Decision for dispute CAC-UDRP-106616

The Panel is not aware of any other legal proceedings which are pending or decided and relate to the disputed domain name.

The Complainant has adduced evidence showing it is the owner of the following protected marks for the brand and corporate name INTESA SANPAULO:

- International trademark No. 920896 INTESA SANPAOLO, registered on 7 March 2007 in Nice Classification classes 9, 16, 35, 36, 38, 41 and 42;
- International trademark No. 793367 INTESA, registered on 4 September 2002 in class 36;
- EU trademark registration No. 5301999 INTESA SANPAOLO, registered on 18 June 2007 in classes 35, 36 and 38;
- EU trademark registration No. 12247979 INTESA, registered on 5 March 2014 in classes 9, 16, 35, 36, 38, 41 and 42.

The Complainant claimed that it is the registrant of the following domain names containing the marks INTESA SANPAOLO or INTESA:

<intesasanpaolo.com>, <intesasanpaolo.org>, <intesasanpaolo.eu>, <intesasanpaolo.info>, <intesasanpaolo.net>, <intesasanpaolo.biz>, <intesa-sanpaolo.com>, <intesa-sanpaolo.org>, <intesa-sanpaolo.eu>, <intesa-sanpaolo.info>, <intesa-sanpaolo.net>, <intesa-sanpaolo.biz>, <clienti-intesasanpaolo.com>, <serviziclienti-intesasanpaolo.com>, <intesasanpaolo-clienti.com>, <clienteintesasanpaolo.online>, <cliente-intesasanpaolo.com>, <assistenzaintesasanpaolo.com>, <intesa.com>, <intesa.info>, <intesa.org>, <intesa.biz>, <intesa.us>, <intesa.eu>, <intesa.cn>, <intesa.in>, <intesa.co.uk>, <intesa.tel>, <intesa.name>, <intesa.xxx>, <intesa.me>.

The Complainant adduced no evidence from WHOIS records to substantiate this claim. However, it did adduce evidence of use of the domain name <intesasanpaolo.com> which clearly relates to the Complainant.

The Respondent registered the disputed domain name <webintesasp.com> on 24 August 2023. This is the date given by the Complainant in its Complaint and in a letter sent by it to the Respondent by e-mail in September 2023 (see Factual Background). By contrast, the Registrar Verification performed by the CAC Case Administrator evoked a response from the disputed domain name's registrar -- WebNIC -- that gave the impossible registration date of "2024-08-24". The Panel therefore conducted its own ICANN look-up search (see Procedural Factors), which confirmed the date employed by the Complainant.

The Complainant, Intesa Sanpaolo, is Italy's leading banking group and a significant player on the European banking market. Its leadership in Italy, with roughly 14 million customers, around 3,300 branches and a market share of over 15% in most regions, applies from retail to corporate and wealth-management banking. The Complainant also has a strong presence in central and eastern Europe with a network of some 900 branches and over 7 million customers there. More widely, the Complainant's international network, which is specialized in supporting corporate customers, is present in 25 countries, in particular in the Mediterranean region and those countries where Italian companies are most active such as in the United States, China, India and Russia. The Complainant's business today results from the merger in 2007 of Banca Intesa S.p.A. and Sanpaolo IMI S.p.A. Its market capitalization is just under €66 billion. Intesa Sanpaolo's current managing director is Carlo Messina.

Domain names that the Complainant holds as registrant are connected to the official website which resolves to its domain name <intesasanpaolo.com>.

By letter sent on 20 September 2023 to the Respondent by e-mail, provided in copy to the Panel, the Complainant referred to its protected brand and to the Respondent's having included it when registering the disputed domain name <webintesasp.com>. The Complainant requested the Respondent to transfer the name to the Complainant on the ground of trademark infringement. The Respondent did not comply with this "cease-and-desist" request.

The Case File shows that the e-mail address to which the Complainant sent its letter is operational, since the CAC Case Administrator was able to determine delivery of CAC communications to that e-mail address when opening this proceeding.

