Beware fake domain invoices

Thu, 15/03/2018 - 12:00 -- James Oakley
A fake invoice received by email

There are many scams doing the rounds. People must fall for them often enough to make it worth the criminals' time to keep trying. Here's one which you'll likely meet if you ever register a domain name. If you've just registered your first domain name, there's a risk that your lack of experience will make you vulnerable to panic and respond. So I'll post this to unpick how this works, and to put your mind at ease that you can safely ignore these emails.

The Email

So, one day you receive an email. It concerns a domain name that you've either just registered or that will shortly expire (if it's not renewed).

Here's what it looks like:

A fake domain invoice

What do you do?

Answer: Nothing. Delete the email. Do not reply or respond in any way. Do not pass Go. Don't waste any further time on it. Here are 8 reasons why

1. It's not from someone you know

The email is deliberately worded to sound like you already have an agreement with this company, and it's about to expire. The URGENT reminder that they have NOT received payment and you can pay NOW using a SECURE method are all the way through. You need to respond quickly, or you'll lose this valuable service.

In fact, this is not somebody you've ever had dealings with. The email is purely speculative. In fact, if you go to their website (we'll get to that) the $67 price is precisely what they'd charge someone who signs up with them for the very first time, which is in fact what you'd be doing if you went to pay. The language of pending cancellation is misleading you into thinking you have a prior arrangement.

In particular, this is not an email from your domain registrar, which is the next point.

2. This is not to do with your domain's registration

In particular, this email is not from the company you registered your domain with.

In my experience, if I register a new domain and don't use the "whois privacy" option, I will get an email like this in under a week. The people behind it must crawl directories of newly registered domains, and then send an email as soon as possible after registration.

The timing of that is designed to make you associate the email with the fact you just registered the domain. There is a connection. But the connection is someone deliberately exploiting the fact your brain might make the wrong link; the link is not that the email came from the registrar you used.

If you, subconsciously, associate this email with your domain registrar, you might be tempted to think that this is some vital extra service being offered by your registrar, provided you respond within a week of registration. In fact, you're just being deliberately dazzled into making that association.

But we can be more specific. Let's combined the two points just made. 1. The email is trying to trick you into thinking it's associated with your domain registrar. 2. The email is trying to trick you into thinking an existing service is about to be cancelled. Put those together. What service might be at risk of cancellation?

3. It confuses domain registration with SEO services

Why, you might be at risk of having your domain registration cancelled. What else could it be?

Making you think your domain could be at risk is a great way to induce fear. And fear induces panic. And panic makes you click the "pay now" link, because the inconvenience if you did lose the domain makes it worth ensuring this does not happen.

Now, the people behind this know that they will lose credit card chargebacks if they go too far on this one. So they've covered themselves.

We do not register or renew domain names. We sell traffic generator software.


We are a search engine optimization company. We do not register or renew domain names. We sell traffic generator software.

But by making you think this comes from your registrar, and that an existing service will also be cancelled, they are making you fear for your domain without actually saying as much.

Also note that "pending cancellation" sounds very like "pending deletion", which is the status a domain goes into between expiry and being made available for someone else to use.

4. SEO services don't work

What they're actually selling are "SEO Services". At best, these are a waste of money. At worst, they make your website harder to find on the internet.

There are businesses out there that do a genuine job at advising you on how to help visitors find your website in the crowded space of search engine results. The main thing you need to do is write good, fresh content, that is the kind of material people will want to read. Search engines attract customers when they succeed at sending people to the sites they were looking for, so they reward sites that have good, genuine information on them.

There are many more bad businesses who claim to help with this. Typically what they do is stuff links to your site in other people's comment sections, or on discussion forums, or they run botnets to trigger artificial traffic. This is an endless game of cat and mouse, but the search engines don't want to send people to sites that attempt to make themselves look more connected than they really are. In the short term, it may work. But in the long term, they'll uncover the tricks that have been used to boost your website, and penalise your site for trying to game the system.

That's why it does more harm than good. The reason they are a waste of money is that the threat in the email is totally false.

Failure to complete this order by 02/10/2018 . may result in the cancellation of this offer (making it difficult for your customers to locate you, using search engines on the web)

That's a load of rubbish. You can submit your website and its pages for free to all the major search engines. You will not be difficult to locate because you don't use these fake "SEO" services.

5. They're a fake business

If you visit any of their many websites, you'll find they call themselves Trendy Media Inc. The address given is 1451 W Cypress Creek Road, Suite 300, Ft. Lauderdale, FL 33309. A nice, respectable, US mailing address. Florida. That makes you feel like you're dealing with a genuine business.

You're not. It's what's called a "virtual office address". A US company runs a business that lets someone register a business, in this case in Florida, by providing them a mailing address they can use. There's nothing wrong with that, and doesn't automatically mean you're dealing with a fraudulent company. It does mean you don't know who you're dealing with because they've chosen to hide. They don't have to use their actual details on the business registration documents. And they get a respectable address to give out as their official location. The company formations service will then forward either all postal mail, or all mail from official agencies, to the actual location.

Which means they could be anywhere in the world (not just anywhere in the United States).

