When businesses and blogs rename or merge, old domains sometimes get left behind. Security researchers say expired domains can put data at risk.
Scammers may set up fake shops on expired domains and use them to steal credit card data from unwary bargain hunters. Or they may target email accounts linked to the domain to scam clients, steal company secrets and break into employees’ shopping and travel accounts.
Prevention is as easy as renewing and protecting all your domains, but that’s not always simple, especially if you own a lot of domains. Here’s what you need to know about the risks of an expired domain, how to keep yours current, and how to avoid having your data stolen.
What Happens When Domains Expire?
The first thing you need to know is that when domains expire, they’re available to anyone who wants to pay to register them. They’re also easy to find online, through sites that offer expired domain name searches and lists of recently expired domains to bid on. Some buyers buy expired domains for legitimate projects. Others are not so ethical.
Your expired domain could end up as a fake online store
Criminal gangs snap up expired domains to turn them into phishing sites. That damages the brands that lose their domains, the brands impersonated by the scammers, and shoppers who fall for the scam.
Your expired domain could let data thieves into your business
Last year, security researchers with Australian cybersecurity firm Iron Bastion proved that registering abandoned business and law firm domains could give criminals access to insider data.
By setting up a catch-all email forwarding service for domains they re-register, criminals can access confidential client data and emails. They can run scams using this information or sell it on the dark web. They can also take over former employees’ social media, banking, and professional accounts by changing the passwords linked to the old domain’s email addresses.
What should you do with domains you don’t use anymore?
Security experts say the best way to safeguard your old domains is to keep renewing them, even if you’re not currently using them. Then you should close the email accounts associated with those domains and unlink those email accounts from alerts sent by banks, airlines, and other services that handle sensitive (and valuable) information.
If you must let your old domains go, you’ll need to be thorough about updating any online accounts you and your employees set up using old domain email addresses. Then you’ll need to close those email accounts.
In either case, it’s wise to let your customers and vendors know about your change of email address. Give them some advance notice, ask them to whitelist your new email address, and then ask them to delete the old address when you’ve closed that account.
For any email account on any domain, it’s always a good idea to set up two-factor authentication (2FA). By requiring a code from an SMS message or an authenticator app, you reduce the risk of someone maliciously changing your password on your email account and other accounts you set up with your email address.
And speaking of passwords, don’t make it easy for hackers to guess or brute-force yours. Every email address on your domains should have a strong password that’s not used for any other accounts.
How can you keep all your domains current and safe?
Follow these recommendations from domain security experts to keep your domains in your possession.
Give your domain registrations fewer chances to lapse. Start by registering or renewing for the longest amount of time you can, like three years instead of one. Then set your registrations to auto-renew.
Keep your registration information up to date. Update your domain registration accounts when your email address, phone number, or other contact information changes. Changed credit cards or online payment services? Make sure you change your domain payment information, or your auto-renewals will fail.
Keep your registration information private. Domain privacy protection costs a few dollars a year, and it’s worth it. If you add domain privacy when you register your domain, your registrar’s contact information is listed in the WHOIS public database. Without domain privacy, your name, email address, and other personal data are on display. That can put you at risk for spam, scams, and harassment.
Lock your domains. Domains must be unlocked when you’re transferring them to a new host. Otherwise, lock them to keep scammers from transferring them to a different web host without your consent.
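As an added example (not part of the original article), the renewal and locking recommendations above can be checked across a whole portfolio by reading each domain's RDAP record, the structured successor to WHOIS. The records below are constructed samples, and the function names and the 60-day warning window are assumptions.

```python
import json
from datetime import datetime, timedelta, timezone

# Constructed RDAP-style records (field names per RFC 9083); the domains
# and dates are sample values, not real registrations.
SAMPLE_RDAP = json.loads("""[
 {"ldhName": "old-brand.example", "status": ["active"],
  "events": [{"eventAction": "expiration", "eventDate": "2024-07-10T00:00:00Z"}]},
 {"ldhName": "main-site.example", "status": ["client transfer prohibited"],
  "events": [{"eventAction": "expiration", "eventDate": "2027-01-15T00:00:00Z"}]},
 {"ldhName": "merged-blog.example",
  "status": ["redemption period", "client transfer prohibited"],
  "events": [{"eventAction": "expiration", "eventDate": "2024-05-01T00:00:00Z"}]}
]""")

def parse_date(value):
    # RDAP dates are RFC 3339; normalise a trailing "Z" for fromisoformat().
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def audit_domain(record, now, warn_days=60):
    """Return the renewal and lock findings for one RDAP domain record."""
    findings = []
    expiry = next((parse_date(e["eventDate"]) for e in record.get("events", [])
                   if e.get("eventAction") == "expiration"), None)
    if expiry is None:
        findings.append("no expiration date published: check with registrar")
    elif expiry <= now:
        findings.append("EXPIRED")
    elif expiry - now <= timedelta(days=warn_days):
        findings.append(f"expires in {(expiry - now).days} days")
    statuses = set(record.get("status", []))
    if statuses & {"redemption period", "pending delete"}:
        findings.append("in deletion lifecycle: renew or restore now")
    elif "client transfer prohibited" not in statuses:
        findings.append("transfer lock not set")
    return findings

def audit_portfolio(records, now, warn_days=60):
    """Map each domain that needs attention to its list of findings."""
    report = {}
    for record in records:
        findings = audit_domain(record, now, warn_days)
        if findings:
            report[record["ldhName"]] = findings
    return report

if __name__ == "__main__":
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed date for the sample
    for name, findings in audit_portfolio(SAMPLE_RDAP, now).items():
        print(f"{name}: {'; '.join(findings)}")
```

Run on a schedule against records for every domain you own, a report like this catches a lapsed or unlocked domain even when a renewal notice goes to an outdated contact address.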