Businesses need a strong online presence to stand out, and a domain name is crucial to developing a robust digital identity. Unfortunately, malicious actors prey upon the importance of domain names and attempt to trick businesses into paying for unnecessary, fake, or deceptive domain-related services. Understanding what these scams are and how they operate is the first step in safeguarding your digital identity.
Domain name scams can take many forms, from fake invoices to false registration promises. These scams often appear legitimate, making it difficult to distinguish between genuine service providers and fraudulent entities.
What Are Domain Name Scams?
Domain name scams are fairly simple. Sometimes, a malicious actor looking for an easy payday impersonates a legitimate domain registrar company in an effort to trick businesses into paying for unnecessary or fake services. Other times, they try to trick businesses into switching to new, expensive registration and hosting services.
Most domain name scams are designed to look authentic. They create a sense of urgency or authority to pressure users to act quickly before they have a chance to examine the message closely or ask questions. Small businesses can be especially vulnerable to domain name scams as they may not have a dedicated IT team.
Unfortunately, these scams can lead to financial loss and even domain name hijacking, which happens when an unauthorized user takes over your legitimate, registered domain.
Five Common Domain and Hosting Scams
Navigating the world of domain names and hosting can feel like a minefield. From fake invoices to phishing emails, domain name scams can result in unnecessary payments and stress for businesses.
Both the Internet Corporation for Assigned Names and Numbers (ICANN) and popular domain registrars (e.g., GoDaddy, Namecheap) regularly publish scam alerts to warn businesses about domain-related scams.
While not all-inclusive, these are some of the most common domain name scams that can impact your business.
1. Domain Registration Scams
Domain registration scams often involve misleading messages about your domain name registrations. Scammers send emails or make calls pretending to be a legitimate domain registrar company. They claim urgent action is needed to prevent losing your internet domain name and urge you to pay to renew it, often charging inflated prices or potentially transferring your domain to another provider.
Alternatively, these types of scam messages may include offers to purchase different types of domain names. For example, if you own www.acmeco.net, you may receive a fraudulent message to purchase the more popular www.acmeco.com. Another common example of this scam involves receiving a message that claims someone in China is trying to register your domain with a Chinese address (i.e., acmeco.net as acemeco.cn.). While the emails often sound legitimate, there is no real risk to your business.
2. Fake Invoices and Renewal Notices
Fake renewal notices can look very convincing, and advancements in generative AI have only helped scammers scale and refine their tactics. Scammers send these to trick domain owners into paying for services they never signed up for. These suspicious emails often contain detailed, realistic-looking invoices demanding a renewal fee. However, the provided payment details direct funds to scammers, not genuine domain registrars.
For example, the Domain Registry of America (DROA) is a common offender of these scams. DROA is known for sending official-looking “renewal” notices to domain owners, prompting them to transfer their domains under the guise of renewal. In 2004, the Federal Trade Commission (FTC) took action against DROA’s misleading marketing practices, although warnings about DROA persisted well into 2023.
Fake renewal notices can also be used to trick victims into transferring their legitimate domain to a registrar controlled by a malicious actor. Once hijacked, the attacker can control the domain, redirecting traffic, impersonating the business, stealing emails, or even selling the domain to a third party.
3. Fake Invoices and Direct Mail Scams
Direct mail letters and invoice scams are another trick in the scammer’s toolkit. Here, scammers send bogus letters warning domain owners about expired or about-to-expire domain names. These letters resemble official requests from legitimate companies, urging immediate action. Often, they suggest transferring the domain to another registrar at a high fee. Unsurprisingly, DROA is a common perpetrator of this scam, and it’s closely related to fake renewal notices.
It’s crucial to know your current domain registrar company and never respond hastily to these unsolicited letters.
4. Search Engine or Directory Submission Scams
Every business wants its website to rank well on search engine results. That’s exactly what makes this scam so enticing. Malicious actors send emails promising to “submit your site to 500 search engines” or include your domain in a global directory. In reality, this either does nothing or charges you for services that don’t benefit your site.
At one point, search engines did accept manual submissions for websites, however, today’s major search engines like Google and Bing automatically index websites without the need for such services. In 2012, known SEO-experts published articles on search engine submissions being “officially a scam,” and the National Consumers League’s Fraud Center also issued warnings about business direct listings scams.
Domain Appraisal Scams
Domain appraisal scams involve false promises of high-value domain appraisals. Scammers pose as potential buyers, offering to buy your domain, but first requiring an expensive appraisal. They recommend specific “partner” appraisal services, which are fraudulent. You pay the appraisal fee, and the buyer mysteriously disappears. Genuine buyers won’t insist on a particular appraisal service, nor will they charge fees. If approached, research the buyer and never pay for unnecessary services. Always verify the authenticity of appraisal requests with trusted domain registry services before proceeding.
In 2020, malicious actors took advantage of changes GoDaddy made to its domain contract process, sending messages to domain owners, expressing interest in purchasing their domains and requesting appraisals from specific services. Once the appraisal fee was paid, the scammers ceased communication.
How to Protect Your Business from Domain Name Scams
Preventing domain name scams necessitates that domain owners remain attentive, implement strong security practices, and have a clear understanding of both how domain registration and domain name scams work. Whether you’re managing a single domain or an entire portfolio, here are key steps you can take to protect your business:
Register with Trusted Domain Registrars
Choose a reputable, ICANN-accredited domain registrar to handle your domain name registrations. Research their reviews and reputation. Avoid unknown providers with poor reviews or suspicious marketing tactics, especially those that convey urgency or offer unusually low prices.
Monitor Renewal Notices Carefully
Beware of unsolicited emails and suspicious emails concerning domain name renewal scams. Always verify the sender before taking any action. When in doubt, log into your domain registrar account directly and, as with any suspicious email, never click links—especially those that prompt you to enter your username and password.
Enable Domain Locking
Use domain locking services offered by your registrar to prevent unauthorized transfers or domain hijacking.
Use Multi-Factor Authentication (MFA)
As a best practice, all critical accounts should have MFA enabled, which helps reduce the risk of account compromise. This way, even if your password is stolen (or accidentally input in a fraudulent domain registration login), malicious actors are less likely to gain access to your account without the second form of verification.
Use the WHOIS
Regularly review your domain’s WHOIS information for accuracy. Consider using WHOIS privacy protection to hide your contact info from public databases, reducing the chances of being targeted by scammers mining these directories. If you’re looking to purchase a new domain name, you can leverage the WHOIS search in No-IP to verify if the domain is available or not.
Protect Your Trademark
If your business has a registered trademark, it’s a smart move to secure related domain names (.com, .net, .org, etc). This helps prevent malicious actors from registering domains that could confuse customers or be used to perpetrate other fraudulent activities.
Defend Your Domain with DNS Made Easy
From domain spoofing and hijacking to subdomain takeovers, DNS-based attacks can put your brand, users, and your bottom line at risk. DNS Made Easy helps your business stay ahead of DNS-based scams and attacks with lightning-fast resolution, built-in security controls, and global propagation in sections.
Ready to strengthen your DNS strategy? Contact us and take the first steps to securing your online presence.