Phishing for Answers: Domains

Domain Renewal Safety:

Lately, there has been a big uptick in emails announcing that the recipient’s domain or hosting is going to expire shortly. Given how important an active domain is to a business owner, the thought of it expiring or dropping out of Google search results can be a worrisome read first thing in the morning. While some messages are legitimate, others use social engineering to prey upon the recipient, provoking a knee-jerk click on the link in the message. Over the years, we have seen thousands of these attempts, and they are getting harder and harder to tell apart from the legitimate ones.

How do I know which ones are legitimate?

  1. Sender
  2. Timing
  3. Email Design
  4. Link
1. Sender
Is the email from the organization that you registered your domain or service with? If you asked us to register your domain, it will come from either us or gkg.net. Beware of senders that appear very similar.
2. Timing
Registrars generally have a schedule for when they send notifications. Below are a few common registrars and their respective schedules:
Common Registrar Renewal Notification Schedules:

| | GKG | GoDaddy | Network Solutions |
|---|---|---|---|
| Renewal notifications | 4 | 6 | Average of 6 |
| Schedule | 60, 30, 7 days previous and day of expiration | 90, 60, 30, 15, 10, 5 days previous and day of expiration | 90, 60, 30, 14, 7 days previous and day of expiration |
| Whois verification | Once per year | Varies | 1-2 per year |

3. Email Design: 
Most registrars are large enough to have a professional and focused email notification. You will generally see the registrar listed at the top, with the domain information below, including any and all domains up for expiration, when they are due to expire, and a link to renew them.
4. Link to Renew Services: 
This is where you can generally tell the legitimacy of the email quickly. If you roll your cursor over the link and wait a few seconds, a tooltip will generally appear that reveals the URL the link will take you to. Look very closely at that URL and see whether it goes back to that particular registrar. Spoofers are getting quite good at making their links look legitimate, but some things to look out for are misspellings, long domains, and URLs that are extremely long. Here are some examples:
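
The hover check from step 4 can also be scripted: the added example below (not from the original article) pulls every link target out of an HTML email and flags hosts that are not the registrar's, that embed or misspell its name, or that are unusually long. The domain registrar.example, the sample email, and the length and similarity thresholds are assumptions; substitute your own registrar's domain, such as gkg.net.

```python
from difflib import SequenceMatcher
from html.parser import HTMLParser
from urllib.parse import urlsplit

MAX_HOST_LEN, MAX_URL_LEN = 40, 200  # assumed thresholds, not from the article

class LinkCollector(HTMLParser):
    """Collect the real destination (href) of every link in an HTML email."""
    def __init__(self):
        super().__init__()
        self.links = []
    def handle_starttag(self, tag, attrs):
        if tag == "a" and dict(attrs).get("href"):
            self.links.append(dict(attrs)["href"])

def check_host(host, trusted):
    """Return reasons a hostname is suspicious; empty if it is the registrar's."""
    host = host.lower().rstrip(".")
    if any(host == d or host.endswith("." + d) for d in trusted):
        return []
    reasons = ["not the registrar's domain"]
    registered = ".".join(host.split(".")[-2:])  # naive: ignores suffixes like co.uk
    for d in trusted:
        if d in host:
            reasons.append(f"contains {d} but belongs to another domain")
        elif SequenceMatcher(None, registered, d).ratio() >= 0.8:
            reasons.append(f"looks like a misspelling of {d}")
    if len(host) > MAX_HOST_LEN:
        reasons.append("long domain")
    return reasons

def check_email(html, trusted):
    """Map each suspicious link in the email body to the reasons it was flagged."""
    collector = LinkCollector()
    collector.feed(html)
    report = {}
    for url in collector.links:
        reasons = check_host(urlsplit(url).hostname or "", trusted)
        if len(url) > MAX_URL_LEN:
            reasons.append("extremely long URL")
        if reasons:
            report[url] = reasons
    return report

SAMPLE = (  # constructed email body; registrar.example is a hypothetical registrar
    '<a href="https://www.registrar.example/renew">Renew</a>'
    '<a href="https://registar.example/renew">Renew now</a>'
    '<a href="https://registrar.example.billing-desk.example/pay">Pay</a>'
    '<a href="https://www.registrar.example/r?t=' + "A" * 200 + '">Details</a>'
)
```

Calling `check_email(SAMPLE, {"registrar.example"})` reports the last three links and leaves the first one out. `check_host` can be run the same way on the domain part of the sender's address from step 1.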