How to Protect Yourself from Domain Hijacking

Over Christmas there was a well-publicized case of domain-hijacking that gained some worldwide media attention when David Airey had his domain,, stolen. The story was a familiar one ‚Äì a domain thief gained access to a domain holder’s email account (in this case, a Google GMail account) and then used that account to gain control of the domain name and transfer it to himself.

This story had a happy ending and the domain was returned to its rightful owner thanks to, in this case, Go Daddy, which was the receiving Registrar in the fraudulent transfer.

At Tucows we’re actively engaged in the battle against online fraud including domain name theft, phishing, and spam. When domain name thefts are reported to us, our Compliance Team acts accordingly to assist with retrieval of domains where possible.

I talked to Paul Karkas our Compliance Manager. There are a couple of tips to avoiding domain name theft he suggested all domain owners and resellers learn:

1. Use WHOIS Privacy. It can protect you to a certain extent from this kind of theft. If the administrative email address that is listed with the domain name under WHOIS is exposed, then a potential domain thief has two pieces of information he needs – the domain name, and the email address used to manage it. The thief can then gain control of the email address, and then use that email address to gain control of the domain by having passwords emailed to himself. WHOIS Privacy offers some protection because it prevents the domain thief from finding out what the administrative email address is for the domain name.

2. If you can avoid it, don’t use free, web-based email addresses for your administrative contact. In this case, a security flaw in GMail allowed the hacker to gain control of the email account of the domain holder. Likewise, having your entire domain portfolio under a single administrative email account is another mistake. Never mind having one domain name stolen, if a thief gains control of your email account, he could steal your entire portfolio of names.

3. Your domain name is worth more to you than you might think. It may only cost you $10 a year to register the domain, but take a moment to imagine what the cost would be if you had to change domain names tomorrow. It could be as easy as reprinting business cards, or as difficult as re-branding your entire company.

4. Chose your Registrar wisely. Look for a Registrar with a solid Compliance team and a good record within the industry. They’ll have policy and procedures in place to protect you against domain name theft, and in the event your domain is taken from you fraudulently, you stand a better chance of getting it back with a solid registrar. Our CEO, Elliot Noss, has talked about this in the past. You can read his “Ten questions to ask before you pick your domain name Registrar” post for more information on how to make an informed choice.

If you do one thing today, make it this: activate WHOIS privacy on your domains. At Tucows, we recognize the value of WHOIS Privacy, and we include it free with every domain name sold.

This entry was posted in blog on January 2, 2008 by Tucows.