Proofpoint Domain Fraud Report Finds Millions of New Fraudulent Domains; Over 90 Percent Remain Active

Leading cybersecurity company cautions organizations to protect their domains and safeguard their brand, customers, and employees

Sunnyvale, Calif.—June 24, 2019 -- Proofpoint, Inc., (NASDAQ: PFPT), a leading cybersecurity and compliance company, today released its 2019 Domain Fraud Report, which uncovers the latest trends shaping the domain landscape and the tactics and activity of threat actors. The report provides in-depth analysis of data collected from Proofpoint’s Active Domains Database, which contains over 350 million domains and represents virtually all domains on the web, over a twelve-month period.

“Similar to many of today’s top attack methods, domain fraud targets individuals rather than infrastructure by using social engineering to trick users into believing the domains they are accessing are legitimate,” said Ali Mesdaq, director of Digital Risk Engineering for Proofpoint. “Due to the relatively low barrier to entry of domain registrations and ease of execution, it is critical that organizations remain vigilant of suspicious and infringing domains that might pose a risk to their brand and customers.”

The growth of fraudulent domains corresponds to the growth of the overall domain landscape. Between Q1 and Q4 2018, registrations of fraudulent domains grew by 11 percent. Nearly all fraudulent domains detected by Proofpoint remain active and positioned for attack, with more than 90 percent associated with a live server. Of these fraudulent domains, more than 15 percent have Mail Exchanger (MX) records, indicating that they send and/or receive email. One-in-four also have security certificates – far more than appear in the aggregate domain landscape – which many internet users mistakenly equate with legitimacy and security.

Fraudulent domains leverage many of the same top-level domains (TLDs), registrars, and web servers as legitimate domains to impersonate brands and manipulate users. These factors, as well as the high proportion of live web servers, many with valid SSL certificates, increase the perceived legitimacy of fraudulent domains, increasing the potential for a wide range of attacks, including wire transfer fraud, phishing, counterfeit good sales and other scams.

This year’s Domain Fraud Report key findings also include:

  • More than 85 percent of top retail brands found domains selling counterfeit versions of their products. In fact, the average retail brand had more than 200 such detections. In addition, domains selling counterfeit goods have security certificates at a significantly higher rate than other types of fraudulent domains, making them seem legitimate to customers.
  • Ninety-six percent of organizations found exact matches of their brand-owned domain with a different TLD (e.g. “.net” vs “.com”) and 76 percent observed had “lookalike” domains posing as their brand. This impacted most industries and geographies.
  • Fraudulent domains are using email for highly targeted attacks. For 94 percent of organizations observed, Proofpoint identified at least one fraudulent domain posing as their brand and sending email. Many fraudulent domains sent low volumes of email, which is behavior typically associated with highly targeted and socially engineered attacks. Attackers impersonating highly recognizable retail brands (especially those with complex supply chains), sent much higher volumes of email, suggesting more broad-based attacks against customers and partners.
  • Market factors, such as the introduction of new TLDs, create opportunity for threat actors. In 2018, the introduction of new TLDs, such as .app and .icu, provided new opportunities for the registration of fraudulent domains. Proofpoint found that attackers leveraged these new TLDs to register names that resembled “.com” domains already owned by top brands.

To identify domain squatters and phishing campaigns and stop them from targeting brands, customers, and employees, organizations worldwide trust Proofpoint Digital Risk Protection to protect their domains. Using machine learning and artificial intelligence, Digital Risk Protection analyzes a vast body of domain data to uncover domain fraud and infringing domains. Real-time alerts also inform brands when domains and SSL certificates are expiring to help keep brand-owned domains secure.

To download Proofpoint’s 2019 Domain Fraud Report, and see a full breakdown of results, please visit: For more information on Proofpoint Digital Risk Protection, please visit

About Proofpoint, Inc.

Proofpoint, Inc. (NASDAQ: PFPT) is a leading cybersecurity company that protects organizations’ greatest assets and biggest risks: their people. With an integrated suite of cloud-based solutions, Proofpoint helps companies around the world stop targeted threats, safeguard their data, and make their users more resilient against cyber attacks. Leading organizations of all sizes, including more than half of the Fortune 1000, rely on Proofpoint to mitigate their most critical security and compliance risks across email, the cloud, social media, and the web. More information is available at

Connect with Proofpoint: Twitter | LinkedIn | Facebook | YouTube


Proofpoint is a registered trademark or tradename of Proofpoint, Inc. in the U.S. and/or other countries. All other trademarks contained herein are the property of their respective owners.