Fake domain registrar claiming the target's domain expires in 48 hours and they must click to renew now or lose it permanently — domain-slamming / registrar-transfer fraud or credential-harvest; real domain expiration notices come from the actual registrar where the domain is registered, not cold emails from unfamiliar domains threatening permanent loss.

Fake domain registrar notice (impersonating GoDaddy, Namecheap, Google Domains, Cloudflare, Network Solutions, or generic "domain registrar") claiming the target's domain is expiring within 48 hours and that they must click to renew now or lose the domain permanently — domain-slamming / registrar-transfer fraud or credential-harvest attack. Real domain expiration notices come from the actual registrar where the domain was registered (verifiable via WHOIS), on a predictable renewal calendar; cold emails from non-registrar domains claiming a 48-hour expiration window with "click to renew or lose it permanently" language are either domain-slamming (unauthorized registrar-transfer requests) or credential-harvest attacks capturing the target's registrar login. The "48 hours / lose permanently" urgency pair is the defining pressure pattern for this attack class. Distinct from domain-expiration-fraud-phish (general domain expiration slamming) — this targets the specific 48-hour / permanently-lose / click-to-renew-now urgency narrative. Detection: domain expires/expiring + 48 hours + lose permanently/renew now vocabulary + no List-Unsubscribe + no In-Reply-To + not protected sender. Trash score: +3. Source: GC1-R27; ICANN domain slamming policy; FTC domain name scams advisory; CISA domain registrar phishing alert 2025.