
Customer Confusion over New(ish) gTLDs Targeting Financial Services

For the last decade and a bit, banking customers have been relentlessly targeted by professional phishers with a never-ending barrage of deceitful emails, malicious websites and unstoppable crimeware—each campaign seeking to relieve the victim of their online banking credentials and funds.

In the battle for the high-ground, many client-side and server-side security technologies have been invented and consequently circumvented over the years.

Now we’re about to enter a new era of mitigation attempts, but I can’t help but feel that they too will amount to nothing.

Since social engineering lies at the heart of so many phishing campaigns, the multitude of businesses that make up the financial sector appear to have set out to leverage a growing spectrum of new generic top-level domains (gTLDs), hoping to stop professional phishers from registering common business names (and their misspellings) and using them in attacks.

New gTLDs

In the land rush to shut out the phishers, we’ve already seen new gTLDs such as .capital, .credit, .creditcard, .finance, .financial, .fund, .holdings, .insure, .investments, .loans and .tax become available.

And by Easter 2015 we can expect to see .bank, .banque, .buy, .creditunion, .gold, .insurance, .lifeinsurance, .loan, .market, .money, and .pay add to the pile and become available to organisations that want to secure their personal piece of the Internet.

Each of the new gTLDs has its own business justification for existing, and each offers a business proposal only mildly differentiated from the others.

While most individually tout the virtue of removing confusion for financial services customers, taken together the gaggle of new gTLDs is clearly anything but clarifying.

There is little doubt in my mind that this growing cacophony of financial services gTLDs will only improve the odds of a phishing attack being successful.

From what I understand, several of these new gTLDs will ensure that only verified members of the banking and insurance communities are able to register a domain name, with suitable guarantees that only legitimate brands and trademark holders can acquire them.
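To make the confusion concrete: the more financial gTLDs exist, the more registrations a brand must hold (and the more hostnames a customer must recognise) before the exact brand name and its near-misspellings are denied to phishers. The script below is an added example, not code from the original post or from any registry; it takes the 22 gTLDs listed above, generates the one-edit lookalikes of a brand label (deletions, adjacent transpositions and a small, assumed set of letter-to-digit homoglyphs), and classifies observed hostnames against the brand’s real domains. The brand `examplebank`, its legitimate domains and the observed hostnames are constructed for illustration.

```python
"""Flag brand lookalikes across the financial-services gTLDs named in the post.

Added example, not code from the original article or any registry. The brand
'examplebank', its legitimate domains and the observed hostnames are constructed.
"""
from itertools import product

# The gTLDs the post lists: those already delegated plus those expected by Easter 2015.
FINANCIAL_GTLDS = frozenset({
    "capital", "credit", "creditcard", "finance", "financial", "fund", "holdings",
    "insure", "investments", "loans", "tax",
    "bank", "banque", "buy", "creditunion", "gold", "insurance", "lifeinsurance",
    "loan", "market", "money", "pay",
})

# Letter -> digit confusables phishers substitute in labels (assumption: illustrative map).
HOMOGLYPHS = {"l": "1", "o": "0", "e": "3", "a": "4", "s": "5"}
MAX_EDITS = 2  # tunable: a label this many edits from the brand counts as a typosquat


def split_domain(fqdn):
    """'www.examplebank.bank' -> ('examplebank', 'bank').

    Assumes a single-label TLD; multi-label public suffixes (co.uk) are out of scope.
    """
    parts = fqdn.lower().rstrip(".").split(".")
    return parts[-2], parts[-1]


def osa_distance(a, b):
    """Optimal string alignment distance: insert, delete, substitute, adjacent transpose."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def normalise(label):
    """Map confusable digits back to the letters they imitate ('examp1ebank' -> 'examplebank')."""
    reverse = {digit: letter for letter, digit in HOMOGLYPHS.items()}
    return "".join(reverse.get(c, c) for c in label)


def one_edit_variants(brand):
    """Labels one deletion, adjacent transposition or homoglyph substitution away from the brand."""
    variants = set()
    for i in range(len(brand)):
        variants.add(brand[:i] + brand[i + 1:])
        if i + 1 < len(brand):
            variants.add(brand[:i] + brand[i + 1] + brand[i] + brand[i + 2:])
        if brand[i] in HOMOGLYPHS:
            variants.add(brand[:i] + HOMOGLYPHS[brand[i]] + brand[i + 1:])
    variants.discard(brand)
    return variants


def defensive_registrations(brand):
    """Domains a brand would have to hold to deny phishers the brand and its one-edit
    variants across every financial gTLD the post names."""
    labels = {brand} | one_edit_variants(brand)
    return {f"{label}.{tld}" for label, tld in product(labels, FINANCIAL_GTLDS)}


def classify(fqdn, brand, legitimate):
    """Return 'legitimate', 'brand-other-gtld', 'typosquat' or 'unrelated'.

    legitimate: registrable domains the brand actually owns, e.g. {'examplebank.bank'}.
    """
    label, tld = split_domain(fqdn)
    if f"{label}.{tld}" in legitimate:
        return "legitimate"
    if label == brand:
        return "brand-other-gtld"  # exact brand, but on a gTLD the brand does not hold
    if osa_distance(normalise(label), brand) <= MAX_EDITS:
        return "typosquat"
    return "unrelated"


def audit(observed, brand, legitimate):
    """Group observed hostnames by verdict; the caller decides what to block or take down."""
    report = {"legitimate": [], "brand-other-gtld": [], "typosquat": [], "unrelated": []}
    for fqdn in observed:
        report[classify(fqdn, brand, legitimate)].append(fqdn)
    return report


# Constructed sample: the brand's real domains and hostnames seen in mail or proxy logs.
BRAND = "examplebank"
LEGITIMATE = {"examplebank.bank", "examplebank.com"}
OBSERVED = [
    "www.examplebank.bank", "login.examplebank.loans", "exmaplebank.credit",
    "examp1ebank.money", "example-bank.pay", "acmeinsurance.insure",
]

if __name__ == "__main__":
    for verdict, hosts in audit(OBSERVED, BRAND, LEGITIMATE).items():
        print(f"{verdict:17} {hosts}")
    print(len(defensive_registrations(BRAND)), "domains to hold for", BRAND)
```

For the 11-character brand in the sample, the 22 gTLDs turn one name into 594 domains a brand owner would need to hold just to cover one-edit variants; a phisher needs only one of them. The edit-distance threshold and the homoglyph map are deliberately small and should be tuned per brand, since short brand names produce false positives at two edits.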

Enhanced security controls

A handful of new gTLDs (e.g. .bank and .insurance) will go a step further and mandate enhanced security controls to limit a consumer’s exposure to online fraud and attack, such as DNSSEC, email authentication, and multifactor authentication. That is comforting and generally appropriate given today’s threat landscape, but the confusion created by so many financial services gTLDs will persist, likely until some consolidation among them occurs over the next couple of years. Until then these organisations will continue to sow fertile ground that the phishers will reap.

It’ll be interesting to see which of these new financial services gTLDs will percolate to the top and which will fade into obscurity over the coming years, and how much money will be spent in the battle to reign supreme (if _any_ survive).

Regardless of how this battle between competing gTLDs (and their phishing adversaries) unfolds, I’d like to ask just one thing of each of them, something that will help secure their clients’ customers: please read and adopt the newly released .trust Technical Policy.


If you want to help make the Internet safer for your customers, embrace the .trust Technical Policy rather than invent a watered-down variant—phishers and other cyber adversaries will then have no choice but to move on to easier targets.

By Gunter Ollmann, CTO, Security (Cloud and Enterprise) at Microsoft
