WIPO Arbitration and Mediation Center

ADMINISTRATIVE PANEL DECISION

The Commissioners for HM Revenue and Customs v. Withheld for Privacy Purposes, Privacy service provided by Withheld for Privacy ehf / David Stock

Case No. D2021-1998

1. The Parties

The Complainant is The Commissioners for HM Revenue and Customs, United Kingdom, represented by Demys Limited, United Kingdom (“United Kingdom” or “UK”).

The Respondent is Withheld for Privacy Purposes, Privacy service provided by Withheld for Privacy ehf, Iceland / David Stock, United Kingdom.

2. The Domain Name and Registrar

The disputed domain name <hmrc-tax-refund-secure.com> (the “Domain Name”) is registered with NameCheap, Inc. (the “Registrar”).

3. Procedural History

The Complaint was filed with the WIPO Arbitration and Mediation Center (the “Center”) on June 24, 2021. On June 24, 2021, the Center transmitted by email to the Registrar a request for registrar verification in connection with the Domain Name. On June 24, 2021, the Registrar transmitted by email to the Center its verification response disclosing registrant and contact information for the Domain Name which differed from the named Respondent and contact information in the Complaint. The Center sent an email communication to the Complainant on June 25, 2021 providing the registrant and contact information disclosed by the Registrar, and inviting the Complainant to submit an amendment to the Complaint. The Complainant filed an amended Complaint on June 28, 2021.

The Center verified that the Complaint together with the amended Complaint satisfied the formal requirements of the Uniform Domain Name Dispute Resolution Policy (the “Policy” or “UDRP”), the Rules for Uniform Domain Name Dispute Resolution Policy (the “Rules”), and the WIPO Supplemental Rules for Uniform Domain Name Dispute Resolution Policy (the “Supplemental Rules”).

In accordance with the Rules, paragraphs 2 and 4, the Center formally notified the Respondent of the Complaint, and the proceedings commenced on June 28, 2021. In accordance with the Rules, paragraph 5, the due date for Response was July 18, 2021. The Respondent did not submit any Response. Accordingly, the Center notified the Respondent’s default on July 19, 2021.

The Center appointed Jon Lang as the sole panelist in this matter on August 3, 2021. The Panel finds that it was properly constituted. The Panel has submitted the Statement of Acceptance and Declaration of Impartiality and Independence, as required by the Center to ensure compliance with the Rules, paragraph 7.

4. Factual Background

The Complainant was formally known as “Her Majesty’s Revenue and Customs”, often shortened to “HM Revenue and Customs” or the initialism “HMRC”. It is a non-ministerial department of the United Kingdom Government responsible for the collection of taxes, the payment of some forms of state support and the administration of other regulatory regimes. As the UK Government’s tax authority, almost every UK individual and business is a direct customer of the Complainant and a user of its services. The Complainant operates a website within the UK Government’s official portal at “www.gov.uk/government/organisations/hm-revenue-customs”. The site can also be accessed through the domain name <hmrc.gov.uk>.

The Complainant is the proprietor of the following UK trademarks: Registration No. 2471470 for HMRC with a registration date of March 28, 2008, and Registration No. 3251234 for HM REVENUE & CUSTOMS (design) with a registration date of December 29, 2017.

The Domain Name was created on February 8, 2021. It does not resolve to a website.

The Complainant’s representative sent a cease and desist letter to the Respondent on June 15, 2021, but did not receive a response.

5. Parties’ Contentions

A. Complainant

The following is a summary of the main assertions of the Complainant.

General

As with other tax authorities around the globe, the Complainant and its customers are frequently targeted by phishing, online scams and other criminality. There are characteristics that are common to domain names that have been used to target the Complainant and its customers for abusive purposes. Common features include, but are not necessarily limited to, the following:

- The use of domain names made up of the Complainant’s marks and additional generic terms;

- Additional terms are those associated closely with the Complainant and its activities and include words such as “tax”, “contact”, “gov”, or “verify”, or words which suggest a call to action, such as “claim”, “refund” or “demand”;

- Terms associated with common Internet-related activities, such as “secure”, “email”, or “click”;

- A lack of qualifying terms, which make the relationship (or non-relationship) between the registrant and the Complainant clear and unambiguous, such as “unofficial”;

- The use of visually similar domain names to the Complainant’s marks, including typographical or homoglyph variants;

- The use of false or redacted contact details on the WhoIs database;

- The use of the names and/or addresses of third parties on the WhoIs database which have been acquired through identity theft;

- Inactive websites, display of pay-per-click advertising or the use of default “parking pages”;

- The advertisement of premium rate telephone numbers impersonating the Complainant’s own helpline;

- The presence of mail exchange (MX) records in a domain name’s zone file, indicating that the domain name can be used to receive email.

