Phishing Alert: Fraudulent Domain Expiry Email Citing ICANN and Webnames - Webnames Blog

Phishing Alert: Fraudulent Domain Expiry Email Citing ICANN and Webnames

Phishing email targeting domain name registrants

We’ve witnessed an increase in sophisticated phishing emails concerning domain names over the past few weeks. We want to bring your attention to a recent specific email that has been reported to us by vigilant customers. The email purports to be from ‘ICANN’, with the subject line “ACTION REQUIRED: Your domain name will be expired in 24 hours”. The email attempts to impersonate ICANN (The Internet Corporation for Assigned Names and Numbers) and and refers to a fictitious ICANN fee. 

Please be aware that this email is NOT a legitimate correspondence from Webnames or ICANN. does NOT and never will send notices of this kind.

This email is a clear phishing attempt, orchestrated to incite fear around the potential loss of a domain name, have you click the “Confirm & Pay Now” button, and capture your credit card information. Upon closer examination of the email, there are many telltale indications it is a phishing attempt, including the following:

  • Suspicious sender and sending domain name information
  • Urgency around payment and threat of domain being disabled
  • “Confirm & Pay Now” button that does not direct to (hint: in most cases you should be able to hover the mouse pointer over the button/link to view the URL at the bottom of your screen, instead of clicking it and potentially visiting a page that might contain malware)
  • No specific contact information, or Customer Support signature
  • Address that doesn’t correspond to Webnames 

As always, if you have any doubt about whether an email was sent from, please do not take any action until you have contacted us directly through our Support helpline and confirmed its legitimacy. 

But, how did they know my domain name?

This phishing email is more sophisticated than many because it also leverages a current or previously registered domain name, associating it with the domain registrant’s email address.  The scammers behind this email are able to do this by scraping publicly available information from ICANN’s publicly accessible WHOIS database.  ICANN, the administrative authority for domain names whose identity is also being fraudulently used in this phishing attempt, mandates that domain ownership data is made public through a Whois lookup and in this case. If a domain name that you have registered is not using WHOIS Privacy Protection, your associated Registrant information (e.g., name, email address, address, etc.) can be at risk of being scraped and used by scammers in phishing attempts, smishing (text spam), robocalls, or other forms of spam.  Adding WHOIS privacy to a domain name after it has already been registered can still help to prevent your information being scraped in the future by other bad actors – it’s never too late to protect your privacy. 

Recognize patterns and practice safe browsing

While the email cited above is just one instance of attempted abuse of Whois domain data, it is possible that other concurrent fraud campaigns may use a different pretext than ICANN or domain expiry. As noted in the above example, always be vigilant and take the following precautions: 

  • Carefully scan the name and email address of the sender
  • Is the domain name on the email address one you recognize and does it belong to the organization which is supposedly sending this email?
  • Were you expecting this email regarding the product or service in question?
  • Are links on the email pointing to pages and websites you recognize as the sending organization?
  • Are there typos or incorrect grammar in the email content?

To reiterate, we at Webnames are always here to help and if you are in doubt about the veracity of an email or any communication that purports to be from us, please call our support to verify.

Learn More

Why You Might Get Spammed for Buying a New Domain Name (And How to Use Domain Privacy to Prevent It)

Potential scam alert: Domain expiration notices from ‘Domain Registry’

Share this:

Posted in: