15 April 2026 · Gumshoe Team

Domain Age in Supplier Verification: The 180-Day Rule

Domain age is one of the most powerful and least-used signals in supplier fraud detection. A domain registered in the last six months warrants immediate heightened scrutiny. Here is why — and how to check it.

Why Fraudsters Need New Domains

Every supplier fraud attack that involves a website, an email address, or an invoice has one structural constraint: the attacker needs a domain. Whether they are creating a fictitious supplier, impersonating a legitimate one, or redirecting payments for an existing vendor relationship, a domain is the foundation of the fraud infrastructure.

That domain has a registration date. And because fraud operations are inherently short-lived — the goal is to collect one payment and disappear before detection — fraudulent domains are almost always recently registered. They have no established certificate history, no aged web presence, no history of legitimate email traffic. Domain age is therefore one of the most reliable leading indicators of supplier fraud risk available through automated verification.

The 180-Day Threshold

Six months (180 days) is the threshold that emerges consistently from fraud pattern analysis. This is long enough that a legitimately new business might have registered its domain, but short enough that the vast majority of fraud operations have already concluded. A supplier presenting invoices on a domain registered in the past 180 days is not certainly fraudulent, but the combination of a young domain with any other anomaly (no DMARC, no GST registration, no ASIC record) should trigger immediate additional scrutiny.

The 180-day threshold also appears in ABN risk assessment for similar reasons: an ABN registered less than six months ago indicates a new business, and new businesses — particularly those presenting large invoices early in the relationship — warrant additional verification steps before payment is made.

The Australian .au Domain Problem

Australian WHOIS data has a well-known limitation: auDA (the .au domain authority) does not expose domain registration dates through RDAP (Registration Data Access Protocol), the modern replacement for WHOIS. For domains ending in .com.au, .net.au, .org.au, or the newer .au — which covers the majority of legitimate Australian business domains — the standard RDAP lookup will confirm a registrar and DNSSEC status, but will not reveal when the domain was registered.

This is not an insurmountable problem, but it requires a workaround. The most reliable approach is certificate transparency logs. Every time an SSL/TLS certificate is issued for a domain, a record of that issuance is written to a public Certificate Transparency log — a requirement under RFC 6962 that applies to all certificate authorities. Crt.sh, operated by Sectigo, aggregates these logs and makes them queryable by domain.

The date of the first certificate issued for a domain provides a reliable proxy for the domain's earliest active date. A domain with a first certificate from 2018 has been in active use for at least seven years. A domain with a first certificate from three weeks ago has not.

What Certificate Transparency Tells You Beyond Age

Certificate transparency logs also reveal the total number of certificates issued for a domain. This is a useful signal in its own right: a domain with 40 or 50 certificates issued over several years has been actively maintained, renewed, and secured. A domain with one certificate issued last month has not.

Certificate transparency logs also surface subdomains. If a supplier's domain has mail.supplier.com.au, portal.supplier.com.au, and api.supplier.com.au in the certificate records, that is consistent with an operating business. A domain with no subdomains and a single recently-issued certificate is consistent with a hastily assembled fraud infrastructure.
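The three signals described above (first certificate date, certificate count, subdomains) can be derived from one set of log records. This is an added example, not code from the article or from Gumshoe: the records are constructed, the field names follow crt.sh's JSON output, and `summarise_ct` is a hypothetical helper.

```python
from datetime import datetime

# Constructed records using crt.sh JSON field names (not real log data).
SAMPLE_CRTSH = [
    {"issuer_ca_id": 101, "serial_number": "0a01",
     "not_before": "2019-03-02T00:00:00",
     "name_value": "supplier.com.au\nwww.supplier.com.au"},
    # Same issuer and serial again: the precertificate and the final
    # certificate of one issuance can both be listed.
    {"issuer_ca_id": 101, "serial_number": "0a01",
     "not_before": "2019-03-02T00:00:00",
     "name_value": "supplier.com.au\nwww.supplier.com.au"},
    {"issuer_ca_id": 101, "serial_number": "0b02",
     "not_before": "2021-06-10T00:00:00",
     "name_value": "mail.supplier.com.au"},
    {"issuer_ca_id": 202, "serial_number": "0c03",
     "not_before": "2024-01-15T00:00:00",
     "name_value": "*.supplier.com.au\nportal.supplier.com.au"},
]

def summarise_ct(records, domain):
    """Return first certificate date, distinct certificate count, subdomains."""
    domain = domain.lower().rstrip(".")
    issued = {}          # (issuer, serial) -> not_before, one entry per issuance
    subdomains = set()
    for rec in records:
        key = (rec["issuer_ca_id"], rec["serial_number"])
        issued[key] = datetime.fromisoformat(rec["not_before"])
        # name_value holds one or more names separated by newlines.
        for name in rec["name_value"].splitlines():
            name = name.strip().lower()
            if name.startswith("*."):
                name = name[2:]          # a wildcard names no specific host
            if name.endswith("." + domain):
                subdomains.add(name)
    return {
        "first_seen": min(issued.values()) if issued else None,
        "cert_count": len(issued),
        "subdomains": sorted(subdomains),
    }
```

Counting raw rows instead of distinct issuances would report four certificates for this sample rather than three, which inflates the "actively maintained" signal.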

Domain Age vs. Business Age

It is worth being precise about what domain age tells you and what it does not. Domain age tells you when a domain was registered — not when the underlying business started trading. A legitimate business that has operated as a sole trader for ten years may have only recently registered a domain. A business that was incorporated in 2005 may have changed domain names in 2023.

This means domain age should never be used as a single disqualifying factor. It is most useful as one signal among several. A supplier with a 20-year ABN, a matching ASIC record, an active GST registration, and a domain registered three months ago is a much lower risk than a supplier with a six-month ABN, no ASIC record, no GST registration, and a three-month domain. The domain age signal should be read in the context of the full verification picture.

Checking Domain Age in Practice

For non-.au domains (.com, .net, .org), registration dates are available through standard RDAP queries to Verisign and other registry operators. For .au domains, certificate transparency logs are the most reliable proxy. Both approaches can be automated and integrated into a supplier verification workflow.

Gumshoe checks RDAP for non-.au domains and falls back to certificate transparency data for .au domains, presenting the effective domain age in the WHOIS check result and flagging any domain under 180 days as a FAIL. The certificate count and earliest certificate date are surfaced in the check detail — giving your team the data to make an informed judgement, not just a pass/fail score.
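The RDAP-first check with a certificate transparency fallback and the 180-day cut-off, as an added example that is not Gumshoe's code. The RDAP responses are constructed, and `domain_age_check` and its PASS and UNKNOWN labels are assumptions; only the under-180-days FAIL comes from the article.

```python
from datetime import datetime, timezone

THRESHOLD_DAYS = 180  # the article's threshold

def rdap_registration_date(rdap):
    """Return the 'registration' event date of an RDAP domain response, or None."""
    for event in rdap.get("events", []):
        if event.get("eventAction") == "registration":
            # RDAP dates are RFC 3339; map a trailing Z to an explicit offset.
            return datetime.fromisoformat(event["eventDate"].replace("Z", "+00:00"))
    return None

def domain_age_check(rdap, first_cert_date, now):
    """Prefer the RDAP registration date; fall back to the earliest
    certificate date (timezone-aware) when RDAP does not carry one."""
    registered, source = rdap_registration_date(rdap), "rdap"
    if registered is None:
        registered, source = first_cert_date, "certificate-transparency"
    if registered is None:
        # No date from either source: report that, do not pass by default.
        return {"result": "UNKNOWN", "source": None, "age_days": None}
    age_days = (now - registered).days
    result = "FAIL" if age_days < THRESHOLD_DAYS else "PASS"
    return {"result": result, "source": source, "age_days": age_days}

# Constructed RDAP responses (not real registry data).
RDAP_COM = {"objectClassName": "domain", "ldhName": "example-supplier.com",
            "events": [
                {"eventAction": "registration", "eventDate": "2026-01-20T04:12:30Z"},
                {"eventAction": "expiration", "eventDate": "2027-01-20T04:12:30Z"}]}
# A .au-style response with no registration event, as the article describes.
RDAP_AU = {"objectClassName": "domain", "ldhName": "supplier.com.au",
           "events": [
               {"eventAction": "last changed", "eventDate": "2025-11-02T00:00:00Z"}]}

NOW = datetime(2026, 4, 15, tzinfo=timezone.utc)
FIRST_CERT_AU = datetime(2019, 3, 2, tzinfo=timezone.utc)
```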

A Note on Domain Age for Established Suppliers

One practical implication of using domain age as a verification signal is that it is most useful at the point of onboarding a new supplier — not for ongoing monitoring of long-established relationships. A supplier you have been paying for five years without issue has an established domain, and re-verifying domain age annually adds minimal value.

Where domain age becomes valuable again for established suppliers is in the context of banking detail changes. If an established supplier requests new banking details, and the verification reveals that the email requesting the change came from a domain registered two months ago — even if the email appeared to come from the supplier's legitimate address — that domain age signal is a critical red flag that should stop the payment process immediately.

Contains data sourced from the Australian Business Register and ASIC, © Commonwealth of Australia, licensed under CC BY 3.0 AU.