Businesses are increasingly receiving emails that claim an outside party is attempting to register a domain name that conflicts with their company name or trademark. These messages typically state that a registrar has received an application for a domain in a foreign top-level domain, often a .cn address, that matches the recipient’s brand. The sender then asks the recipient to confirm whether the registration is legitimate and warns that failure to act quickly could result in the loss of trademark rights. The goal is to create a sense of urgency so the recipient responds before verifying the claim.
The emails are written to appear professional and usually come from a fabricated network service provider or domain registration office. The messages are often addressed to executives, founders or legal departments to enhance the appearance of legitimacy. The sender may reference trademark protections or intellectual property guidelines to increase pressure. In many cases, the fraudster claims that the requesting party is attempting to purchase multiple domains using the company’s name, which is intended to make the threat seem more credible. However, investigation consistently shows that no such registration attempt exists and that the message comes from a fraudulent source.
Once a recipient engages, the fraudsters introduce the next stage of the scheme. They may suggest that the company should register defensive domains immediately to block the supposed applicant. These domains are typically sold at several times their true value and are often unnecessary. In other versions of the scam, the attacker registers the domain at standard cost and then attempts to resell it at an inflated price. The fraudster may frame this as a protective measure even though the threat was invented. Some victims are encouraged to purchase multiple domains that bear no strategic value to their business, resulting in recurring fees and unwanted contracts.
Financial gain is not the only objective of these operations. Initial engagement can lead to broader fraud attempts. Once contact is established, the scammer may request sensitive information, such as corporate contacts or administrative details, which can be used for future phishing. Some messages contain attachments or links that can install malware if opened. In these cases, the email acts as an entry point for identity theft or system compromise. Investigators report that attackers often use similar templates across regions and industries, which indicates a coordinated effort rather than isolated incidents.
The messages rely heavily on urgency and fear of losing intellectual property. The wording often implies that action must be taken within a short timeframe. They may also reference international regulations to intimidate the recipient. None of these warnings holds up to scrutiny because trademark and domain disputes follow regulated procedures and cannot be resolved through unsolicited email requests. Legitimate registrars do not pressure companies to register domains through unverified channels. Researchers say the consistent structure of these messages shows that the objective is to coerce a quick payment before the target confirms the facts.
An example of one of these emails is below:
Subject: –
– domain and keyword in CN
Dear Manager,
(If you are not the person who in charge of this, please forward this to your CEO, because this is urgent.Thanks)
We are a Network Service Company which is the domain name registration center in Shanghai, China. On June 17, 2024, we received an application from Shunkai Holdings Ltd requested “ – ” as their internet keyword and China (CN) domain names( -.cn/ -.com.cn/-.net.cn/ -.org.cn). After checking it, we find this name conflict with your company name or trademark. In order to deal with this matter better, it’s necessary to send an email to you and confirm whether this chinese company is your distributor or not?Best Regards
Wilson
============================
Mr.Wilson Liu |Senior Manager
No.572 Dongping South Road, Zhangyan,
Shanghai 201500, China
Tel: 0086 21 61 91 86 96
Fax: 0086 21 61 91 86 97
Mobi: 0086 134 828 191 47
————————————————–
Tip: Please Add mail sender account to your contacts to make sure our response does not end up in your spam folder.
How to recognise these fraudulent messages
Recognising the scam begins with understanding how legitimate domain registration works. Registrars do not notify businesses of third-party registration attempts unless the business has an established relationship with that registrar or is involved in an active dispute. A legitimate registrar will not request payment for domain protection without formal documentation. Messages that appear unexpectedly, reference unfamiliar providers or demand an immediate response are strong indicators of fraud. Recipients should be cautious of emails that rely on urgency rather than a verified process.
Another warning sign is the use of generic terms such as “network service company” or “domain registry office” without identifying a legally registered entity. Real registrars operate under clearly defined names and comply with regional requirements. Fraudulent messages often lack verifiable contact information or include phone numbers and email addresses that do not match established websites. Reviewing the sender’s domain can also reveal inconsistencies. Attackers frequently use recently created domains or addresses that imitate official institutions without matching known registrar information.
The content of the message often provides additional clues. Scammers typically claim that an unknown party is trying to register multiple versions of a company’s name. They may reference sibling domains such as .cn, .asia or .in with no evidence of actual registration. Recipients can independently check domain availability using established search tools. If the domain remains unregistered, the claim is clearly fabricated. Even when the domain is registered, it does not imply a trademark conflict and does not justify unsolicited payment requests from unverified entities.
Asking the recipient to confirm whether the registration request is authorised is another common tactic. The goal is to prompt engagement so the attacker can continue the conversation. Responding can signal that the email address is active, which increases the likelihood of further phishing attempts. Failure to follow standard procedures, such as formal dispute resolution through recognised channels, is a strong indicator that the email is illegitimate. Companies should avoid providing any information or clicking attachments until verifying the legitimacy of the message through trusted sources.
Employees responsible for domain administration or intellectual property protection should be trained to identify these indicators. Clear internal policies can help prevent accidental engagement with fraudulent messages. Businesses that maintain a portfolio of domains should periodically review their holdings and document which registrars manage them. This reduces the likelihood of confusion when an unexpected message arrives. If a company receives an email of this type, the safest approach is to verify the domain claim independently, ignore the sender’s instructions and report the message to internal security teams.