Securing your domain registrar account requires enabling two-factor authentication (2FA), activating domain lock at the registrar level, and implementing registry lock at the domain registry. These three foundational controls stop the vast majority of domain hijacking attempts, where attackers either compromise your registrar login credentials or social engineer registrar support staff into transferring your domain. A single compromised registrar account grants an attacker the ability to redirect your website traffic, intercept your email, and lock you out of your own domain—consequences that can persist for weeks or months even after you regain control. The threat is not theoretical.
Approximately 1.5 million malicious domains were registered during the first five months of 2026, and the top four registrars handled more than one-third of attacker-created domains. The FBI’s Internet Crime Complaint Center reported U.S. cybercrime losses reached $20.9 billion in 2025, with domain hijacking sitting at the intersection of business email compromise and account takeover schemes. Small businesses have become increasingly attractive targets because they typically lack the security infrastructure of larger enterprises.
Table of Contents
- WHY TWO-FACTOR AUTHENTICATION IS YOUR FIRST LINE OF DEFENSE
- UNDERSTANDING HOW ATTACKERS HIJACK DOMAINS AT THE REGISTRAR LEVEL
- DOMAIN LOCK AND REGISTRY LOCK—LAYERED PROTECTION AT TWO LEVELS
- WHOIS PRIVACY AND CONTACT INFORMATION—VISIBILITY AND VULNERABILITY
- AUTHENTICATING YOUR DOMAIN WITH SPF, DKIM, AND DMARC RECORDS
- DNSSEC—PREVENTING DNS SPOOFING AND REDIRECTION ATTACKS
- REAL-WORLD ATTACK PATHS AND HOW DEFENSE-IN-DEPTH STOPS THEM
WHY TWO-FACTOR AUTHENTICATION IS YOUR FIRST LINE OF DEFENSE
Two-factor authentication reduces account compromise by 99.9%—making it the single most effective security measure available to domain registrar account holders. In late July 2022, Verisign mandated that its 2,000+ accredited registrars provide time-based one-time password (TOTP) authentication to log into registrar account portals. If your registrar claims it does not yet support 2FA, that registrar is operating outside Verisign’s requirements and you should consider switching to a compliant alternative. Not all 2FA methods are equal.
Hardware security keys using U2F or FIDO2 standards provide the strongest protection because they are resistant to phishing and SIM swapping attacks. Authenticator apps (like Google Authenticator or Authy) are more secure than SMS-based one-time passwords, which can be intercepted through SIM swap attacks—where an attacker convinces your mobile carrier to transfer your phone number to a device they control. If your registrar offers only SMS 2FA, enable it, but prioritize migrating to an authenticator app or hardware key if available. The difference between these methods is meaningful: a criminal with your password but without access to your authenticator app is still locked out of your account. A criminal with your password and a cloned SIM may gain full access within minutes.
UNDERSTANDING HOW ATTACKERS HIJACK DOMAINS AT THE REGISTRAR LEVEL
Attackers exploit the human element by forging identity documents and impersonating domain owners to convince registrars to transfer domain control or modify account settings without ever needing your password. This social engineering attack is particularly effective against registrars with weak verification procedures or understaffed support teams who process requests quickly without thorough identity checks. When attackers successfully control your registrar account, they alter DNS records—including NS (nameserver), MX (mail exchange), A (address), and CNAME (canonical name) records—to redirect your domain traffic to malicious servers they control. The scope of damage from a compromised registrar account extends beyond simple redirection.
Attackers can roll back DNSSEC (Domain Name System Security Extensions) keys and remove DNSSEC protection entirely, exposing your domain to DNS spoofing attacks. They can change your domain’s registrant contact information, making it appear that someone else legally owns your domain. They can set your domain to auto-renew and then ignore renewal notices, creating an opening to let the domain expire and re-register it themselves. The longer an attacker maintains control before detection, the more damage they can cause to your reputation, your users’ trust, and your ability to conduct business.
DOMAIN LOCK AND REGISTRY LOCK—LAYERED PROTECTION AT TWO LEVELS
Domain lock is a registrar-level control that prevents unauthorized transfers of your domain to another registrar. Even if an attacker compromises your registrar account, domain lock blocks them from initiating the transfer process. However, domain lock alone is insufficient because a compromised registrar account holder can still modify DNS records, change contact information, and perform other destructive actions without initiating a transfer. Registry lock provides an additional layer of protection by adding security controls at the domain registry level itself—the central authority that manages all domains within a top-level domain (TLD) like .com or .org.
When registry lock is enabled, changes to your domain’s registrant information, nameservers, and DNSSEC settings all require additional verification steps outside of your registrar’s normal interface. An attacker with control of your registrar account cannot unilaterally change your nameservers if registry lock is active. The tradeoff is administrative friction: legitimate changes to your domain’s DNS configuration may require contacting the registry directly or waiting for additional verification, making routine maintenance slightly slower. Most security-conscious organizations consider this a worthwhile tradeoff given the cost of domain recovery after a hijacking.
WHOIS PRIVACY AND CONTACT INFORMATION—VISIBILITY AND VULNERABILITY
WHOIS privacy protection hides your personal or business details from the public WHOIS database, making you a less attractive target for attackers conducting reconnaissance. Without WHOIS privacy, anyone can look up your domain and discover your name, mailing address, phone number, and email address—information that attackers can use to forge identity documents, impersonate you to your registrar, or conduct targeted phishing attacks against you or your organization. Enabling WHOIS privacy is a low-friction security improvement available from virtually every registrar and costs only a few dollars per year.
Paradoxically, while WHOIS privacy protects you from reconnaissance, you must maintain current and accurate contact information in your registrar account’s private records—the information that is hidden from public view but visible to the registrar. Your registrar uses this contact information to send renewal reminders, security alerts, and verification emails. If your contact information is outdated, you will not receive warnings when someone attempts to access or modify your account, and you may miss renewal deadlines that create opportunities for hijacking. A practical approach is to use WHOIS privacy to obscure your information from public view while ensuring your registrar has an email address and phone number that you actively monitor.
AUTHENTICATING YOUR DOMAIN WITH SPF, DKIM, AND DMARC RECORDS
Beyond registrar account security, your domain’s email authentication infrastructure must be hardened to prevent email spoofing and account takeover attacks. SPF (Sender Policy Framework) records tell receiving mail servers which IP addresses are authorized to send email on behalf of your domain. DKIM (DomainKeys Identified Mail) adds a cryptographic signature to outgoing emails to verify they originated from your domain. DMARC (Domain-based Message Authentication, Reporting, and Conformance) ties together SPF and DKIM, specifying what receiving servers should do with emails that fail authentication checks. These three email authentication methods do not protect your registrar account itself, but they protect your domain from being weaponized by attackers.
When an attacker hijacks your domain and modifies your MX records to redirect email to their own mail servers, SPF/DKIM/DMARC records help prevent them from sending emails that appear to come from your domain and fooling your users, partners, or employees. Configure your SPF record to list only the mail servers you actually use. Configure DKIM signing on all outgoing mail servers. Set your DMARC policy to reject emails that fail authentication rather than simply flagging them as suspicious. These configurations take one to two hours to implement correctly and eliminate entire categories of abuse that would otherwise follow a domain hijacking.
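A small checker for the two configuration rules above (a tight SPF record ending in `-all`, and a DMARC policy of `p=reject`), added here as an example and not code from the original article; the zone names and TXT records are constructed, and a real audit would fetch them with a DNS lookup instead of reading the dictionary.

```python
import re

# Constructed sample TXT records for two hypothetical zones (not from the page).
SAMPLE_TXT = {
    "good.example": "v=spf1 ip4:192.0.2.10 include:_spf.mail.example -all",
    "_dmarc.good.example": "v=DMARC1; p=reject; rua=mailto:dmarc@good.example",
    "weak.example": "v=spf1 a mx include:_spf.mail.example ~all",
    "_dmarc.weak.example": "v=DMARC1; p=none; pct=50",
}
# SPF terms that cost a DNS lookup; RFC 7208 caps a record at 10 of them.
LOOKUP_TERM = re.compile(r"^[+\-~?]?(include|a|mx|ptr|exists)(:|/|$)|^redirect=", re.I)

def check_spf(txt):
    """Return the weaknesses found in one SPF TXT record (empty list = hardened)."""
    terms = txt.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record"]
    findings = []
    all_term = next((t for t in terms[1:] if t.lower().lstrip("+-~?") == "all"), None)
    if all_term is None:
        findings.append("no 'all' mechanism: unlisted senders get a neutral result")
    else:
        qual = all_term[0] if all_term[0] in "+-~?" else "+"
        if qual == "+":
            findings.append("'+all' authorizes every host on the internet to send as you")
        elif qual in "?~":
            findings.append(f"'{qual}all' does not hard-fail unlisted senders; use -all")
    if sum(1 for t in terms[1:] if LOOKUP_TERM.match(t)) > 10:
        findings.append("more than 10 DNS-lookup terms: receivers return permerror")
    return findings

def check_dmarc(txt):
    """Return the weaknesses found in one DMARC TXT record (empty list = hardened)."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy != "reject":
        findings.append(f"p={policy or '(missing)'}: only p=reject blocks spoofed mail outright")
    if "rua" not in tags:
        findings.append("no rua= address: you will receive no aggregate reports")
    if tags.get("pct", "100") != "100":
        findings.append(f"pct={tags['pct']}: policy applied to only part of failing mail")
    return findings
```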
DNSSEC—PREVENTING DNS SPOOFING AND REDIRECTION ATTACKS
DNSSEC adds a cryptographic verification layer to DNS records, preventing attackers from redirecting your domain’s DNS lookups to fraudulent servers even if they compromise DNS servers or intercept DNS traffic on the network. When DNSSEC is enabled, authoritative DNS servers sign your domain’s records with a private key, and recursive resolvers verify those signatures using the corresponding public key. If an attacker modifies your DNS records without the correct cryptographic signature, clients using DNSSEC-validating resolvers will reject those records as invalid. Enabling DNSSEC requires coordinating between your registrar and your DNS hosting provider.
Your DNS hosting provider generates DNSSEC keys and signs your zone file. You then add the corresponding public key (the Delegation Signer or DS record) to your domain at your registrar. This configuration is permanent once enabled, meaning an attacker with a compromised registrar account cannot remove DNSSEC protection without additional authentication. The limitation is that DNSSEC adoption remains incomplete: not all recursive resolvers validate DNSSEC signatures, and misconfigured DNSSEC can break email delivery or web access if your DNS provider makes errors during key rotation.
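To see what the DS record you hand to the registrar actually contains, here is the RFC 4034 computation (key tag over the DNSKEY RDATA, digest over owner name plus RDATA) with a check that a published DS still matches the zone's DNSKEY. This is an added example, not code from the article or from any DNS provider; the owner name and the 4-byte "public key" are constructed so the key tag (2068) can be verified by hand.

```python
import base64
import hashlib
import struct

def name_to_wire(name):
    """Encode an owner name in DNS wire format, lower-cased (RFC 4034 canonical form)."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def dnskey_rdata(flags, protocol, algorithm, pubkey):
    """Serialize DNSKEY RDATA: flags(2) | protocol(1) | algorithm(1) | public key bytes."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey

def key_tag(rdata):
    """Key tag per RFC 4034 Appendix B (valid for every algorithm except 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def make_ds(owner, flags, protocol, algorithm, pubkey_b64, digest_type=2):
    """Build the DS tuple (key tag, algorithm, digest type, hex digest) for a DNSKEY."""
    pubkey = base64.b64decode(pubkey_b64)
    rdata = dnskey_rdata(flags, protocol, algorithm, pubkey)
    hasher = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}[digest_type]
    digest = hasher(name_to_wire(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), algorithm, digest_type, digest

def ds_matches(owner, flags, protocol, algorithm, pubkey_b64, ds):
    """True if the DS published at the registrar matches the zone's DNSKEY."""
    return make_ds(owner, flags, protocol, algorithm, pubkey_b64, ds[2]) == tuple(ds)

# Constructed example: a KSK (flags 257, protocol 3, algorithm 13) for a
# hypothetical zone with a fake 4-byte key so the key tag (2068) is checkable.
EXAMPLE_OWNER = "example.test."
EXAMPLE_KEY_B64 = base64.b64encode(b"\x01\x02\x03\x04").decode()

if __name__ == "__main__":
    ds = make_ds(EXAMPLE_OWNER, 257, 3, 13, EXAMPLE_KEY_B64)
    print("DS record:", *ds)
```

After a key rollover at your DNS provider, run the same check against the new DNSKEY before and after updating the DS at the registrar; a mismatch at either point is the misconfiguration the paragraph above warns about.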
REAL-WORLD ATTACK PATHS AND HOW DEFENSE-IN-DEPTH STOPS THEM
Attackers typically follow one of two attack paths. The first is credential compromise: they obtain your registrar password through phishing, password reuse, or a data breach, then use it to log into your account and modify DNS records. 2FA stops this attack immediately—the attacker has your password but cannot access your account without your second factor. The second attack path is social engineering: they contact your registrar’s support team, forge identity documents claiming to be you, and request that support staff transfer your domain or reset your account password. Domain lock and registry lock stop this attack by requiring additional verification steps that exist outside of the social engineering interaction itself.
A practical example: in 2025, attackers targeted a mid-sized e-commerce business by calling the registrar’s support line, providing forged identity documents, and claiming they had lost access to their registrar account. Because the domain lacked registry lock, the attacker was able to change the domain’s nameservers to point to malicious DNS servers controlled by the attacker. For three hours, users attempting to reach the business’s website were redirected to a phishing page that harvested credentials. If the business had enabled registry lock, the registrar’s support staff would have been unable to approve the nameserver change without contacting the registry’s verification team—an additional step that would have required credentials or authorization the attacker did not possess. The business recovered its domain after contacting the registrar, but the downtime cost them thousands of dollars in lost sales and required significant effort to notify affected customers about the credential compromise.