A friend who is the marketing director for a New Orleans-based accounting firm asked my thoughts on the new hot topic in the CPA community – the launch of the .CPA domain suffix. Top-level domains like .law, .bank, and .car provide organizations new domain opportunities that may be more relevant and easier to brand because it is difficult to obtain one of the original domain suffixes (.com, .org, .net, .edu, .gov, & .mil).
Additionally, industry-specific domains allow organizations to easily state their primary topic and use their exact name without worrying about being confused with similarly named companies in different markets. For example, an accounting firm named Johnson & Miller [a fictional company] may have to settle for www.johnmill.com or www.johnson-miller-cpa.com because another Johnson & Miller exists in a different industry like law or architecture.
My friend and I discussed the impact it could have on an accounting firm’s brand image, web rankings, and email addresses. He specifically reached out to me asking if .cpa would be more or less secure from a cybersecurity perspective. The promoters of this new top-level domain (TLD for short) state the .cpa domain is more secure because this new domain requires vetting and cybercriminals cannot purchase a fake .cpa domain and spoof a legitimate accounting firm to phish the firm’s employees and clients.
Let’s first define spoofing and phishing to make sure we’re on the same page.
Back to the root question – is it true that a .cpa domain will reduce spoofing and phishing attempts? Yes, but… The fact that the .cpa domain requires vetting does drastically limit a hacker’s ability to obtain a similar email address to spoof. But other, similar top-level domains can still fool targets, including .cab (typosquatting), .accountant, .finance, .money, and even .partners, which may not be vetted like .cpa. (Full list of top-level domains.)
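A mail-triage check for the lookalike problem described above, as an added example that is not part of the original post. The official domain `johnsonmiller.cpa` is a hypothetical value based on the post's fictional firm, and the sample headers are constructed.

```python
from email.utils import parseaddr

# Assumption: hypothetical official domain for the post's fictional firm.
OFFICIAL_DOMAIN = "johnsonmiller.cpa"

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance between two short domain labels."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_sender(from_header: str, official: str = OFFICIAL_DOMAIN) -> str:
    """Return official, lookalike-tld, lookalike-name, unrelated or unparseable."""
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        return "unparseable"
    domain = addr.rpartition("@")[2].lower().rstrip(".")
    if domain == official or domain.endswith("." + official):
        return "official"
    off_name, _, off_tld = official.rpartition(".")
    off_name = off_name.replace("-", "")
    rest, _, tld = domain.rpartition(".")
    # Compare only the label directly left of the TLD, ignoring hyphens.
    # Assumption: single-label TLDs; two-level suffixes are out of scope here.
    label = rest.rpartition(".")[2].replace("-", "")
    if label == off_name:
        # Same firm name under another TLD (.cab, .accountant, .com, ...).
        return "lookalike-tld" if tld != off_tld else "lookalike-name"
    if edit_distance(label, off_name) <= 2:
        return "lookalike-name"
    return "unrelated"

# Constructed sample From: headers, not real traffic.
SAMPLE_HEADERS = [
    '"Johnson & Miller" <ap@johnsonmiller.cpa>',
    '"Johnson & Miller" <billing@johnsonmiller.cab>',
    '"Johnson & Miller" <tax@johnson-miller.accountant>',
    '"Johnson & Miller" <hr@john5onmiller.com>',
    'Newsletter <news@example.org>',
]

def triage(headers=SAMPLE_HEADERS) -> dict:
    """Map each From: header to its verdict."""
    return {h: classify_sender(h) for h in headers}

if __name__ == "__main__":
    for header, verdict in triage().items():
        print(f"{verdict:15} {header}")
```

The display name is identical in every sample, which is why the check keys on the address domain rather than on what the mail client shows as the sender.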
Secondly, the security of top-level domains requires educating the general public about the domain’s usage and credibility. Most web users default to the original domains like .com, .org, and .gov; everything else looks odd or, at the very least, looks like a new company. For decades, marketers have noted that promoting a .net domain can drive traffic to a different website, because the potential buyer goes to the .com website by mistake. The .net domain has been around for decades already, so an industry-specific domain will probably have a similar fate.
If CPA firms want the cybersecurity benefit of using a top-level domain, they must inform their employees, clients, vendors, and prospective buyers that it is the official firm domain. Retraining the general public to accept and look for top-level domains will likely take generations.
Do I recommend your firm getting an industry-specific top-level domain? Yes, I do, especially if it helps you rebrand your domain to something more specific to your name. If your company does not have a branding benefit to the industry-specific domain, I would redirect the web traffic and emails and not make it my primary domain.
Do I think an industry-specific top-level domain is more secure? No.