In this case, the domain they used to collect your "secure payment" is domainaim.win. It's registered to an email address that (at the time of writing) has been used to register 152,393 domains! Phew!

Where is that domain's registrant based? Not Florida, but China!

Registrant Name: liwenming
Registrant Organization: liwenming
Registrant Street: tongrenshidejiangxianqinglongzhengyuxilu196fu3hao
Registrant City: TongRenShi
Registrant State/Province: BJ
Registrant Postal Code: 565200
Registrant Country: CN
Registrant Phone: +86.18675428226
Registrant Fax: +86.18675428226
Registrant Email: kefu@now.cn

That address doesn't look like a postcard would actually reach them, does it? If you visit domainaim.win, you're redirected to godomainseolifter.org.

Registrant Name: dong xiao yong
Registrant Organization: dong xiao yong
Registrant Street: xiangzhouqucuixiangjiedao9322hao
Registrant City: ZhuHai
Registrant State/Province: GD
Registrant Postal Code: 519000
Registrant Country: CN
Registrant Phone: +86.75633417485
Registrant Fax: +86.75633417485
Registrant Email: quentinatorres522@mail.com

Also in China. A different address. Equally incomplete.

There is an organisation in the US called the Better Business Bureau. They exist to encourage businesses to work with best business practices, and to serve their customers. US-registered businesses can register with them, and members of the public can leave positive or negative feedback, to encourage the company to up their game.

The entry for Trendy Media Inc has an "F" rating, the lowest possible to achieve. They've received 6 negative reviews and no positive ones. Two complaints have been filed. The low score is largely because they have not responded or addressed the complaints.

This is a fake business, that presents itself as being a respectable US corporation, whilst in fact being located in China. The addresses we can find out are probably fake, and they further hide by using tens of thousands of different domains. Avoid!

6. They used harvested data

In these days of the General Data Protection Regulation, your instinct should be to ask where this company got your email address, and who gave them permission to contact you.

They got your email address from the public whois entry for your domain. The whois database exists so that people can look up who is behind a domain name that you might visit online. They used that data to look you up, and then get in contact. In fact, anyone who accesses it agrees to the terms of use. These include the following section:

You are specifically prohibited from using the Whois Service (i) as part of a commercial service or product, including the solicitation and servicing of your, or your employer's, customers, even if additional data not derived from the Whois Service is incorporated or (ii) for advertising, direct marketing, marketing research or similar purposes.

So their email goes against the explicit terms that apply to the whois data.

Quite apart from the legality of that, consider their ethics. If a company is going to ignore the terms for using the whois database, they cannot be trusted to honour any other agreement that someone may enter into with them. If someone pays them $67, they may get the services they've paid for (which may not be what they think they've paid for), but I wouldn't trust them even to that.

7. This is technically spam

The footer of the email says this:

This message is CAN-SPAM compliant. … This message contains promotional material strictly along the guidelines of the CAN-SPAM act of 2003. We have distinctly mentioned the source mail-id of this email and also disclosed our subject lines. They are in no way misleading.

So, they quote some US legislation governing the sending of bulk email, and make the claim that this is compliant with that.

What CAN-SPAM does is legislate how someone may send spam within the laws of the United States. So they may technically be correct that this is legal spam, but it remains spam. There are various dictionary definitions of spam, but they almost universally revolve around email being unsolicited. Here's the Oxford English Dictionary:

1. Irrelevant or unsolicited messages sent over the Internet, typically to a large number of users, for the purposes of advertising, phishing, spreading malware, etc.

2. trademark A tinned meat product made mainly from ham.

Their email may be compliant with the law that lets them send spam, but it is spam nonetheless. Spam is a huge nuisance on the internet. Personally, no matter how attractive the offer, I would never buy from someone I learnt of because I received their spam. Again, I simply don't trust them.

(And, for what it's worth, I wouldn't click the link to unsubscribe. There are two things they'll do in response. 1. Stop sending any further messages to that email address from any of their associated businesses, within 10 days as required. 2. Conclude that your email address is real and reaches someone who reads the message, and crank up their sending accordingly. I've no idea which applies. I don't intend to find out.)

8. Unable to respond to messages sent to this address

That's the final line of the email:

Please do not reply to this email, as we are not able to respond to messages sent to this address.

Too right they aren't.

Sometimes businesses put that because they use an address only for outgoing email. They want you to use official channels to contact them, that creates an entry in their helpdesk system so they can keep track of all requests.

In this case, they aren't able to respond because it wasn't sent from their address. I won't even paste the domain name that the email came from, as I've looked it up and I'm convinced it's an innocent third party. They picked another domain name at random, made up an email address on it, and sent their email from there.

Which means the poor owner of that domain will receive any bounce messages for when these fake emails don't get through. Charming.

Don't collect £100

There are 8 reasons to do nothing. If you respond, you won't collect £100 from your newly popular website. You'll only lose the money you pay them. And get more spam as a way to say thank you.

So don't pass "Go!". Just move on, and don't feel at all fazed to ignore this urgent final cancellation notice.

Blog Category: 

Add new comment

Additional Terms