The Complainant asserts that in most circumstances, domain names which match one or more of the criteria listed above are likely to have been registered and used in bad faith and that the more criteria which are matched, the greater the likelihood of bad faith registration and use. Moreover, where there is direct evidence that a domain name has been registered for fraudulent use then, by definition, it will have been registered and used in bad faith.

Microsoft’s “Defender SmartScreen” service reports that the Domain Name is unsafe and the Complainant believes that it has been, or is being used for potentially criminal purposes.

In addition to its registered rights, the Complainant asserts that it also has unregistered rights in the initialism HMRC.

Confusing similarity

The Domain Name is confusingly similar to the Complainant’s well-known HMRC mark in that it only differs by the addition of the dictionary words “tax refund” and “secure”. By virtue of it being the United Kingdom’s governmental tax authority, the words “tax refund” and “secure” are inherently associated with the Complainant and its activities.

Viewed as a whole, the HMRC mark is the most prominent, dominant and distinctive element of the Domain Name. The adornments “tax refund” and “secure” do not dispel any possibility of confusion but rather do the opposite, increasing the potential for confusion among Internet users.

The generic Top-Level Domain “.com” is required only for technical reasons and can be ignored for the purposes of comparison. Equally, the hyphens in the Domain Name do not further distinguish it from the Complainant’s mark.

The Respondent has no rights or legitimate interests in respect of the Domain Name

The Complainant contends that the Respondent does not have any rights or legitimate interests in the Domain Name:

- The Complainant has found no evidence that the Respondent has been commonly known by the names “hmrc” or “hmrc tax refund secure” prior to or after registration of the Domain Name. The Respondent is not a licensee of the Complainant and has not received any permission, consent, or acquiescence from the Complainant to use its marks or name in association with registration of the Domain Name or, indeed, any domain name, service, or product;

- The Complainant has found nothing to suggest that the Respondent owns any trademarks that incorporate or are similar or identical to the terms “hmrc” or “hmrc tax refund secure” or that the Respondent has ever traded or operated as “hmrc” or “hmrc tax refund secure”;

- The Domain Name has been flagged by a reputable third party security service for phishing or other criminal activity. Use of the Domain Name for criminal activity, such as phishing or malware distribution, could never give the Respondent a legitimate interest in the Domain Name;

- It is highly unlikely that the Respondent intended to use the Domain Name for any legitimate or fair use. Indeed, the Complainant cannot conceive of any use to which the Domain Name could be put that would not infringe the Complainant’s rights. Similarly, the Domain Name could not be used without causing widespread confusion given that it is confusingly similar to the Complainant’s HMRC mark and name;

- The Respondent did not reply to the communication sent by the Complainant’s representative and the Respondent’s non-response and failure to give an explanation to the Complainant’s contentions is an admission thereof.

The disputed domain name was registered and is being used in bad faith

The Complainant contends that the Domain Name was registered and is being used in bad faith:

- The Domain Name has been flagged by a reputable third party security service for phishing or other criminal activity. Attempting to deceive Internet users cannot be a bona fide use and any such use must be abusive to, or take unfair advantage of the Complainant’s rights;

- At the point of submission of the Complaint, the website associated with the Domain Name no longer resolves and is “passively held”. Such passive holding constitutes bad faith in the circumstances of this Complaint: the Complainant is very well known both in the UK and beyond and its marks have been used for many years prior to registration of the Domain Name; the Domain Name has been used for potentially criminal purposes which is entirely incompatible with any good faith use; given the fame, widespread use and reputation of the Complainant, it is inconceivable that the Respondent could have registered the Domain Name without the Complainant’s marks in mind and with good-faith intentions. This is especially so given the inclusion of the terms “tax refund” and “secure”, which could only reasonably relate to the Complainant and its activities when incorporated into a domain name that also includes the Complainant’s well-known name and mark.

