found a number of factors informative, including whether: (1) the domain name has been registered and is being used for legitimate purposes and not as a pretext for commercial gain or other such purposes inhering to the respondent’s benefit; (2) the domain name registration and use by the respondent is consistent with a pattern of bona fide activity, whether online or offline; and (3) the respondent reasonably believes its use (whether referential, or for praise or criticism) to be truthful and well-founded.

Here, Respondent submits that the Domain Name has been registered and is being used for legitimate purposes and not as a pretext for commercial gain. The Domain Name registration and use by Respondent is asserted to be consistent with a pattern of bona fide activity – the offering of educational programs directed at security awareness. Respondent reasonably believes its use is truthful, well-founded, and in the public interest. Based on factors similar to these, various UDRP panels have rejected the complaints of trademark owners. Indeed, use of another’s trademark for educational purposes is the archetypical example of fair use. Respondent states that where, as here, it has incorporated the Domain Name into a template used by corporate customers for security awareness training programs, there should be no question that Respondent has legitimate interests in respect of the Domain Name.

(iii) Registered and used in bad faith

Respondent contends that to satisfy this element, Complainant bears the burden of proving that Respondent both registered and is using the Domain Name in bad faith, but Respondent asserts that Complainant has shown neither condition. Respondent submits there is no evidence in the record (nor could there be) that:

- Respondent has provided inaccurate contact information in connection with its registration of the Domain Name;

- the Domain Name was registered or acquired primarily for the purpose of selling, renting, or otherwise transferring it to Complainant or a competitor of Complainant, for valuable consideration in excess of Respondent’s out-of-pocket costs;

- the Domain Name was registered in order to prevent Complainant from reflecting its mark in a corresponding domain name;

- Complainant and Respondent are competitors and the Domain Name was registered by Respondent primarily to disrupt Complainant’s business;

- the Domain Name was registered by Respondent in an intentional attempt to attract, for commercial gain, Internet users to Respondent’s website or other on-line location; or

- Respondent has ever used the Domain Name as its trade name or trademark.

Absent any such evidence of bad faith, the Complaint alleges, without more, that Respondent has engaged in a phishing scam and that Respondent’s motive in registering and using the Domain Name seems to be simply to disrupt Complainant’s relationship with its customers (or potential customers) to attract Internet users for potential gain. Respondent asserts these allegations are baseless. Respondent claims that its intentions in registering and using the Domain Name have been honest, fair and in the public interest. Its use of the Domain Name as part of security awareness training has, it claims, provided important education to workforces about threats to information security and about companies’ policies and procedures for addressing threats. This use has helped organizations manage the risk of social engineering attacks such as phishing, by converting newly educated employees into a critical last line of defense against cyberattacks.

Respondent emphasizes that the Policy was designed to deal with a relatively narrow form of dispute between trademark proprietors and domain name registrants, namely, the deliberate registration of a domain name featuring the complainant’s trademark or a confusingly similar variant of it with a view to causing damage or disruption to the complainant or its business or unfairly exploiting the complainant’s trademark for the registrant’s own advantage. Here, Respondent’s bona fide, good-faith registration and use of the Domain Name is hardly the type of circumstance that the Policy was designed to address. For the foregoing reasons, Respondent concludes there is no basis for a determination of bad faith and the Complaint must be denied.

6. Discussion and Findings

In order to succeed on its Complaint, Complainant must demonstrate that the three elements set forth in paragraph 4(a) of the Policy have been satisfied. These elements are that:

(i) the Domain Name registered by Respondent is identical or confusingly similar to a trademark or service mark in which Complainant has rights;

(ii) Respondent has no rights or legitimate interests in respect of the Domain Name; and

(iii) Respondent has registered and is using the Domain Name in bad faith.

A. Supplemental Filing

Neither the Rules nor the Supplemental Rules make provision for supplemental filings, except at the request of the panel (see Rules, paragraph 12). Paragraph 10 of the Rules enjoins a panel to conduct the proceeding “with due expedition”; therefore, UDRP panels are typically reluctant to tolerate delay through additional rounds of pleading and normally accept supplemental filings only to consider material new evidence or provide a fair opportunity to respond to arguments that could not reasonably have been anticipated. See WIPO Overview 3.0, section 4.6; Welcomemat Services, Inc. v. Michael Plummer Jr., MLP Enterprises Inc., WIPO Case No. D2017-0481.

