Hijackers have something in common with pickpockets. Their modus operandi is stealth. Their victims no more realize that their pockets have been picked than that their domain names have been transferred to a new Registrar and Registrant. In these cases the surreptitious transfer of a domain name is equivalent to a registration: cybersquatting by theft. AHI Invest GmbH v. Site Service International, Richard Sorensen, D2009-0561 (WIPO June 15, 2009). Unless the victim checks his vital statistics from time to time, he would be unconscious of having lost control of his property. A close variant is phishing, which is an ironic parody of fishing used in the sense of reeling in unsuspecting innocents. The actions differ in that phishing targets complainants’ customers rather than complainants themselves. Phishing is a different but even more powerful economic model of chicanery than hijacking.
Phishers’ stock in trade is to create look-alike web sites designed to deceive Internet users into believing the reality of appearance and thus disclosing credit card information, passwords, social security numbers and other personal information, which is then used to steal identities, run up fraudulent bills and create databases for spam e-mail. The Royal Bank of Scotland Group plc v. Teddy Jackson, FA0705000992134 (Nat. Arb. Forum July 2, 2007) (fraudulent lottery scheme). Evident tortious conduct and criminal culpability are presumptively bad faith; by consensus two of the three circumstances under the Policy in which registration and use merge.
It sometimes happens that there is a third victim, the person reported by the Registrar as the registrant of the disputed domain name. The Royal Bank of Scotland Group plc v. [Redacted], FA0908001282153 (Nat. Arb. Forum October 28, 2009) is illustrative. Paragraph 4(j) of the Policy reads, “[a]ll decisions under this Policy will be published in full over the Internet, except when an Administrative Panel determines in an exceptional case to redact portions of its decision.” Where the respondent is the victim of identity theft, it is appropriate to withhold respondent’s name from publication or redact it to protect his or her identity. National Westminster Bank plc v. [Redacted], FA0606000724496 (Nat. Arb. Forum July 20, 2006), citing Wells Fargo & Co. v. John Doe as Holder of Domain Name, FA 362108 (Nat. Arb. Forum December 30, 2004) and Wells Fargo & Co. v. John Doe as Holder of Domain Name, FA 453727 (Nat. Arb. Forum May 19, 2005):
[The] panels omitted the respondent’s personal information from the decision in an attempt to protect the respondents claiming to be victims of identity theft from any further injury.
National Westminster Bank plc v. [REDACTED], FA0807001215821 (Nat. Arb. Forum August 21, 2008) (“Apparently, Respondent is a victim of identity theft and the Panel elects to redact Respondent’s personal information from the decision to prevent the further victimization of Respondent.”). The Panel in the latest case involving The Royal Bank of Scotland followed this precedent in redacting the respondent’s name. The unknown phisher registered <rbs-partners.com> for “a fraudulent scheme that seeks to obtain personal financial information from Internet users in the United States.” The phisher never makes an appearance as a respondent; the identified registrant is but a convenient victim.