This morning I received an emailed form submission through one of my websites. The message said that I was going to lose my domain name (my .com) if I did not click the link and complete my online payment. Of course, I knew better. This is a relatively new domain and I knew that it isn’t even close to expiring. In addition, the company messaging me was not my domain registrar. I knew right away that this was a scam.
Here’s how the scam works:
- You get the message that you are going to lose your domain.
- You panic, click the link, and are led to a legitimate-looking page to “renew” your domain, so you pay.
- This company then transfers your domain name away from your initial registrar and over to their services. The prices are usually higher than reputable domain registration companies AND now your personal information is in the hands of a disreputable company.
I see how people can fall for these kinds of scams. The company seems legit. The message references the actual name of the domain. You may not even remember who you registered your domain with and how long ago that was. Here are some tips to keep you from getting scammed this way.
- Don’t click shady links in emails. I repeat: DO NOT CLICK SHADY LINKS. By now you should know how phishing scams work. Scammers will do anything to try and get your information. I know you’ve received messages that looked like they were from PayPal saying that your account is being canceled unless you click this link. Usually, the message is riddled with spelling errors and the links in it will not go to paypal.com. If you click the link, the page will ask you to verify your password. Then the scammers have your login info. If you get an email like this (and they purport to come from various places: PayPal, your bank, the IRS, etc.), DO NOT click the link. If you want to verify, type the PayPal website address in yourself and sign in to your account to see if you have a notice from them there.
- This one is simple. Take note of when you register your domain, for how long, and with what company. Ignore any domain renewal notices from anyone but this company.
- Only register with a reputable company. There are a TON of domain registrars in business. If they aren’t a company you already know, do some research first.
- Enable “domain locking” through your registrar. This will require you to approve any domain transfers, so no company will be able to do this without you being aware. (This doesn’t keep them from gaining your personal information, but it does keep them from shadily transferring your domain to their company.)
- Pay a few extra dollars to get domain privacy with your registrar. This prevents people/companies from doing a WHOIS lookup to determine who owns the domain, because your information will be obscured in the WHOIS system. WHOIS lookups are how a good number of them get contact information for domain owners. This wouldn’t have stopped them from contacting me because they (or their bot, most likely) filled out a form on my website.
- Use a contact form and reCAPTCHA on your website. This was where my issue came from. I hadn’t implemented reCAPTCHA on this new site yet, but I have now.
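As an added example (not part of the original post), the registrar, expiry, link and domain-lock tips above can be turned into a check of a renewal notice against the domain's public RDAP registration record. The record, the registrar site, the sender names and the 90-day window are constructed assumptions.

```python
from datetime import datetime
from urllib.parse import urlsplit

# Constructed RDAP-style record (RFC 9083 layout); every value is made up.
SAMPLE_RDAP = {
    "ldhName": "example-shop.com",
    "status": ["client transfer prohibited"],
    "events": [
        {"eventAction": "registration", "eventDate": "2024-01-10T09:00:00Z"},
        {"eventAction": "expiration", "eventDate": "2026-01-10T09:00:00Z"},
    ],
    "entities": [{
        "roles": ["registrar"],
        "vcardArray": ["vcard", [["version", {}, "text", "4.0"],
                                 ["fn", {}, "text", "Example Registrar LLC"]]],
    }],
}

def registrar_name(rdap):
    """Return the registrar's name from the record's registrar entity, if any."""
    for ent in rdap.get("entities", []):
        if "registrar" in ent.get("roles", []):
            for prop in ent.get("vcardArray", ["vcard", []])[1]:
                if prop[0] == "fn":
                    return prop[3]
    return None

def expiration(rdap):
    """Return the expiration event as a timezone-aware datetime, if present."""
    for ev in rdap.get("events", []):
        if ev.get("eventAction") == "expiration":
            return datetime.fromisoformat(ev["eventDate"].replace("Z", "+00:00"))
    return None

def check_notice(rdap, registrar_site, notice_sender, notice_link, now, window_days=90):
    """List the reasons a renewal notice disagrees with the registration record."""
    findings = []
    reg = registrar_name(rdap)
    if reg is None or notice_sender.strip().lower() != reg.lower():
        findings.append("sender is not the registrar of record")
    host, site = (urlsplit(notice_link).hostname or "").lower(), registrar_site.lower()
    if host != site and not host.endswith("." + site):
        findings.append("link does not go to the registrar's site")
    exp = expiration(rdap)
    if exp is not None and (exp - now).days > window_days:  # window is an assumption
        findings.append("domain is not close to expiring")
    if "client transfer prohibited" not in rdap.get("status", []):
        findings.append("domain lock is off; transfers are not blocked")
    return findings
```

An empty list means the notice matches the record; it is still safer to type the registrar's address yourself than to follow the link.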
If you have fallen victim to one of these scams, contact your original domain registrar and see how you can get your domain returned to their control. This may take some time because if your domain has been transferred, you have to wait 60 days before you can transfer it again.
Be safe out there on the interwebs!