Is That Link You Clicked Real? A Guide to Digital Self-Defense for Individuals and Businesses

Highlights

Have you ever received a message or email like this? It claims to be from a streaming service, government agency, or bank, stating that there’s an issue with your account, a failed payment, or a problem with your credit card. The message includes a link, urging you to click it to re-enter your login credentials or credit card number. By the time you realize something is wrong, it’s too late—you’ve been deceived by fake information.

In an age of information overload and scarce attention, how can you spot these threats in a split second and avoid falling into the traps of scams and phishing websites?

Launch Date and Time: September 22, 2025, 5:00 PM

Streaming Service: CommonWealth Magazine Podcast “Taiwan School on Internet Governance”; YouTube “CommonWealth Magazine Video”

Host: Ethan Liu
Speakers:
Jo-Fan YU, Managing Director and CEO, TWNIC
Hao-Cheng OWN, Chairman, Hackers in Taiwan, HIT & CEO & Co-founder, DEVCORE

 

Meeting Minutes

The Truth About Domain Names: Your Digital Address and a Hotbed for Phishing Traps

In the digital age, a domain name is more than just a website address; it’s the “digital identity” for individuals and businesses. However, its ease of registration and variety have also created opportunities for scammers. This section provides a deep dive into the nature of domain names, the differences between various TLDs (Top-Level Domains), and how phishing attacks exploit human psychology and fraudulent URLs to steal user credentials and personal data, revealing the vast illicit ecosystem behind it.

Jo-Fan YU, Managing Director and CEO, TWNIC, points out that the vast majority of domain names (like .com and .tw) are available for anyone to register for a fee, forming the foundation of digital brand identity. However, this also means the barrier for scammers is low. She highlights several key phenomena:

  1. Restricted Domains: Only a few domains, such as .gov.tw for government agencies or .edu.tw for academic institutions, have strict verification processes during registration, giving them a higher level of credibility.
  2. Cost Considerations for Scammers: Due to their low cost, many emerging TLDs (e.g., .xyz) have become the top choice for scam operations. Additionally, registrars with lax management policies can easily become breeding grounds for fraud.
  3. Risk of Brand Confusion: The CEO uses the popular messaging app LINE as an example. Its official URL is line.me, but line.com was once squatted by another party because it wasn’t registered by the company, creating a potential security risk. This underscores the need for businesses to incorporate “anti-phishing strategies” into their brand planning to prevent severe reputational damage from brand impersonation.

 

Hao-Cheng OWN, Chairman, Hackers in Taiwan, HIT & CEO & Co-founder, DEVCORE, details the most common URL-based scamming technique from a hacker’s perspective, phishing:

  1. The Attack Process: An attacker sends a fraudulent link that tricks the victim into clicking it. The link leads to a convincing fake login page. If the user enters their username and password without suspicion, these credentials are stolen.
  2. Post-Breach Damage: After obtaining the credentials, hackers can not only use the account for fraudulent activities but also sell the stolen personal data (like purchase history and financial information) on the dark web and other underground markets for secondary profit, forming a complete black-market supply chain.
  3. Ubiquity of Attacks: Phishing emails and messages are one of the most common attack vectors globally, targeting not only the general public but also serving as a primary method for hackers to infiltrate corporations. He stresses that wherever there’s profit to be made, hackers will find a way in.

 

Defending Digital Assets: Your Domain Name is Your Reputation

The core value of a domain name has evolved from a simple marketing tool to a “digital asset” critical to brand trust and business survival. This section explores how businesses and personal brands can proactively develop their domain strategies to avoid brand impersonation, reputational damage, and the significant risk of being held for ransom, using real-world case studies to highlight the severe consequences of neglecting domain management.

Jo-Fan YU, Managing Director and CEO, TWNIC, emphasizes that a domain name is a “digital ID” and a “digital address,” making it far more important than a social media account. She presents the following points:

  1. The Importance of Autonomy: Operating on social media is like being a “tenant”—you must abide by the platform’s rules. If the platform shuts down, all your hard work vanishes. Owning your domain name is the only way to truly control your digital presence.
  2. Proactive Defense Strategy: Businesses should proactively register all relevant domains (e.g., .com, .tw, Chinese-character domains). Even if not used immediately, this prevents others from squatting on them for traffic hijacking or phishing, thereby protecting brand reputation. This low-cost measure is an essential form of insurance.
  3. Principles for Domain Selection: In an era of rampant scams, domains should be “memorable” and “intuitive.” For example, the “104 Job Bank” uses 104.com.tw. Using Chinese-character domains or country-specific TLDs like .TW can increase trust among local consumers and improve search engine optimization.

Hao-Cheng OWN, Chairman, Hackers in Taiwan, HIT & CEO & Co-founder, DEVCORE, uses a real-world case study to reveal the catastrophic consequences of losing control over a domain name:

  1. Domains as Core Assets: He fully agrees that domain names should be treated as “digital assets that require regular auditing.” Businesses should systematically manage all their registered domains, ensuring timely renewals to prevent them from being squatted on after expiration. Many hackers monitor expiring domains to immediately seize them for resale at a high price or for criminal use.
  2. The Terror of Social Engineering: He shares the classic 2014 case of a Twitter account with the single-letter handle “N” being stolen. The hacker didn’t use advanced techniques but instead relied on social engineering: first, by calling PayPal to trick them into revealing the last four digits of the victim’s credit card, and then using that information to call the domain registrar, GoDaddy, to successfully reset the account password and take over the victim’s domain name.
  3. The Cascade Effect: Once a domain is hijacked, the hacker can control all associated email accounts. From there, the hacker can use the email to receive password reset links and take over the victim’s accounts on all major social media and financial platforms. Ultimately, the victim was forced to “surrender” their extremely valuable Twitter handle to the hacker to prevent further losses. This case is a powerful cautionary tale, proving that losing your domain is equivalent to opening the floodgates to all your digital assets.

 

Practical Defense: Digital Protection Strategies for Individuals and SMBs

Faced with rampant online threats, how can individuals and small-to-medium businesses (SMBs) without dedicated cybersecurity teams protect themselves? This section provides concrete and actionable defense measures, from registrar services and account management technologies to future trends. It covers how to choose secure services, leverage multi-factor authentication to strengthen account security, and look ahead to the era of passwordless technology, all aimed at reducing users’ risk of being attacked.

Jo-Fan YU, Managing Director and CEO, TWNIC, explains the value-added services offered by TWNIC to enhance the security of .TW domains:

  1. Domain Lock Service: To counter domain theft like that in the case study, TWNIC offers a “System Lock” service. Once enabled, any request involving domain transfers or major data changes must be directly confirmed with a pre-approved contact, rather than being authorized by a mere phone call or partial personal information. This eliminates such scams at a systemic level.
  2. Monitoring and Notification Service: For SMBs with limited resources, TWNIC helps monitor their account status. If any anomalies are detected, it proactively notifies the user to provide time to respond.
  3. Green Domain (Blue Checkmark) Verification: TWNIC has introduced a verification mechanism similar to the “blue checkmark” on social media. Domains that have been specially vetted and whose registrant’s identity has been confirmed by TWNIC receive a mark. When users see this mark, they can be confident that the website has a high level of credibility and is highly unlikely to be a phishing site.

Hao-Cheng OWN, Chairman, Hackers in Taiwan, HIT & CEO & Co-founder, DEVCORE, provides the most critical defense advice from the user’s perspective:

  1. Choose Your Domain Registrar Carefully: The first step is to select a reputable registrar that offers robust security features.
  2. Enable Multi-Factor Authentication (MFA): This is the most effective and simple way to protect an account. After entering a password, the system requires a second verification step, such as a code from your phone, to prove you are the legitimate user. Even if your password is stolen, hackers cannot easily log in. He stresses that high-privilege accounts, like those with domain registrars, must have MFA enabled.
  3. The Passwordless Future: He acknowledges that remembering complex passwords goes against human nature. The future trend is “passwordless authentication,” using biometrics like Face ID or fingerprints, or confirming logins via a phone tap. This will significantly enhance both security and convenience. But until then, MFA remains an indispensable line of defense.

 

A Survival Guide for the Digital Age: Building Cybersecurity Awareness and Vigilance

Technical defenses are the foundation, but the final line of defense lies in the digital awareness of every user. This section summarizes survival tactics for the information age, from building the right mindset to applying practical skills. It emphasizes the importance of “slowing down and staying alert,” provides multiple verification channels, and educates the public on how to identify suspicious links and messages, making digital resilience a part of daily life.

Jo-Fan YU, Managing Director and CEO, TWNIC, proposes a simple and effective “Three-Second Rule”:

  1. Think Before You Click: Before clicking any link, pause for three seconds. Ask yourself: Is this a link I use often? Is the source legitimate (e.g., a tax-filing website should be a .gov.tw domain)?
  2. Use Verification Tools: If you’re unsure, use resources like the 165 anti-fraud LINE account or government-provided query pages to check if the URL has been reported as a scam.
  3. Cross-Reference and Verify: Use Google to search for reviews or use a WHOIS lookup service to examine the domain’s registration data (like the registrant and registration date). This can help determine if it aligns with the claimed brand. A legitimate brand’s registration data should be complete and consistent.
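
The "is the source legitimate" check from the Three-Second Rule can be made mechanical. The following is an added example, not part of the original minutes: it compares the host a link actually points to with the domain it should use, and shows why the comparison has to respect the dot boundary. The function names and sample links are constructed for illustration; only line.me, line.com and the .gov.tw and .xyz suffixes come from the text.

```python
from urllib.parse import urlsplit


def under(host, domain):
    """True only if host is `domain` itself or a subdomain of it.

    Matching on the dot boundary is the point: a plain endswith("gov.tw")
    would also accept "tax-gov.tw", which anyone can register.
    """
    return host == domain or host.endswith("." + domain)


def check_link(url, expected):
    """Compare the host a link really points to with the domain it should use.

    expected: an official domain ("line.me") or a restricted suffix ("gov.tw").
    """
    # .hostname drops any "user@" prefix and the port, and lowercases the host.
    host = (urlsplit(url).hostname or "").rstrip(".")
    if not host:
        return "reject: no host"
    if under(host, expected):
        return "ok"
    # The expected name appears in the link but is not where the host ends:
    # it sits in the userinfo, in left-hand labels, or in the path.
    if expected in url.lower():
        return "reject: official name used as decoy"
    return "reject: different domain"


# Constructed sample links; hostnames other than line.me and line.com
# are made up for illustration.
SAMPLES = [
    ("https://line.me/login", "line.me"),
    ("https://line.me.account-verify.xyz/login", "line.me"),
    ("https://line.me@account-verify.xyz/", "line.me"),
    ("https://line.com/", "line.me"),
    ("https://tax.example.gov.tw/", "gov.tw"),
    ("https://tax-gov.tw/", "gov.tw"),
]


def run_samples():
    return [(url, check_link(url, expected)) for url, expected in SAMPLES]


if __name__ == "__main__":
    for url, verdict in run_samples():
        print(f"{verdict:36} {url}")
```
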

Hao-Cheng OWN, Chairman, Hackers in Taiwan, HIT & CEO & Co-founder, DEVCORE, concludes with final advice for business owners and the general public:

  1. For Business Owners: You must treat your “domain name as a digital asset.” Audit, register, and protect it diligently, and mandate MFA for all high-privilege accounts.
  2. For the Public: Cultivate the habit of “slowing down.” The more urgent a message seems, the more calmly you should verify it. Don’t blindly trust the first result on Google, as scam groups buy keyword ads to place fake websites at the top. Always verify the official URL of a website before proceeding.
  3. A Shared Responsibility: Personal cybersecurity isn’t just about you. In a corporate environment, a single person’s negligence can become a breach point for the entire organization. Therefore, building a nationwide culture of digital hygiene and awareness is the cornerstone of a digitally resilient society.