The RAA’s new requirement to verify your contact information is great news for scammers.
As of January 1, any domain name registrar that has signed the 2013 Registrar Accreditation Agreement (which includes all major registrars) must verify certain aspects of the whois contact information.
Registrars should verify this by phone or email. Email will be the most popular method because it is cheaper.
Law enforcement agencies have requested this as a way to reduce bogus contact information in the whois database. Apparently, they are oblivious to the fact that anyone who tries to scam can easily get a disposable phone number or email address.
Many predicted that this new requirement would lead to a new phishing opportunity, in which crooks would send phishing emails to registrants to verify their contact information.
Well, it took a few days.
One of those emails, supposedly from GoDaddy, is already doing the rounds.
The important thing to note here is that you should not ignore all emails from your registrar regarding verification of your whois information. Instead, you need to review them carefully and act on the legitimate ones.
If you don’t respond, your domain name could be suspended. For example, if your domain name is registered with eNom and you change your name or email address, the registrar will send you an email, and you must click a link in it within 15 days or your domain will be suspended!
With that in mind, here are some best practices to consider. Hopefully domain name registrars keep these in mind in their policies:
1. Ideally, the email provides a code that you copy-paste after logging into your registrar account, rather than including a link in the email to click to verify.
2. If there is a Click to Verify link, it should not require you to log into your account. If it does, it is most likely a phishing scam. (You can argue that a click-to-verify link is better than a copy-paste code because it doesn’t require you to log in. However, I think making click-to-verify the standard will enable more phishing scams.)
3. In general, registrars will not ask you to verify existing contact information provided for domains registered before December 31st.
4. Opt for two-factor authentication if your registrar offers it. (If they don’t, find one that does.) Even if a phisher obtains your login information, they won’t be able to bypass two-factor authentication.
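To make practice 1 concrete, here is a registrar-side sketch of the copy-paste-code flow it recommends. This is an added example, not code from any registrar or from the RAA: the code is mailed to the registrant, only its keyed hash is stored, and it is accepted only from the account that requested it, once, within a 15-day window (the deadline eNom uses in the post). The class and method names are assumptions for illustration.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

# 15-day acceptance window, mirroring the eNom deadline mentioned above.
CODE_TTL_SECONDS = 15 * 24 * 3600


@dataclass
class PendingVerification:
    account_id: str
    code_hash: str      # keyed hash of the mailed code; plaintext is never stored
    expires_at: float


class WhoisVerifier:
    """Mail a one-time code; accept it only from the logged-in account that asked for it."""

    def __init__(self, now=time.time):
        self._pending = {}
        self._now = now
        # Server-side secret: a leaked table of hashes cannot be replayed without it.
        self._pepper = secrets.token_bytes(32)

    def _hash(self, code):
        return hmac.new(self._pepper, code.encode(), hashlib.sha256).hexdigest()

    def issue_code(self, account_id):
        """Generate the code to email. There is no link to click, only a code to paste in."""
        code = secrets.token_urlsafe(12)
        self._pending[account_id] = PendingVerification(
            account_id, self._hash(code), self._now() + CODE_TTL_SECONDS)
        return code

    def verify(self, session_account_id, submitted_code):
        """Called from an already authenticated session; the session decides whose code applies."""
        pending = self._pending.get(session_account_id)
        if pending is None:
            return False
        if self._now() > pending.expires_at:
            del self._pending[session_account_id]   # expired codes are discarded, not extended
            return False
        ok = hmac.compare_digest(pending.code_hash, self._hash(submitted_code))
        if ok:
            del self._pending[session_account_id]   # single use
        return ok
```

Because the code is useless outside the registrant's own logged-in session, a phishing email that merely copies the message has nothing to harvest except a code it cannot redeem.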