Domain Renewal Scams
Fake 'your domain is expiring' notices that trick you into paying a bogus registrar or transferring your domain.
Last reviewed: 1 June 2026
What this scam is
Domain renewal scams send official-looking notices — by email, letter, or online form — claiming that your website's domain name is about to expire, and urging you to renew it with the sender immediately to avoid losing it. The sender is not your real domain registrar. Depending on the variant, the fraud either extracts a fee for a worthless or non-existent renewal, or — more seriously — tricks you into initiating a domain transfer that moves ownership of your domain to the fraudster's account.
Domain names are often mission-critical business assets. Losing or accidentally transferring a domain can take a website offline, disrupt email, and cause significant reputational and commercial harm. Scammers exploit this anxiety by creating urgency: 'expires in 5 days', 'final notice', 'act now to prevent loss of your online presence'.
Because domain registration records (WHOIS data) were historically public, fraudsters could easily identify domains, their expiry dates, and contact information. Even with WHOIS privacy becoming more common, large volumes of business email addresses are publicly available, and domain names are easily scraped from websites. This makes targeting straightforward, and the fraudster does not need to know who your real registrar is to send a convincing notice.
How it works
The scammer identifies domains (by scraping websites, purchasing lists, or using WHOIS lookup tools) and sends notices to the contact email on record — or to the business's general email address — from a company with a registrar-sounding name. The notice is formatted to resemble a genuine domain management email, complete with domain name, expiry date (often accurate, if scraped), and a prominent payment link or bank transfer instruction.
In the fee-extraction variant, the victim pays a renewal invoice — typically at an inflated rate — to a company that either does nothing, or registers the domain in their own account without proper transfer of ownership to the victim. The victim believes their domain is secure; in fact, the situation may be worse than before.
In the domain-transfer variant, the notice includes a form or link that, when completed or clicked, initiates a registrar transfer request from your real registrar. Once you 'confirm' the transfer through what appears to be a routine renewal process, your domain moves to the fraudster's registrar account, where they can hold it for ransom, let it lapse, or use it maliciously.
Some variants target domain owners nearing the end of a redemption period (after the domain has already lapsed), offering to recover it for a large fee — then taking the money without acting.
Why this scam works
Domain renewal scams are effective because the stakes feel high and the action requested is familiar. Everyone who owns a domain knows it needs renewing. When a notice arrives with your actual domain name and a realistic-looking expiry date, the emotional trigger — 'I might lose my website' — is immediate and powerful.
The fraud also exploits the transactional nature of domain renewals. Most domain owners renew by clicking a link and paying a fee; there is nothing unusual about receiving a renewal notice and following up. The difference between a real notice and a fake one is the sender's identity — a detail that is easy to miss in a busy inbox.
For organisations where the domain is managed by a junior administrator or is registered under a personal email address, there may be no clear internal record of which registrar holds the domain, making it harder to immediately identify a fraudulent notice.
A typical pattern
A small business receives an email saying their domain expires in three days. The notice is formatted like a professional registrar email and shows the correct domain name and a realistic-looking expiry date. The business manager, worried about losing the website, clicks the link and pays a renewal fee. They receive a confirmation. Several months later the domain fails to renew properly, or the manager discovers the domain is registered with a company they have never heard of. Their original registrar still holds the record and the renewal payment accomplished nothing.
Common red flags
- Renewal notice from a company that is not your actual domain registrar
- Urgent 'final notice' framing with a short expiry deadline
- Pricing substantially higher than standard domain registration rates
- Notice contains a form to complete that could initiate a domain transfer
- Sender email address does not match a known registrar's official domain
- Notice arrived by post rather than through your registrar account dashboard
- No personal account login or verification required to process the renewal
- Link in the email leads to a domain other than your registrar's official site
Sanitized example messages
Illustrative, sanitized examples. Personal details are replaced with placeholders such as [phone number] and [fake link].
FINAL NOTICE: your domain [domain name] expires in 5 days. Renew immediately with [company name] for [amount] to maintain your online presence.
ACTION REQUIRED: [domain name] is due to expire on [date]. To prevent interruption to your website and email services, please confirm renewal using the link below.
This is your final opportunity to secure [domain name] before it becomes available to the public. Renew now for [amount] to retain exclusive ownership.
Your annual domain registration for [domain name] is due. Please transfer [amount] to the account below to process your renewal for the next 12 months.
We have detected that [domain name] is approaching expiry. As an authorised domain service provider, we can renew it on your behalf for [amount]. Please complete the form to confirm.
URGENT: If you do not renew [domain name] within 48 hours, it will enter the public release pool. Secure it now for [amount] to avoid losing your domain.
