03.03.2026 - The NCSC regularly receives reports from companies or associations whose abandoned websites have suddenly reappeared online. The content varies: sometimes, the original website is replicated almost identically, while in other cases, the reactivated website hosts pornographic material or dubious offers. What is behind these cases?
When a company closes down, an association is dissolved, a project comes to an end or a business changes its name, its old internet addresses (domains) are often simply abandoned. However, domains do not disappear. They become freely available again and are frequently targeted by domain catching: fraudsters can use a familiar web address to impersonate the former company, deceive customers, or carry out phishing scams. This can seriously damage the reputation of the previous owners. It is especially problematic when the new owners of an expired domain present themselves as the successor organisation or even as the original, dissolved company. Because customers may still have the web address saved as a bookmark or listed on old invoices, the fraudsters benefit from a high level of unearned trust.
This trust is often exploited to stage fake liquidation sales. For example, users are told that remaining stock is being cleared out, prompting them to make advance payments to fake online shops. Fraudulent communication is also common, with former business partners or customers being contacted under the familiar domain name. Phishing scams are another risk. Criminals attempt to obtain login credentials by pretending that a system migration or account update is required following an alleged company takeover.
Dubious content and lasting reputational damage
The NCSC also frequently observes reputable domains, for example those of medical practices, law firms or associations, being repurposed for unrelated and dubious content after the domain has been abandoned. Suddenly, gambling sites, pornography, or fraudulent online shops appear under what was a trusted address. Because search engines often continue to rank these websites highly due to their history, they may still appear at the top of search results. As a result, people continue to visit these domains, unaware that the operator has changed. This can cause long-term reputational damage to the former owners, as the change in ownership is rarely obvious to outsiders.
Why search engines amplify the problem
Search engines assess domains not only on their current content, but also on their history. A domain that hosted legitimate content for years therefore continues to benefit from a trust bonus – even after its content or operator has changed. Cybercriminals deliberately exploit this by using familiar web addresses to promote abusive or illegal content that appears prominently in search results and reaches more people. For outsiders, the change in ownership can be difficult to detect.
Email takeover: A master key
The owner of a domain also controls its email traffic. Using a catch-all configuration, new owners can receive all emails sent to old addresses. This enables them to reset passwords for online services (e.g. social media platforms, cloud storage services or business directories) where the old email address is registered, potentially giving them access to additional digital accounts belonging to the former organisation.
Recommendations
- Treat a domain like a brand. If a business closes, keep control of the domain and either point it to a simple information page explaining the closure or redirect it to the successor organisation.
- Make sure that important domains are not made available unintentionally due to administrative errors.
- Before your domain expires, change the email address on all accounts (banks, insurers, social media platforms and suppliers).
- Before giving up a domain, make sure you remove all references to it from newsletters, email signatures and partner websites that are still active.
- Be careful if a familiar website suddenly changes its design or content radically, or requests unusual payments, even if the web address looks correct.
- Before a domain expires, delete all associated DNS entries, such as MX records for email or TXT records used for verification, to prevent emails and other traffic from continuing to reach the domain.
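A pre-expiry check along the lines of the recommendations above, as an added example that is not NCSC code: it lists every record still present in a zone export (all of which should be deleted before the domain is given up) and the accounts still registered to an address under the domain. The domain name, zone export and account inventory are constructed sample data, and the parser assumes one record per line with an explicit owner name.

```python
import shlex

# Constructed sample data (not from the advisory): zone export and account inventory.
DOMAIN = "old-club.example"
ZONE_EXPORT = """\
$ORIGIN old-club.example.
@     3600 IN MX    10 mail.old-club.example.
@     3600 IN TXT   "v=spf1 mx -all"          ; mail policy
@     3600 IN TXT   "site-verification=CONSTRUCTED-TOKEN"
www   3600 IN A     192.0.2.10
shop  3600 IN CNAME shops.hosting.example.
"""
ACCOUNTS = [("bank", "treasurer@old-club.example"),
            ("social media", "info@mail.old-club.example"),
            ("supplier", "chair@other.example")]

RISK = {"MX": "mail to old addresses is still delivered to this domain",
        "TXT": "verification or mail-policy token is still published"}

def parse_zone(text):
    """Return (owner, type, rdata) per record; assumes an explicit owner on each line."""
    records = []
    for line in text.splitlines():
        lex = shlex.shlex(line, posix=True)   # keeps a quoted TXT string as one token
        lex.whitespace_split = True
        lex.commenters = ";"                  # zone-file comments, ignored inside quotes
        tokens = list(lex)
        if not tokens or tokens[0].startswith("$"):
            continue                          # blank line or $ORIGIN/$TTL directive
        rest = tokens[1:]
        while rest and (rest[0].isdigit() or rest[0].upper() == "IN"):
            rest.pop(0)                       # drop optional TTL and class
        if rest:
            records.append((tokens[0], rest[0].upper(), " ".join(rest[1:])))
    return records

def records_to_delete(text):
    """Every remaining record is reported; MX and TXT carry the reason given above."""
    return [(owner, rtype, RISK.get(rtype, "other traffic still reaches the domain"))
            for owner, rtype, _ in parse_zone(text)]

def accounts_to_migrate(accounts, domain):
    """Services whose registered address is under the domain (subdomains included)."""
    domain = domain.lower().rstrip(".")
    return [svc for svc, addr in accounts
            if (h := addr.rsplit("@", 1)[-1].lower()) == domain or h.endswith("." + domain)]

if __name__ == "__main__":
    print(*records_to_delete(ZONE_EXPORT), sep="\n")
    print("change registered email at:", accounts_to_migrate(ACCOUNTS, DOMAIN))
```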
Last modification 03.03.2026