Domain Owner Alert: Whois verification phishing scams have already begun

New RAA requirement to verify your contact information is great news to scammers.

Effective January 1, any domain name registrar that has signed on to the 2013 Registrar Accreditation Agreement (that includes all of the big registrars) must verify certain aspects of whois contact information.

The registrars must verify this by phone or email. Email will be the most popular method because it’s cheaper.

Law enforcement agencies asked for this as a way to reduce bogus contact information in the whois database. Apparently they’re oblivious to the fact that anyone trying to undertake a scam can easily get a throwaway phone number or email address.

Many predicted this new requirement would lead to a new phishing opportunity, whereby scammers would send phishing email to registrants about verifying their contact information.

Well, that took all of a few days.

One such email, purporting to be from GoDaddy, is already making the rounds.

The important thing to note here is that you should not ignore all emails from your registrar about verifying your whois information. Instead, you should carefully review them and take action on legitimate ones.

Failure to respond could result in your domain name being suspended. If your domain name is registered with eNom and you change your name or email address, the registrar will send an email to you. You have to click on a link in that email within 15 days or your domain will be suspended!

With this in mind, here are some best practices to consider. Hopefully domain name registrars are keeping this in mind with their policies:

1. Ideally, the email provides a code that you copy-and-paste once you’re logged in to your registrar account, rather than including a link in the email to click to verify.

2. If there is a click-to-verify link, it should not then require you to log in to your account. If it does, it’s likely a phishing scam. (You can argue that a click-to-verify link is better than a copy-and-paste code, since it doesn’t require you to log in. However, I think click-to-verify as a standard will enable more phishing scams.)

3. In general, registrars will not ask you to verify existing contact information provided for domains registered prior to December 31.

4. Opt-in to two factor authentication if your registrar offers it. (If they don’t, find one that does.) Even if a phisher gets your login credentials, they won’t be able to bypass the two factor authentication.


  1. says

    Surely it’s no accident that this phishing scam targeted GoDaddy customers over the weekend when registrar staff is likely to be out of the office. I’m referring not just to GoDaddy but to the smaller registrar at which was registered earlier this morning. The extra time lag in inter-registrar communication will probably allow the phishing scam to run its course with less chance of early intervention.

    Coming from a background where rehearsing apocalypse scenarios was a daily routine monitored with stop watches and clipboards, I’m curious how long it takes 2 registrars — from start to finish — to redirect the name servers of a phishing-related domain so that people stop revealing their passwords.

    Anybody care to estimate the duration between my phone call to GoDaddy and the moment goes dark?

    My intention here isn’t to embarrass GoDaddy, since I’m a loyal customer and respect what they do. I’m simply curious how long it takes our industry to put out a fire once the fire is visible.

  2. says

    Phishing scams succeed by emulating legitimate requests, in this case, that of the confirmation of one’s registration email.

    GoDaddy is the biggest domain registrar in terms of absolute numbers; 99% of its users have limited know-how or willingness to be on “alert” of concurrent scams.

    Clearly, the ICANN requirement for contact verification did not account for the introduction of such scams. There were plenty of domain thefts due to phishing scams, and with such a measure they will increase exponentially.

    • James says

      @Arco: In face, we warned ICANN of this specific threat (phishing and potential uptick of hijacking) during RAA negotiations. They were unpersuaded.

  3. Tim Ruiz (personal opinion) says

    @Andrew, why is it the registrars’ entire responsibility. Of course, we will act as quickly as we can after some minimum due dilligence. But the registry itself is often forgotten. In my own personal opinion, the registry may be the better choice for processes and policies to more quickly deal with many of these issues. And either way, if there were clear and solid safe harbors for both, even faster response could be taken with due dilligence following and reversal if necessary. Certainly there are other nuances to consider, but food for thought.

  4. says

    The good news: the legitimate email from GoDaddy requires no login.

    The bad news: the legitimate email from GoDaddy requires no login.

    As I said previously, when user interaction is required, the user loses.

      • says

        Unfortunately, while for you and I – and others deeply immersed in this business – this is discernible, for millions of others it won’t make any difference. It’s impossible to tell apart two systems, one real and one fake, when you aren’t aware of the existence of the fake one. That’s the psychology behind phishing, it’s a transparent injection in a process.

  5. Robbie says

    I like how fast these companies can take down these sites, but do nothing when it comes to stolen domains ho hum…

  6. MAGOOgle says

    Phishing will not be a problem for me. I actually study the scams I get in emails. I look at the entire header and view them in plain text.

    What bothers me is the idea of having a domain suspended if I do not reply in 15 days as I may be where no data is available for weeks at a time.
    So what now, I’ll loose my domain, have my sites go down ?

    Must be more to this than we are being told. I think the requirement is just trying to nail down Trade Mark squatters.

    It does not seem to be well thought out.

    And No legit co., most especially a web based company should send a email out containing a weblink requirement from a email that I did not generate at the site. Have we not learned from the bank phishing.

    • John Berryhill says

      Yes, anyone who knows you may be unavailable for 15 days may file a Whois data problem report, and you will lose your domain.

Leave a Reply