GoDaddy Domain Renewal Scam

Today I got a notification from GoDaddy that my domain is expiring and I need to do something about it.

I do use GoDaddy for a few domains so this isn't unusual.  At a glance the e-mail matches the formatting of the GoDaddy e-mails pretty well.  It's definitely a scam though.  How can I tell?

The Scam E-mail

The Breakdown

Phishing scams generally want your credentials so they can get at your data, steal from you, scam other people in your name, and make money off you. It's common for these scams to target e-mail, bank accounts, Office 365 accounts, or your company credentials. Whatever the scammer can get their hands on that makes money or lets them spread the scam further is good enough for them.

The first thing you should always check is the actual e-mail address of the sender, not just the display name. The address can be faked, but SPF and DKIM, enforced by a DMARC policy on the domain being impersonated (call us for help setting these up), make it a lot harder for the scammers to use the real domain, so they register a lookalike instead. This e-mail immediately fails this check, though they did a pretty good job picking a domain that's sort of close and generic.

The second thing I check is the link. Realistically, I'm paranoid so I don't click the link in the e-mail at all; I go to the website directly. But this is a good check anyway. Mouse over the link without clicking it and your mail client will show the address the link actually goes to. This one goes to "godaddy . paysafety . cc / login", so that's a big nope. Read a hostname from the right: the part that matters is the registered domain, paysafety.cc, and "godaddy" is just a subdomain the scammer created under it. Good try putting the GoDaddy name in the link though.
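The two checks above, as a small triage script. This is an added example and not part of the original post: it parses a raw e-mail, reads the SPF/DKIM/DMARC verdicts from the receiving server's Authentication-Results header, compares the From domain against the registrar's real domains, and flags links whose registered domain isn't one of them (including the "brand as a subdomain" trick used here). The sample message, the sender domain godaddy-support.example and the list of legitimate domains are constructed for the example; the registered-domain logic is a naive last-two-labels cut with no public-suffix list, so it would misjudge domains like example.co.uk.

```python
import email
from email import policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains the real registrar sends from and links to (assumed list for this example).
LEGIT_DOMAINS = {"godaddy.com", "secureserver.net"}

# Constructed sample message, not a real scam e-mail; the sender domain is made up.
SAMPLE = b"""From: "GoDaddy Renewals" <renewals@godaddy-support.example>
Subject: Your domain is about to expire
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=godaddy-support.example; dkim=none; dmarc=fail header.from=godaddy-support.example
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Your domain <b>example.com</b> expires soon.</p>
<p><a href="https://godaddy.paysafety.cc/login">Renew now at GoDaddy</a></p>
<p><a href="https://www.godaddy.com/help">Help Center</a></p>
</body></html>
"""

def registered_domain(host: str) -> str:
    """Naive eTLD+1: keep the last two labels (no public-suffix list)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])

def sender_domain(msg) -> str:
    """Domain of the actual From address, ignoring the display name."""
    _, addr = parseaddr(str(msg.get("From", "")))
    return addr.rpartition("@")[2].lower()

def auth_results(msg) -> dict:
    """Pull spf=/dkim=/dmarc= verdicts from Authentication-Results (RFC 8601) headers."""
    results = {}
    for header in msg.get_all("Authentication-Results", []):
        for clause in str(header).split(";")[1:]:  # clause [0] is the authserv-id
            tokens = clause.split()
            if tokens and "=" in tokens[0]:
                method, verdict = tokens[0].split("=", 1)
                results[method.lower()] = verdict.lower()
    return results

class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in the HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def suspicious_links(html: str, brand: str, legit=LEGIT_DOMAINS) -> list:
    """Return (href, text, reason) for links whose registered domain is not a legitimate one."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        reg = registered_domain(host)
        if reg in legit:
            continue
        if brand in host and brand not in reg:
            reason = f"'{brand}' is only a subdomain; the real domain is {reg}"
        elif brand in text.lower():
            reason = f"link text mentions {brand} but the target is {reg}"
        else:
            reason = f"target domain {reg} is not a known-good domain"
        findings.append((href, text, reason))
    return findings

def triage(raw: bytes, brand: str = "godaddy", legit=LEGIT_DOMAINS) -> dict:
    """Run the sender check and the link check over a raw RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("html",))
    html = body.get_content() if body is not None else ""
    domain = sender_domain(msg)
    return {"sender_domain": domain,
            "sender_legit": registered_domain(domain) in legit,
            "auth": auth_results(msg),
            "links": suspicious_links(html, brand, legit)}

if __name__ == "__main__":
    for key, value in triage(SAMPLE).items():
        print(f"{key}: {value}")
```

Run it against a message saved as .eml (`triage(open("mail.eml", "rb").read())`) and look at the three verdicts together: a From domain that isn't the registrar's, a failing DMARC result, and a "renew now" link whose registered domain is a stranger's are each enough on their own to stop and go to the site directly.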

This e-mail named a domain I actually own, so they put some effort into this. Most likely they ran a scraper over public domain registration (WHOIS/RDAP) records looking for any visible e-mail address associated with each domain, then sent this "renewal" to it.

How do you protect yourself?

Two-Factor Authentication (2FA or MFA) is a great way to keep your credentials from being used against you. Your credentials not getting out into the wild is best, of course, but if you do get scammed, 2FA is going to save you. If I had been tricked by this scam and they got my username and password, it wouldn't do them much good. GoDaddy's actual website would have asked me for my second factor, usually a Time-based One-time Password (TOTP). This is that six digit code from an authenticator app that's only good for about 30 seconds. The code is computed from a secret key that lives only in my app and on GoDaddy's servers; the scammers don't have that key, so they can't generate the next code and they're stuck. One caveat: a more sophisticated phishing page can ask for the code too and relay it to the real site before it expires, so for accounts that matter, a phishing-resistant factor like a hardware security key or passkey (FIDO2) is better still, because it's bound to the real website's address and simply won't work on a lookalike domain.

In my case I'm protected by Internetek's full security suite. So while this e-mail got through the mail filter, the DNS filter blocked the website when the link was resolved. This is called a layered security approach: you don't trust a single thing to protect you, you have several layers of security that each catch what the others miss. Like having a deadbolt on your door but also having motion sensors or a big dog (or a dog that thinks it's big). Now that I've seen the e-mail it's definitely getting blocked by the mail filter too. This is part of the service Internetek provides to clients to protect them from the scammers and hackers out there.
