'%3e%3cpath%20d='M0,0%20v30%20h60%20v-30%20z'%20fill='%23012169'/%3e%3cpath%20d='M0,0%20L60,30%20M60,0%20L0,30'%20stroke='%23fff'%20stroke-width='6'/%3e%3cpath%20d='M0,0%20L60,30%20M60,0%20L0,30'%20stroke='%23C8102E'%20stroke-width='4'%20clip-path='url(%23s)'/%3e%3cpath%20d='M30,0%20v30%20M0,15%20h60'%20stroke='%23fff'%20stroke-width='10'/%3e%3cpath%20d='M30,0%20v30%20M0,15%20h60'%20stroke='%23C8102E'%20stroke-width='6'/%3e%3c/g%3e%3c/svg%3e)
UK
%20--%3e%3cuse%20href='%23s'%20x='0'%20y='0'/%3e%3cuse%20href='%23s'%20x='494'%20y='0'/%3e%3cuse%20href='%23s'%20x='988'%20y='0'/%3e%3cuse%20href='%23s'%20x='1482'%20y='0'/%3e%3cuse%20href='%23s'%20x='1976'%20y='0'/%3e%3cuse%20href='%23s'%20x='2470'%20y='0'/%3e%3cuse%20href='%23s'%20x='247'%20y='210'/%3e%3cuse%20href='%23s'%20x='741'%20y='210'/%3e%3cuse%20href='%23s'%20x='1235'%20y='210'/%3e%3cuse%20href='%23s'%20x='1729'%20y='210'/%3e%3cuse%20href='%23s'%20x='2223'%20y='210'/%3e%3cuse%20href='%23s'%20x='2717'%20y='210'/%3e%3cuse%20href='%23s'%20x='0'%20y='420'/%3e%3cuse%20href='%23s'%20x='494'%20y='420'/%3e%3cuse%20href='%23s'%20x='988'%20y='420'/%3e%3cuse%20href='%23s'%20x='1482'%20y='420'/%3e%3cuse%20href='%23s'%20x='1976'%20y='420'/%3e%3cuse%20href='%23s'%20x='2470'%20y='420'/%3e%3cuse%20href='%23s'%20x='247'%20y='630'/%3e%3cuse%20href='%23s'%20x='741'%20y='630'/%3e%3cuse%20href='%23s'%20x='1235'%20y='630'/%3e%3cuse%20href='%23s'%20x='1729'%20y='630'/%3e%3cuse%20href='%23s'%20x='2223'%20y='630'/%3e%3cuse%20href='%23s'%20x='2717'%20y='630'/%3e%3cuse%20href='%23s'%20x='0'%20y='840'/%3e%3cuse%20href='%23s'%20x='494'%20y='840'/%3e%3cuse%20href='%23s'%20x='988'%20y='840'/%3e%3cuse%20href='%23s'%20x='1482'%20y='840'/%3e%3cuse%20href='%23s'%20x='1976'%20y='840'/%3e%3cuse%20href='%23s'%20x='2470'%20y='840'/%3e%3cuse%20href='%23s'%20x='247'%20y='1050'/%3e%3cuse%20href='%23s'%20x='741'%20y='1050'/%3e%3cuse%20href='%23s'%20x='1235'%20y='1050'/%3e%3cuse%20href='%23s'%20x='1729'%20y='1050'/%3e%3cuse%20href='%23s'%20x='2223'%20y='1050'/%3e%3cuse%20href='%23s'%20x='2717'%20y='1050'/%3e%3cuse%20href='%23s'%20x='0'%20y='1260'/%3e%3cuse%20href='%23s'%20x='494'%20y='1260'/%3e%3cuse%20href='%23s'%20x='988'%20y='1260'/%3e%3cuse%20href='%23s'%20x='1482'%20y='1260'/%3e%3cuse%20href='%23s'%20x='1976'%20y='1260'/%3e%3cuse%20href='%23s'%20x='2470'%20y='1260'/%3e%3cuse%20href='%23s'%20x='247'%20y='1470'/%3e%3cuse%20href='%23s'%20x='741'%20y='1470'/%3e%3cuse%20href='%23s'%20x='1235'%20y='1470'/%3e%3cuse%20href='%23s'%20x='1729'%20y='1470'/%3e%3cuse%20href='%23s'%20x='2223'%20y='1470'/%3e%3cuse%20href='%23s'%20x='2717'%20y='1470'/%3e%3cuse%20href='%23s'%20x='0'%20y='1680'/%3e%3cuse%20href='%23s'%20x='494'%20y='1680'/%3e%3cuse%20href='%23s'%20x='988'%20y='1680'/%3e%3cuse%20href='%23s'%20x='1482'%20y='1680'/%3e%3cuse%20href='%23s'%20x='1976'%20y='1680'/%3e%3cuse%20href='%23s'%20x='2470'%20y='1680'/%3e%3c/g%3e%3c/svg%3e)
USA
What to do if…
your domain registrar shows a transfer or ownership change you did not request
Short answer
Treat this as urgent: contact your registrar’s security/abuse team immediately and ask them to lock the domain and your account and to stop or reverse any unauthorised transfer or change of registrant if possible.
