Domain registration phishing attack

Post hero image

Table of contents

This widespread domain registration phishing attack has been kicking around on and off for years, and it has recently resurfaced in our customers' inboxes. This hair-raising scam might look legit at first glance. That’s why we’ll dismantle it into pieces so you’ll know what threat indicators to watch out for!

What exactly is the domain registration phishing attack about then?

The idea behind this attack is that failure to secure your domain names will allow another company to register them for themselves. This would of course be bad news indeed to any company with a valuable trademark to protect.

The email is supposedly sent from a domain name registration center trying to reach a company’s domain owners. The so-called registrars are claiming that an application has been received from a Chinese company that is trying to register a CN domain that is in conflict with the owner’s company name.

Domain Registration Phishing Attack 1 email

The email is usually sent from a domain that has just been registered 1-2 months ago, e.g. ““ in this case. This is a clear red flag, made worse by the fact that the domain has nothing to do with “China Registry.” The name of the “Service & Operations Manager” (in this case Thomas Liu) and the company (China Registry) may sometimes change but the message and the email template remains the same in this popular scam.

What is the goal?

The attacker's agenda is to get you to respond to the email; that triggers the actual attack. They are claiming that in order to protect your trademark you must register the Chinese domains for yourself. This of course comes with a price tag.

In short, the scammer’s goal is to get paid by tricking the victim into paying domain registration fees that don’t really exist. Falling for this scam could turn out to be costly.

The scam has been roaming around the internet for years, which indicates that it works. Especially for those unfamiliar with how domains and registration work, this might quicken the pulse.

However, these are phishing emails from cybercriminals and should be ignored.

Tips on how to stay safe

  • Stay calm. A sense of urgency is the most common emotional state social engineers try to create. They want you to think that there is little time before something bad happens if you do not act fast. Stay calm and think before you act.
  • Don’t forward. In this case the sender is urging you to forward this message to your CEO. Never forward suspicious email. Even when your intentions are good, you might accidentally help the attacker spread the malicious email. If you want to discuss a suspicious email with your colleagues, take a screenshot of the email instead of forwarding it.
  • Google the scam. You could use the sender domain, or the contact, or the company’s name as a search term. You will see that several parties have already reported this scam.
  • Tell Information Security. If despite all of this you somehow end up on the hook of a scammer, report it to your company’s IT department.

Remember to stay safe!

Hoxhunt response

Our Threat Analysis Team examines tens of thousands of reported phishing emails, including ones like these, a week–and have captured tens of millions of threats to date. They cluster the threats, rate them, and incorporate the nasty ones into our training simulations in real time to ensure our training stays at the cutting edge of the constantly-evolving threat landscape. Hoxhunt users are thus drilled on spotting and reporting the latest actual threats making the rounds, removing potentially catastrophic threats from your system with every push of the Hoxhunt reporting button. Read more to learn how to equip your employees with the phishing training that will protect your company from scams.

Explore more phishing types

Want to learn more?
Be sure to check out these articles recommended by the author:
Get more cybersecurity insights like this