Complainant’s Supplemental Filing states that Respondent in its Response “brought to light significantly different facts…than were (or could have been) known to Complainant when it filed the Complaint.” In particular, the Supplemental Filing states that “Complainant was unaware (and could not have been aware) when it filed the Complaint that [Respondent] was the registrant of the Disputed Domain Name.” Further, Complainant states that “this Supplemental Filing is intended to address only the most relevant factual and legal issues in the Response that were not – and could not have been – known to Complainant when it filed the Complaint.”

Taking Complainant’s statements at face value, the Panel recognizes that Complainant could have assessed the identity of Respondent (and any relevant implications) – as Respondent points out – when Complainant filed its Amended Complaint (and Respondent’s identity had been disclosed at that point), even prior to Respondent’s filing of the Response. The Panel notably observes that Complainant appears to have employed different legal counsel for filing its Complaint in this case, as compared to the outside counsel previously relied upon by Complainant in discussions with Respondent concerning use of Complainant’s trademark for Respondent’s security training programs, such that it may not at first glance have been obvious to counsel filing the Complaint that there had been prior correspondence between Respondent and earlier Complainant counsel. The Panel, in all events, considers that it is important to provide Complainant with the opportunity to respond given its belated comprehension of both Respondent’s identity and Respondent’s actual use of the Domain Name. Prior to the Supplemental Filing, the pleadings of the parties read like “two ships passing in the night.” The Panel will therefore accept the Supplemental Filing and consider it to the extent it provides relevant facts and legal analysis pertaining to Respondent’s identity and actual use of the Domain Name.

Finally, even with the Supplemental Filing considered, the Panel determines that it does not change the Panel’s decision on the three required elements under the Policy, although it does serve to dispel any concerns that Complainant might have misled the Panel. Therefore, the Panel determines that it unnecessary to grant Respondent leave to file an additional reply to Respondent’s Supplement Filing.

B. Identical or Confusingly Similar

The Panel determines that Complainant has demonstrated that it has well-established rights in its AETNA trademark, through both registration and long-standing, widespread use of the mark in commerce.

With regard to confusing similarity, the Panel observes that the Domain Name incorporates the AETNA mark in its entirety, while adding as a prefix the word “help” along with a hyphen (“ - ”). Numerous UDRP decisions have found that the addition of other terms (whether descriptive, geographical, pejorative, meaningless, or otherwise) will not prevent a finding of confusing similarity. See WIPO Overview 3.0, section 1.8. Respondent has argued that the actual context in which the Domain Name is used, along with the various precautionary measures employed by Respondent, should be taken into account so that the Domain Name is not considered confusingly similar to Complainant’s mark. The Panel disagrees. As indicated by section 1.7 of WIPO Overview 3.0, panels view the first element of the UDRP largely as a threshold test concerning a trademark owner’s standing to file a complaint. Further, the test typically involves a side-by-side comparison of the domain name and the textual components of the relevant trademark to assess whether the mark is recognizable within the domain name. Here, the addition of the prefix “help-” does not dispel confusing similarity with Complainant’s mark. See e.g., Seiko Epson Kabushiki Kaisha v. Domain Admin, Whois Privacy Corp., WIPO Case No. D2018-2894 (finding <help-epson.com> confusingly similar to EPSON); WeWork Companies Inc. v. Aryeh Rapaport, WIPO Case No. D2019-1078 (additional word “help” does not avoid finding of confusing similarity).

Accordingly, the Panel finds that the Domain Name is confusingly similar to a trademark in which Complainant has rights in accordance with paragraph 4(a)(i) of the Policy.

