Cyber crime

New .au Domains Increase Your Risk

Niek Dekker
6 Min

Changes are on the way to Australian domain names. For the first time, businesses and organisations will be able to register second level domains. That means, it will be possible to register .au domains that are shorter and simpler than the currently available domains.

However, opening up second level domains also opens up opportunities for cyber-criminals to engage in business identity theft. This could expose your organisation to a much higher risk of scams, such as Business Email Compromise.

In this blog, we explore the new .au domains, the security risks they pose, and how you can stay secure.

What Are Second Level Domains?

Until now, any Australian business or organisation that wanted to establish a website needed to register a third level domain name.

Third level domain names took the form: name.com.au, name.org.au or name.net.au.

That’s all about to change.

For the first time, Australian businesses and organisations will be able to register second level domains. Second level domain names remove the need for the ‘.com’, ‘.org’ or ‘.net’.

Put simply, you will now be able to register: name.au

This may seem like a small change, but it will have big implications for how the world wide web is structured.

What Are the Benefits Of .au Domains?

The introduction of .au domains means people can visit your website using shorter, simpler domain names. There are three main benefits to .au domains:

  • Local

People, particularly Australians, like supporting local businesses. Having a .au domain lets people know that your organisation is an Australian entity. This helps you engage potential customers. In addition, members of the public who are looking for local service providers know they are interacting with an Australian organisation.

Having a .au domain name may also help your organisation rank higher in search engines, so people searching in Australia will be more likely to find your website.

  • Builds Trust

Businesses and other organisations with an Australian domain name are more likely to be trusted and viewed positively than those with domain names that are not geographically specific.

  • Secure

Currently, there are strict requirements for any business or organisation wishing to register an Australian third level domain. Anyone wishing to register a third level domain must have a connection to the domain name, such as an ABN. This helps reduce the risk of third level domain names being used by cyber-criminals to send out phishing emails containing malware, when compared to generic non-geographic domains, such as ‘.com’.

However, auDA, the name of the organisation responsible for administering .au domains, has proposed changes to domain name eligibility requirements. There is a risk this change could make it easier to register .au domain names, opening the way for a range of cyber-crimes.

Will .au Domains Replace .com.au?

Existing businesses and organisations do not need to worry that they will lose their existing domain name. The introduction of .au registrations does not affect current domain registrations. All existing domain names will be maintained.

When Will .au Domains Be Available?

If you currently have a third level domain starting with ‘.com.au’, ‘org.au’ or ‘net.au’ you will be prioritised should you wish to register the equivalent second level domain.

It’s important to note that this priority status is only available for domain names that were registered prior to 24 March 2022. Additionally, the priority status only lasts for a six month period following the launch of second level domains.

If you plan to register the .au version of your domain name, you will need to apply for Priority Status before 9:59am (AEST) on 21 September 2022.

If you do not apply for Priority Status, the .au domain name will be available for registration by the general public from 8:00am (AEDT) on 4 October 2022.

What Are the Risks With .au Domains?

As mentioned, auDA, the organisation responsible for administering .au domains, has proposed changes to domain name eligibility requirements, which will make it easier to register .au domain names in the future.

At present, auDA requires businesses or organisations applying for an Australian domain name to have a ‘connection’ with the domain name, such as an ABN.

However, moving forward this won’t be necessary for a second level domain.

All that will be required is a ‘presence’ in Australia. This will allow entities to register any .au domain name at the second level, subject to the priority rules for entities that have existing domain registrations.

By only requiring a presence in Australia, rather than an explicit connection to the domain name, it will be easier for people to acquire .au domain names. The risk is that a cyber-criminal may register a .au domain in the name of a legitimate entity, and then use that domain name to engage in criminal activities.

For example, cyber-criminals could engage in business identity theft. This is a major risk for businesses, as cyber-criminals could take out loans or apply for credit in the name of a legitimate entity.

Even more concerning is the possibility that cyber-criminals could spoof an organisation’s domain in order to carry out Business Email Compromise (BEC) attacks.

Are BEC Attacks Likely to Increase?

In short, YES.

If cyber-criminals have the ability to easily acquire a second level domain that is equivalent to an existing third level domain (for example, a legitimate organisation has ‘name.com.au’, but a cyber-criminal acquires ‘name.au’), there will be a significant risk of BEC attacks increasing.

Common scams could include the following:

  • Cyber-criminals may use the second level domain to launch Executive Email Compromise attacks. They may impersonate an organisation’s CEO or CFO by sending out fake emails that impersonate these executives. These fake emails may instruct Accounts Payable staff to process illegitimate payments to bank accounts controlled by the scammers.
  • Cyber-criminals could also impersonate one of your suppliers by using the second level domain to send you emails with updated bank account details. Known as Vendor Email Compromise, this attack could see you inadvertently send funds to a fraudulent bank account next time you process an invoice for the supplier.

These are serious risks that are likely to escalate over coming months. All organisations need to be extra vigilant to ensure they do not become victims of these scams.

How can Eftsure help?

All businesses and organisations should take steps to reserve second level domains that are equivalent to their existing third level domains during the priority period (before 21 September 2022).

If you are unable to reserve your second level domain name before this date, the domain will become available to the general public on a first come, first served basis.

You can reserve your .au domain name by visiting an auDA accredited registrar.

The opening up of .au domains, as well as the easing of the rules around obtaining a .au domain, will inevitably create many opportunities for cyber-criminals. Even if you manage to reserve your domain before the cut-off date, you could still be impacted by cyber-crime. For example, your suppliers may not reserve their equivalent second level domain, making you more susceptible to a Vendor Email Compromise attack.

That’s why it’s critical to have Eftsure sitting on top of your accounting processes.

Eftsure’s proprietary database comprises over 90% of active Australian corporate entities. Whenever your Accounts Payable team processes an outgoing payment, the payment details are cross-matched in real-time against the database. This gives you unparalleled assurance that you are sending funds to the intended recipient.

Eftsure is a critical line of defence against cyber-criminals who may be using new .au domains to defraud Australian organisations.

Contact Eftsure today for a full demonstration.

The Essential Cyber Security Guide for CFOs
Understand the risks that cyber-crime pose to your organisation and what you can do to safeguard your financial assets from cyber-criminals.

Related articles

The new security standard for business payments

Eftsure provides continuous control monitoring to protect your eft payments. Our multi-factor verification approach protects your organisation from financial loss due to cybercrime, fraud and error.