The Complainant adduced screenshot evidence showing that access to the web page to which the disputed domain name resolves is initially blocked by Google Chrome Safe Browsing, with a browser red warning page being generated by that Google service instead. The page warns against proceeding further to access the blocked web page because it may contain harmful code or content which may induce an internet user unsafely to disclose information such as the user's password, telephone number or credit card number.

Brief investigation during the Panel's routine scrutiny of the Case File (see Procedural Factors) indicated that the postal address given for the Respondent relates to a real location in northern Italy, whereas the Respondent's e-mail username (amexfollia) bears no resemblance to the first name or surname given for the Respondent. The telephone number given appears to be in the correct format for an Italian mobile number. The Panel furthermore verified the type of warning referred to above that is issued by Google Chrome. Its Help page explains that: "Phishing and malware detection is turned on by default in Chrome. When you encounter phishing, malware, unwanted software, or social engineering sites, you may get a red warning that says 'Dangerous site.' If you see this warning, we recommend that you don't visit the site".

COMPLAINANT:

The Complainant contends that:

- the disputed domain name is identical or confusingly similar to a trademark in which the complainant has rights, since it is obvious that the disputed domain name <webintenasp.com> is at least confusingly similar to the Complainant’s trademarks INTESA SANPAOLO and “INTESA”, whereby the Respondent has exactly reproduced the well-known trademark INTESA, with the mere addition of the term “WEB” and the letters “SP" -- an abbreviation of the SANPAOLO portion of INTESA SANPAOLO;

- the Respondent has no rights or legitimate interests in respect of the disputed domain name since it has no authorization to use either the Complainant's INTESA SANPAOLO trademark or that for INTESA. Nor does the disputed domain name correspond to the name of the Respondent, who is furthermore not, to the best of the Complainant's knowledge, commonly known as “Webintesasp”. Lastly, no fair or non-commercial use of the disputed domain name is at stake but rather a suspect use that has elicited a browser malicious content warning page;

- the disputed domain name was registered and is being used by the Respondent in bad faith, most notably in view of the webpage to which it resolves triggering a browser warning against users risking the download of malware or being exposed to phishing – neither of which can, of course, constitute any form of bona fide offering. Moreover, the Complainant’s trademarks INTESA SANPAOLO and INTESA are distinctive and well known around the world, thereby indicating that the Respondent had knowledge of the Complainant’s protected brand at the time of registering a domain name which is so similar to that brand. By registering and then using the disputed domain name (including after having received a cease-and-desist letter), the Respondent has intentionally attempted to attract, for commercial gain, internet users to its website by creating a likelihood of confusion with the Complainant's mark as to the source, sponsorship, affiliation, or endorsement of its website in the sense of paragraph 4(b)(iv) of the Policy.

In these circumstances, the Complainant fulfils all the conditions set down by the Policy and thus it requests transfer to itself.

RESPONDENT:

NO ADMINISTRATIVELY COMPLIANT RESPONSE HAS BEEN FILED.

The Complainant has, to the satisfaction of the Panel, shown that the disputed domain name is identical or confusingly similar to trademarks in which the Complainant has rights (within the meaning of paragraph 4(a)(i) of the Policy).

The Complainant has, to the satisfaction of the Panel, shown the Respondent to have no rights or legitimate interests in respect of the disputed domain name (within the meaning of paragraph 4(a)(ii) of the Policy).

The Complainant has, to the satisfaction of the Panel, shown that the disputed domain name has been registered and is being used in bad faith (within the meaning of paragraph 4(a)(iii) of the Policy).

The Panel is satisfied that all procedural requirements under the UDRP were met and that there is no other reason why it would be inappropriate to provide a decision.

The Panel notes that its résumé of the Parties' contentions includes for the Complainant only its arguments pertinent to reaching a decision in this proceeding relative to the UDRP's criteria. In particular, references to some past ADR Panels' decisions illustrating early reactions to the now all too well-known problem of phishing are omitted.

