05 November 2015
by James Cottis
You’ve come to expect phishing emails that pretend to be your bank. Or offering you Amazon deals. Or telling you your Netflix account has been suspended.
So when a misspelled email asks for your banking password, or a link points you to “amason.com”, or you get asked to install an attachment to reinstate your account, you know not to do that. You’ve read about phishing emails; you know better.
But phishing emails aren’t just focused on getting your banking details. With many people using the same passwords for multiple sites, getting just one password from one person can unlock dozens of sites. You answer one phishing email, and there goes your bank account, your email, and that one secret account on that site you swear no one else knows about.
Phishers know this, and are trying new tactics, including sending emails about your domain name.
You might have recently received an email that looked like this:
Subject: Domain [DOMAIN] Suspension Notice
The following domain names have been suspended for violation of the [REGISTRAR] Abuse Policy:
Domain Name: [DOMAIN]
Registrant Name: [YOUR NAME]
Multiple warnings were sent by [REGISTRAR] Spam and Abuse Department to give you an opportunity to address the complaints we have received.
We did not receive a reply from you to these email warnings so we then attempted to contact you via telephone.
We had no choice but to suspend your domain name when you did not respond to our attempts to contact you.
Click here [LINK] and download a copy of complaints we have received.
Please contact us by email at mailto:[EMAIL] for additional information regarding this notification.
Spam and Abuse Department
Abuse Department Hotline: 480-124-0101
If you call the number, it doesn’t exist, and if you click the link, it attempts to download a virus.
Unsurprisingly, no registrar is actually sending out these emails.
As phishers grow more sophisticated and try new avenues, it can be difficult to tell legitimate emails from scams. As more companies send HTML-based emails that simply ask you to click a link, it’s become second nature to assume that the link will take you where you need to go, whether that’s checking on an order, verifying your account details, or seeing the latest viral cat video.
You know to keep an eye out for certain scammers, but when a company you don’t expect to be spoofed is suddenly sending you messages, you might panic and think that you just need to check, just need to click that link.
But there are a few things you can check before you click:
Most scammers don’t have all the data they need to perfectly spoof a company. In the example above, while they have the registrant’s full name, they don’t have it split into first name and surname. So the greeting is “Dear Sir/Madam” instead of “Dear [FIRST NAME]”.
Legitimate messages should always have your details, whether your name or your account number. If it seems to be missing something, don’t click the link.
Before you click that link, hover over it. Or, if you’re on a mobile, press and hold the link to see the full URL. Is it going to the correct site? Are there any typos in the URL? Is it going to a suspicious-sounding file, like archive.pdf.rar?
If you have any doubts whatsoever about the link, don’t click it. When you receive a notification, most sites will display it in your account section as well as send it to you via email, especially if it’s something important. Log into the site through your browser, and check to see if there’s a message there as well. If there isn’t, you’ve dodged a bullet.
The “From” might say the right company, but is the email address something else completely? Are there any slight misspellings (for example – paypal.co.uk versus paypai.co.uk)? Does it refer to a particular department that you don’t think would ever actually exist?
All of these are obvious signs when you look closely at them, but if you give it a quick glance, you might not notice. So if there’s the faintest doubt, check all the details, from the email addresses to the Internet headers.
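The link and sender checks described above can also be done mechanically. The following Python example is added here and is not part of the original article; the trusted-domain list, the risky-extension list and the edit-distance threshold of 2 are assumptions, and the sample values are the misspellings the article itself mentions.

```python
import posixpath
from email.utils import parseaddr
from urllib.parse import urlsplit

# Assumption: domains this reader really does business with (constructed list).
TRUSTED = ("amazon.com", "paypal.co.uk")
# Assumption: outer extensions that should never hide behind a document name.
RISKY_EXTS = {".rar", ".zip", ".7z", ".exe", ".scr", ".js"}

def edit_distance(a, b):
    """Levenshtein distance using one rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[-1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_domain(host):
    """Classify a hostname as 'trusted', 'lookalike of X' or 'unknown'."""
    host = host.lower().rstrip(".")
    labels = host.split(".")
    for good in TRUSTED:
        if host == good or host.endswith("." + good):
            return "trusted"
    for good in TRUSTED:
        # Compare only as many trailing labels as the trusted domain has,
        # so "www.paypai.co.uk" is measured as "paypai.co.uk".
        tail = ".".join(labels[-len(good.split(".")):])
        if edit_distance(tail, good) <= 2:
            return "lookalike of " + good
    return "unknown"

def check_link(url):
    """Return findings for the URL a link really points to."""
    parts = urlsplit(url)
    findings = ["domain: " + check_domain(parts.hostname or "")]
    stem, outer = posixpath.splitext(posixpath.basename(parts.path))
    inner = posixpath.splitext(stem)[1]
    if outer.lower() in RISKY_EXTS and inner:
        findings.append("double extension: " + inner + outer)
    return findings

def check_from(header):
    """Classify the address domain in a From header, ignoring the display name."""
    _, addr = parseaddr(header)
    return check_domain(addr.rpartition("@")[2])
```

A result of “unknown” is not a clean bill of health; it only means the domain is neither on the trusted list nor a near-miss of an entry on it.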
And even before you receive that email, there are a few things you can do to protect yourself:
It might cost a little more, but setting up Domain Privacy keeps your personal details out of the hands of scammers digging through WHOIS data. Once Domain Privacy is activated, whenever someone views your WHOIS data, they see a third party, and your name, address, email address, and telephone number are safe.
Nominet has free domain protection for your .uk, .co.uk, .org.uk, and .me.uk domains, and we offer Domain Privacy for many gTLDs.
Most modern browsers alert you if you’re visiting a page identified as a potential threat, and will make you go through several steps before you proceed to that page. Make certain you update your browser to the latest version and that you have the security settings turned on.
It can take some time for a site to be flagged as dangerous, so don’t expect your browser to always save you.
With the sample email above, clicking the link will download a virus. If your antivirus software is up to date, it’ll catch it and put it in quarantine before it has a chance to cause any damage. Always make sure you have strong antivirus software and that it’s updated regularly.
Many modern antivirus products also include browser add-ons that point out phishing sites and other scam websites, providing a second layer of protection on top of your browser’s security settings.