Part IV – How to Protect Your Domain Name Against Domain Hijacking or Unauthorized Transfers
For many registrants, domain names (and the services connected to them, like websites and emails) are essential to their professional and personal lives. Whether used for online commerce, or simply to communicate with family and friends, domain names are valuable assets and should be managed with care.
Here are some best practices to help you prevent hijacking or unauthorized transfer of your domain name.
Register with an email address that is not connected to your domain name. When you register your domain name, you will be asked to provide contact information, including your email address. This information goes into the WHOIS record for your domain name, which might be viewed publicly. It is best to use an email address that is not associated with the domain name you are registering. For instance, if your domain name is example.com, a best practice is to use an address in WHOIS that is not firstname.lastname@example.org.
Here's why. if your domain name is hijacked by someone who has gained access to your account with the registrar, that person will likely alter the WHOIS information to remove you as the registered holder of the domain name. If you used an email address that is not associated with your domain name in WHOIS, you will be able to provide that email address as evidence to the registrar that you were the registered holder of the domain name before it was altered by unauthorized access to your account.
Create a strong, unique password. Protect your domain name from cybercriminals by creating a unique, strong password. Online services are compromised frequently, making user names and passwords available to criminals who may attempt to hijack your domain name using the information you provide for other accounts. Avoid this by creating a strong password that you use exclusively for your domain name account.
Do not share your password. You are responsible for the security of your domain name. You should never give anyone the login information to your online account. This includes web hosting providers or web designers as well as friends and colleagues. It is not recommended that you list website designers, hosting providers, or any other third parties as the registrant(s) of your domain name. If you choose to do so, seek legal advice as to contractual obligations that third parties should adhere to with regards to the administration of your domain.
Inquire about multistep authentication. Some registrars offer registrants the ability to implement a multistep authentication when accessing your account. This provides added protection by requiring a unique security code, in addition to your username and password, to access your online accounts. Refer to the terms of your registration agreement to see if multistep authentication is available.
Check the email account(s) associated with your domain frequently. Whatever email address or addresses you provide, you must be sure they are active accounts and that you check them regularly. You want to keep your contact information up to date to be sure you receive WHOIS Data Reminder Policy (WDRP) notifications, renewals, and other important notices from your registrar. This is particularly important for those who use a privacy or proxy service. If you use a privacy service, consider leaving your name as the registrant of record in the WHOIS. This can serve as another evidence to your registrar that you were the registered holder of the domain name.
Ask your registrar to put a transfer lock on your domain name. You can request that your registrar put a transfer lock on your domain name. Putting this lock on your domain name is not a fail-safe way to guard against unauthorized transfer or hijacking of your domain name, but it could be another layer of security. Each registrar has a different way of implementing the transfer lock. Some require two-factor authentication to remove the lock; some simply require authorization from the registrant. Check with your registrar about their policies regarding transfer lock and decide whether it is a service that's right for you.
Finally, be smart about your online behavior. Be cautious with the links you click in emails, with the attachments you open, and with the websites you visit. These are means that criminals can use to steal your username and password.
Also, read the following documents, published by ICANN's Security and Stability Advisory Committee:
- SAC040: Measures to Protect Domain Registration Services Against Exploitation or Misuse
- SAC044: A Registrant's Guide to Protecting Domain Name Registration Accounts
My Domain Name Was Transferred Without My Authorization - What Do I Do?
Act immediately and contact your registrar. If you believe your domain name was transferred to a new registrar or registrant or if your account information was modified without your consent, immediately contact your registrar. Don't delay! The sooner you contact your registrar, the better. If you wait, your domain name may be transferred again and again, further complicating the process and making it harder to retrieve your domain.
Trust the process. Act quickly to inform your registrar, but don't panic! There are specific rules that govern the transfer of domains that are designed to protect you. A registrar may only initiate a transfer if it has obtained a completed Form of Authorization (FOA) from either the registrant or the administrative contact for the domain. Ask your registrar to request a copy of the form used for authorizing the transfer. The registrar that the domain name was transferred to must be able to produce a copy of this documentation when it is requested. Failure to do so is grounds for reversal of a transfer in the event that a complaint is filed under the Transfer Dispute Resolution Policy. If you've contacted your registrar and they are unable or unwilling to assist you, submit an Unauthorized Transfer Complaint with ICANN. We will review your situation to see if we can assist you in recovering your domain.
Read More: Do You Have a Domain Name? Here's What You Need to Know: Part I – Part II – Part III
FAQs for Registrants: Transferring Your Domain Name
About Domain Name Transfer to a Different Registrar
Transfer Complaint infographic [PDF, 124 KB]
EPP Status Codes | What Do They Mean, and Why Should I Know?
ICANN's Transfer Policy (effective as of 1 December 2016)
The "Do You Have a Domain Name? Here's What You Need to Know" educational series is part of ICANN's broader efforts to help you better understand the ICANN policies that affect you, your role in the Domain Name System (DNS), and the role of the ICANN organization, registries, and registrars in the DNS ecosystem.