Don't Lose Your Domain Name to a Scammer

There are shady companies that will try to steal your domain name under the guise of a renewal notice. They make you think you’re simply paying to renew your domain, when in reality they’re getting you to transfer it to their business. It’s a practice that, while technically legal, is hugely unethical, and it can cause a nightmare for your business if it succeeds (imagine your email going down for months … or forever). This article explains the issue, what really happens, and how you can prevent it from happening to you.

Some background info to get us started:

First: What’s a domain name?

If you run a business, chances are you own one or more domain names. A domain name is the .com, .ca, or whatever name is attached to your website and email addresses. You know, when somebody types you@yourcompany.com? The “yourcompany.com” is the name you registered to make your emails more official and easy to remember. It sure beats gmail.com or telus.net in terms of professionalism and branding.

Second: Domain names are effectively rented

You never really “own” your domain name. You rent it yearly by paying a registrar (a company that sells domain names) to have exclusive access to it. If you stop paying for it, it goes back on the market and anybody can register it. You can register it at any registrar of your choice (e.g. GoDaddy, EasyDNS, etc.), just like you can choose your insurance provider or energy company.

Third: Domains can be moved between registrars

If you paid one registrar to rent your domain, you can move it to another one if you don’t like their service or for some other reason. This is a process known as a domain transfer. And this is the core process that these scammers are trying to exploit.

What’s in it for the scammers?

Selling domains (and getting that recurring revenue from them) is big business. According to Verisign’s Domain Industry Report (as of Dec 10, 2019), in the second quarter of 2019 there were over 354.7 million domains registered. Estimates place revenues for the industry at $6 billion or more.

The market is also highly cut-throat and competitive. Domains have become a commodity over the years as the market has matured and become saturated with players. With consumers seeing all registrars as effectively the same, prices have been driven down. Most new clients we talk to can’t even name the company their domain is registered with, even though they pay them yearly for the service. Because of this, registrars have a tough time branding themselves, attracting new customers, and selling the value of their services in a largely price-driven market dominated by big players.

So naturally, like any other saturated market, some players will resort to other tactics to drum up business. This is what this article is about.

What are the scammers doing?

The basic process is this:

  1. The scammers send you an email or a letter saying your domain name is up for renewal, and you need to pay a fee.
  2. You complete the paperwork, pay the fee, and do some extra steps to unlock your domain and provide a code.
  3. They transfer your domain from your current registrar (which you chose) to theirs (which you didn’t choose.)
  4. Now they have your domain and, most importantly, you by the cojones, for lack of a better phrase.

OK, so I’m paying somebody else for my domain. What’s the big deal? It still works right?

No, not always. And there are other risks.

It could result in your email and website going down. There are important records tied to a domain that tell the Internet where your website and email are hosted. These can be lost when the domain moves to another registrar (they are not automatically copied.) Given they’re using a scam to get your business, do you think they care if these records come along properly?

You may never get your domain back in your control. They may not provide any sort of easy way to fix this. They may provide forms on their website (which are conveniently broken), or a phone number that nobody answers or, if somebody does answer, they stall, delay, and give you the run-around to avoid giving you your domain at all costs. And guess what? When you “renewed” your domain, you signed a contract to allow them to manage it, so you might be hooped. Imagine losing your email and website forever and having to change your Internet name. It’s not fun or cheap to reprint and change everything with your website on it, and start from scratch with SEO in search.

You may disrupt your website / IT provider’s ability to service your account. Last but not least, if you can’t get a hold of your domain, neither can your website / IT provider. If they ever need to make changes to your settings (and they will, eventually, as technology changes), you’ll be stuck. So even if the transfer went OK and things still work, you will run into a wall the next time you rebuild your website (launching is impossible without control of the domain), change your email setup, set up a server, etc.

Do you trust your credit card or personal/company info with a company like this? Who knows what else they’re doing with these, really.

Your domain is your most important digital asset in the Internet age. Take it seriously. Protect it like you would a bank account.

What do these scams look like?

In most cases, you’ll either get an official-looking letter in the mail, or an unsolicited email telling you that you need to renew your domain.

Two you’ll find in Canada are “Domain Registry of Canada”:

Domain Registry of Canada Scam Letter

And iDNS:

Both of these will contain a letter/form which looks along the lines of this (the iDNS logo is interchangeable with the Domain Registry logo above; they are effectively the same company):

iDNS Scam Letter Example

They can also come by email

You can get these by email sometimes too. Same sort of idea, except they’ll be linking to a website where you do this all online. Same tactics and rules apply to them too.

Why is this not illegal?

Because you are free to choose which registrar you use, and in the fine print of the letter, they do disclose that you are transferring your domain to them, not just renewing:

But they’re counting on you not actually reading the letter or, truthfully, not even knowing what your domain name is. All you’ll likely see when you glance at this is an official-looking logo, the words “Domain Name Expiration Notice” on the top right, and a price on the bottom right. Looks like a bill, smells like a bill, must be a bill, right? Sure, except you never did business with this company before and owe them nothing. They prey on you not paying attention.

How to Prevent This From Happening To You

  1. Domain registrars will never send you a printed letter. It simply costs them too much for an existing customer. They tend to send emails. So any snail-mail copies you get about domains can likely hit the garbage.
  2. Anything from “iDNS” and “Domain Registry of Canada” should hit your shredder as quickly and forcefully as possible. Make it a fun way to take out your pent-up office anger. Just don’t hurt yourself and be safe. 😉
  3. Take some time to get to KNOW where your domain is. Which company manages it for you? And if you registered it, where did you register it? Write this down. Ensure key staff know where it is too, such as your IT person, web person, financial / controller, etc. It should not just be an email you got in your inbox several years ago. Put it somewhere in your company records and keep the records up to date if you make changes, so people can access them easily.
  4. Have an IT or web firm manage the domain on your behalf. Ideally, an IT company if you work with one, but if you have nobody else, a web firm can sometimes also help with this. Ensure they’re reputable and ensure that they’ll give your domain back without question if you ever want it (yes, nine10 does this, it’s in writing.) A good firm will fully manage the domain, and protect you from scams like this.
  5. Use Privacy on your domain (.ca’s include it for free), or consider setting the contact information on the domain to your IT provider/web provider. A good provider will not only renew the domain for you, they will also act as a gateway that filters out all of the scam emails for you. If there’s something legitimate, they’ll let you know. Anything else is probably a scam.
  6. Put your critical thinking hat on for a second. Does this seem odd? Didn’t you renew this not long ago, or already pay a monthly or yearly bill? Do you recognize this company? If you have any signals about anything like this, listen to them. It’s your gut telling you there’s something wrong with this, and it’s usually right.
  7. Ask your IT / web provider. If you have a web or IT person, ask them about the letter/email you got. It can’t hurt, and they can usually tell you right away if the mail is legitimate or not. Believe me, we don’t mind. We’d rather you ask than you get scammed!

Fortunately, you have some safeguards

This is a problem that the governing authorities of domains (ICANN, CIRA) know about. One safeguard they put in place to help prevent it is a locking mechanism on your domain. Each domain can be locked, and while the lock is on, it can’t be transferred. It’s not super simple to remove the lock, and usually your IT / web person would do this for you. This kind of forces you to contact them to complete the process, and hopefully at that stage they can stop you before it’s too late. Of course, if you have already given any personal, company or credit card info to the scammer, that might be a lost cause at this point. Watch your credit card bills and if you see any charges, consider filing a dispute if you can’t resolve it with them.
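
For the IT / web person doing the checking, here is one way to compare a "renewal" notice against a domain's public registration data (RDAP): who the registrar of record is, whether the transfer lock is on, and when the domain really expires. This is an added example, not code from this article or from any registrar; the sample record is constructed for a placeholder domain, and the function names and the 90-day threshold are assumptions made for illustration.

```python
import json
from datetime import datetime

# Constructed RDAP domain record (RFC 9083 layout) for a placeholder domain.
SAMPLE_RDAP = json.loads("""{
  "ldhName": "yourcompany.example",
  "status": ["client transfer prohibited"],
  "events": [{"eventAction": "expiration", "eventDate": "2026-03-01T00:00:00Z"}],
  "entities": [{"roles": ["registrar"],
    "vcardArray": ["vcard", [["version", {}, "text", "4.0"],
                             ["fn", {}, "text", "Example Registrar Inc."]]]}]
}""")

# RDAP status values that mean the domain cannot be transferred right now.
LOCKS = {"client transfer prohibited", "server transfer prohibited"}

def registrar_of_record(rdap):
    """Return the registrar's name from the entity with the 'registrar' role."""
    for ent in rdap.get("entities", []):
        if "registrar" in ent.get("roles", []):
            for prop in ent.get("vcardArray", ["vcard", []])[1]:
                if prop[0] == "fn":          # vCard "formatted name"
                    return prop[3]
    return None

def expiry(rdap):
    """Return the expiration event as a timezone-aware datetime, or None."""
    for ev in rdap.get("events", []):
        if ev.get("eventAction") == "expiration":
            return datetime.fromisoformat(ev["eventDate"].replace("Z", "+00:00"))
    return None

def review_notice(rdap, notice_sender, now, early_days=90):
    """List reasons to distrust a notice; 'now' must be timezone-aware.

    early_days is an assumed threshold, not a registry rule.
    """
    registrar, exp, findings = registrar_of_record(rdap), expiry(rdap), []
    if registrar is None or notice_sender.strip().lower() != registrar.lower():
        findings.append(f"sender is not the registrar of record ({registrar})")
    if not LOCKS & {s.lower() for s in rdap.get("status", [])}:
        findings.append("transfer lock is OFF; ask your provider to re-enable it")
    if exp and (exp - now).days > early_days:
        findings.append(f"domain does not expire for {(exp - now).days} days")
    return findings
```

An empty list only means none of these three checks fired; a notice from an unfamiliar sender should still go to your IT / web provider before anyone pays it.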