
What You Should Do If You Receive A Suspected Fraudulent ICANN Email

 

Fraudulent ICANN emails

Criminals impersonate trusted senders in email to gain your trust so they can obtain access to sensitive data. These phishing emails may appear to come from various sources including ICANN, your registrar or registry, or other business partners.

The security of our community remains one of our key priorities. While ICANN takes steps to investigate certain types of misuse, you must take steps to protect your personal information at all times. Fortunately, there are ways you can make sure a specific email really comes from ICANN.

Suspicious emails

Phishing and scam emails typically use deception, such as forging a trusted sender’s address or domain, or using a similar or lookalike domain. Scam messages typically ask the reader to reply, call a phone number, click a link or open an attached file, with the aim of stealing personal information.

If you receive a suspicious email, please FORWARD it to globalsupport@icann.org. Our team can take a look to determine if it's a fake. If it is, we'll work to get the source of the email shut down if possible. Reporting these emails helps protect the entire ICANN community.

Note: Please FORWARD the suspect email. Don’t cut and paste the contents, because valuable tracking information about the source will be lost.

We've provided some hints about identifying fake email below, but scammers adjust their tactics. So, if you have any doubts, please forward suspicious email to our Global Support team for review.

If you receive a suspicious email appearing to come from ICANN:

  • Avoid clicking on links or opening attached files.
  • Forward suspected scam messages immediately to globalsupport@icann.org with "suspected phishing" in the subject line.
  • If possible, include a copy of the suspicious message with headers (see links to guides below). Our support team will reply to your message as soon as possible.

Things to consider in reviewing email from ICANN:

  • Legitimate email messages sent from ICANN will not come from another domain, such as "icann-monitor.org" or "icann-support.org".
  • Be suspicious of any email that offers domain renewal services from ICANN. ICANN does not process domain registrations or collect fees from registrants directly. All fee collections are transactions between the registrar and the registrant.
  • ICANN will not send domain registrants WHOIS Data Reminder Policy (WDRP) messages directly. If you receive an email about your domain that purports to come from ICANN, contact your sponsoring registrar directly for any concerns about the status of your account.
  • Ask your email provider if they can use the ICANN SPF record to check which senders are authorized to use our domains and help filter out spoofed senders.

Ways to spot fake email:

  • A false sense of urgency. Scams often tell you that your account will be in jeopardy if something critical is not updated right away.
  • Fake links. These may look real, but they can lead you into trouble. Check where a link is going before you click by hovering over the URL. If it looks suspicious, don't click.
  • Attachments. A real email from ICANN will never include an attachment or software. Attachments can contain malware, so you should never open one unless you are 100% sure it's legitimate.
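The sender-domain, SPF and attachment checks from the two lists above, run over a message's headers. This is an added example, not ICANN's own code: `triage`, `domain_ok` and both sample messages are constructed for illustration, and treating subdomains of icann.org as legitimate is an assumption.

```python
import re
from email import message_from_string
from email.utils import parseaddr

TRUSTED = "icann.org"  # the only sending domain the page names as legitimate

def domain_ok(domain):
    # Assumption: subdomains of icann.org count as ICANN's own.
    domain = domain.lower().rstrip(".")
    return domain == TRUSTED or domain.endswith("." + TRUSTED)

def triage(raw):
    """List the reasons a message claiming to be from ICANN looks suspect."""
    msg = message_from_string(raw)
    findings = []
    from_dom = parseaddr(msg.get("From", ""))[1].rpartition("@")[2]
    if not domain_ok(from_dom):
        findings.append(f"From domain {from_dom or '(none)'} is not {TRUSTED}")
    # Verdict recorded by the receiving server (Authentication-Results, RFC 8601).
    auth = " ".join(msg.get_all("Authentication-Results", []))
    spf = re.search(r"\bspf=(\w+)", auth)
    if spf is None or spf.group(1).lower() != "pass":
        findings.append(f"SPF result: {spf.group(1).lower() if spf else 'absent'}")
    # SPF vouches only for the envelope sender, so that must be ICANN's too.
    env = re.search(r"\bsmtp\.mailfrom=([^\s;]+)", auth)
    if env and not domain_ok(env.group(1).rpartition("@")[2]):
        findings.append(f"SPF checked envelope sender {env.group(1)}")
    for part in msg.walk():
        if part.get_filename():  # the page: real ICANN mail carries no attachment
            findings.append(f"attachment {part.get_filename()}")
    return findings

# Constructed samples, not real messages.
LOOKALIKE = """\
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=bounce@icann-monitor.org
From: ICANN Support <support@icann-monitor.org>
Content-Type: application/zip
Content-Disposition: attachment; filename="invoice.zip"

(placeholder body)
"""
SPOOFED = """\
Authentication-Results: mx.example.net; spf=fail smtp.mailfrom=notice@icann.org
From: ICANN <notice@icann.org>

Please reply with your account details.
"""
if __name__ == "__main__":
    print(triage(LOOKALIKE), triage(SPOOFED), sep="\n")
```

The lookalike sample passes SPF because the check ran against its own domain, which is why the From and envelope domains are compared with icann.org separately. Only an Authentication-Results header added by your own receiving server should be trusted, since a sender can insert one of its own.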

To learn more about phishing:

education.apwg.org

antiphishing.org/resources

onguardonline.gov/phishing

Guides for viewing Email Headers:

https://support.google.com/mail/answer/22454?hl=en

http://mxtoolbox.com/Public/Content/EmailHeaders/

 

 

Comments

    Geoff Bickers  11:44 UTC on 05 January 2017

    Phishing emails have been reported from icann-monitor[.]org. If you receive email from that domain - please delete without opening. Similar fraudulent messages may originate from icannmonitoring[.]org or one of many similar domains. Email sent by ICANN will originate only from the domain icann[.]org.