- Use of a privacy service by the Respondent in the circumstances of this Complaint is indicative of bad faith given that the Domain Name is confusingly similar to the Complainant’s HMRC mark and the other indicia of bad faith, including that the Domain Name has been used for potentially criminal activity.

B. Respondent

The Respondent did not reply to the Complainant’s contentions.

6. Discussion and Findings

Paragraph 4(a) of the Policy requires a complainant to prove that a respondent has registered a domain name which is: (i) identical or confusingly similar to a trademark or service mark in which a complainant has rights; and (ii) that the respondent has no rights or legitimate interests in respect of the domain name; and (iii) that the domain name has been registered and is being used in bad faith. A complainant must prove each of these three elements to succeed.

A. Identical or Confusingly Similar

The Complainant is the owner of the HMRC and HM REVENUE & CUSTOMS registered marks and clearly has rights in those marks, although it is not necessary to consider the latter mark for present purposes.

Ignoring the gTLD “.com” (as the Panel may do for comparison purposes), the Domain Name comprises the HMRC mark followed by the words “tax”, “refund”, and “secure”, with all elements of the Domain Name being separated by hyphens. Accordingly, the HMRC mark and Domain Name are not identical and thus the issue of confusing similarity must be considered. Application of the confusing similarity test under the UDRP typically involves “a side-by-side comparison of the domain name and the textual components of the relevant trademark to assess whether the mark is recognizable within the disputed domain name” (section 1.7 of the WIPO Overview of WIPO Panel Views on Selected UDRP Questions, Third Edition (“the WIPO Overview 3.0”)). Section 1.7 of the WIPO Overview 3.0 goes on to provide “[…]in cases where a domain name incorporates the entirety of a trademark, […] the domain name will normally be considered confusingly similar to that mark for purposes of UDRP standing”.

The HMRC mark is incorporated in its entirety within the Domain Name. It is clearly recognizable within the Domain Name. The addition of the words “tax”, “refund”, and “secure” does not prevent a finding of confusing similarity between the Domain Name and the HMRC mark.

The Panel finds that the Domain Name is confusingly similar to the HMRC mark for the purposes of the Policy and thus paragraph 4(a)(i) of the Policy has been established.

B. Rights or Legitimate Interests

By its allegations, the Complainant has made out a prima facie case that the Respondent lacks rights or legitimate interests in the Domain Name.

Accordingly, the burden of production shifts to the Respondent to come forward with arguments or evidence demonstrating that it does in fact have such rights or legitimate interests. The Respondent has not done so and accordingly, the Panel is entitled to find, given the prima facie case made out by the Complainant, that the Respondent indeed lacks rights or legitimate interests in the Domain Name. Despite the lack of any answer to the Complainant’s contentions however, the Panel is entitled to consider whether there would be anything inappropriate in such a finding.

A respondent can show it has rights to or legitimate interests in a domain name in various ways even where, as is the case here, it is not licensed by or affiliated with a complainant. For instance, it can show that it has been commonly known by the domain name or that it is making a legitimate noncommercial or fair use of the domain name without intent for commercial gain to misleadingly divert consumers or to tarnish the trademark or service mark at issue. Here, however, the Respondent is not known by the Domain Name. Nor can it be said that there is legitimate noncommercial or fair use. There appears to be no active use at all, the Domain Name not resolving to any webpage. In any event, given that any noncommercial or fair use must be without intent to mislead, even if the Respondent could point to some use, it is unlikely it would be regarded as legitimate or fair, given that the Domain Name is confusingly similar to the Complainant’s HMRC mark and would inevitably create a false impression (no doubt by design) of being a domain name of the Complainant.

A respondent can also show that it is using a domain name in connection with a bona fide offering of goods or services. Whilst it appears that no use is being made of the Domain Name at present, given the inevitability of a false impression being created if it were to be used (in turn suggesting that any use would be for improper purposes), it is beyond doubt that any offering of goods or services in the future would not be treated as bona fide.

There is no evidence before this Panel that the Respondent has rights or legitimate interests in the Domain Name. The Respondent has not come forward with a Response and it can only be assumed that there is nothing it could say that might support an assertion that it does in fact have rights or legitimate interests in the Domain Name. Indeed the Domain Name, having been flagged by a reputable third party security service as described earlier, far from supports any suggestion that the Respondent could demonstrate rights or legitimate interests in the Domain Name.

