Domain Registrar Account Phishing: Who is at Responsible?

I would imagine that just about every domain name owner has received an email that purports to be a domain registrar. Typically, these phishing emails request that the recipient click a link within the email and then provide private account information, which would give the sender access to the domain owner’s registrar account. Some of these emails look pretty close to actual registrar emails, and they can be confusing.

I’ve shared some probably examples of phishing emails I received or were submitted to me. For instance, here is an example of a likely GoDaddy phishing email and here is an example of a likely phishing email. I also discussed why domain registrar phishing emails are bad for everyone who buys and sells domain names. Put simply, domain phishing is harmful to the business of domain investing.

The question I have today is who is responsible  when a customer’s domain registrar account is hacked and their domain names are stolen, and who should be responsible for ensuring successful recovery of a domain name after a domain hijacking?

With phishing, there is quite a bit of blame placed on the domain owner who likely caused this to happen by accidentally providing account information to an unauthorized party. Yes, it was an unintentional error that may have caused the theft, but the thief probably wouldn’t have been able to steal domain names without having that information. It can be very expensive for a domain owner to recover a domain name using legal channels, and it can get complicated if the current registrant is not the thief (ie the domain name was resold).

On the other hand, many registrants may not be aware that domain name theft is a major problem, and they may not think about account security in the same way they would for their bank or financial institution. There  are  marketing emails, ICANN update emails, expiration emails, and other types of emails sent by domain registrars, so these emails  can be confusing for recipients.

When it comes to domain name theft, do you think the domain owner who may have been phished should bear the costs of recovering a domain name, or should the domain registrar be responsible for verifying claims and recovering domain names? Should ICANN play any role in assisting with a domain hijacking? I recently read that the ICA is working on something, and I am curious what your thoughts are on the processes and policies for recovering stolen domain names.

Elliot Silver
Elliot Silver
About The Author: Elliot Silver is an Internet entrepreneur and publisher of Elliot is also the founder and President of Top Notch Domains, LLC, a company that has closed eight figures in deals. Please read the Terms of Use page for additional information about the publisher, website comment policy, disclosures, and conflicts of interest. Reach out to Elliot: Twitter | Facebook | LinkedIn


Please enter your comment!
Please enter your name here

Recent Posts

It Pays to Know Random Phrases

My eyes bulge out of my head sometimes when I see a somewhat obscure term in a domain name coming up for auction. Oftentimes,...

Monitor Landing or Parking Page Downtime

When I first started developing my domain names, I learned the importance of downtime monitoring. On some of my growing websites, there would be...

Squadhelp is Reinvesting and So Am I

Squadhelp CEO Darpan Munjal shared a series of tweets about the growth of the platform. Darpan shared that revenue last month was higher than...

If You Want to See a Stampede, Look No Further Than This…

If you're seeking engagement on Twitter in the domain name space, the best thing you can do is tell people you're looking to buy...

Nick Huber: “drop a little coin” for a Premium Domain Name

I do not know Nick Huber, but I see he has a large following on Twitter and frequently offers advice to startup founders and...