Domain Registrar Account Phishing: Who is at Responsible?


I would imagine that just about every domain name owner has received an email that purports to be a domain registrar. Typically, these phishing emails request that the recipient click a link within the email and then provide private account information, which would give the sender access to the domain owner’s registrar account. Some of these emails look pretty close to actual registrar emails, and they can be confusing.

I’ve shared some probably examples of phishing emails I received or were submitted to me. For instance, here is an example of a likely GoDaddy phishing email and here is an example of a likely phishing email. I also discussed why domain registrar phishing emails are bad for everyone who buys and sells domain names. Put simply, domain phishing is harmful to the business of domain investing.

The question I have today is who is responsible  when a customer’s domain registrar account is hacked and their domain names are stolen, and who should be responsible for ensuring successful recovery of a domain name after a domain hijacking?

With phishing, there is quite a bit of blame placed on the domain owner who likely caused this to happen by accidentally providing account information to an unauthorized party. Yes, it was an unintentional error that may have caused the theft, but the thief probably wouldn’t have been able to steal domain names without having that information. It can be very expensive for a domain owner to recover a domain name using legal channels, and it can get complicated if the current registrant is not the thief (ie the domain name was resold).

On the other hand, many registrants may not be aware that domain name theft is a major problem, and they may not think about account security in the same way they would for their bank or financial institution. There  are  marketing emails, ICANN update emails, expiration emails, and other types of emails sent by domain registrars, so these emails  can be confusing for recipients.

When it comes to domain name theft, do you think the domain owner who may have been phished should bear the costs of recovering a domain name, or should the domain registrar be responsible for verifying claims and recovering domain names? Should ICANN play any role in assisting with a domain hijacking? I recently read that the ICA is working on something, and I am curious what your thoughts are on the processes and policies for recovering stolen domain names.

Leave a Reply