I don’t typically get a lot of mail; all of my major bills and alerts are sent to me via email. The bulk of the physical mail I get is comprised of newsletters, catalogues and mail for people who’ve previously lived at my place. When I received a light beige envelope resembling those the government uses for their notices, I was a little curious. Was the government sending me news that I was eligible for a new tax credit?

Not quite.

The sender’s address was Domain Registry of Canada and it looked very official with an image of a maple leaf next to their address:

[Image: Domain Registry of Canada scam envelope]

One thing stood out to me about my address; I noticed that my last name was misspelled – and not just the usual all-one-word mistake, either.

I opened up the letter and found this:

[Image: Domain Registry of Canada scam letter]

I have to say, I was pretty confused. Why was I getting a domain renewal notice from someone other than my registrar? Why was I being contacted – by mail, no less – about a domain that’s due to be renewed in December of this year? And why oh why was the renewal price $40.00 when the cost is typically around $11?

The domain in question is one I use for testing purposes and one I haven’t used in some time. I wondered how Domain Registry of Canada obtained my mailing address and then I realized my mistake: I likely did not set the WHOIS information on that domain to the privacy settings that I usually do.

A quick search confirmed my suspicions; my forgetfulness had resulted in my information being made public, letting Domain Registry of Canada (and others like them) harvest my address to send me their letters.

I logged into the necessary account and updated the WHOIS information for that domain to ensure that my information was no longer visible. I then visited the Domain Registry of Canada website. (I won’t be linking to them from here so as not to send them any traffic.)

Their website is pretty simple and has the usual pages you would expect a registrar to have – Register a domain, Renew your domain, Search Engine submission, amongst others. With the red colours and Canadian flag as part of their header, I can see why people would think they were an official government site.

I then did a Google search for “Domain Registry of Canada” + “scam” and sure enough, there were several results. Most of them were blog posts and articles from people who had lost money as a result of receiving a letter similar to the one I got today. Other articles outlined the stories of people who lost their websites because they unknowingly transferred the site to Domain Registry of Canada. The Better Business Bureau also had a listing for the registrar and not surprisingly, there have been a number of complaints against the company.

What really made me pause when I first read the letter was that I thought it had to do with the domain for this site – which is, as you can see, .ca. All Canadian domains (.ca) are managed by the Canadian Internet Registration Authority (CIRA). When I received the quasi-official looking envelope, I assumed that it was from CIRA. Of course, that’s what Domain Registry of Canada hoped for, that I would be unsure and make a decision without fully checking things out.

The company itself is a legitimate – albeit a very expensive – registrar. They’re providing services at triple the price they typically are elsewhere. They even included a self-addressed envelope to facilitate the payment reaching them quickly. It was a very thorough and well done direct mail attempt at scamming me.

How can you avoid falling for this type of scam?

  • Online or offline – be vigilant. If you get a notice like this out of the blue, don’t be afraid to question it. If someone else maintains your site, reach out to them to get their opinion.
  • Keep the WHOIS information for your site private. This will ensure that your information isn’t available to be found by companies like this.
  • Keep your domain locked. This will help prevent a company like Domain Registry of Canada from transferring it away from you.
  • Don’t be afraid to do a little research. A quick Google search can help you gauge what kind of company it is.
  • Don’t pay the invoice just because it looks like an official invoice.
  • Remember – an average domain renewal ranges from $11 – $14 depending on the extension. Anything beyond that is suspicious.
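
The WHOIS privacy, domain lock and "is this really my registrar?" checks from the list above can be run against a domain's WHOIS output. The script below is an added example, not something from the original post: the two WHOIS records, the registrar name "Example Registrar, Inc." and the list of privacy markers are constructed assumptions, and real WHOIS output varies by registry.

```python
# Assumed markers that privacy/redaction services put in place of real contact data.
PRIVACY_MARKERS = ("redacted", "privacy", "proxy", "withheld")
CONTACT_FIELDS = ("registrant name", "registrant street", "registrant city",
                  "registrant postal code", "registrant phone", "registrant email")

# Constructed WHOIS records (not real lookups).
EXPOSED = """\
Domain Name: TESTSITE.EXAMPLE
Registrar: Example Registrar, Inc.
Domain Status: ok https://icann.org/epp#ok
Registrant Name: Jane Doe
Registrant Street: 123 Example St
Registrant City: Toronto
Registrant Email: jane@testsite.example
"""
PROTECTED = """\
Domain Name: TESTSITE.EXAMPLE
Registrar: Example Registrar, Inc.
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Registrant Name: REDACTED FOR PRIVACY
Registrant Street: REDACTED FOR PRIVACY
Registrant Email: REDACTED FOR PRIVACY
"""

def parse_whois(text):
    """Collect 'Key: value' lines into {lowercased key: [values]}."""
    record = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and value.strip():
            record.setdefault(key.strip().lower(), []).append(value.strip())
    return record

def audit(text, notice_sender=None):
    """Return a list of findings for one WHOIS record."""
    rec, findings = parse_whois(text), []
    # Status values look like "<EPP code> <URL>"; keep only the code.
    codes = {v.split()[0].lower() for v in rec.get("domain status", [])}
    if not codes & {"clienttransferprohibited", "servertransferprohibited"}:
        findings.append("transfer lock not set")
    # A contact field counts as public if any of its values lacks a privacy marker.
    exposed = [f for f in CONTACT_FIELDS
               if any(not any(m in v.lower() for m in PRIVACY_MARKERS)
                      for v in rec.get(f, []))]
    if exposed:
        findings.append("public registrant data: " + ", ".join(exposed))
    registrar = rec.get("registrar", [""])[0]
    if notice_sender and notice_sender.casefold() != registrar.casefold():
        findings.append(f"notice sender is not the registrar of record ({registrar})")
    return findings

if __name__ == "__main__":
    print(audit(EXPOSED, notice_sender="Domain Registry of Canada"))
    print(audit(PROTECTED))
```

To check a real domain, pass the saved text output of a WHOIS lookup to `audit()` along with the name printed on the notice.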

Got any other tips on how to handle scammers like this online? Leave a comment below or shoot me a message.