Changes are on the way to Australian domain names. For the first time, businesses and organisations will be able to register second level domains. That means it will be possible to register .au domains that are shorter and simpler than the currently available domains.
However, opening up second level domains also opens up opportunities for cyber-criminals to engage in business identity theft. This could expose your organisation to a much higher risk of scams, such as Business Email Compromise.
In this blog, we explore the new .au domains, the security risks they pose, and how you can stay secure.
Until now, any Australian business or organisation that wanted to establish a website needed to register a third level domain name.
Third level domain names took the form: name.com.au, name.org.au or name.net.au.
That’s all about to change.
For the first time, Australian businesses and organisations will be able to register second level domains. Second level domain names remove the need for the ‘.com’, ‘.org’ or ‘.net’.
Put simply, you will now be able to register: name.au
This may seem like a small change, but it will have big implications for how the world wide web is structured.
The introduction of .au domains means people can visit your website using shorter, simpler domain names. There are three main benefits to .au domains:
People, particularly Australians, like supporting local businesses. Having a .au domain lets people know that your organisation is an Australian entity. This helps you engage potential customers. In addition, members of the public who are looking for local service providers know they are interacting with an Australian organisation.
Having a .au domain name may also help your organisation rank higher in search engines, so people searching in Australia will be more likely to find your website.
Businesses and other organisations with an Australian domain name are more likely to be trusted and viewed positively than those with domain names that are not geographically specific.
Currently, there are strict requirements for any business or organisation wishing to register an Australian third level domain. Anyone wishing to register a third level domain must have a connection to the domain name, such as an ABN. This helps reduce the risk of third level domain names being used by cyber-criminals to send out phishing emails containing malware, when compared to generic non-geographic domains, such as ‘.com’.
However, auDA, the organisation responsible for administering .au domains, has proposed changes to domain name eligibility requirements. There is a risk this change could make it easier to register .au domain names, opening the way for a range of cyber-crimes.
Existing businesses and organisations do not need to worry that they will lose their existing domain name. The introduction of .au registrations does not affect current domain registrations. All existing domain names will be maintained.
If you currently have a third level domain ending in ‘.com.au’, ‘.org.au’ or ‘.net.au’, you will be prioritised should you wish to register the equivalent second level domain.
It’s important to note that this priority status is only available for domain names that were registered prior to 24 March 2022. Additionally, the priority status only lasts for a six-month period following the launch of second level domains.
If you plan to register the .au version of your domain name, you will need to apply for Priority Status before 9:59am (AEST) on 21 September 2022.
If you do not apply for Priority Status, the .au domain name will be available for registration by the general public from 8:00am (AEDT) on 4 October 2022.
As mentioned, auDA, the organisation responsible for administering .au domains, has proposed changes to domain name eligibility requirements, which will make it easier to register .au domain names in the future.
At present, auDA requires businesses or organisations applying for an Australian domain name to have a ‘connection’ with the domain name, such as an ABN.
However, moving forward this won’t be necessary for a second level domain.
All that will be required is a ‘presence’ in Australia. This will allow entities to register any .au domain name at the second level, subject to the priority rules for entities that have existing domain registrations.
By only requiring a presence in Australia, rather than an explicit connection to the domain name, it will be easier for people to acquire .au domain names. The risk is that a cyber-criminal may register a .au domain in the name of a legitimate entity, and then use that domain name to engage in criminal activities.
For example, cyber-criminals could engage in business identity theft. This is a major risk for businesses, as cyber-criminals could take out loans or apply for credit in the name of a legitimate entity.
Even more concerning is the possibility that cyber-criminals could spoof an organisation’s domain in order to carry out Business Email Compromise (BEC) attacks.
In short, YES.
If cyber-criminals have the ability to easily acquire a second level domain that is equivalent to an existing third level domain (for example, a legitimate organisation has ‘name.com.au’, but a cyber-criminal acquires ‘name.au’), there will be a significant risk of BEC attacks increasing.
Common scams could include the following:
These are serious risks that are likely to escalate over coming months. All organisations need to be extra vigilant to ensure they do not become victims of these scams.
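A mail-filtering check for the lookalike case described above (a legitimate ‘name.com.au’ versus a ‘name.au’ registered by someone else), as an added example that is not part of the original article. The vendor domains and sender headers are constructed, and the function names are hypothetical.

```python
from email.utils import parseaddr

# The three third-level namespaces the article names.
THIRD_LEVEL = (".com.au", ".org.au", ".net.au")
# Labels that are themselves .au namespaces (edu/gov/asn/id are an assumption
# beyond the article); never treat e.g. "edu.au" as a lookalike.
NAMESPACE_LABELS = {"com", "org", "net", "edu", "gov", "asn", "id"}


def au_equivalent(domain):
    """Map name.com.au / name.org.au / name.net.au to name.au, else None."""
    d = domain.lower().rstrip(".")
    for suffix in THIRD_LEVEL:
        if d.endswith(suffix):
            label = d[: -len(suffix)].rsplit(".", 1)[-1]
            if label and label not in NAMESPACE_LABELS:
                return label + ".au"
    return None


def _within(domain, parent):
    """True if domain is parent itself or a subdomain of it."""
    return domain == parent or domain.endswith("." + parent)


def classify_sender(from_header, trusted):
    """Return (verdict, trusted_domain): 'trusted', 'lookalike' or 'unknown'."""
    address = parseaddr(from_header)[1]
    dom = address.rpartition("@")[2].lower().rstrip(".")
    trusted = {t.lower() for t in trusted}
    for t in sorted(trusted):
        if _within(dom, t):
            return ("trusted", t)
    for t in sorted(trusted):
        look = au_equivalent(t)
        if look and _within(dom, look):
            return ("lookalike", t)
    return ("unknown", None)


if __name__ == "__main__":
    vendors = {"acme.com.au", "bolt.net.au", "globex.com"}  # constructed
    for header in ('Acme AP <accounts@acme.com.au>',
                   '"Acme Pty Ltd" <accounts@acme.au>',
                   "billing@mail.bolt.au"):
        print(header, "->", classify_sender(header, vendors))
```

A vendor that has registered its own .au name should be added to the trusted set, since trusted domains are matched before lookalikes.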
All businesses and organisations should take steps to reserve second level domains that are equivalent to their existing third level domains during the priority period (before 21 September 2022).
If you are unable to reserve your second level domain name before this date, the domain will become available to the general public on a first come, first served basis.
You can reserve your .au domain name by visiting an auDA accredited registrar.
The opening up of .au domains, as well as the easing of the rules around obtaining a .au domain, will inevitably create many opportunities for cyber-criminals. Even if you manage to reserve your domain before the cut-off date, you could still be impacted by cyber-crime. For example, your suppliers may not reserve their equivalent second level domain, making you more susceptible to a Vendor Email Compromise attack.
That’s why it’s critical to have Eftsure sitting on top of your accounting processes.
Eftsure’s proprietary database comprises over 90% of active Australian corporate entities. Whenever your Accounts Payable team processes an outgoing payment, the payment details are cross-matched in real-time against the database. This gives you unparalleled assurance that you are sending funds to the intended recipient.
Eftsure is a critical line of defence against cyber-criminals who may be using new .au domains to defraud Australian organisations.
Contact Eftsure today for a full demonstration.