Scrutiny of the Case File in this proceeding left the Panel unsatisfied as to three details:

- the date of the disputed domain names registration;

- the veracity of the Respondent's contact details given at registration;

- the type of warning issued by the Google Chrome browser, in relation to which the Complainant offered screenshot evidence.

The Panel considered it expeditious therefore to conduct its own investigations pursuant to its general powers under the Policy. These confirmed the date of registration given by the Complainant (see Identification of Rights), enabled the analysis of contact details that is included in the Factual Background (see Principal Reasons for the Decision for evaluation of their veracity), and confirmed that the Google Chrome warning page which the Complainant relies upon in supporting its allegation of the Respondent's phishing is indeed explicitly employed by Google to target phishing risks.

FINDINGS

The Panel finds in relation to the UDRP's cumulative three-part test as follows:

1. The disputed domain name's identicality to or confusingly similarity with a trademark or service mark in which the Complainant has rights

1.1. Demonstration of the Complainant’s rights relative to the disputed domain name

As outlined under Identification of Rights, the Complainant has adduced convincing evidence of protected rights under its trademark INTESA in particular, which is also the corporate name of one of the banks that merged in 2007 to form Intesa Sanpaolo. The Panel further takes note of its rights under its INTESA SANPAOLO trademark and notes the Complainant's major online presence and banking offerings operated under its <intesasanpaolo.com> domain name.

1.2. Confusing similarity of the disputed domain name to the Complainant’s trademarks

The dominant element of the disputed domain name’s stem “webintesasp” is the five letters of “intesa” and it is difficult, at least in English or Italian, to conjure up any other combination of the characters within the stem, or in conjunction with the characters of the TLD extension <.com>, that would not be confusingly similar to the Complainant’s INTESA mark. Given this, the Complainant’s contention that the term “web” is a mere generic addition becomes plausible as connoting this bank’s online presence, as does addition of the abbreviation “sp” as an indication of the other part of the Complainant’s name that has become well known widely across the globe after the 2007 merger of the Intesa and Sanpaolo banks. The Panel thus accepts the contention of confusing similarity, a finding only reinforced by the findings below.

2. Absence of Respondent’s rights or a legitimate interest in respect of the disputed domain name

Nothing in this proceeding’s Case File indicates that the Respondent may have any right or legitimate interest in the domain name, whereas there are significant indications that the interest it has pursued is an illegitimate one.

The strongest is the flagging by a browser user-protection feature of malicious content on the Respondent's webpage to which the confusingly similar disputed domain name resolves. This suggests that this name exists to lure internet users into some form of trap -- the browser-generated page warns explicitly of consequences associated with phishing if the destination web page is accessed -- even though the precise form it takes has not been shown.

In addition, the Respondent’s registration contact details arouse suspicion of concealed identity. The surname given, “Messina”, is also that of the Complainant’s CEO. This might in different circumstances to this case's be a mere coincidence, but that becomes less likely when one also considers the Respondent’s choice of e-mail username, “amexfollia”, which appears to join the shortened form of "American Express" with the Italian word for folly.

Even though other contact details given at registration (postal address, telephone number) might on their face appear realistic, the Panel, taking account of the obvious incentive for phishers to mask their true identity, finds the contact details to be of sufficiently uncertain veracity concerning the Respondent's identity as to cast doubt on the validity under the requirements for <.com> registration of the Respondent's registration of the disputed domain name in the first place.

The Panel thus concludes that the Respondent’s own conduct indicates the absence of any right or legitimate interest in the disputed domain name. It in this regard takes note of, but does not accord probative value to, the lack of a response by the Respondent to the cease-and-desist letter sent to it by the Complainant.

3. Bad faith registration and use by the Respondent

From what has been said above and been shown by the Complainant's evidence, there are ample grounds in this case to conclude that the Respondent must have known about the Complainant’s protected brand, that the disputed domain name’s registration was made in order to use it illegitimately and that the use it was actually put to is clearly illegitimate, with phishing being indicated – although this is by way of inference since direct evidence is lacking.

DECISION

On the basis of the above findings, the Panel HOLDS for the Complainant and ORDERS the transfer of the disputed domain name to it.