C. Rights or Legitimate Interests

The Panel observes that both parties in this case have employed sophisticated legal counsel who have submitted thorough briefs with numerous exhibits (including Complainant’s Supplemental Filing) to address a relatively unique situation within the framework of the UDRP: Respondent has used the Domain Name by incorporating it into a template used for security awareness training programs for its clients. In particular, Respondent, while taking a number of precautionary steps, has used the Domain Name to send simulated phishing emails as part of its training program against social engineering computer attacks. This use of the Domain Name for these simulated emails is further restricted, as there is no website or content hosted at the web address associated with the Domain Name, and any person involved in a training program who receives such an email is redirected to a landing page where they are provided with immediate feedback that they have responded to a simulated phishing test.

The key debate between the parties is whether this use constitutes a “legitimate noncommercial or fair use of the domain name, without intent for commercial gain to misleadingly divert consumers or to tarnish the trademark or service mark at issue” under the Policy, para 4(c)(iii).

On the one hand, Complainant contends that for a number of reasons, this type of use cannot be considered fair use, including that: Complainant did not authorize Respondent to use its AETNA mark; Complainant repeatedly asked Respondent to cease its practice of using Complainant’s AETNA mark in simulated phishing emails; Respondent’s use of the Domain Name causes actual confusion; Respondent’s use is not “educational” given that Respondent charges a fee for its security training programs and Respondent is a for-profit company; Respondent’s use is intended to deceive and therefore is not truthful – that is, Respondent’s use to impersonate Complainant is by design dishonest, as well as unfair to Complainant and its consumers, and primarily serves the interests of Respondent, not the public; Respondent has engaged in a pattern of registering domain names corresponding to marks held by Complainant or third parties; and Respondent’s so-called simulated phishing attacks are not much different from actual phishing attacks.

Respondent, on the other hand, contends that use of the Domain Name in connection with its computer security training programs, without any intent to divert consumers for commercial gain or to tarnish Complainant’s AETNA mark, constitutes a legitimate, fair use. Respondent submits that the Domain Name is being used as part of a bona fide activity – the offering of educational programs directed at computer security awareness; that such use of another’s trademark for educational purposes is the archetypical example of fair use; that the use is for legitimate purposes and not as a pretext for commercial gain; that Respondent has taken a number of precautionary steps to ensure that its use of the Domain Name in connection with computer security training does not result in commercial harm or create confusion among Internet users; and that Respondent reasonably believes its use is truthful, well-founded and in the public interest.

The Panel determines that the issue of fair use in this case presents an interesting question and a close call, but not one that the Panel needs to address in light of its finding under the next heading concerning paragraph 4(a)(iii) of the Policy. The Panel observes, on the one hand, that even if the Domain Name is being used for alleged educational purposes, the Domain Name itself (encompassing Complainant’s mark) still may tend to suggest sponsorship or endorsement by Complainant, even if as the Domain Name is used only in the context of Respondent’s educational training programs. On the other hand, the Domain Name is not connected to any website (public or otherwise), so its use (as noted in Respondent’s precautionary steps) is uniquely limited and not a type of use that seeks to use Complainant’s trademark for any kind of commercial leverage or benefit. In the interest of judicial economy, the Panel does not decide the question of whether Respondent has established any rights or legitimate interests in the Domain Name under the Policy.

D. Registered and Used in Bad Faith

The third element of paragraph 4(a) of the Policy requires that Complainant demonstrate that Respondent registered and is using the Domain Names in bad faith. WIPO Overview 3.0, section 3.1, states that “bad faith under the UDRP is broadly understood to occur where a respondent takes unfair advantage of or otherwise abuses a complainant’s mark” and “bearing in mind that the burden of proof rests with the complainant.”

Here, there is no doubt that Respondent, when registering the Domain Name, was aware of Complainant’s AETNA trademark. The question is whether, despite that awareness, and in view of Respondent’s asserted fair use intention for registering the Domain Name, the registration amounts to bad faith. The Panel determines that in this case, where Respondent reasonably believed that what it was doing constituted legitimate fair use, and where this intention was backed up by precautionary measures and a unique and restricted form of use, it cannot be said that the registration of the Domain Name was in bad faith. See e.g., Human Resource Certification Institute v. Tridibesh Satpathy, Edusys, WIPO Case No. D2010-0291. Again, as noted above, this case presents a close call on the question of fair use, but that “close call” only serves to underpin that there is no obvious bad faith registration, which Complainant has the burden of demonstrating.

