You wouldn't believe how often I get asked if some sketchy-looking domain notice is legit. As someone who works closely with clients on their websites, I've seen all kinds of scams, and domain name scams are some of the most common traps people fall into. It's like clockwork – every week, someone forwards me an email or shows me a letter asking if they really need to pay up to keep their domain safe. Spoiler alert: they usually don’t.
Domains aren’t just digital real estate; they’re valuable assets. Scammers know this and are constantly cooking up new ways to trick people into handing over money or, worse, control of their domain. Whether it’s a fake renewal notice or a phishing email pretending to be from your registrar, these scams can do real damage to your brand and your business.
So, let’s dive into some of the most common domain name scams I’ve encountered and, more importantly, how you can avoid falling for them. Trust me, a little knowledge goes a long way in keeping your domain secure.
The Most Common Domain Name Scams
Domain Expiration Scams
It should come as no surprise that one of the most common domain scams relies on outright lying. Scammers will send fake domain expiration notices to companies or individuals in order to cause some sort of panic or reaction. Really, though, they’re just telling a fabricated story so that you’ll be incentivized to pay their exorbitant fee to secure your domain.
Some of the notices these scammers come up with can look extremely professional and official, sometimes even copying designs, branding, or logos of legitimate domain registrars.
Domain Registration Scams
Domain registration scams are a little more complicated. They’re ultimately based on getting you to believe you have to pay a fee that doesn’t exist. Sometimes a scammer will say you need to pay to reach certain regions with expensive extensions only they can provide. So while they deceive you into thinking you’re helping your brand, you’re just needlessly emptying your wallet.
Just like the expiration notices, any domain registration scam emails or contacts are going to look official. These scammers aren’t the sharpest tools in the shed, but they are devious, and they’ll use any logo or language to get you to buy in.
Fake Invoices and Renewal Notices
The goal is to scam you out of money, and nothing does that better than a fake invoice or renewal notice. Everyone hates being late on a bill. Scammers exploit that anxiety by pestering you with threats or negative language just to get you to pay it.
For larger companies that don’t pay attention to every invoice, this is a huge and growing problem. These scammers know what those invoices and notices look like. They’ll use every tactic they can to get businesses both large and small to pay as quickly as possible.
Direct Mail Letter Scams
Direct mail is when things get physical. No, not with violence or threats, but this is where domain owners get scams in their actual mailboxes. Just like the above, the letters claim you’re behind on payments or renewals so they can score a quick buck. They’ll be written with threatening language, they’ll have official branding, and they’ll be convincing to the average person.
Most people tend to give more credence to physical mail than random emails. Impersonation scams are the most common form of direct mail fraud. So no matter how convincing the materials are, don’t always believe everything you get in the mail.
Phishing Scams
Phishing scams are as nefarious as it gets. Instead of pretending to be a random company or solicitor, scammers send emails claiming to be your actual domain registrar. More people will fall for a scam if they think they’re getting a bill directly from GoDaddy, DreamHost, or any other domain registrar. Unfortunately, the consequences of phishing could be much worse than a fraudulent payment.
That email won’t ask you to pay a bill; it’ll have you click a link. The link leads to a convincing login page that isn’t your registrar’s, and once you sign in there, you will have given a scammer your login credentials. Then, they could use that info to hijack your domain. Getting that domain back isn’t an easy fix. It could require courts and legal action that could leave you paying all those legal fees without getting your domain back.
Domain Hijacking
So let’s say you fell prey to the phishing scam and now a scammer has your login credentials. Unfortunately, that will likely lead to domain hijacking. That’s when a scammer gains unauthorized access to your domain accounts and transfers the ownership to themselves. Don’t think this is a rare occurrence, either. Over 3,000 different domains are hijacked every week and that number will only continue to grow unless domain owners stay vigilant.
If you know your registrar has weak or exploitable security, you may want to consider another one, even if domain transfers are difficult. That process is much less difficult than having to recover a hijacked domain.
How To Fight Domain Name Scams
Now that you’ve read about the dangers, it’s time to talk about the solutions. While most of you might think you’re smart enough to avoid all of the above scams, it’s not that simple.
The sophistication of these kinds of fraud is only going to grow. You might get an email or piece of mail that looks identical to one your actual registrar would send. So instead of assuming you’ll be able to sniff out any suspicious emails, here are some easy ways you can fight domain name scams.
Verify Authenticity
First of all, you need to verify every piece of contact you receive. That’s not limited to your domain registrar, either; you should already be doing that with any sensitive information. The banner or email might appear to be from Bluehost, but when you look at the actual email address, you see a bunch of random numbers and letters.
Ensure that you’re receiving emails from the verified accounts and website. Spend a second or two analyzing the email address or content before clicking any links. Every major company will have a way of verifying your email or communication info, so make sure you’re paying as close attention to your email as they are.
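To make the display-name check above concrete, here is an added example (not the author's code) that compares the brand a message claims in its From display name with the domain it was actually sent from. The `TRUSTED` allowlist and both sample messages are assumptions constructed for illustration; fill the allowlist with sending domains you have confirmed from your own registrar account.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumption: sending domains you have confirmed from your own registrar account.
TRUSTED = {"bluehost": {"bluehost.com"}}

# Constructed sample messages; only the headers matter here.
SPOOFED = """\
From: "Bluehost Billing" <x8k2q91@bluehost.com.renew-notice.example>
Reply-To: payments@pay-now.example
Subject: FINAL NOTICE: your domain expires today

Pay now.
"""
GENUINE = """\
From: "Bluehost" <support@e.bluehost.com>
Subject: Your receipt

Thanks.
"""

def domain_of(address):
    """Lower-cased domain part of an email address, or '' if there is none."""
    return address.rsplit("@", 1)[1].lower() if "@" in address else ""

def is_trusted(domain, allowed):
    """Exact match or a true subdomain; 'brand.com.evil.example' does not pass."""
    return any(domain == d or domain.endswith("." + d) for d in allowed)

def check_notice(raw_message):
    """Return a list of reasons to distrust the message (empty list = none found)."""
    msg = message_from_string(raw_message)
    display, address = parseaddr(msg.get("From", ""))
    sender = domain_of(address)
    findings = []
    for brand, allowed in TRUSTED.items():
        if brand in display.lower() and not is_trusted(sender, allowed):
            findings.append(f"display name claims {brand}, address is @{sender}")
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    if reply_to and domain_of(reply_to) != sender:
        findings.append(f"replies go to @{domain_of(reply_to)}, not @{sender}")
    return findings

if __name__ == "__main__":
    for name, raw in (("spoofed", SPOOFED), ("genuine", GENUINE)):
        print(name, check_notice(raw) or "no findings")
```

An empty result only means these two checks found nothing; a From header can itself be forged, so treat it as one signal alongside logging in to your registrar directly rather than through the link.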
Enable Domain Locking
Don’t forget to enable domain locking!
Oh, and for those wondering what domain locking is: it’s a way of guaranteeing that only authorized users can make domain account changes. Just like when someone freezes their credit, this process ensures that no one other than specifically authorized users can transfer or change the domain account.
Most domain registrars have some form of domain locking service and typically have it on by default, but make sure you’re actively using this extra layer of security.
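Both the lock described here and the expiration claims covered under Domain Expiration Scams can be checked against the domain's public registration record. The following is an added example, not the author's code: it reads a constructed RDAP response (RDAP is the JSON successor to WHOIS), where a registrar lock appears as the status `client transfer prohibited`. The sample record, the names in it, the substring match on the registrar name, and the 7-day tolerance are all assumptions.

```python
import json
from datetime import date, datetime

# Constructed RDAP domain response (RFC 9083 shape), trimmed to the fields used.
SAMPLE_RDAP = json.loads("""
{"ldhName": "example.com",
 "status": ["client transfer prohibited"],
 "events": [{"eventAction": "expiration", "eventDate": "2026-03-01T00:00:00Z"}],
 "entities": [{"roles": ["registrar"],
               "vcardArray": ["vcard", [["version", {}, "text", "4.0"],
                                        ["fn", {}, "text", "Example Registrar, Inc."]]]}]}
""")

def registrar_of_record(rdap):
    """Name of the entity carrying the 'registrar' role, or None."""
    for entity in rdap.get("entities", []):
        if "registrar" in entity.get("roles", []):
            for prop in entity.get("vcardArray", ["vcard", []])[1]:
                if prop[0] == "fn":
                    return prop[3]
    return None

def expiration_date(rdap):
    """Expiration date from the record's events, or None if absent."""
    for event in rdap.get("events", []):
        if event.get("eventAction") == "expiration":
            stamp = event["eventDate"].replace("Z", "+00:00")
            return datetime.fromisoformat(stamp).date()
    return None

def review_notice(rdap, claimed_sender, claimed_expiry, tolerance_days=7):
    """Compare what a renewal notice claims with the registration record."""
    findings = []
    if "client transfer prohibited" not in rdap.get("status", []):
        findings.append("transfer lock is not set")
    registrar = registrar_of_record(rdap)
    # Assumption: a simple case-insensitive substring match on the name.
    if registrar is None or claimed_sender.lower() not in registrar.lower():
        findings.append(f"{claimed_sender!r} is not the registrar of record ({registrar})")
    actual = expiration_date(rdap)
    if actual and abs((actual - claimed_expiry).days) > tolerance_days:
        findings.append(f"notice says {claimed_expiry}, record says {actual}")
    return findings

if __name__ == "__main__":
    for finding in review_notice(SAMPLE_RDAP, "Domain Renewal Services", date(2025, 6, 15)):
        print("WARNING:", finding)
```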
Use WHOIS Privacy Protection
As I already mentioned, a domain name is a kind of property. It’s a permanent listing that includes a permanent record. If you’ve ever owned one, your name is on different lists as its owner. That list includes WHOIS, a public database that anyone can access. That database includes a list of domains, who they’re registered to, and any other personal information attached to it. That could include phone numbers, names, and addresses.
Don’t worry though, your domain registrar likely has a service for this too. Unfortunately, while registrars like GoDaddy charge a service fee, alternatives like Porkbun offer to remove your private information from WHOIS for the cheap price of free.
Stay Informed!
So by reading this article, you’re already giving yourself a wealth of knowledge about domain name scams and how to avoid them. However, this is not the end of domain name scams. There will be new scams created every year and the only way to stay ahead of the game is to stay informed. Keeping you and your team informed about the latest scams is the simplest way to spot them. The Federal Trade Commission has an entire page dedicated to identifying and avoiding the latest scams so there’s no excuse for being ignorant.
Knowledge and education are the greatest tools we have against scams. Make yourself aware of scammer tactics and they’ll be that much easier to spot.
Educate Your Team
So right after educating yourself on this subject, you need to start educating your team. Unless you're a small business with a staff of one, your team likely has its own set of responsibilities that could include domain account access. When you regularly schedule new training sessions with updated reading material, like the FTC's, you add the most robust layer of security possible.
Your team should also have a protocol and process for suspicious activity. Make sure they’re not just deleting odd emails. If they encounter a potential scam, they need to report it to ensure no one becomes a victim of that same scam.
Report Domain Name Scams When You Encounter Them!
The most important detail is to avoid staying quiet. Don’t keep suspicious activity or emails to yourself, especially when they’re impersonating your registrar or another online company. You might not have the resources to track down those scammers, but the company they’re pretending to be certainly might. This will help identify scammers and track their activity which could lead to fewer scams in the future.
The FTC, your domain registrar, even your web host - every one of these entities wants to hear about the scams you receive. We want watchdogs like the FTC to protect us from scams, and the only way to do that is to help them identify what to watch out for.