When it comes to choosing a domain name, businesses should always practice patience. Regardless of how carefully businesses approach the topic, however, most will eventually change domains or abandon old domains from previous ventures. While it seems like a benign decision, this is when domain name security issues arise. Failure to secure the “old” domain can put your business’s digital assets at risk.
How Domain Name Security Issues Arise
A domain name can mean everything to a business, but many different scenarios could necessitate a domain name change. These scenarios can include anything from a company merger, refocus, or simply a better idea coming along. While it may seem harmless at first to let your ownership of the old domain lapse, if not protected, these recently expired domains hold vital private information that can be used to access your business’s digital records from the inside.
Recently Expired Domain Names: What’s at Risk
One of the major domain name security issues that can result from allowing a prior domain to expire or lapse is access to any email address that uses the expired or dropped domain name. The purchaser of your old domain name gains control of every email address on that domain and can set up the same addresses you used. This would allow them to receive emails sent to those addresses. In other words, the new domain owner has an open door to intercept emails sent to your prior email addresses.
Beyond access to emails, the new owner of your old domain may also gain access to private information tied to the old domain. For example, employees often register other professional or personal online accounts using their work email. The new owner of your former domain could potentially gain access to those accounts as well.
Capturing and recording pertinent business information for competition or long-term data gathering are not the only possible risks. Your former domain might be purchased by someone who then uses it for spammy advertising or link-building. Or, in a worst-case scenario, the new domain owner could impersonate your business, potentially ruining your reputation while taking advantage of consumer trust.
How Domain Names Become Points of Entry
Domain names can be captured without doing anything illegal if owners fail to properly protect themselves from domain name security issues. Anyone can simply purchase an expired domain, a process called domain drop catching or domain sniping. Contracts for domain ownership run between one and ten years. When an owner allows a contract to run out on a claimed domain, the domain name often goes right back to the marketplace for sale. With some clever maneuvering, anyone who purchases the remarketed domain name can capture important private data and cause mischievous or intentional damage.
Even worse, domain snipers don’t actually have to do the planning and research themselves for recently expired domain names. They can even claim them in advance via bid or software. Reputable domain name registrars offer domain sniping as a service. For example, popular domain registrar GoDaddy.com offers a claim on expiring domain names in advance of a lapse in ownership, a service it calls a domain backorder. If a domain backorder is contested, GoDaddy puts the domain name up for auction to the highest bidder. Along with this, other less reputable sites also track potentially valuable and expiring domain names via an online expired domain list, placing them up for public auction with a countdown timer for the owner’s contract term.
Attackers can also use illegal means to cause domain name security issues by hacking the email used to register the domain and then changing all information and transferring it to themselves. From here, hackers can use a domain in many damaging ways, most directly by redirecting traffic from the stolen domain to dangerous sites for purposes like phishing or counterfeiting. One entrepreneur experienced this exact domain security issue in 2015, losing all access to their online marketing platform. While the entrepreneur eventually recaptured the domain through a lengthy court process, extensive damage had already been done.
How to Defend Against Domain Sniping
Given the apparent legality of domain sniping and the resulting access to information, defending against domain sniping is entirely about prevention. After a domain is captured, there is little a business can do to protect itself from further damage if the attacker obtained the domain through legal channels. In fact, one freelance writer learned about domain sniping the hard way when someone hijacked a Google business apps account. Even contacting Google directly to prove domain ownership and verify his private information wasn’t enough to stop the domain sniper. As the legitimate owner of the domain, the sniper was able to request all personal information connected to the prior owner’s business simply by proving active domain ownership.
How to Prevent Domain Name Security Issues
To prevent domain sniping, businesses need to track the domains they purchase and renew ownership. If a business prefers to relinquish ownership of a domain, it should strip the expiring or lapsing domain of all personal information.
While this practice protects businesses from domain name security issues on the legal side, another practice must be used to protect businesses from potential cyber criminals. This practice is to separate domain registering emails from private business activity. Simply put, if a business isn’t willing to directly publish information connected to a domain registering email, that information should be kept away from said email address.
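The tracking described above can be automated. The following is an added example, not part of the original article: it audits a domain inventory for renewals about to lapse, for kept domains whose registrar contact email sits on a domain that is leaving your control, and for accounts still registered to such a domain. All domain names, dates, field names and the 60-day window are constructed assumptions.

```python
from datetime import date

# Constructed sample data: domain names, dates and field names are assumptions.
INVENTORY = [
    {"domain": "newbrand.example", "expires": date(2026, 3, 1), "auto_renew": True,
     "registrant_email": "hostmaster@oldbrand.example", "retire": False},
    {"domain": "oldbrand.example", "expires": date(2025, 7, 10), "auto_renew": False,
     "registrant_email": "it@oldbrand.example", "retire": True},
    {"domain": "campaign.example", "expires": date(2025, 6, 20), "auto_renew": False,
     "registrant_email": "domains@registrar-contact.example", "retire": False},
]
# Constructed list of (service, login email) pairs collected from staff.
ACCOUNTS = [("payroll-portal", "hr@mail.oldbrand.example"),
            ("ad-platform", "marketing@newbrand.example")]


def email_zone(address, zones):
    """Return the zone from `zones` that hosts this address, or None."""
    host = address.rsplit("@", 1)[1].lower()
    for zone in zones:
        if host == zone or host.endswith("." + zone):
            return zone
    return None


def audit(inventory, accounts, today, warn_days=60):
    """Return (kind, subject, reason) findings, in a stable order."""
    findings, leaving = [], set()
    for d in inventory:
        days_left = (d["expires"] - today).days
        lapsing = not d["auto_renew"] and days_left <= warn_days
        if d["retire"] or lapsing:
            leaving.add(d["domain"])  # mail for this zone will stop being ours
        if lapsing and not d["retire"]:
            findings.append(("RENEW", d["domain"],
                             f"expires in {days_left} days with auto-renew off"))
    for d in inventory:
        zone = email_zone(d["registrant_email"], leaving)
        if zone and not d["retire"]:
            findings.append(("REGISTRANT", d["domain"],
                             f"registrar contact is on {zone}"))
    for service, login in accounts:
        zone = email_zone(login, leaving)
        if zone:
            findings.append(("ACCOUNT", service, f"login email is on {zone}"))
    return findings


if __name__ == "__main__":
    for finding in audit(INVENTORY, ACCOUNTS, today=date(2025, 6, 1)):
        print(*finding, sep=" | ")
```

Every REGISTRANT and ACCOUNT finding should be moved to an address on a domain you are keeping before the old domain is released.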
When businesses practice proper domain security techniques, they can avoid crippling financial and reputational damage. It all comes down to awareness, understanding, and prevention of one of the most volatile areas of cyber attack, and one where the attacker’s actions may be entirely legal.