Domain Watch-ing for phishers

16th May 2019

Eleanor Bradley

Eleanor Bradley
MD Registry Solutions

In just a few years, phishing has moved from an odd tech term to something we are all familiar with and wary of. Unfortunately, that familiarity is largely the product of pain: in the first half of 2018, over £500m was stolen from UK banking customers, some of which was swiped via phishing scams. Corporate attacks are rife too, with 83% of global cyber security professionals admitting to having experienced phishing attacks in 2018, up from 70% in 2017.

Some of the phishing emails you may have spotted in the last year include GDPR-related mail, fake bank verification requests, or too-good-to-be-true emails about World Cup tickets. There has also been a rise in phishing via text, with a recent warning of a hoax message from ‘InfoHM’, with a phisher posing as HM Revenues and Customs and luring people to fill in a form to claim a tax rebate. And while there is much reporting of phishing scams and the cost, not enough is said about the progress being made to reduce incidence of phishing across the UK internet namespace.

At the National Cyber Security Centre’s (NCSC) recent CyberUK 2019 event, Jeremy Fleming, Director of GCHQ, highlighted in his speech how the UK is making great strides to clamp down on would-be phishers. “In 2016, HMRC was the 16th most phished brand globally, accounting for 1.25% of all phishing emails sent,” he said. “Today, it is ranked 146th and accounts for less than 0.1% of all phishing emails.”

Such dramatic reduction is due to a range of campaigns by various parties, one of which is Nominet’s Domain Watch. This anti-phishing initiative was introduced in July 2018 with an aim to further increase the security of the .UK domain zone and protect end users from malicious phishing activity by looking to suspend domains at the point of registration.

By using a mixture of automated and manual processes, Domain Watch identifies which domains are likely to be used for phishing. Those that reach a score threshold via our algorithm are reviewed manually and the registrations may be put on hold. The registrant is informed and invited to validate their request, at which point the criminals disappear and the legitimate registrant will prove their authenticity and we can allow the domain to be registered. A benefit of Domain Watch is that the business impact is minimal, as the domains are only just being created so suspending them initially causes little to no disruption for a legitimate business or user. My colleague Cath Goulding, our CISO, wrote more about this in her blog on The Endless Challenge of Cyber Security in November.

The initiative has been successful and, since its launch, Domain Watch has suspended 475 domains intended for phishing. Our reports show that 150 of these were targeting the public sector including, ‘’, ‘’, and ‘’. There were also 139 domains suspended that targeted the private sector, often targeting brands such as Amazon, Google and Microsoft. The scheme has also suspended 186 domains targeting the financial services sector, such as Metro Bank, HSBC or PayPal.

Domain Watch is just one of the ways in which Nominet works constantly to keep the .UK domain safe and secure, with all our processes being reviewed and refined as threats and technologies evolve. Another cornerstone of our work is working with law enforcement to suspend domains that are being used for criminal activity, such as sites selling counterfeits. The collaborative efforts are proving successful, and our most recent criminality figures reported that we suspended 32,000 domains being used for criminal activity in the year October 2017 to November 2018.

This was a doubling of the previous years’ suspensions, which had been a double compared to the figures of the year before that. Such a distinctive upward trend in suspensions shows not only that criminals continue to seek the .UK domain as a place for their pernicious activity, but also that our processes in identifying and suspending them is strengthening year on year.

Brand protection is something we also consider, aware that many businesses trade on the .UK Domain, and this informs any decisions we make about the namespace. For example, a number of years ago we decided to open up .uk to registrations at the second level – e.g. – in addition to existing third level names available, such as and However, to give brands and businesses time to secure their equivalent second level domain if they wanted it before general availability, we reserved the right to corresponding second level domains for certain third level domain name holders for a period of five years. This period is soon to come to an end, after which any reserved domains that have not been registered will be available to all. Find out more about this in our blog.

It is understandable that people are alarmed by the news of cyber breaches and threats, and the proliferation of scams and ‘fake news’ across the internet, but there are so many reasons to feel confident that our country’s internet namespace is monitored and protected robustly, by some of the top talent across the cyber security sector. Nominet’s work in this area, in addition to the many others across the country, supports the national aims to ‘make the UK the safest place to do business online’ and will help to reinforce our position as a Cyber Power, as outlined by GCHQ at the recent CyberUK.

In his speech, Jeremy Fleming listed three ways to maintain Cyber Power status, the first of which was ‘securing the digital homeland’. This is something that Nominet is proud to contribute to, and Domain Watch is just one of the pieces of the puzzle in our work to combat cyber criminals for the health of .UK domain and the safety of the people, businesses and organisations that rely on it every day.

Find out more about our work keeping the .UK domain secure on our website, or read more about Nominet’s cyber security services.