Regarding use of the Domain Name, Complainant acknowledges that Respondent’s actions are not precisely identified as bad faith under any of the definitions listed within the Policy; however, Complainant emphasizes that the Policy makes clear that the circumstances set forth in paragraph 4(b) are intended to be illustrative and “without limitation.” The Panel agrees that Respondent’s use of the Domain Name does not fall within the traditional types of bad faith use by respondents listed under paragraph 4(b) of the Policy. Most importantly, however, the Panel determines that the Domain Name is not being used to take unfair advantage of or otherwise intentionally abuse or tarnish Complainant’s mark. In particular, the Domain Name is not being used as a trademark or other naming device for purposes of leveraging the goodwill and reputation of Complainant’s AETNA trademark to bring Respondent commercial gain. Respondent here did not use the Domain Name (encompassing Complainant’s mark) to divert Internet traffic to an offering of or promotion of Respondent’s services. Nor would the unsuspecting Internet user who might type the Domain Name as part of a web address reach an operable webpage that would somehow redound to the benefit of Respondent; the user would simply receive an automated error message that the “site can’t be reached” because the server IP address “could not be found.” Thus, use of Complainant’s trademark does not inadvertently enhance the number of Internet users that might arrive at Respondent’s commercial website offering security training services. Instead, as discussed above, the Domain Name is being used in a rather unique fashion, to send simulated phishing emails within the scope of Respondent’s computer security training program, with certain associated precautionary steps. At the same time, with all this being said, it might nonetheless be reasonable to suggest that Respondent, having heard Complainant’s strong objections to use of its trademark for these purposes, should have desisted from doing so.

As to Complainant’s assertions of confusion arising from Respondent’s use of the Domain Name, to continue Complainant’s analogy – were a security company to simulate a bank robbery to promote its services, it might show poor judgment, and it might cause harm leading to some sort of liability, but if it simply never robbed the bank, it didn’t commit the sort of wrong covered by a bank robbery statute. Here, it is an open question whether Respondent harmed Complainant – one that this panel is not empowered to address – but on this limited record, the Panel finds that Respondent’s use of the Domain Name does not appear to be the sort of wrong covered by the Policy. Instead, these are issues that fall outside the Policy and are better suited for the courts. As both parties appear to recognize, the Policy from its inception – with proceedings that are by their very nature highly abbreviated and permitting only limited fact finding – “was designed to deal with a relatively narrow form of dispute between trade mark (and service mark) proprietors and domain name registrants, namely the deliberate registration of a domain name featuring the complainant’s trade mark or a confusingly similar variant of it with a view to causing damage or disruption to the complainant or his business or unfairly exploiting the complainant’s trade mark for the registrant’s own advantage.” See e.g., Human Resource Certification Institute v. Tridibesh Satpathy, Edusys, WIPO Case No. D2010-0291; see also Second Staff Report on Implementation Documents for the Uniform Dispute Resolution Policy (October 24, 1999), available at <http:www.icann.org/udrp/udrp-second-staff-report-24oct99.htm> (“Except in cases involving “abusive registrations” made with bad faith intent to profit commercially from others’ trademarks (e.g. cybersquatting and cyberpiracy) the adopted policy leaves the resolution of disputes to the courts and calls for registrars not to disturb a registration until those courts decide. The adopted policy establishes a streamlined, inexpensive administrative dispute-resolution procedure intended only for the relatively narrow class of cases of “abusive registrations”.); LIBRO AG v. NA Global Link Limited, WIPO Case No. D2000-0186.

In conclusion, the Panel emphasizes that the decision in this case is limited to the criteria under the Policy, and the Panel makes no findings concerning the parties’ rights under applicable national law – which may in any event be better suited for determination by a court.

Complainant has failed its burden to demonstrate that the Domain Name was registered in bad faith.

7. Decision

For the foregoing reasons, the Complaint is denied.

Christopher S. Gibson
Presiding Panelist

Brian J. Winterfeldt
Panelist

Martin Schwimmer
Panelist
Date: August 3, 2021