What is typosquatting? Lookalike domains explained
Typosquatting is when attackers register lookalike domains to phish your customers and staff or damage your brand. Learn the common patterns, the warning signs, and how to find lookalikes of your domain.
Typosquatting is the practice of registering domain names that closely resemble a legitimate brand’s domain — usually by exploiting common typos, visual look-alikes, or extra words — in order to deceive people who are looking for the real thing. The registered domains are often called lookalike domains, and they are one of the most common tools in phishing and brand-abuse attacks.
The economics favor the attacker. A domain costs a few dollars and takes minutes to register, while the brand owner often does not even know the lookalike exists until a customer is already being phished. That asymmetry is exactly why continuous monitoring beats reactive takedowns.
How typosquatting works
Attackers generate variations of a target domain using predictable techniques:
- Misspellings and keyboard slips — exmaple.com, gogle.com: dropped, doubled, or transposed characters people type by accident.
- Homoglyphs — characters that look alike, such as a lowercase “l” and the number “1”, or Latin letters swapped for near-identical Unicode characters from other alphabets.
- TLD swaps — the same name on a different extension: example.co, example.net, example.io instead of example.com.
- Hyphenation and insertion — exam-ple.com, or adding characters that are easy to miss.
- Combosquatting — the brand spelled correctly with extra words: example-login.com, secure-example.com, example-support.com.
- Subdomain spoofing — putting your brand in a subdomain of an unrelated domain, like example.com.login-verify.net, so a glance at the start of the address looks legitimate.
What attackers do with lookalike domains
- Phishing your customers. A lookalike hosts a fake login or payment page to harvest credentials and card details from people who think they are on your real site.
- Business email compromise (BEC). With mail configured on a lookalike, an attacker emails your staff or suppliers as a “colleague” to redirect invoices and wire payments.
- Malware delivery. The lookalike serves a fake “update” or document that installs malware.
- Brand damage and ad fraud. Some lookalikes run scams, counterfeit storefronts, or pay-per-click pages that trade on your reputation.
Warning signs a lookalike is active
Not every registered lookalike is an immediate threat, but these signals mean one is being prepared or already in use:
- A live website — especially one that copies your branding or hosts a login form.
- A recently issued TLS certificate — attackers add HTTPS to make fake pages look trustworthy; a fresh certificate on a lookalike is a strong signal of intent.
- MX records — mail servers configured on the domain mean it can send or receive email, the precursor to BEC.
- Recent registration — newly registered lookalikes correlate strongly with active campaigns.
How to find and monitor lookalikes
Finding lookalikes manually means brainstorming variations and checking each one — workable for a handful, but attackers have far more combinations than you can track by hand. A better approach:
- Generate variations systematically across all the patterns above, not just obvious typos.
- Check which ones actually resolve in DNS — a registered domain that resolves is worth far more attention than a hypothetical one.
- Prioritize by activity — live sites, fresh certificates, and mail-capable domains first.
- Monitor continuously — new lookalikes are registered all the time, so a one-time check goes stale quickly.
The SCRYPEX Lookalike Domain Checker does the first three for free: enter your domain and it generates common typosquat variations and shows which are registered, live, or email-capable. Lookalike abuse is also one signal in the broader picture of external attack surface management — the same outside-in view that finds your exposed services and email-authentication gaps.
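As an added illustration of the generate-then-resolve approach described above (example code written for this page, not the SCRYPEX checker's own implementation), the script below produces candidates for the misspelling, homoglyph, TLD-swap, hyphenation and combosquatting patterns and keeps only those that resolve in DNS. The substitution tables are deliberately small and the resolver can be swapped for an offline one, which is how the sample run at the bottom works.

```python
"""Generate lookalike-domain candidates for a brand domain and keep the ones
that resolve in DNS.  Added example; the word and homoglyph tables are small
illustrative subsets, not a complete generator."""
import socket

# Assumed, minimal tables; a production generator would use far larger ones.
HOMOGLYPHS = {"l": ["1", "i"], "o": ["0"], "i": ["l", "1"], "m": ["rn"], "e": ["3"]}
TLDS = ["co", "net", "io", "org"]
COMBO_WORDS = ["login", "secure", "support", "verify"]


def generate_variants(domain):
    """Return a set of lookalike candidates for `domain` (e.g. 'example.com')."""
    name, tld = domain.rsplit(".", 1)
    out = set()
    for i in range(len(name)):
        out.add(f"{name[:i]}{name[i + 1:]}.{tld}")               # dropped character
        out.add(f"{name[:i]}{name[i]}{name[i:]}.{tld}")          # doubled character
        if i < len(name) - 1:
            out.add(f"{name[:i]}{name[i + 1]}{name[i]}{name[i + 2:]}.{tld}")  # transposed
            out.add(f"{name[:i + 1]}-{name[i + 1:]}.{tld}")      # hyphen inserted
        for sub in HOMOGLYPHS.get(name[i], []):                  # look-alike character
            out.add(f"{name[:i]}{sub}{name[i + 1:]}.{tld}")
    out.update(f"{name}.{t}" for t in TLDS if t != tld)          # TLD swap
    for word in COMBO_WORDS:                                     # combosquatting
        out.add(f"{name}-{word}.{tld}")
        out.add(f"{word}-{name}.{tld}")
    out.discard(domain)                                          # never list the real domain
    return out


def dns_resolves(host):
    """True if the name has an A record; a resolving lookalike is registered and live."""
    try:
        socket.gethostbyname(host)
        return True
    except socket.gaierror:
        return False


def find_registered(domain, resolver=dns_resolves):
    """Sorted list of candidates that resolve; `resolver` is injectable for offline use."""
    return sorted(v for v in generate_variants(domain) if resolver(v))


if __name__ == "__main__":
    # Constructed offline sample: pretend two candidates are registered.
    fake_registered = {"exmaple.com", "secure-example.com"}
    print(find_registered("example.com", resolver=lambda h: h in fake_registered))
```

Replace the lambda with the default `dns_resolves` to check a real domain; a resolving candidate is the cue to look for a live site, a fresh certificate and MX records before anything else.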
What to do when you find one
- Document it — capture the domain, registrar, hosting, and any live content as evidence.
- Report and request takedown through the registrar, host, and browser safe-browsing programs; trademark owners can also use UDRP/ACPA processes.
- Warn the people at risk — customers and staff — if a lookalike is actively phishing.
- Strengthen your own email authentication with SPF, DKIM, and DMARC so exact-domain spoofing is blocked even while you deal with lookalikes.
Frequently asked questions
Is typosquatting illegal?
Registering a confusingly similar domain in bad faith — to profit from or harm a brand — can violate trademark law and policies like the US ACPA and ICANN's UDRP, which let brand owners recover or take down infringing domains. But registration is fast and cheap while disputes are slow, so monitoring and early detection matter more than relying on takedowns alone.
What is the difference between typosquatting and combosquatting?
Typosquatting relies on small misspellings or keyboard slips (exmaple.com). Combosquatting keeps your brand spelled correctly but adds words around it (example-login.com, secure-example.com). Combosquatting is often more convincing because the brand name is intact, and there are effectively unlimited combinations.
How do I know if a lookalike domain is actually dangerous?
Look for signs it is being weaponized: an active website (especially a login page that mimics yours), a recently issued TLS certificate, and MX records that let it send or receive email for business email compromise. A registered-but-dormant lookalike is lower risk than one that is live with mail configured — but it can be activated at any time, so both are worth tracking.
How can I find lookalike domains of my brand for free?
You can run a free check with the SCRYPEX Lookalike Domain Checker: enter your domain and it generates common typosquat and lookalike variations and checks which ones actually resolve in DNS, flagging those that are live or email-capable.