Customer reports unauthorized account access or suspicious charges.
Security & FraudVerified: Jul 14, 2026
Resolution Steps
- Treat all security reports as urgent — do not place the customer on hold for extended periods.
- Verify the customer's identity using the standard verification protocol before discussing account details.
- Check the account login history for unfamiliar IP addresses, locations, or devices.
- Review recent account changes: email address changes, password changes, product purchases, DNS modifications.
- Immediately lock the account if unauthorized access is confirmed — use the Account Security tool.
- Advise the customer to change their password and enable 2FA from a secure device immediately.
- Check if any domains have had DNS records changed — this is a common attack vector.
- If unauthorized charges are present, flag for fraud review — do not process refunds until fraud team clears.
- Document all findings in the account notes with timestamps.
- Provide the customer with the GoDaddy Security incident reference number.
Say This
"I take this very seriously and I'm going to help you right now. First, let me verify your identity so I can access your account securely. [verify identity] Thank you. I'm looking at your account activity right now. [describe what you see — unfamiliar logins, changes, etc.] Here's what I'm going to do immediately: I'm locking your account to prevent any further unauthorized access. This means you won't be able to log in until we've secured it — I'll walk you through the recovery steps right now. I'm also flagging the [suspicious charges / account changes] for our security team to review. They'll be in touch within [timeframe]. While I have you: are you using the same password on other accounts? I strongly recommend changing those as well, as a precaution. And going forward, enabling two-factor authentication will prevent this from happening again."
Quick Links
Escalate When...
- Unauthorized access is confirmed — escalate to Trust & Safety immediately after locking account.
- Customer reports identity theft or their personal information was used to open the account.
- Domain hijacking is suspected — DNS changes made without authorization.
- Customer's site is actively serving malware — escalate to hosting security team.
- Law enforcement inquiry or legal hold request — escalate to Legal immediately.