Common variations
- Email renewal notices from fake or unofficial registrars
- Postal renewal notices mimicking official domain registry correspondence
- Transfer-initiation forms disguised as renewal confirmation pages
- Expired domain recovery scams charging large fees to retrieve a lapsed domain
- Typosquatted domain offers claiming you need to secure similar domain variants
- SSL certificate renewal scams using the same notification format
How to verify before you act
The only reliable way to check your domain's status is to log in to your actual registrar's account directly — not by following any link in an unsolicited email or letter.
- Identify your real registrar: check the account where you originally registered, review your email archive for registration confirmations, or use an official WHOIS lookup (e.g. your country-code registry's own lookup tool) to find the listed registrar. - Log in directly: go to your registrar's official URL by typing it into your browser. Check your domain's actual expiry date in your account dashboard. - Never click renewal links in unsolicited emails: type your registrar's web address directly or use a saved bookmark. - If you receive a renewal notice from an unfamiliar company, do not complete any forms they provide, as this may initiate a transfer request. - Set up automatic renewal with your real registrar to eliminate the window of opportunity these scams exploit. - Enable domain lock (registrar lock) on your domain — this blocks transfer requests unless you explicitly remove the lock in your own account.
Payment methods used
- Card
- Bank transfer
- Invoice payment
Who is usually targeted
- Website owners
- Small businesses
What to do immediately
- Do not click any links or complete any forms in the notice
- Log in directly to your registrar account using your own bookmarks or by typing the URL
- Check your domain's actual expiry date in your account — compare with the notice
- If you have inadvertently completed a form, contact your real registrar immediately to check for transfer requests and block any pending transfers
- If payment was made, contact your bank or card issuer to report the fraud and request a chargeback
- Report the fraudulent notice to your national domain registry or consumer protection authority
How to prevent it
- Know exactly which registrar holds each of your domains and keep a record updated with the contact email and renewal dates
- Enable auto-renewal with your real registrar so you are never in an expiry window that scammers can exploit
- Apply registrar lock (domain lock) to all business-critical domains to block unauthorised transfers
- Use domain-specific email addresses for registrar accounts, separate from your general marketing or admin email
- Treat all unsolicited domain-renewal notices as unverified until you have confirmed status in your own registrar account
- Never click links in renewal emails — access your registrar only by typing their official URL directly
- Set calendar reminders for domain expiry dates as a secondary check independent of email notices
Evidence to preserve
- The original notice email with full headers, or the physical letter with envelope
- Screenshots of the fraudulent company's website if accessible
- Your real registrar's records showing the actual domain status
- Payment confirmation records if a payment was made
- Any transfer confirmation emails received
Where to report it
- Action Fraud (UK) — UK national fraud & cybercrime reporting centre
- FTC ReportFraud (US) — US Federal Trade Commission fraud reports
- FBI IC3 (US) — US Internet Crime Complaint Center
- Scamwatch (Australia) — Australian competition & consumer reporting
- Your bank's fraud line — Use the number on the back of your card or in your banking app — never a number the caller gives you
Always verify reporting routes and emergency contacts on the official government or agency website for your country.
Frequently asked questions
How do I know who my real registrar is?
Log into the account where you registered your domain, check your original registration confirmation email, or use an official WHOIS lookup tool from your country's domain registry. Renewal notices from companies you don't recognise — especially with urgent deadlines — should be verified against your own registrar records.
I paid a renewal notice and nothing happened. What do I do?
Log in to your real registrar to confirm your domain is still in your account and properly renewed. Contact your bank or card issuer to report the payment as potentially fraudulent and request a chargeback. Report the incident to your national consumer protection authority.
Can I lose my domain by completing a form in a renewal notice?
Yes. Some fraudulent notices include forms that, when completed, are designed to trigger or authorise a domain transfer request. Never complete forms sent to you by an organisation that is not your verified registrar.
What is a domain transfer and how is it used in fraud?
A domain transfer moves your domain registration from one registrar to another. Legitimate transfers require you to request an authorisation code and confirm the move. Fraudulent notices may trick you into authorising a transfer to the scammer's registrar, giving them control of your domain.
How does domain lock protect me?
Registrar lock (or domain lock) is a security setting that prevents your domain from being transferred without you explicitly unlocking it in your registrar account. With it enabled, even if a scammer tricks you into 'confirming' a transfer, the lock will block it until you remove it yourself.
Why do these notices sometimes show my correct domain name and expiry date?
Domain registration data including expiry dates was historically public via WHOIS lookups. Even with increased privacy protections, scammers can access this data through third-party tools, purchased lists, or by scraping websites directly.