Domain registration scams are common since most people own at least one domain. They take advantage of a user’s naivety and urgency of renewing a domain name. As most of us know, if you don’t get your domain renewed in time, the registrar seizes it and you lose your investment. Unfortunately, many scammers use phishing emails to persuade unsuspecting victims into sending money or giving up their domain registrar account credentials so that the attacker can steal the domain name. In other instances, the scammers just want to trick you into giving them money through bunk SEO promises or investments.
I’m going to show you an example of a standard registrar phishing and scamming email I received in my own inbox.
What Does Domain Phishing Email Content Look Like?
First, let’s take a look at the email content and then we’ll show you the red flags to detect the scam. We’ve removed the hotlink to the phishing site, but the rest of it is intact:
Attention: Important Notice , DOMAIN SERVICE NOTICE
Domain Name: noobsecurity.com
ATT: Jennfier xxx
Response Requested By
1 – Marc. – 2017
PART I: REVIEW NOTICE
Attn: Jennfier xxx
As a courtesy to domain name holders, we are sending you this notification for your business Domain name search engine registration. This letter is to inform you that it’s time to send in your registration. Failure to complete your Domain name search engine registration by the expiration date may result in cancellation of this offer making it difficult for your customers to locate you on the web. Privatization allows the consumer a choice when registering. Search engine registration includes domain name search engine submission. Do not discard, this notice is not an invoice it is a courtesy reminder to register your domain name search engine listing so your customers can locate you on the web. This Notice for: noobsecurity.com will expire at 11:59PM EST, 1 – Marc. – 2017 Act now!
Payment by Credit/Debit Card
Select the term using the link above by 1 – Marc. – 2017
This arrived in my spam inbox. There were three of them in a row. The fact that this went to my spam box is the first red flag. I have Gmail, and Google filters phishing emails pretty well. However, you could be unfortunate and have one of these emails pass through your email filters and go directly to your inbox.
What are the Red Flags?
Now, let’s take a look at what the email looks like in my Gmail account.
The first red flag is the “From” email address. The example shows “safemail.info,” which is definitely not a registrar but a site that lets you resell domains. If you receive an email like this, the first thing to ask is: “Is this my registrar’s domain?” You should know your registrar’s domain. Other phishing attackers use free email domains such as Gmail or Yahoo, and others use hacked personal accounts. Always check the sender’s email address first to confirm that it comes from the registrar’s domain.
Note: this is not a 100% foolproof method as the “From” address in an email can be forged. Many email vendors such as Gmail detect forged addresses and automatically send them to your spam box, but in many cases the sender does not forge the “From” address specifically to avoid these filters. They prefer to use hacked addresses or legitimate domains to trick email filters into allowing the phish to pass through to your direct inbox.
Some companies use marketing email web applications, so it is possible to receive emails from a third-party address, but for official account and payment emails, most companies stick to sending from their official domain. If you are still unsure, registrars have a fraud and security department. Forward the email to them and ask whether it’s legitimate or a phish.
The next red flag is how the recipient’s name is formatted. First, they spelled my name wrong. The next flag is the way the date is formatted. Since I live in the US, this is not a common format. Again, this isn’t 100% foolproof, but it should make you suspicious.
Second, the English is very poor. You don’t have to be a whiz at spelling and grammar to pick up on the errors.
The final red flag, and the one that should convince you never to fall for this scam email, is the links. In this example, the links are in the “Select Package” hyperlink and in one of the blacked-out links.
We’ve removed the phishing URL, but it links to a page that is not a registrar and doesn’t match the sender email address domain. You can see the domain within the link by hovering your mouse over the URL. In this instance, the scam sends you to an SEO page that tricks you into paying for fraudulent SEO services. The following image is the landing page for the link.
Notice that the page has nothing to do with re-registering a domain name. This email is trying to get you to buy SEO services that will likely get your site penalized by any major search engine. However, some scammers use a page that looks like a registrar page to trick you into sending them money. They could also send you to a page that asks for the login credentials to your registrar account. If an attacker gets your registrar credentials, they can then forward your domain to a third-party site or even transfer ownership of the domain to themselves, essentially stealing your business.
What You Can Do to Avoid These Scams
So how do you identify a scam domain email from a legitimate notice that your domain is about to expire?
Here’s a recap of what to check when you receive a domain renewal notice:
- Is the “From” address using the official registrar domain?
- Are the links in the email pointing to your registrar? What is your domain’s registrar? You can check your registrar information by going to Domain Tools and typing your domain name into the text box. You will find the registrar information in the “Registration Service Provider” section.
- Is the English poor? Do they even spell your information correctly? Legitimate English-language registrars send professional emails whose content has been proofread and edited.
- Do they address you by name? In this example, they had my name misspelled, but many phishing emails are sent blindly without even having the recipient’s name. Your registrar will likely address you by name and repeat private information back to you. They will also link you to their own website so that you can log in directly and not through a third-party site.
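As an added example (not part of the original post), here is a small Python script that applies the checklist above to a constructed message modelled on the scam quoted earlier. The registrar domain, sender domain and link host are placeholders, not real addresses.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample modelled on the scam text quoted above; the sender
# domain and link host are placeholders, not real sites.
SAMPLE_EMAIL = """\
From: Domain Service <notice@safemail.example>
To: jennifer@noobsecurity.com
Subject: Attention: Important Notice , DOMAIN SERVICE NOTICE
Content-Type: text/html

<p>ATT: Jennfier xxx</p>
<p>Response Requested By 1 - Marc. - 2017</p>
<p><a href="http://seo-offer.example/select">Select Package</a></p>
"""


def red_flags(raw_email, registrar_domain, expected_name):
    """Return a list of red-flag descriptions for a domain renewal notice."""
    msg = message_from_string(raw_email)
    registrar_domain = registrar_domain.lower()
    flags = []

    # 1. The "From" address should be on the registrar's own domain.
    _, sender = parseaddr(msg.get("From", ""))
    sender_domain = sender.rpartition("@")[2].lower()
    if sender_domain != registrar_domain:
        flags.append(f"sender domain {sender_domain!r} is not {registrar_domain!r}")

    body = msg.get_payload(decode=True).decode("utf-8", "replace")

    # 2. Every link should point at the registrar, not a third-party site.
    for href in re.findall(r'href="([^"]+)"', body):
        host = (urlparse(href).hostname or "").lower()
        if host != registrar_domain and not host.endswith("." + registrar_domain):
            flags.append(f"link to {host!r} does not match registrar")

    # 3. Recipient name misspelled or missing entirely (blind mailing).
    if expected_name.lower() not in body.lower():
        flags.append(f"expected recipient name {expected_name!r} not found")

    # 4. Oddly formatted date such as "1 - Marc. - 2017".
    if re.search(r"\b\d{1,2}\s*[-–]\s*[A-Za-z]{3,4}\.?\s*[-–]\s*\d{4}\b", body):
        flags.append("date uses an unusual 'day - Mon. - year' format")

    return flags
```

Calling `red_flags(SAMPLE_EMAIL, "registrar.example", "Jennifer")` reports all four warning signs; a notice sent from the registrar's own domain, linking only to that domain, and addressing you by your correctly spelled name produces an empty list.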
Instead of clicking links within these emails, it’s better to type the registrar domain directly into your browser and log in. You will then see if your domain is truly expiring and you need to renew it.
A good way to keep domains renewed is to use the registrar’s auto-renew system and link it to a PayPal account that is then linked to a bank account and credit card. You can also renew directly on your debit or credit card, but when they expire you must update the registrar system to avoid losing your domain.
If you are still unsure and apprehensive, log into your registrar directly or forward the email to their customer service or security department to ask them if it is a legitimate notice.