Fake Domain Hosting Renewal Scam
Unofficial companies send invoice-style notices mimicking a domain registrar, warning that a domain or hosting plan is about to expire, to trick owners into paying inflated fees to the wrong company or handing over control of the domain.
Last reviewed: 5 July 2026
What this scam is
Domain names and hosting plans have public expiry dates that anyone can look up through standard registration records, which makes it possible for unrelated companies to send targeted, official-looking renewal notices to domain owners who never asked to hear from them. This scam relies on that public information to send an invoice or notice that closely mimics a real registrar's renewal billing, often for a substantially inflated price, timed to arrive before the domain owner's actual registrar sends its genuine renewal reminder.
The notice typically emphasises urgency around losing the domain entirely, which is a serious concern for any business relying on that domain for its website or email, and this fear is what drives quick payment without checking whether the sender is actually the domain's real registrar. In milder cases, the target simply overpays a legitimate-seeming but unrelated company for a service they did not need. In more serious cases, paying or responding to the notice can result in the domain's management being transferred away from the real registrar entirely, risking loss of control over the domain and any associated email or website.
This scam specifically targets domain and hosting renewals rather than other subscription categories, and its effectiveness comes from the technical unfamiliarity many domain owners have with how registration, renewal, and transfer actually work.
How it works
The scammer or the unrelated company obtains a list of domains nearing their public expiry date through routine registration lookups, then sends an invoice-style letter or email to each domain's registered contact. The notice is formatted to resemble an official renewal bill, often including the domain name itself, a near-term deadline, and a fee considerably higher than typical market rates.
Some versions are simply overpriced but functionally legitimate renewal services from an unrelated registrar, relying on the domain owner not noticing that the sender is not their existing provider. Other versions are structured so that paying the invoice or responding to it initiates an actual registrar transfer request, moving the domain's management away from the owner's real registrar without them realising that is what occurred.
Businesses that pay the inflated invoice may find the payment has gone to an unrelated company that provides no real ongoing service, and if a transfer was inadvertently triggered, the domain owner may lose direct control over their domain settings, including where their website and email are hosted, until the transfer is identified and reversed.
Why this scam works
The scam works because the underlying threat is genuinely serious for anyone relying on a domain for a business website or email, and because most domain owners rarely think about renewal until prompted, making an urgent-looking notice from an unfamiliar source easy to mistake for a routine bill from their actual provider. The technical process of domain registration and transfer is unfamiliar enough to most non-technical owners that a professional-looking invoice does not immediately raise suspicion.
A typical pattern
A small business owner who registered their domain name years ago receives an official-looking invoice by post or email warning that their domain is due to expire and must be renewed immediately to avoid losing it, along with a substantially higher renewal fee than they previously paid. The invoice is not from their actual registrar but from an unrelated company that has looked up the domain's public expiry date. Believing the domain is genuinely about to lapse, the owner pays the inflated invoice. Their real registrar sends a separate, legitimate renewal notice weeks later, and the owner realises they paid an unrelated third party for a service their real registrar would have provided directly at a much lower price.
Common red flags
- Renewal notice from a company name that does not match your actual registrar
- Fee significantly higher than your registrar's standard renewal price
- Urgent warning that the domain will be lost within days
- Notice arrives by post or email with no prior relationship to the sender
- Request to click a link or call a number rather than log into your existing registrar account
- Poor print quality or generic formatting inconsistent with a known registrar's branding
Sanitized example messages
Illustrative, sanitized examples. Personal details are replaced with placeholders such as [phone number] and [fake link].
Domain expiration notice: [yourdomain.com] is due to expire on [date]. Renew now for [inflated amount] to avoid losing your domain.
Final notice: your domain registration will lapse unless payment is received within 5 days.
Your hosting plan for [yourdomain.com] requires immediate renewal. Pay [amount] to continue service.
We have been unable to reach you regarding your domain renewal. Please contact us immediately at [number].
Common variations
- Overpriced but functionally real renewal service from an unrelated registrar
- Notice structured to trigger an unauthorised domain transfer if paid or responded to
- Fake hosting renewal notice for a web hosting account rather than the domain itself
- Postal invoice mimicking an official government or registry renewal notice
- Phone call impersonating the real registrar's support line to 'process' a renewal
How to verify before you act
Check the domain's actual registrar by looking up the registration record through a public WHOIS lookup or by logging directly into the account with the registrar where the domain was originally purchased. Compare the sender of any renewal notice against that confirmed registrar name, and never pay or respond to a renewal notice from a company that does not match the domain's actual registrar of record.
Payment methods used
- Card payment to invoice
- Wire transfer
- Cheque
Who is usually targeted
- Small business owners managing their own domain and hosting
- Domain owners nearing a public renewal date
- Non-technical staff responsible for paying business invoices
- Organisations without a dedicated IT department to verify technical notices
What to do immediately
- Do not pay or respond to the notice until you confirm your domain's actual registrar
- Look up the domain through a public WHOIS record to identify the genuine registrar
- Log directly into the account with the confirmed registrar to check the real renewal date and price
- If payment was already sent, contact your card issuer or bank to dispute the charge
- Check whether any transfer request was initiated and contact your real registrar immediately if so
- Report the notice as a scam to your national consumer protection body
How to prevent it
- Confirm the domain's actual registrar through a public WHOIS lookup before responding to any renewal notice
- Renew domains and hosting only by logging directly into the account with the confirmed registrar
- Enable auto-renewal and registrar lock with your genuine registrar to prevent unauthorised transfers
- Treat any renewal notice from an unfamiliar company name as suspicious, regardless of how official it looks
- Compare any requested renewal price against your registrar's known standard pricing
- Keep registrar account contact details current so genuine renewal reminders are received reliably
- Consult a colleague or IT contact before paying an unexpected domain or hosting invoice
Evidence to preserve
- Copy of the renewal notice, letter, or email received
- WHOIS lookup results showing the domain's actual registrar
- Any payment confirmation or receipt if payment was made
- Correspondence with the unrelated company or with your real registrar
- Screenshots of your real registrar account showing actual renewal status
Where to report it
- Action Fraud (UK) — UK national fraud & cybercrime reporting centre
- FTC ReportFraud (US) — US Federal Trade Commission fraud reports
- FBI IC3 (US) — US Internet Crime Complaint Center
- Scamwatch (Australia) — Australian competition & consumer reporting
- Your bank's fraud line — Use the number on the back of your card or in your banking app — never a number the caller gives you
Always verify reporting routes and emergency contacts on the official government or agency website for your country.
Frequently asked questions
How do I find out who my domain's real registrar is?
Use a public WHOIS lookup tool to search your domain name, which will show the registrar of record. Alternatively, log into the account you used when you originally purchased or last renewed the domain.
I already paid an unfamiliar company's renewal invoice — did I lose my domain?
Not necessarily. Check your domain's status through a WHOIS lookup and log into your real registrar account to confirm it is still under their management. If a transfer was initiated, contact your real registrar immediately, as transfers can sometimes be halted or reversed within a limited window.
Is it ever legitimate to renew through a company other than my original registrar?
You can transfer a domain to a different registrar deliberately, but this should only happen through a process you initiate yourself, with full awareness of the transfer, rather than in response to an unsolicited renewal notice from a company you did not choose.