Proofpoint sues Facebook over dummy sites used for anti-phishing training

Proofpoint argues it is using the domains in good faith.
Facebook takedown
Stickers bearing the Facebook logo at the F8 developers conference in San Jose, California, on April 30, 2019. (REUTERS / Stephen Lam)

Proofpoint has filed a lawsuit against Facebook arguing that it should be allowed to use domains that imitate the Facebook and Instagram brands to test customers’ ability to avoid online scams.

Cybercriminals often imitate popular brands’ sites, including Facebook and Instagram, to dupe unsuspecting users, then pilfer their credentials or distribute malware. Proofpoint is one of several security companies that provides customers with phishing training that includes look-alike domains of popular brands in order to test clients’ wits on avoiding common cons.

By sending messages that appear to be from “Instagrarn” rather than “Instagram,” for instance, Proofpoint and other email security firms test clients’ ability to detect attacks. Social media sites, particularly Facebook and Instagram, are typically among the top most imitated in criminals’ so-called typo-squatting schemes, according to Palo Alto Networks research published in September.

The suit, filed Tuesday in an Arizona district court, is a countersuit to Facebook’s effort to seize domain names that Proofpoint has been using to imitate the Facebook and Instagram brands for its tests. Facebook began its effort to transfer the domains in November under the auspices of a Uniform Domain-Name Dispute-Resolution (UDRP) request, in which it argued the domains are confusingly similar to the brands’, according to court documents.


Proofpoint argues it is not confusing, noting in the suit that it has used the domain in “good faith” and for legitimate purposes. Proofpoint notes it alerts customers to the fact that the look-alike domains are just a test, not actual company domains and that the customers are not actually being targeted in a criminal scheme.

“Consumer confusion is unlikely because Proofpoint clearly states on the websites to which the Domain Names are pointed: ‘Hi! This web site belongs to Proofpoint Security Awareness Training. This domain is used to teach employees how to recognize and avoid phishing attacks,’” the suit states.

The domain names in question include “,” “,” “,” “” and “,” according to the suit.

The case highlights an age-old question for the information security community — will their efforts to make the ecosystem safer be interpreted as malicious, slights of hand or hijinks?

In an unrelated case in December, Tribune Publishing apologized for sending employees a phishing test that promised employees a Christmas bonus.


Before that, in 2019, two professionals working for security firm Coalfire Labs who were hired to test an Iowa courthouse’s defenses were jailed and charged with burglary for breaking into the courthouse. The charges were later dropped.

For companies like Proopoint that are in the business of testing customers’ ability to spot and avoid scams, UDRP requests like Facebook’s should not apply, Proofpoint argues. The service Proofpoint offers is making both customers and Facebook safer, Proofpoint lawyers argue in the filing.

“By using domain names similar to those of well-known companies, Proofpoint is able to execute a more effective training program because the workforce is more likely to learn to distinguish typo-squatted domains, which are commonly abused by bad actors to trick workers, from legitimate domain names,” Proofpoint said in court documents, adding that its registration of the domains in question was lawful.

“This protects both the employer that provides this training to its workforce as well as the owners of legitimate domain names, including social-media companies like Defendants,” it went on.

Typo-squatting schemes crop up in everyday scams, but criminals also leverage news cycles to dupe users — last year criminals seized on the presidential election to mimic websites in an effort to run political influence operations, according to the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency. The Department of Justice worked to shut down several domains that imitated pharmaceutical giants Moderna and Regeneron, which are developing treatments for the coronavirus.


An arbitrator appointed by the World Intellectual Property Organization Arbitration and Mediation Center has already ordered that the domain names in question be transferred to Facebook and Instagram, according to the suit. Namecheap, a domain name registrar based in Arizona, has ten business days to transfer the domains to Facebook under the UDRP, according to the suit.

Proofpoint is seeking declaratory relief from the judge in Arizona noting that it has not caused confusion by using the domains, that they did not register them in bad faith and that they have not infringed trademark rights of Facebook. Proofpoint claims in the suit that without a court decision on the matter, it “will suffer immediate and irreparable harm.”

Proofpoint and Facebook did not immediately return request for comment.

The case was first noticed by Seamus Hughes, the deputy director of the Program on Extremism at George Washington University. 

Shannon Vavra

Written by Shannon Vavra

Shannon Vavra covers the NSA, Cyber Command, espionage, and cyber-operations for CyberScoop. She previously worked at Axios as a news reporter, covering breaking political news, foreign policy, and cybersecurity. She has appeared on live national television and radio to discuss her reporting, including on MSNBC, Fox News, Fox Business, CBS, Al Jazeera, NPR, WTOP, as well as on podcasts including Motherboard’s CYBER and The CyberWire’s Caveat. Shannon hails from Chicago and received her bachelor’s degree from Tufts University.

Latest Podcasts