web analytics

Watch Out for This Fake ICANN Verification Email Targeting Domain Owners

icann-phishing-email-dns

A new phishing email is making the rounds, and it’s using the ICANN name to scare domain owners into giving up their login credentials. The message claims you must “verify your email within 48 hours” or lose access to DNS services. It looks official enough to fool a lot of people, but the email is a complete fake.

I’ve worked with domain names and security for decades, and this one checks all the boxes for a classic phishing attack. It uses urgency. It pretends to reference ICANN policy. It includes your domain name in the message. And of course, it sends you to a completely different website when you hover over the verification link.

The Email Claims to Come from ICANN—but That’s Your First Red Flag

ICANN does not email registrants directly about DNS suspension, account verification, or login credentials. That type of communication comes from your domain registrar. If a message claims that ICANN will shut down your DNS unless you take immediate action, you can safely assume it’s a scam.

Legitimate verification emails always link back to your registrar’s official website. They don’t use third-party hosting services and they don’t threaten domain disruption as a scare tactic.

Why This Email Was an Obvious Fake in My Case

The attackers sent the message to a public-facing email address that I never use for any accounts. It’s an address meant for general inquiries only. No registrar accounts, hosting accounts, or billing accounts are tied to it. So any attempt to claim it’s associated with a domain registration is an automatic giveaway.

This is why I always recommend using a separate email address for public contact forms and website listings. Keep your registrar login email private. That way, when a phishing attempt lands in your public inbox, you’ll recognize it instantly.

The Link Tells the Whole Story

Hovering over the “Verify Your Email Now” button exposes the scam completely. Instead of pointing to ICANN or your registrar, the link goes to a GoogleAPIs Firebase URL. Attackers love using these temporary hosting platforms to stand up fake login pages. If you click, you’re met with a page that looks like your registrar’s login screen, designed to steal your username and password.

Once attackers get your credentials, they can transfer your domain name out, change DNS records, or lock you out of your own account. It only takes one click.

Why ICANN Would Never Threaten Your DNS Access

ICANN sets global domain name policies, but it doesn’t manage your DNS, your registrar account, or your login verification. ICANN does not email domain owners demanding action. It does not threaten DNS suspension. And it does not run verification programs that require you to click urgent links.

If a message claims otherwise, delete it.

How to Protect Yourself from Attacks Like This

  • Use one private email address exclusively for registrar logins.
  • Use a different public-facing email address for contact forms and website listings.
  • Always hover over links before clicking. Check where they really go.
  • Log in to your registrar directly by typing the URL—never through an emailed link.
  • Turn on two-factor authentication for your registrar account.

If You Receive a Suspicious Email

Don’t click anything. Don’t reply. Instead, log in to your registrar directly and look for notices in your dashboard. If the registrar isn’t warning you about anything, the email you received is simply a phishing attempt.

Domain theft is still a growing issue, and scammers are getting better at mimicking legitimate messages. Staying aware of these tactics—and separating your public and private email addresses—will make it much harder for attackers to fool you.

Scroll to Top