Domain Name Expirations

From time to time I’m asked by a client if they should let one or more of their domain names expire for a variety of reasons:

  • They’ve purchased the .com, .net, .co, .us, etc. for their business name and want to keep only one of them to save money.
  • They purchased a different domain name they like better and just want to replace the old one.
  • They’re going out of business and don’t need a website anymore.

Beware of Expired Domains

How scammers exploit expired domain names:

Domain names are like the addresses of our online properties, essential for email communication, web presence, and business credibility. But what happens when a domain expires? Many people assume it just fades away into the digital ether. In reality, expired domains are highly sought-after by attackers and scammers who use them for nefarious purposes, often with surprising ease. Let’s explore how this process works and why it’s crucial to protect yourself against these potential threats.

When you register a domain, it becomes your digital property for as long as you maintain the registration by renewing it. Just like leasing a piece of land, as long as you keep paying, you keep owning. You use this domain for everything from hosting your website to setting up company email addresses, connecting with clients, receiving official correspondence, and even logging into various accounts. But if you miss a renewal, the domain eventually expires, and here’s the catch: anyone else in the world can register it.

The Risks of Expired Domains:

When a domain name expires and someone else registers it, you lose all control over how it’s used. And this is where scammers often swoop in, leveraging the domain’s established presence for malicious activities. Here are some of the key ways they exploit expired domains:

  1. SEO Exploitation: Domains often build authority with Google and other search engines over time. Scammers can use the “reputation” of an expired domain to rank their own websites higher in search results, taking advantage of any SEO value the domain has built. This can be as simple as piggybacking off the domain’s former credibility.
  2. Website Cloning and Fake Shops: With tools like the Wayback Machine (on archive.org), scammers can download a replica of the original website that once existed on the domain. They can then set up a fake version of the business, complete with a functioning website on the same domain. Unsuspecting customers might assume they’re on a legitimate website, unwittingly providing sensitive information like credit card details that go directly to the scammer.
  3. Email and Password Resets: One of the most significant risks comes from email impersonation. If scammers replicate old email addresses, they could receive any incoming emails intended for the original owner. This opens the door for fraudulent password resets on other accounts, unauthorised access to personal or business data, and interception of critical information from banks, legal entities, or customers. The potential for data theft and misuse is vast.
  4. Data Harvesting for Financial or Legal Gain: By gaining access to old emails or receiving misdirected communications, scammers can collect information related to finances, legal matters, and confidential business dealings. They may use this data directly for financial fraud or as a foothold to launch further attacks.

How to Protect Your Domain & Data:

If you’re planning to discontinue a domain, consider the potential risks. To safeguard against these threats, follow these guidelines:

  • Maintain Renewals Beyond Use: If there’s even a chance that the domain’s previous use could expose you or your clients to risks, consider renewing it for a few years beyond when it’s actively used. By the time the domain does expire, the value of any associated emails or web presence will likely be negligible.
  • Monitor Expired Domains: If you do let a domain expire, keep an eye on it occasionally to see if it’s been re-registered. Certain monitoring tools can alert you if your old domain becomes active under a new owner, allowing you to take action if needed.
  • Use Dedicated Emails for Sensitive Accounts: Avoid tying highly sensitive accounts (like those with banks, legal entities, or essential business tools) solely to a domain-based email. Having a backup email—especially one outside your domain—can help you maintain access and control over important accounts even if your domain changes hands.
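
The monitoring step above can be automated against RDAP, the JSON successor to WHOIS (RFC 9083). The following is an added example, not part of the original article: it classifies a lookup result for a domain you released, treating a registration date later than your own release date as a re-registration. The domain, dates and registrar are constructed sample data, and fetching the record from an RDAP server is left out so the code runs offline.

```python
from datetime import datetime, timezone

def event_date(record, action):
    """Date of the first RDAP event with this eventAction (RFC 9083), or None."""
    for ev in record.get("events", []):
        if ev.get("eventAction") == action:
            return datetime.fromisoformat(ev["eventDate"].replace("Z", "+00:00"))
    return None

def registrar_name(record):
    """Pull the registrar's display name (vCard 'fn') out of the entities list."""
    for ent in record.get("entities", []):
        if "registrar" in ent.get("roles", []):
            for prop in ent.get("vcardArray", ["vcard", []])[1]:
                if prop[0] == "fn":
                    return prop[3]
    return None

def assess(released_on, record):
    """Classify a lookup result for a domain we let go.

    released_on: timezone-aware datetime our own registration ended.
    record: parsed RDAP domain object, or None if the lookup returned 404.
    """
    if record is None:
        return "unregistered", {}
    registered = event_date(record, "registration")
    if registered is None or registered <= released_on:
        return "unchanged", {}          # still the old registration (e.g. grace period)
    return "re-registered", {
        "registered": registered.date().isoformat(),
        "registrar": registrar_name(record),
        "nameservers": sorted(n["ldhName"].lower() for n in record.get("nameservers", [])),
    }

# Constructed sample data: a made-up domain under the reserved .example TLD.
RELEASED_ON = datetime(2023, 6, 1, tzinfo=timezone.utc)
SAMPLE = {
    "objectClassName": "domain",
    "ldhName": "old-brand.example",
    "events": [{"eventAction": "registration", "eventDate": "2023-09-14T08:21:05Z"},
               {"eventAction": "expiration", "eventDate": "2024-09-14T08:21:05Z"}],
    "nameservers": [{"ldhName": "NS1.PARKING.EXAMPLE"}, {"ldhName": "ns2.parking.example"}],
    "entities": [{"roles": ["registrar"],
                  "vcardArray": ["vcard", [["version", {}, "text", "4.0"],
                                           ["fn", {}, "text", "Constructed Registrar LLC"]]]}],
}

if __name__ == "__main__":
    print(assess(RELEASED_ON, SAMPLE))
```

A "re-registered" result is the cue to rotate any account recovery addresses still pointing at the old domain and to warn customers that the domain is no longer yours.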

Real Life Example:

A few years ago I had a client who had 2 domain names for her business – one with the state name spelled out and the other with the state’s initials like this: virginiabusiness.com and vabusiness.com. Deciding to save money, she let one expire. A scammer purchased the domain name, made a duplicate of the client’s website, and set it up to steal people’s credit card information. Since both sites were identical, customers had no way of knowing that one was stealing their information.

Unfortunately, when this happens, there aren’t a lot of resources available to get the scammer’s site taken down. I tried for months to get the fake site taken down, but I didn’t have much luck. With domain name privacy and scammers using content delivery networks like Cloudflare, it’s almost impossible to find out who the owner is and where the original site is being hosted. The same is true if you accidentally let your domain name expire. Once it’s purchased by a scammer there are only a few choices that you have: buy the domain name back from the scammer at an exorbitant rate or purchase another one.

Stay Vigilant!

The exploitation of expired domains is a growing trend in cybercrime, with research showing an increase in frauds involving these domains for data theft, credit card fraud, and phishing scams. Whether you’re managing a business domain or a personal one, take proactive steps to protect yourself against this hidden but increasingly common threat.

In the digital landscape, where brand reputation and customer trust are paramount, ensuring the security of your online property—even after it’s no longer in use—is a critical step toward a safer internet experience for everyone. The reality is that it’s only about $20.00/year to keep a domain name – and it might be worth spending that money for as long as you’re in business.
