A senior Secret Service official has raised alarms over a largely overlooked vulnerability in the global internet infrastructure that is being exploited by cybercriminals, particularly for phishing campaigns and business email compromise (BEC) scams.
Matt Noyes, speaking at the 2026 Identity, Authentication and the Road Ahead Policy Forum in Washington, D.C., highlighted the risks associated with the Internet Assigned Numbers Authority (IANA) and how domain registration practices leave companies and individuals exposed.
“It is staggering that domain registrars allow bulk registration of various spellings of major institutions’ brand names, creating URLs used in phishing and fraudulent advertising,” Noyes said. He noted that the problem stems from insufficient identity validation during domain registration and the decentralization of oversight after the U.S. relinquished control over IANA a decade ago.
Phishing attacks rely heavily on deceptive URLs, often distributed through email or SMS, and businesses like Microsoft and Google are frequently forced to pursue court-ordered takedowns to combat the abuse. Noyes emphasized that proactive measures from major internet companies could mitigate these risks more effectively than reactive enforcement.
“This is fundamentally a failure of internet governance,” he said, calling for identity checks during domain registration and monitoring for concentrated abuse in Autonomous System Numbers (ASNs), which identify the networks that route internet traffic. He also suggested restricting certain ads or search results as a method to reduce fraud.
In addition to domain vulnerabilities, Noyes highlighted business email compromise as another under-addressed threat. BEC schemes exploit the assumption that an email account is controlled by the person it claims to represent, often resulting in substantial financial losses for organizations.
Cybersecurity experts note that these issues underscore the importance of stronger internet governance and collaboration between the private sector and government to protect online infrastructure. Noyes urged technology companies to take a more active role in cleaning up the domain system and reinforcing trust in digital communication.
As cyber threats evolve, gaps in domain registration oversight and email authentication remain critical targets for malicious actors, making proactive governance and robust identity verification essential tools in defending against fraud.