ICANN’S WAP: The one dodgy-looking email you MUST click on

By Josanne Griffin-Mason, 4th September 2015

Undoubtedly, you’ve spent years warning your colleagues not to click on suspicious email links for fear of being phished, spammed, hacked, or infected with a business-killing virus.

Now, after all that hard convincing, you must go back to the office floor with your tail between your legs, and tell everyone that it’s imperative for them trawl through their spam folders and click on those email links they’ve spent their entire careers terrified of.

This isn’t a sick joke, and we’re not overreacting: this is ICANN’s Whois Accuracy Program (WAP).

The Internet Corporation for Assigned Names and Numbers (ICANN) is responsible for keeping the Internet’s technical infrastructure stable and secure, overseeing namespaces such as .com, .net, and .org, in line with various Law Enforcement Agencies. The Whois Accuracy Program (WAP) is the policy they are employing to ensure domain registrant records are accurate.

Simply put, whenever you register, transfer, or change any information associated with your domain, you’ll receive an email with a verification link that you must click on in order to confirm that your Whois details are correct. Likewise, if an administrative email or renewal reminder notice from your Domain Name Registrar (e.g. 123-reg, GoDaddy, etc.) bounces, you’ll be sent the same verification email prompt.

Failure to click on this link within 15 days will result in the suspension of your domain name.

Even once you’ve figured out how to verify your Whois information, which is a particularly difficult task as it’s possible you’ll lose your email access in the process, your domain will not be released for up to 48 hours. No one is exempt; to put this in perspective, just think about the losses Amazon would suffer if they were shut down for two days, simply for missing an email.

Phishers will have more terrain to roam whilst innocent website owners are punished.

On paper, the industry’s furious outcry over WAP appears unprecedented; after all, asking domain registrants to click on an email isn’t a completely outrageous or taxing request.

The problem is that yet another opportunity for phishers is being created. Once the verification email has made the rounds, phishers could easily duplicate it with sinister intentions, and website owners are likely to fall for the scam because they’re terrified their website will be shut down if they don’t comply.

Another qualm is that WAP is unforgiving of registered domain holders who have good reason not to click on the link. For instance, there’s no leeway for those who may have missed the email because it went to their junk folder, or because they were on holiday, or even those suffering from a debilitating illness.

There’s only one thing you can do to protect your domain…

Besides keeping an eagle eye on your inbox and junk folder, the best piece of advice we can give is to ensure that you use an email address that isn’t associated with your domain name when registering your Whois account details.

For instance, our website is www.plugandplaydesign.co.uk, so rather than registering with the correlating email address [email protected], we’d opt for [email protected] instead. This is a precautionary measure to ensure that we’d still be able to correspond with ICANN if the worst case scenario was to occur, safeguarding us from being locked out of our own website and email accounts.