Do not do these things
- Don’t “wait to see if it fixes itself” or assume it’s a harmless admin update.
- Don’t keep trying to log in over and over if you suspect compromise—stop after one attempt and switch to password reset + support escalation.
- Don’t delete emails, support tickets, invoices, or registrar notifications related to the change.
- Don’t pay unsolicited “domain recovery” messages or anyone who claims they can “release” your domain for a fee.
- Don’t make lots of DNS/website changes while ownership is unclear (it can complicate recovery and evidence).
What to do now
-
Open an urgent ticket and use any real-time support channel your registrar offers.
- Say: “unauthorised transfer” and/or “unauthorised change of registrant.”
- Ask them to confirm: what changed (registrar? registrant contact? nameservers? auth/EPP code?) and exactly when.
-
Ask for immediate locks/holds the registrar can apply right now.
- Request registrar lock on the domain (and any “transfer lock” options) plus an account-level lock if they offer it.
- If you’re told the domain is already “in transfer,” ask what stop/cancel options exist and what evidence they need to act quickly.
-
Secure the accounts attackers commonly use to take domains (start with email).
- Change passwords for: the registrar account, the email inbox used for the domain contact, and any DNS/hosting provider accounts.
- Turn on MFA everywhere you can.
- In your email account, check for: forwarding rules, new mailbox delegates, and changes to recovery email/phone.
-
Collect proof and a clean timeline (this helps your registrar/registry act).
- Save screenshots/PDFs of: registrar alerts, account activity logs, WHOIS/registration details, invoices/receipts, and older registration/renewal confirmations.
- Write down exact timestamps (UK time), ticket numbers, and who you spoke to.
-
If it’s a .UK domain, ask about Nominet’s registry-level protections.
- For .uk / .co.uk / .org.uk, your registrar can work with Nominet on registry status.
- Ask specifically whether Nominet Domain Lock (a paid, registrar-provided service) is relevant once you regain control, and whether any registry-side action is needed now.
-
Check for immediate harm: DNS and email routing changes.
- Check whether nameservers changed and whether key DNS records changed (especially MX for email).
- If you suspect phishing/impersonation, warn colleagues/customers through an alternate trusted channel and treat emails “from you” as untrusted until control is restored.
-
Report as cyber crime/fraud if there’s money loss, extortion, or customer impact.
- If you live in England, Wales or Northern Ireland, report via Report Fraud.
- If you live in Scotland, report via Police Scotland (101 unless it’s an emergency).
What can wait
- You do not need to decide today whether to sue, rebrand, or move registrars.
- You do not need to “fix security everywhere” right now—focus on the registrar account, the domain-contact email, and DNS/hosting access first.
- You do not need to publish a public statement unless there is clear customer risk (for example, phishing from your domain).
Important reassurance
This happens to competent people and organisations, often through email compromise or social engineering. Acting quickly and keeping good records can materially improve the chance of stopping further changes and recovering control.
Scope note
This is first-step guidance to stabilise the situation and preserve your ability to recover the domain. Later steps (formal disputes, complaints, legal action) may need specialist support.
Important note
This is general information, not legal advice. Registrar and registry processes vary by provider and domain type; follow your registrar’s security escalation process and keep evidence in case you need to prove ownership.
Additional Resources
- https://www.ncsc.gov.uk/guidance/managing-public-domain-names
- https://www.ncsc.gov.uk/collection/using-online-services-safely/protecting-your-public-domain-name
- https://nominet.uk/uk-registry/security-and-protection/
- https://registrars.nominet.uk/uk-namespace/security-tools-and-protection/domain-lock/
- https://www.reportfraud.police.uk/
- https://www.gov.uk/government/news/report-fraud-new-service-from-city-of-london-police