Top 5 Ways To Prevent Domain Theft

Lately I’ve been receiving a lot of questions around domain security. As many of you know I run the website DomainTheft.org where I receive theft reports from people whose domains have been stolen. I’ve helped a number of people recover their domains and through this experience I’ve learned the most common ways a domain can be stolen.

There are many different ways to prevent domain theft, but I thought it would be most beneficial to my readers to compile the top five. Since it is next to impossible to involve law enforcement in domain recovery (try explaining to a police officer that your domain name was stolen and see what he/she says!), it is up to the domain owner (sometimes with the help of the registrar) to do everything they can to keep their domains secure.

1) Don’t use a GMail, Yahoo mail, or any other free web-based email account as the Admin or Tech contact for your domains.
Free webmail services are easily compromised by even novice hackers. The email account associated with your domain is the most important link in the domain transfer process. If someone gains access to this account they might be able to transfer your domain without you ever knowing – or at least not noticing until it is far too late.

2) Lock your Domain Names
This may seem like a simple concept but it is oftentimes overlooked. When you purchase a domain from someone on a forum or through an expiry service it may come into your account “unlocked”. By simply locking the domain you can help prevent transfers even if someone does gain access to your email account, since a domain must be unlocked to transfer it.

3) Don’t use completely unknown registrars
I’ve seen a growing number of domain thefts from people who registered their domains with a completely unknown registrar. When they try to contact the company they get someone’s voicemail or even worse the hiss and beeping of a fax line. If your domain name is stolen the registrar can be a key ally helping you to get it back. Pick a registrar that you know you can get in touch with 24/7 – and not trying to name names – okay I’ll name one – stay away from 1&1.

4) Don’t sell High-Value domains using PayPal
One of the most common domain theft scams is when a thief offers to buy your $5,000 domain with PayPal. Steer clear of this as it’s a great way to unknowingly give away your domain to a thief. I always like to compare this to buying a car. Would you sell someone your $30,000 BMW and accept a personal check? No – you’d expect a cashier’s check. PayPal is rampant with fraud, and the way people get away with it is this: they buy your domain, you transfer it to them once you receive the money, then they contact their credit card company and say that some unknown charge from PayPal appeared on their account and they think their card was compromised. I see a lot of these cases at DomainTheft.org and there is little that can be done once you’ve already transferred a domain to someone else – especially if they are out of the country.

5) Work with your Registrar
If your domain is stolen, contact your registrar immediately. Companies like GoDaddy, Name.com, Fabulous.com and Moniker.com are all very good at helping domain owners recover stolen domains.
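The checks in tips 1 and 2 can be run across a whole portfolio. The sketch below is an added example, not code from this post: it parses WHOIS-style records and flags domains that lack a transfer lock (the EPP statuses `clientTransferProhibited` or `serverTransferProhibited`) or whose Admin/Tech contact is on a free webmail domain. The WHOIS records are constructed samples and the `FREE_WEBMAIL` provider list is an assumption to adjust.

```python
# Added example: audit WHOIS-style records for the issues in tips 1 and 2.
# Assumption: this provider list is illustrative; extend it as needed.
FREE_WEBMAIL = {"gmail.com", "googlemail.com", "yahoo.com", "hotmail.com", "aol.com"}
# EPP status codes that block an outbound registrar transfer ("locked").
TRANSFER_LOCKS = {"clienttransferprohibited", "servertransferprohibited"}
CONTACT_FIELDS = {"admin email", "tech email", "registrant email"}

# Constructed sample records (not real lookups).
SAMPLE_WHOIS = {
    "example.com": (
        "Domain Name: EXAMPLE.COM\n"
        "Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited\n"
        "Admin Email: hostmaster@example.com\n"
        "Tech Email: noc@example.com\n"
    ),
    "example.net": (
        "Domain Name: EXAMPLE.NET\n"
        "Domain Status: ok https://icann.org/epp#ok\n"
        "Admin Email: Owner.Name@Gmail.com\n"
        "Tech Email: noc@example.net\n"
    ),
}

def audit(whois_text):
    """Return a list of findings for one WHOIS record (empty list = OK)."""
    statuses, contacts = set(), {}
    for line in whois_text.splitlines():
        key, sep, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if not sep or not value:
            continue  # skip blank lines and fields with no value
        if key == "domain status":
            statuses.add(value.split()[0].lower())  # drop the trailing URL
        elif key in CONTACT_FIELDS and "@" in value:
            contacts[key] = value.lower()
    findings = []
    if not statuses & TRANSFER_LOCKS:
        shown = ", ".join(sorted(statuses)) or "none"
        findings.append("no transfer lock (status: %s)" % shown)
    for role, addr in sorted(contacts.items()):
        if addr.rsplit("@", 1)[1] in FREE_WEBMAIL:
            findings.append("%s uses free webmail: %s" % (role, addr))
    return findings

def audit_portfolio(records):
    """Map each domain to its list of findings."""
    return {domain: audit(text) for domain, text in records.items()}

if __name__ == "__main__":
    for domain, findings in audit_portfolio(SAMPLE_WHOIS).items():
        print(domain, "OK" if not findings else "; ".join(findings))
```

Many registries now redact contact emails in public WHOIS output, so the contact check is most useful against an export from your own registrar account.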

As the Domaining industry continues to grow, domain security will become increasingly important. Now is the time to make sure your domains are secure and report stolen domains and forum scammers. If we work together we can all do our part to help prevent domain theft.

2 comments

  • theoretical May 30, 2009, 8:20 pm

    I'm not sure what using a non-free email service has to do with this. If someone hacks into your Gmail account, then that's a federal offense and one that Google will be there to back you up with IP logs and such. If you run your own mail server on your VPS, or worse, shared host… how are you less vulnerable to someone hacking your email account? How are you better protected? If anything you should ensure that you follow good security practices regarding frequently changed, unique and hard to crack passwords. I'm sure there's something I'm missing but I don't see it.

  • domainvestors May 30, 2009, 9:00 pm

    Thanks for the question – this is one that comes up a lot so I am happy to clarify.

    While it is a federal offense to hack a Gmail or Yahoo email account, nonetheless many of these accounts are compromised every month. The #1 way I have seen domains stolen through DomainTheft is by people hacking into an existing GMail or Yahoo mail account so this is definitely a problem. Just think – it is considered felony grand-theft to steal a car, but this doesn't stop thieves from stealing a car.

    Now onto the security differences. GMail and Yahoo mail and other free email programs have known security holes and hackers/social engineers can find their way into these accounts without too much of a fuss. Here is a link to a video actually showing how people hack GMail with known encryption algorithm security flaws: http://www.youtube.com/watch?v=uLFURwOPbpY

    Using your own private email account hosted through your hosting provider is usually more secure because hackers spend less time trying to find vulnerabilities in lesser-known systems. GMail and Yahoo mail are big targets and ones that hackers enjoy getting more credit for gaining access to and sharing online. Try doing a quick Google search for “hacking gmail” and you'll find plenty of people explaining exactly how this is done.

    Oftentimes a major technique you can use with your own account as well is to forward your email address to a different address at a completely different domain. This means even if the email address is compromised they won't actually have access to your mail as it is just a pass-through address.

    Many computer security experts (I went to Carnegie Mellon and had some friends that worked at CERT) suggest staying as far away from services like GMail and Yahoo mail when dealing with sensitive data due to the fact that they have been proven time and time again to be less secure than an email account you set up through your hosting provider.

    To keep your email safe most security experts suggest using a hosted email account and for sensitive information encrypting your email by only sending over a secure connection. At the end of the day I always feel you are better safe than sorry.

    Thanks again for the question!
