Typosquatting and BEC Fraud – The potersignal.com Incident

Background: Potter Electric Signal and Its Digital Footprint

Potter Electric Signal Company, LLC (hereafter Potter Signal) is a long-established manufacturer of life safety devices with a global presence (wipo.int). Potter Signal's primary domain, pottersignal.com, has been active since 1998; it hosts the official website and is the domain from which the company corresponds by email with customers, vendors, and employees. In late 2024, Potter Signal became the target of a typosquatting attack when a look-alike domain, potersignal.com (missing one "t"), was registered by an unknown actor. This case study analyzes the technical details of that incident: how the domain was weaponized for fraud, and what defenses could have prevented it.

Business Email Compromise (BEC) Context: The incident fits a broader rise in BEC scams, which the FBI's Internet Crime Complaint Center puts at more than $55 billion in reported (exposed) losses worldwide over the past decade (figure cited at proofpoint.com). BEC attacks typically rely on impersonation, through spoofed or look-alike domains, to trick targets into unauthorized payments. They exploit human trust rather than software vulnerabilities, which is why they remain among the most financially damaging cyber threats.

The Typosquatted Domain Registration

Typosquatting and BEC fraud are a common problem for any organization with an internet presence. The fraudulent domain potersignal.com was registered on November 6, 2024 through NameCheap, Inc., decades after Potter Signal's brand and domain were established, which points to a deliberate choice of a name mimicking an existing trusted brand. The domain reproduces the Potter Signal name with one "t" removed ("potter" becomes "poter"), followed by "signal.com" (wipo.int). Dropping one letter of a doubled pair is a classic typosquatting strategy: it yields a string confusingly similar to the legitimate domain, and this particular edit is the one a reader is least likely to notice at a glance, because the eye expects the double letter and fills it in. By deleting a single character, the attacker ensured that potersignal.com could be mistaken for the real pottersignal.com address.

An example of typosquatting and BEC fraud

From the start, the domain's configuration raised red flags. The registrant's details were shielded behind a privacy service ("Withheld for Privacy ehf"), masking the attacker's identity. On its own that proves little, since NameCheap applies this service to registrations by default, but it is routine for domains registered for typosquatting and BEC fraud and it becomes telling in combination with the other indicators discussed below. Furthermore, potersignal.com had no legitimate website content; it resolved to an "inactive webpage" with no active web services. The domain was evidently not intended for any genuine business presence or customer use (unlike Potter's real site) but was parked or minimally configured. In other words, the sole purpose of potersignal.com was to serve as infrastructure for the attack, not to host a clone website.

Domain Infrastructure Notes: The public case file does not record the DNS configuration of potersignal.com, so the following is inference. The lack of a live website suggests a default NameCheap parking page or an empty hosting setup. To send mail from the domain, the attacker needed only a mail server (or a hosted mail service) willing to send as @potersignal.com, plus an SPF record and ideally a DKIM key so that recipients' filters would accept the messages; to receive replies from customers, the attacker also needed an MX record pointing at a mailbox under their control. Many registrars bundle email forwarding or mail hosting, and NameCheap's offering could have served both purposes. Nothing in the decision mentions a TLS certificate or any other public service for potersignal.com beyond its use in email headers, which reinforces that the domain's value to the attacker was as a fake email domain rather than a web presence.

Timeline of the Incident

To understand the progression of this attack, here is a timeline of key events and discovery:

  1. November 6, 2024 – Domain Registered: The typosquat domain potersignal.com is registered through NameCheap. The registrant uses privacy protection to hide their identity. No public use of the domain is evident at this point; it sits idle behind an inactive page.
  2. Mid-November 2024 – Attack Preparation (inferred): The attacker configures the domain for email. This would involve creating one or more mailboxes or aliases on @potersignal.com, possibly named after real Potter Signal staff, and publishing SPF (and perhaps DKIM) records so that messages from the domain are not rejected outright by recipients' filters.
  3. Late November 2024 – Phishing Emails Sent: The attacker starts using the domain. On or about November 26, 2024, Potter Signal discovers that potersignal.com is being used in an email phishing campaign. The attacker is intercepting ongoing correspondence between Potter and its customers and injecting fraudulent emails into those conversations: impersonating Potter Signal (and specific Potter employees), the attacker emails Potter's customers from the fake domain and asks that payments owed to Potter be sent to a fraudulent bank account.
  4. December 2024 – Incident Response Initiated (inferred): Upon discovery, Potter Signal presumably launches an incident response: warning customers of the scam, containing the fraudulent communications, and gathering evidence, including screenshots of the phishing emails. They likely also contact the registrar and possibly law enforcement about the fraudulent domain. Several email screenshots showing the attacker posing as Potter or its staff are preserved and later submitted as evidence.
  5. February 14, 2025 – WIPO Complaint Filed: Potter Signal files a complaint with the WIPO Arbitration and Mediation Center under the Uniform Domain Name Dispute Resolution Policy (UDRP) to dispute potersignal.com. The complaint asserts Potter's trademark rights and documents the fraudulent use of the domain. WIPO requests registrar verification; NameCheap discloses the registrant's provided identity ("BiBi Bill, Billi, United States"), which appears to be a false name. The registrar locks the domain for the duration of the dispute.
  6. March 2025 – No Response from Attacker: WIPO formally notifies the Respondent (the domain registrant) of the proceeding, but the attacker files no response, so the panel decides on the complaint alone. This is typical: a fraudulent actor usually abandons a domain once exposed. Note that the registrar lock prevents the domain from being transferred or its registrant details changed; it does not by itself stop the domain from resolving or receiving mail, so the domain is neutralized mainly because the scheme has been exposed and the attacker has walked away.
  7. April 8, 2025 – Decision and Domain Transfer: The WIPO panel (sole panelist Lynda M. Braun) issues its decision. It finds that Potter Signal proved all three UDRP elements: (i) the domain is confusingly similar to its POTTER mark, (ii) the respondent has no rights or legitimate interests in it, and (iii) it was registered and is being used in bad faith. The decision specifically cites the phishing scheme as evidence of bad faith. The panel orders potersignal.com transferred to Potter Signal, taking the domain out of the attacker's hands and preventing any further use in fraud. (Decision dated April 8, 2025, wipo.int.)

Attack Execution: Phishing and Impersonation Tactics

The core of this incident was a Business Email Compromise attack leveraging the fake domain to impersonate Potter Signal in the eyes of its customers. The attacker’s modus operandi can be reconstructed as follows:

  • Typosquatted Domain as Trust Anchor: By sending from potersignal.com, the attacker produced messages whose addresses were nearly identical to Potter's legitimate ones. A customer expecting mail from someone at @pottersignal.com could be fooled by a message from [employee.name]@potersignal.com; the missing "t" is easily overlooked. Attackers count on busy recipients who "just skim over an email address and won't notice a difference if only one or two characters are different." The impersonation here was deliberate and convincing: the attacker used the name of an actual Potter Signal employee in the email alias so that the message appeared to come from that real individual. Such attention to detail (correct names, references to real transactions) lends the phishing emails legitimacy.
  • Interception of Ongoing Conversations: According to the WIPO findings, the attacker was able to "fraudulently intercept communications between the Complainant and its customers". This implies visibility into real invoices or threads in progress. The likely scenario is that one side's mailbox had been compromised (a customer's email system, or, less likely, a Potter Signal employee's), giving the attacker knowledge of pending payments; in practice such access is often maintained through a forwarding rule or inbox rule quietly added to the compromised mailbox rather than through malware. Armed with that knowledge, the attacker could time a message to insert themselves at the right moment: once a legitimate Potter invoice reached a client, the attacker could email that client from the fake domain, posing as the Potter representative, with something like "Please note our banking details have changed. Kindly send the payment to this new account ...". The customer believes the correspondence with the legitimate company is simply continuing and does not notice that the domain on the latest message differs by one letter, while the real Potter Signal is unaware that its customer has received altered instructions.
  • Phishing Email Characteristics: The fraudulent emails aimed to divert funds; the attacker "requested that payments owed to the Complainant be sent to a fraudulent bank account". This is a fake-invoice or payment-redirection scam, a subtype of BEC. The emails likely referenced an outstanding or overdue invoice (possibly one seen in the intercepted communications) and supplied new payment instructions under false pretenses. No malicious links or attachments were needed: the request itself, to wire money to a specified account, was the payload. Such text-only social engineering often bypasses traditional filters, because "BEC scam emails do not contain any links or malicious attachments", allowing them to "slide by email spam and malware filter protections" (securityboulevard.com). The messages in this incident were convincing enough that Potter's customers could have been fooled had the scheme not been uncovered in time.
  • Impersonating Employees and Domains: Using both the company's name and an employee's identity is a powerful impersonation tactic: domain spoofing (via the typosquat) combined with persona spoofing (a real staff member's name and title). From the customer's side, the sender address, display name and probably the email signature all looked normal; only the domain spelling differed. This is a textbook BEC false-invoice scheme, also called vendor email compromise when an external supplier is impersonated. As one analysis notes, attackers frequently "act as if they are the supplier and request fund transfers to fraudulent accounts", exploiting the assumption that payments to a known vendor need no close scrutiny (proofpoint.com). Here the "supplier" is Potter Signal and its customers are the ones asked to pay the scammer.

In summary, the weaponization of potersignal.com was straightforward but effective: use a look-alike domain to send believable emails that trick customers into misdirecting payments. The domain gave the attacker an appearance of legitimacy and a place to anchor the scam outside Potter's real infrastructure. As far as the record shows, the incident involved no malware and no software vulnerability; it was a social engineering con enabled by a deceptive domain.

Indicators and Technical Red Flags

From an IT/security perspective, several indicators of compromise (IOC) and anomalies could have signaled this attack:

  • Recently Registered Domain: A key indicator was the age of potersignal.com. It was registered in November 2024, weeks before the scam emails were sent, whereas pottersignal.com had been in use for over 25 years. A brand-new domain appearing in financial correspondence is suspicious in itself. Security teams can check registration dates through WHOIS or RDAP lookups, and many email security tools can flag mail from domains younger than a few months. A lookup on potersignal.com in late 2024 would have shown a domain only days or weeks old, registered behind a privacy service, traits shared by a great many malicious domains.
  • Domain Name Discrepancy: The most direct clue is the spelling of the sender domain. The difference between "pottersignal.com" and "potersignal.com" (one "t" missing) is hard to spot but definitive once seen. Users should be trained to inspect sender addresses carefully whenever money is involved; any customer who noticed the missing "t" and compared it with Potter Signal's official domain would have recognized the fake. On the system side, email defenses can apply fuzzy matching (for example, flagging any external sender domain within an edit distance of one of a protected domain) or explicit rules, such as flagging an external email claiming to be from "Potter Signal" that is not actually from pottersignal.com. Look-alike domain detection of this kind is increasingly a standard feature of anti-phishing and BEC protection services.
  • Email Authentication and Routing Metadata: The headers of the phishing messages would carry technical tells. Potter's genuine mail is sent through hosts authorized in its SPF record (a hosted suite such as Microsoft 365 or Google Workspace, or a known mail server), whereas the phony messages would come from whatever VPS or mail provider the attacker used. The crucial point about authentication, however, is that it would not have failed. SPF, DKIM and DMARC answer the question "did this message come from whoever controls the domain in the header?" For potersignal.com the honest answer is yes: the attacker owned the domain, could publish whatever SPF and DKIM records they liked, and so a receiving server would report spf=pass and dkim=pass for potersignal.com. A DMARC policy on the real pottersignal.com domain blocks direct spoofing of that domain, which is precisely why attackers move to a look-alike domain they control. This is the central challenge of BEC: email authentication verifies the sending domain, not whether that domain is the one the recipient thinks it is, so a look-alike domain passes every standard check and must be caught by other means (domain age, similarity to protected domains, and out-of-band verification).
  • Inactive Website: Another red flag is that visiting http://potersignal.com yielded no real content (the WIPO panel noted the site was inactive). A customer who followed a link to Potter's website in a fraudulent email (if one was included) or who typed in the domain would have found no proper site. A legitimate company domain almost always has a working website or at least a landing page, so an absent or placeholder site is a warning sign. Attackers sometimes set up a basic clone page to avoid this giveaway, but that was not done here.
  • Mismatch in Communication Channels: Potter Signal uses its official domain for all its communications. Being contacted from a different domain about a billing matter is therefore an inconsistency in itself. Many organizations include notices in their emails or invoices such as "All official emails from Potter will come from @pottersignal.com. We will never contact you from any other domain." A notice like that helps recipients. Even without it, a customer might notice that earlier emails about the same transaction came from @pottersignal.com and a follow-up suddenly arrives from @potersignal.com, a subtle but critical change.
  • WHOIS Privacy and Registrant Info: Average customers will not check WHOIS records, but the security teams responding to the incident likely did. The privacy service and the odd registrant name eventually disclosed ("BiBi Bill", wipo.int) strongly indicate that this was not an authorized or legitimate domain. A genuine business partner has no need to hide the ownership of a domain it uses to correspond with clients. Privacy registration, combined with the domain's timing and the content of the emails, solidified the assessment that the domain was malicious.

In summary, a combination of domain intelligence and email metadata analysis provided clear indicators of the scam. The challenge, however, is catching these indicators in real-time: the attacker’s strategy relies on the likelihood that neither automated filters nor hurried humans will notice the one-letter discrepancy or the domain’s youth before complying with the payment request.
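
The indicator checks above (a sender domain one edit away from a protected domain, a domain registered only weeks earlier, and SPF/DKIM/DMARC that pass for the look-alike itself) can be automated at the mail gateway or in a SOC triage script. The Python below is an added example written for this page, not code from Potter Signal, NameCheap or any vendor; the sample message, the registration-date table and the protected-domain watchlist are constructed, and a real deployment would replace the dictionary lookup with an RDAP or WHOIS query.

```python
"""Added example (not from the original page or from Potter Signal): triage an
inbound message for the indicators above. The message text, the registration-date
table and the protected-domain watchlist are constructed for this example; a real
deployment would query RDAP/WHOIS or a domain-intelligence feed instead."""
from datetime import date
from email import message_from_string
from email.utils import getaddresses

PROTECTED_DOMAINS = {"pottersignal.com"}   # assumed watchlist of own/partner domains
REGISTRATION_DATES = {                       # constructed stand-in for an RDAP lookup
    "pottersignal.com": date(1998, 1, 1),
    "potersignal.com": date(2024, 11, 6),
}
NEW_DOMAIN_DAYS = 90                         # "young domain" threshold, assumed
DISCOVERY_DATE = date(2024, 11, 26)          # when the incident was spotted


def edit_distance(a, b):
    """Optimal string alignment distance: insert, delete, substitute or swap = 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def is_lookalike(domain):
    """True when domain is within one edit of a protected domain but is not one."""
    return domain not in PROTECTED_DOMAINS and any(
        edit_distance(domain, good) <= 1 for good in PROTECTED_DOMAINS)


def sender_domains(msg):
    """Header name -> domain, for every address a recipient might reply to or trust."""
    out = {}
    for hdr in ("From", "Reply-To", "Return-Path"):
        for _name, addr in getaddresses(msg.get_all(hdr, [])):
            if "@" in addr:
                out[hdr] = addr.rsplit("@", 1)[1].lower()
    return out


def auth_results(msg):
    """Minimal Authentication-Results (RFC 8601) parser: method -> (result, domain)."""
    res = {}
    for hdr in msg.get_all("Authentication-Results", []):
        for clause in hdr.split(";")[1:]:        # clause 0 is the authserv-id
            parts = clause.split()
            if not parts or "=" not in parts[0]:
                continue
            method, result = parts[0].split("=", 1)
            dom = ""
            for prop in parts[1:]:
                key, _, val = prop.partition("=")
                if key in ("smtp.mailfrom", "header.d", "header.from"):
                    dom = val.split("@")[-1].lower()
            res[method] = (result, dom)
    return res


def triage(raw_message, today):
    """Return a list of findings; an empty list means no indicator fired."""
    msg = message_from_string(raw_message)
    findings, checked = [], set()
    for hdr, dom in sender_domains(msg).items():
        if dom in checked or dom in PROTECTED_DOMAINS:
            continue
        checked.add(dom)
        if is_lookalike(dom):
            findings.append(f"{hdr}: {dom} is one edit away from a protected domain")
        reg = REGISTRATION_DATES.get(dom)
        if reg and (today - reg).days < NEW_DOMAIN_DAYS:
            findings.append(f"{hdr}: {dom} registered {(today - reg).days} days ago")
    # The BEC trap: a pass only proves the mail came from whoever controls the
    # look-alike domain, not that the look-alike is the brand.
    for method, (result, dom) in auth_results(msg).items():
        if result == "pass" and is_lookalike(dom):
            findings.append(f"{method}=pass for {dom}: authenticated as the lookalike, not as the brand")
    return findings


# Constructed samples; addresses, names and the invoice number are invented.
PHISH = """\
Return-Path: <ar@potersignal.com>
Authentication-Results: mx.customer.example; spf=pass smtp.mailfrom=potersignal.com; dkim=pass header.d=potersignal.com; dmarc=pass header.from=potersignal.com
From: "Accounts Receivable" <ar@potersignal.com>
To: ap@customer.example
Subject: RE: Invoice 10442 - updated banking details

Please note our banking details have changed. Kindly remit to the new account.
"""
LEGIT = PHISH.replace("potersignal.com", "pottersignal.com")

if __name__ == "__main__":
    print(triage(PHISH, DISCOVERY_DATE))   # prints five findings
    print(triage(LEGIT, DISCOVERY_DATE))   # prints []
```

Note what the last check does not do: it never declares the message spoofed, because it is not. The mail authenticated correctly for potersignal.com. The finding is that a correctly authenticated message came from a domain one edit away from a protected one and only twenty days old; that combination is the signal to act on, since nothing in SPF, DKIM or DMARC will ever fire here.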

Registrar and Response Actions

The domain was obtained through NameCheap, a popular registrar. NameCheap was not complicit in the attack, but the choice of registrar is notable: affordable registrars with instant purchase and free WHOIS privacy are favored by attackers for spinning up fraudulent domains cheaply and anonymously. Here, NameCheap's default privacy, provided through an Iceland-based service, allowed the registrant to remain hidden initially.

Once Potter Signal discovered the scam, they had a few options to mitigate the domain’s threat:

  • Registrar Abuse Report: It is likely (though not stated in the WIPO decision) that Potter Signal contacted NameCheap's abuse department in late November or December 2024 to report the fraudulent use of potersignal.com. Registrars can suspend domains used for phishing, especially when given evidence such as the full headers of the phishing emails, but abuse handling varies by provider and takes time. An attacker who uses a domain for only a short window may have done the damage before even a prompt complaint is acted on. Whether NameCheap took any interim action is not recorded; the domain remained under the attacker's control until the WIPO proceeding locked it.
  • WIPO UDRP Complaint: Potter Signal filed a UDRP case (D2025-0611) as the legal route to take control of the domain. The UDRP addresses abusive registration of a domain that infringes a trademark, and its remedy is transfer (or cancellation) of the domain. One advantage is that once a complaint is filed and the registrar notified, the domain is locked: the attacker can no longer transfer it or change its registrant details (the lock does not, on its own, stop the domain from resolving or handling mail). On February 17, 2025, WIPO requested registrar verification and NameCheap disclosed the underlying registrant information and confirmed the lock. From that point the attacker, if still watching the domain's mailbox, would have known the domain was exposed. The downside of the UDRP is speed: the final decision came in April 2025. During that time the domain was effectively neutralized, by the lock and by the attacker's apparent abandonment of it, but the process is not instantaneous.
  • Law Enforcement: The case documentation does not mention a criminal investigation, but fraud of this sort, especially if money was lost, can involve law enforcement. Potter Signal or its affected customers may have reported the incident to agencies such as the FBI's Internet Crime Complaint Center (IC3). In BEC cases the FBI urges immediate reporting and early involvement of the banks so that transfers can be frozen (upguard.com). While the UDRP handled the domain recovery, law enforcement can pursue the financial trail and, if engaged quickly, can also work with registrars to suspend a domain without waiting for a UDRP decision. In practice, though, the urgency is usually on recovering funds rather than on the domain itself.

During the WIPO proceeding, NameCheap's role was to supply the factual data about the registration. The panel found that the respondent had no rights or legitimate interests in the domain, which merely traded on Potter's trademark in bad faith. The decision called the activity what it was, "an email phishing scheme", and noted that using a domain for such illegal activity is evidence of bad faith registration and use. The attacker's failure to defend the case further strengthened Potter Signal's position.

Once the transfer ordered in April 2025 is implemented (a registrar executes a UDRP transfer shortly after the decision unless the respondent begins court proceedings within the ten business days the Policy allows), Potter Signal gains control of the domain. It can then keep the domain to prevent re-registration by others, redirecting it to the real site or sinkholing stray emails that customers still send to it, or simply leave it parked. Whatever the choice, the recovered domain should be configured so that it can never be used to send mail again: publish an SPF record of "v=spf1 -all", a DMARC record with p=reject, and, if no mailbox is needed, a null MX record ("MX 0 .") so that mail to the domain is refused rather than silently accepted.

Prevention and Mitigation Strategies

This incident, while damaging, holds valuable lessons for preventing or mitigating similar attacks. IT professionals can consider the following defensive measures:

  • Register or Monitor Similar Domains: One proactive defense is to register the common typos and variants of your own domain, especially those that differ by a single character or a homoglyph. As Spoof Checker's security guidance notes, organizations can pre-empt BEC scammers by registering look-alike domains themselves; Potter Signal, for instance, might have registered potersignal.com (single "t"), pottersignals.com (extra "s") and similar variants so that attackers cannot obtain them. No one can buy every possible variant, but covering the most likely confusions is cheap and worthwhile, above all the obvious ones such as dropping one letter of a doubled pair. At minimum, companies should use a domain-monitoring service that alerts them when new domains resembling their brand are registered; early warning allows a faster response, such as asking the registrar or hosting provider to suspend a malicious domain before it is used.
  • Email Authentication and Policies: Implement strong email authentication on your own domains and encourage partners to do the same. With SPF and DKIM configured and a strict DMARC policy (p=quarantine or, better, p=reject), Potter can ensure that mail genuinely from pottersignal.com is authenticated and that direct spoofs of that exact domain are blocked or flagged. As noted above, DMARC does not stop an attacker sending from a different domain they own, but it removes the simpler threat of exact-domain spoofing and forces attackers onto look-alikes, which can be detected by other means. Some email security solutions, Spoof Checker among them, use DMARC and SPF results together with checks on the display name and Reply-To address to spot mismatches. For inbound protection, organizations can add filtering rules that flag any external email whose sender domain is one edit away from their own domain or from an important partner's. Many secure email gateways and cloud suites (Microsoft Defender for Office 365 and Proofpoint Email Protection, for example) include impersonation and BEC detection that analyzes sender address patterns; enabling and tuning these, by adding your own and key partner domains to their watchlists, lets emails from look-alike domains be quarantined automatically. In this case the rule could have been as simple as: "if the sender domain is potersignal.com (one "t") rather than pottersignal.com, mark as potential fraud."
  • User Education and Verification Procedures: Technology alone does not stop BEC, because these scams ultimately target human behaviour, so employees and customers must be trained to verify payment requests. The key practice is to verify any change in payment instructions through a second, independent channel: if an email asks for money to go to a new bank account, call the person or company on a phone number already on file, never one supplied in the email. Potter Signal can tell its clients that any request to redirect funds must be treated with caution and verified, and many companies now print disclaimers on invoices such as "We will never notify you of banking changes purely by email." Regular reminders to check the exact sender address could help a customer spot "potersignal.com" before paying, and security awareness training that includes BEC scenarios, such as fraudulent vendor-invoice exercises, reduces the likelihood that employees or clients fall for them. In this incident, a customer noticing the misspelled domain and alerting Potter early likely played a role in limiting the damage.
  • Secure Email Accounts and Communications: The "interception" implies that at least one mailbox, on the sending or the receiving side, was compromised. Requiring multi-factor authentication (MFA) on email accounts, especially for staff in finance, accounts receivable and accounts payable, makes such a compromise far harder, and partners should be encouraged to do the same. Had the attacker been unable to read real invoices (through a compromised account or another leak), they would not have known whom to target or when. Mailbox auditing matters too: alert on newly created forwarding or inbox rules, on logins from unfamiliar locations, and on consent granted to unknown mail applications, since these are the usual signs that an account is being read by someone else. Email encryption or secure portals for delivering invoices can also reduce exposure, although once an account is compromised encryption offers little protection. In short, basic hygiene (strong passwords, MFA, monitoring for suspicious login activity) can break the attack chain early by denying the attacker the inside information a convincing scam needs.
  • Incident Response and Recovery: Despite preventive measures, some BEC attacks will get through, so an incident response plan is essential. Potter Signal's UDRP filing was one response, aimed at the domain. Equally important is working with the banks as soon as fraud is discovered: if a customer has sent funds to the attacker's account, the bank's fraud department must be contacted immediately to attempt a recall of the wire, and the incident reported to the authorities. The FBI advises reporting BEC incidents within 24 to 48 hours for the best chance of recovering funds (upguard.com). This case study offers no evidence that money was lost, but had the scam succeeded those steps would have been critical. On the technical side, incident response should include collecting all forensic evidence (the emails with full headers, and mailbox audit logs showing who accessed which mailbox when), checking the affected mailboxes for rogue forwarding rules and the systems for malware in case the attacker's access came that way, and reviewing other look-alike domains to ensure this was an isolated incident.
  • Takedown and Legal Action: Services that assist with takedowns (security companies such as Spoof Checker, and some registrars that offer anti-phishing takedown support) can speed up the removal of malicious domains. Asserting trademark rights, as Potter did, is also a valid path: it recovers the domain and creates a legal record of the abuse. If the attacker can be identified, which is rare when they hide behind privacy services and foreign accounts, they may face legal consequences. An IT team will not usually handle the legal side, but it pays to coordinate with the organization's legal counsel whenever a trademark is involved in a fraud; a cease-and-desist letter or a UDRP complaint complements the technical mitigations.
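
To turn the "register or monitor similar domains" advice above into a concrete watchlist, the Python below enumerates the single-edit variants of a brand domain (dropped repeated letter, deletion, transposition, doubled letter, plural, common homoglyphs, hyphenation and TLD swaps) and labels each by category, so the cheapest defensive registrations can be prioritized and the rest handed to a monitoring service. It is an added example written for this page, not Spoof Checker's or any registrar's tooling; the homoglyph table and the TLD list are assumptions and should be extended for the scripts and TLDs relevant to your own brand.

```python
"""Added example (not from the original page): enumerate the look-alike variants
of a brand domain worth registering defensively or feeding to a monitoring
watchlist. The variant categories, the homoglyph table and the TLD list are
this example's assumptions, not a registrar's or vendor's list."""

HOMOGLYPHS = {   # assumed: common ASCII confusables, applied one at a time
    "o": ["0"], "l": ["1", "i"], "i": ["l", "1"], "e": ["3"], "a": ["4"],
    "s": ["5"], "g": ["q"], "rn": ["m"], "m": ["rn"], "vv": ["w"], "w": ["vv"],
}
TLD_SWAPS = ["com", "net", "org", "co", "cm", "us"]   # assumed


def lookalikes(domain):
    """Return {variant: category} for a second-level domain such as pottersignal.com."""
    domain = domain.lower()
    label, _, tld = domain.partition(".")
    out = {}

    def add(new_label, category, new_tld=tld):
        cand = f"{new_label}.{new_tld}"
        if cand != domain and cand not in out:   # first category to produce it wins
            out[cand] = category

    # 1. Single-character deletions. Dropping one of a doubled pair is the variant
    #    most easily missed at a glance (potter -> poter), so it gets its own label.
    for i in range(len(label)):
        doubled = (i > 0 and label[i] == label[i - 1]) or \
                  (i + 1 < len(label) and label[i] == label[i + 1])
        add(label[:i] + label[i + 1:], "repeated-letter-drop" if doubled else "deletion")
    # 2. Adjacent transpositions (pottesrignal).
    for i in range(len(label) - 1):
        add(label[:i] + label[i + 1] + label[i] + label[i + 2:], "transposition")
    # 3. Doubling a letter (potttersignal) and adding a trailing "s".
    for i in range(len(label)):
        add(label[:i] + label[i] + label[i:], "doubled-letter")
    add(label + "s", "pluralisation")
    # 4. Homoglyph substitutions at every position where the source string occurs.
    for src, repls in HOMOGLYPHS.items():
        pos = label.find(src)
        while pos != -1:
            for r in repls:
                add(label[:pos] + r + label[pos + len(src):], "homoglyph")
            pos = label.find(src, pos + 1)
    # 5. Hyphenation at each internal position (potter-signal).
    for i in range(1, len(label)):
        add(label[:i] + "-" + label[i:], "hyphenation")
    # 6. Same label under another TLD.
    for alt in TLD_SWAPS:
        add(label, "tld-swap", alt)
    return out


def watchlist_hit(sender_domain, brand_domain):
    """Category of the variant if sender_domain is a known look-alike, else None."""
    return lookalikes(brand_domain).get(sender_domain.lower())


if __name__ == "__main__":
    variants = lookalikes("pottersignal.com")
    print(len(variants), "variants to register or monitor")
    for category in ("repeated-letter-drop", "homoglyph", "tld-swap"):
        print(category, sorted(v for v, c in variants.items() if c == category)[:4])
    print(watchlist_hit("potersignal.com", "pottersignal.com"))   # repeated-letter-drop
```

The list grows roughly linearly with the label length (a few dozen candidates for a brand like this one), so registering everything is rarely necessary: the "repeated-letter-drop" and "homoglyph" categories are the ones that reproduce this incident and deserve registration, while the remainder can be checked periodically against new-registration feeds or used as the watchlist for an inbound mail rule.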

Conclusion

The potersignal.com incident serves as a stark reminder of how a single-character domain spoof can facilitate a highly convincing fraud. The attacker in this case demonstrated planning: registering a deceptive domain and timing their impersonation to coincide with real financial transactions. Technically, the scheme capitalized on the inherent trust in recognized names and domains – a trust that was undermined by a subtle typosquat. For the targeted company (Potter Electric Signal) and its customers, the incident could have resulted in significant financial loss and reputational damage had it not been detected when it was.

From the analysis, we see that traditional security filters might not catch such scams because the emails did not contain malware and came from a domain the attacker legitimately owned. This puts the onus on a combination of advanced email defenses, vigilant human scrutiny, and proactive measures like domain monitoring to catch anomalies. As the WIPO panel concluded, the domain was used in bad faith to mislead and defraud by impersonation. The swift action to investigate and reclaim the domain was crucial in shutting down the attack channel.

Moving forward, organizations should take stock of this case and evaluate their preparedness against BEC threats. The cost of registering a few extra domains or rolling out a new email security rule is trivial compared to the potential losses from a successful invoice fraud. Likewise, user awareness can be the difference between spotting a fraud or unknowingly complying with it. In the cat-and-mouse game of cybersecurity, typosquatting for BEC is a technique that is here to stay – but with layered defenses and informed stakeholders, incidents like potersignal.com can be identified and neutralized before damage is done.

Sources:

  • WIPO Arbitration and Mediation Center, Case No. D2025-0611, Potter Electric Signal Company, LLC v. BiBi Bill (wipo.int): domain registration date, misuse in the phishing scheme, and the UDRP decision to transfer the domain.
  • Security Boulevard, N. Panwar, "How Attackers use Typosquatting Domains for BEC and Ransomware Attacks" (securityboulevard.com): the use of look-alike domains in BEC scams, with an example scenario.
  • UpGuard, "What is Business Email Compromise and How to Prevent It" (upguard.com): prevention by registering similar domains, and SPF/DKIM/DMARC email authentication.
  • Proofpoint Threat Reference, "Business Email Compromise (BEC)" (proofpoint.com): impersonation via look-alike domains and the global impact of BEC fraud.