Domain Owner Alert: Whois verification phishing scams have already begun
The new RAA requirement to verify your contact information is great news for scammers.
Effective January 1, any domain name registrar that has signed on to the 2013 Registrar Accreditation Agreement (that includes all of the big registrars) must verify certain aspects of whois contact information.
The registrars must verify this by phone or email. Email will likely be the most popular method because it is cheaper.
Law enforcement agencies asked for this as a way to reduce bogus contact information in the whois database. Apparently they’re oblivious to the fact that anyone trying to undertake a scam can easily get a throwaway phone number or email address.
Many predicted this new requirement would lead to a new phishing opportunity, whereby scammers would send phishing email to registrants about verifying their contact information.
Well, that took all of a few days.
One such email, purporting to be from GoDaddy, is already making the rounds.
The important point is that you cannot simply ignore every email from your registrar about verifying your whois information: some of them are genuine. Instead, review each one carefully and act on the legitimate ones.
Failing to respond to a genuine request can get your domain name suspended. For example, if your domain name is registered with eNom and you change your name or email address, eNom sends you an email containing a verification link. If you do not click that link within 15 days, your domain is suspended!
With this in mind, here are some best practices to consider, which registrars would also do well to bear in mind when designing their verification policies:
1. Ideally, the email provides a code that you copy and paste after logging in to your registrar account on your own, rather than a link in the email that you click to verify.
2. If there is a click-to-verify link, it should not then require you to log in to your account. If it does, it is likely a phishing scam. (You can argue that a click-to-verify link is better than a copy-and-paste code, since it does not require you to log in. However, I think click-to-verify as a standard will enable more phishing scams.)
3. In general, registrars will not ask you to verify existing contact information for domains registered prior to December 31, so an unsolicited request to verify unchanged, long-standing contact details is itself a warning sign.
4. Opt in to two-factor authentication if your registrar offers it. (If they don't, find one that does.) Even if a phisher captures your login credentials, they still cannot get into your account without the second factor.
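As an added example (not code from the original post, and not a registrar's tool), here is a small Python script that applies points 2 and 3 above mechanically: it parses a verification email, pulls out every link, and flags any link whose host is not actually under the registrar's domain, plus any link that lands on a login page. The registrar domain (godaddy.com) and the sample message are assumptions constructed for the example. It deliberately does not trust the From: header, since the GoDaddy-impersonating phish forges that freely.

```python
"""Flag suspicious links in a Whois-verification email.

Added example, not code from the original post. The registrar domain and
the sample message below are constructed assumptions for illustration.
"""
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Registrar the message claims to come from (assumption for the example).
EXPECTED_REGISTRAR_DOMAIN = "godaddy.com"

# Constructed sample: one genuine-looking link and two classic phishing tricks
# (a lookalike subdomain on an attacker host, and userinfo before the real host).
SAMPLE_EMAIL = """\
From: "GoDaddy" <support@godaddy.com>
To: registrant@example.com
Subject: Action required: verify your Whois contact information
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Please verify your contact information within 15 days.</p>
<p><a href="https://secure.godaddy.com/whois/verify?code=ABC123">Verify now</a></p>
<p><a href="https://godaddy.com.verify-whois.example/login">https://www.godaddy.com/verify</a></p>
<p><a href="https://godaddy.com@198.51.100.7/verify">Alternate link</a></p>
</body></html>
"""


class _LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._current = [dict(attrs).get("href", ""), ""]

    def handle_data(self, data):
        if self._current is not None:
            self._current[1] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append((self._current[0], self._current[1].strip()))
            self._current = None


def extract_links(raw_message):
    """Return (href, visible_text) pairs from the message body."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    body = msg.get_body(preferencelist=("html", "plain"))
    if body is None:
        return []
    content = body.get_content()
    if body.get_content_subtype() == "html":
        parser = _LinkExtractor()
        parser.feed(content)
        return parser.links
    # Plain text: bare URLs are the links, and the visible text is the URL itself.
    return [(u, u) for u in re.findall(r"https?://[^\s<>\"']+", content)]


def host_belongs_to(host, registrar_domain):
    """True only if host is registrar_domain itself or a subdomain of it.

    'godaddy.com.verify-whois.example' and 'notgodaddy.com' both fail;
    'secure.godaddy.com' passes.
    """
    host = host.lower().rstrip(".")
    return host == registrar_domain or host.endswith("." + registrar_domain)


def classify_link(href, registrar_domain=EXPECTED_REGISTRAR_DOMAIN):
    """Return (verdict, reason); verdict is 'ok', 'warn' or 'phish'."""
    parsed = urlparse(href)
    host = parsed.hostname or ""  # .hostname strips any user@ prefix and port
    if parsed.scheme not in ("http", "https") or not host:
        return "phish", "not a plain http(s) URL"
    if not host_belongs_to(host, registrar_domain):
        return "phish", "host %r is not under %r" % (host, registrar_domain)
    # Point 2: a genuine click-to-verify link should not land on a login page.
    if re.search(r"log-?in|sign-?in", parsed.path + "?" + parsed.query, re.I):
        return "warn", "verification link leads to a login page"
    return "ok", "host %r belongs to the registrar" % host


def review_message(raw_message, registrar_domain=EXPECTED_REGISTRAR_DOMAIN):
    """Return [(href, visible_text, verdict, reason), ...] for every link."""
    return [(href, text) + classify_link(href, registrar_domain)
            for href, text in extract_links(raw_message)]


if __name__ == "__main__":
    for href, text, verdict, reason in review_message(SAMPLE_EMAIL):
        print("%-5s %s\n      shown as: %r\n      %s" % (verdict.upper(), href, text, reason))
```

The check is on the link target, not the sender or the displayed text, because both of those are under the phisher's control. Even an "ok" verdict only means the host is genuinely the registrar's; the safest habit remains the one in point 1, which is to log in to the registrar yourself and enter a code rather than following any link at all.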