The contentions of the Complainant, by which it has made out a prima facie case that the Respondent has no rights or legitimate interests, have not been contradicted or challenged, or cast into doubt by the analysis set out above. Accordingly, the Panel finds that the Complainant has fulfilled the requirements of paragraph 4(a)(ii) of the Policy.

C. Registered and Used in Bad Faith

Paragraph 4(b) of the Policy provides a number of non-exclusive scenarios, which may evidence a respondent’s bad faith. They include, for instance, a respondent registering a domain name in order to prevent an owner of the trademark or service mark to which it is said to be confusingly similar or identical, from reflecting the mark in question in a corresponding domain name (provided that the respondent has engaged in a pattern of such conduct). A respondent registering a domain name primarily for the purposes of disrupting the business of a competitor is another scenario, as is a respondent intentionally attempting to attract, for commercial gain, Internet users to its website by creating a likelihood of confusion with a complainant’s mark as to the source, sponsorship, affiliation or endorsement of its website or of products or services on it.

Sometimes, particularly in cases where nothing at all is done with a domain name, it is not possible for a complainant to demonstrate a precise literal application of one of the paragraph 4(b) scenarios.

However, the paragraph 4(b) scenarios are non-exclusive and simply illustrative, and thus other circumstances demonstrating that a respondent seeks to take unfair advantage of, or to abuse a complainant’s trademark (such behaviour being broadly understood to constitute bad faith for the purposes of the Policy) are usually enough to establish this third limb of paragraph 4(a) of the Policy (even if not falling within one of the paragraph 4(b) scenarios).

The Respondent clearly knew of the Complainant and its HMRC mark at the time of registration of the Domain Name. Further, it is difficult to see how the Respondent would not also appreciate that any use of the Domain Name by anyone other than the Complainant would be inherently deceptive, in that it would inevitably mislead Internet users into believing that the Domain Name or any website or email address associated with it, was that of the Complainant. The addition of the words “tax”, “refund”, and “secure” which follow the HMRC mark (separated by hyphens) would hardly ameliorate the risk of Internet users being deceived, as the Respondent must well have known, but would be likely to increase such risk.

The Domain Name has the hallmarks of bad faith registration and use. It is inherently deceptive and ripe to be used in a phishing scam or other nefarious activity. To this end, it has been held by past UDRP panels that where a domain name has been used, or connected with phishing activities, a finding of bad faith will follow (e.g., Confédération Nationale du Crédit Mutuel v. Daniel Delcore, WIPO Case No. DLC2009-0001). Needless to say, use of a domain name in connection with criminal activities would also support a finding of bad faith registration and use.

The fact that in this case no use is being made of the Domain Name at present (and hence can be treated as being passively held), does not prevent a finding of bad faith registration and use. Indeed, a passive holding of a domain name can support a finding of bad faith. UDRP panels must examine all the circumstances of the case.

Section 3.3 of the WIPO Overview 3.0 provides:

“While panelists will look at the totality of the circumstances in each case, factors that have been considered relevant in applying the passive holding doctrine include: (i) the degree of distinctiveness or reputation of the complainant’s mark, (ii) the failure of the respondent to submit a response or to provide any evidence of actual or contemplated good-faith use, (iii) the respondent’s concealing its identity or use of false contact details (noted to be in breach of its registration agreement), and (iv) the implausibility of any good faith use to which the domain name may be put”.

The Domain Name incorporates the distinctive HMRC mark. No Response was filed or evidence of actual or contemplated good faith use provided. None would seem plausible. The letter sent on the Complainant’s behalf received no reply. Moreover, a privacy service was used by the Respondent. Whilst there are of course recognized legitimate uses of privacy and proxy registration services (see section 3.6 of the WIPO Overview 3.0), in the circumstances of this case, the Panel finds that the Respondent’s use of a privacy protection service additionally supports an inference of bad faith. Finally, any good faith use of the confusingly similar, indeed inherently deceptive Domain Name, would seem highly implausible. The passive holding of the Domain Name in the circumstances of this Complaint supports a finding of bad faith.

In all the circumstances, the Panel finds that, for the purposes of the Policy, there is evidence of both registration and use of the Domain Name in bad faith.

7. Decision

For the foregoing reasons, in accordance with paragraphs 4(i) of the Policy and 15 of the Rules, the Panel orders that the Domain Name <hmrc-tax-refund-secure.com> be transferred to the Complainant.

Jon Lang
Sole Panelist
Date: August 16, 2021