We got a letter recently, alerting us that our domain name is expiring soon. The letter, which looks a lot like an invoice, goes on to state we can renew our domain and add-on similar available domains for an additional fee. It includes our correct domain URL and our actual expiration date.
Except this letter isn’t from our domain provider. It’s from a company trying to get us to move our domain to them for several times what we pay our current provider. They aren’t really cybercriminals. It’s not even technically a scam if they do provide domain hosting services (though we do note, this only mentions how to give them money, and nothing about how to actually move your domain—which is a pretty complicated process). But it is deceptive marketing (at best).
It’s also not an unusual tactic. A quick search of the company’s name shows hundreds of results, including a Better Business Bureau page with an F rating. Many people have been tricked by a similar letter, only to find out from their actual domain provider that they didn’t actually renew anything.
So how did they get this information to begin with? It’s really easy to look up who owns a domain name and when it expires by doing a WHOIS lookup. WHOIS lookups show domain owners, including their contact information, along with information like the domain registrar, registration date, and expiration date.
Even though ICANN (the non-profit entity responsible for coordinating internet naming—basically they control URLs) explicitly says WHOIS lookups should not be used for marketing or spam purposes, less than scrupulous companies will use this information to try to get to get money from you. They’ll try to get you to move your domain to them or buy similar URLs by scaring you with expiration dates and messages about protecting your online reputation.
But there is something you can do to prevent these types of scams from coming to you. Most domain registrars (the companies like GoDaddy that you buy your URL from) offer privacy for an extra fee. These fees are typically pretty small (less than $10 a year). Adding privacy won’t hide your expiration date, but it will protect your contact information. This should drastically reduce your chances of getting these types of scams.
We also recommend turning on automatic renewal for your domain names if you haven’t already. That won’t prevent scams from coming to you, but it will prevent you from losing your domain because you forgot to renew it in time.
If you aren’t sure if you have domain privacy turned on, it’s pretty easy to find out – just do a WHOIS lookup on yourself. This will also show you who your domain registrar is, along with your expiration date.
Like many cybersecurity issues, taking a few extra seconds with a careful eye can prevent you from falling victim to a scam like this – but taking steps to prevent it from happening in the first place is even better.