[Figure: OutPhish's iterative training loop. 1. Employees receive a simulated phishing email. 2a. An employee fails (clicks the link or enters data) and gets 3a. immediate feedback and targeted training, then returns to step 1. 2b. An employee succeeds (recognises and reports the email) and returns to step 1 at increased difficulty. Final state: 4. Improved employee security behaviour.]

Recent reports paint a stark picture: phishing attacks are up nearly 40% in the last year, with a significant chunk of that growth attributed to new generic top-level domains (gTLDs) like .shop, .top, and .xyz. The narrative often follows quickly: these domains are cheap, lax on verification, and ICANN, the non-profit overseeing the domain industry, seems poised to introduce even more. It’s easy to point the finger at the system, at the regulators, at the fundamental infrastructure of the internet.

But as a cybersecurity lawyer who works to make robust defence accessible, I’d argue that while the data on gTLDs is concerning, focusing solely on ICANN or the domain name system misses the critical point for small and medium-sized enterprises (SMEs). Blaming the ‘supply chain’ of cybercrime is understandable, but it distracts from the most effective, immediate, and controllable defence mechanism available to every organisation: its people.

The gTLD Conundrum: A Symptom, Not the Root Cause

There’s no denying the appeal of new gTLDs for cybercriminals. They offer low-cost, low-scrutiny registration, making it easy to spin up fraudulent sites and email addresses for phishing campaigns. Research suggests these new gTLDs, despite being a small percentage of overall domains, account for a disproportionately high share of cybercrime domains. It’s a legitimate problem, and calls for stricter registration policies are valid.

However, relying on systemic changes at the ICANN level is a long game. Policy shifts are slow, complex, and often reactive. While we wait for potential improvements in domain registration oversight, the phishing attacks continue, and your business remains a target. For SMEs, time is of the essence, and proactive measures that are within your direct control are far more valuable than hoping for a global regulatory overhaul.

The Real Battlefield: Your Human Firewall

Phishing attacks succeed because they exploit human psychology, not just technical vulnerabilities. They bypass firewalls, antivirus software, and email filters by tricking employees into clicking malicious links, opening infected attachments, or divulging sensitive information. No matter how sophisticated your technical defences, a single click from an unsuspecting employee can compromise your entire network. This is where human risk management becomes paramount.

The rise of remote work has only amplified this challenge. Employees are often working outside traditional office perimeters, using personal devices, and potentially facing more distractions, making them even more susceptible to cleverly crafted phishing attempts. This underscores the urgent need for robust remote worker security training.

Empowering Your Team: The Proactive Solution

Instead of fixating on the source of the malicious domains, let’s focus on fortifying your internal defences. The most effective way to combat rising phishing attacks is to transform your employees from potential weak links into your strongest line of defence through comprehensive phishing training and security awareness training.

Beyond Basic Awareness: The Power of Simulation

  • Realistic Phishing Tests: It’s not enough to tell people about phishing. They need to experience it in a safe, controlled environment. A well-designed phishing simulation exposes employees to realistic phishing email examples, allowing them to practice identifying threats without real-world consequences.
  • Continuous Learning and Reinforcement: Cybersecurity isn’t a one-time lecture. Effective employee phishing awareness requires ongoing reinforcement. Look for solutions that offer a structured, continuous training loop: for instance, foundational courses followed by a phishing test. If an employee clicks, they receive an immediate, brief remedial lesson, followed by a retest to ensure mastery. This ensures true understanding and behavioural change.
  • Tailored and Intelligent Training: Not all phishing attempts are created equal. The most effective phishing training software leverages AI phishing simulation to create highly relevant and believable lure templates. By studying public information about your organisation and industry, the system can craft scenarios that truly resonate with your employees, making the training incredibly realistic and impactful.

This kind of proactive staff cyber security training builds a resilient “human firewall,” drastically reducing your organisation’s vulnerability to email-borne threats.

Affordable, Accessible Cybersecurity for SMEs

Many SMEs believe that comprehensive cybersecurity, especially continuous training, is beyond their budget or requires dedicated IT personnel. This is a common misconception that modern solutions are designed to address. The need for cyber security for SMEs is critical, and solutions are now available that are both effective and easy to implement.

Imagine deploying an anti-phishing platform that requires no software installation or mail server changes. A solution with simple onboarding that allows administrators to upload user email addresses and launch the first simulation in minutes, with no technical skills required. That’s the promise of plug-and-play phishing training designed for businesses like yours.

With affordable phishing simulations priced on a per-seat subscription, costs are predictable and accessible. Managers can track improvement at a glance with a clear management dashboard showing click-through rates, individual and team risk scores, and training progress. This empowers you to actively manage your human risk and measurably reduce successful phishing attempts.
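To make the training loop and the dashboard metrics described above concrete, here is a small Python model, added as an illustration (it is not OutPhish's code and does not describe its product internals). It assumes a constructed event log of simulation outcomes, a stage machine that follows the test → remedial lesson → retest → mastery loop, and illustrative risk weights per outcome; the event format, the stage names, the weights and the per-seat dashboard figures are all assumptions made for the example.

```python
from collections import defaultdict
from dataclasses import dataclass

# Risk weight per simulation outcome (assumption for illustration): entering
# data is worse than a bare click, ignoring the lure is mildly risky because
# nothing was reported, and reporting is the desired behaviour.
OUTCOME_RISK = {"submitted": 3.0, "clicked": 2.0, "ignored": 0.5, "reported": 0.0}
FAIL_OUTCOMES = {"clicked", "submitted"}

# Constructed sample log: (campaign, user, team, outcome), in delivery order.
SAMPLE_EVENTS = [
    ("C1", "alice", "finance", "clicked"),
    ("C1", "bob", "finance", "reported"),
    ("C1", "carol", "ops", "ignored"),
    ("C1", "dave", "ops", "submitted"),
    ("C2", "alice", "finance", "reported"),
    ("C2", "bob", "finance", "reported"),
    ("C2", "carol", "ops", "clicked"),
    ("C2", "dave", "ops", "clicked"),
    ("C3", "alice", "finance", "reported"),
    ("C3", "bob", "finance", "reported"),
    ("C3", "carol", "ops", "reported"),
    ("C3", "dave", "ops", "reported"),
]


@dataclass
class UserState:
    team: str
    stage: str = "test"      # "test" (awaiting first test) -> "remedial" -> "mastered"
    difficulty: int = 1      # lure difficulty rises after each success once mastered
    risk_points: float = 0.0
    tests_taken: int = 0

    @property
    def risk_score(self) -> float:
        """Average risk weight over the tests this user has received."""
        return round(self.risk_points / self.tests_taken, 2) if self.tests_taken else 0.0


def advance(state: UserState, outcome: str) -> UserState:
    """Apply one simulation result to the user's position in the training loop."""
    if outcome not in OUTCOME_RISK:
        raise ValueError(f"unknown outcome: {outcome}")
    state.tests_taken += 1
    state.risk_points += OUTCOME_RISK[outcome]
    failed = outcome in FAIL_OUTCOMES
    if state.stage == "mastered":
        if failed:
            state.stage = "remedial"      # back to a brief lesson plus retest
        else:
            state.difficulty += 1         # success: next lure gets harder
    else:
        # A first test, or a retest after the remedial lesson: pass to mastery,
        # fail (again) to the remedial lesson.
        state.stage = "remedial" if failed else "mastered"
    return state


def run_campaigns(events) -> dict:
    """Replay the event log and return the final state of every user."""
    users: dict[str, UserState] = {}
    for _campaign, user, team, outcome in events:
        state = users.setdefault(user, UserState(team=team))
        advance(state, outcome)
    return users


def pending_remedial(users: dict) -> list:
    """Users who still owe a remedial lesson before their retest."""
    return sorted(u for u, s in users.items() if s.stage == "remedial")


def click_through_rates(events) -> dict:
    """Dashboard figure: share of recipients per campaign who clicked or submitted."""
    sent, failed = defaultdict(int), defaultdict(int)
    for campaign, _user, _team, outcome in events:
        sent[campaign] += 1
        if outcome in FAIL_OUTCOMES:
            failed[campaign] += 1
    return {c: round(failed[c] / sent[c], 2) for c in sent}


def team_risk_scores(users: dict) -> dict:
    """Dashboard figure: team risk as total risk points over total tests delivered."""
    points, tests = defaultdict(float), defaultdict(int)
    for s in users.values():
        points[s.team] += s.risk_points
        tests[s.team] += s.tests_taken
    return {t: round(points[t] / tests[t], 2) for t in tests}


if __name__ == "__main__":
    final = run_campaigns(SAMPLE_EVENTS)
    for name, s in final.items():
        print(f"{name:6} stage={s.stage:9} difficulty={s.difficulty} risk={s.risk_score}")
    print("click-through:", click_through_rates(SAMPLE_EVENTS))
    print("team risk:", team_risk_scores(final))
    print("owe remedial lesson after C2:", pending_remedial(run_campaigns(SAMPLE_EVENTS[:8])))
```

The point of the model is that the loop is per user, not per campaign: a click moves only that employee into the remedial stage, and only a clean retest moves them out, while employees who keep reporting simply see harder lures. The same event log feeds both the individual scores and the per-campaign click-through rate a manager would watch on a dashboard.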

While the conversation around domain name regulation is important, for the immediate and tangible protection of your business, the focus must shift inwards. Empowering your employees with effective phishing training and continuous email security education is the most direct and impactful strategy for mitigating the rising tide of phishing attacks. Don’t wait for ICANN to fix the internet; secure your organisation from within.

Start protecting your business today. Enter your work email below and we will send a safe sample phishing test with a quick setup guide. No commitment.

Start Building Your Human Firewall

Launch a realistic phishing simulation in minutes and get the tools you need to build a cyber-aware team.

This blog offers general information about phishing and cybersecurity for small and medium-sized organisations. It is not legal, financial, or technical advice. Speak to a qualified professional before acting on any guidance you read here.