VigilDNS

Combosquatting: when attackers add a keyword to your real brand

Combosquatting is brand impersonation that keeps your brand name spelled correctly and simply bolts a plausible word onto it. Think acmebank-login.com, acmebank-support.com, or secure-acmebank.com. There is no typo to catch, which is exactly why it slips past the defenses most companies put in place.

What is combosquatting?

Combosquatting combines a target brand with one or more extra keywords to form a domain that looks official. The brand string itself is accurate, so the result reads like a legitimate product page or login portal rather than a fake. A victim who glances at acmebank-billing.com sees the words "acmebank" and "billing" together and assumes it belongs to the company.

This is the core difference from typosquatting. A typosquat relies on a fat-fingered mistake such as acmebnak.com or accmebank.com. Combosquatting does not depend on any error at all. The user can read the address carefully, confirm the brand is spelled right, and still land on an attacker-controlled site.

Why defensive registration does not help

A common reaction to lookalike risk is to defensively register the obvious misspellings of your domain. That is reasonable, but it does nothing against combosquatting. You cannot register every keyword combination that exists.

Misspellings are a bounded set. There are only so many ways to fumble "acmebank" on a keyboard, and a registrar can sell you the common ones in a bundle. Keyword combinations are effectively unbounded. An attacker can pick from thousands of nouns and verbs, stack two or three of them, swap the order, add a hyphen or remove it, and append any top-level domain. The space is too large to pre-buy, so a purely defensive registration strategy cannot close it.

Why it converts so well for phishing

Combosquats are persuasive because they mimic the URL patterns people already trust. Real companies genuinely use addresses like login.acme.com, support.acme.com, or pay.acme.com. When a phishing email links to acme-login.com instead, the shape is familiar enough that the brain fills in the gap. The keyword even helps the lure: a message about a billing problem pairs naturally with acmebank-billing.com, and a password reset pairs with secure-acmebank.com.

Because the brand is spelled correctly, these domains can also pass a casual security awareness check. Staff are often trained to "look for misspellings," and combosquatting has none.

Common keyword patterns

Attackers reuse a small, predictable vocabulary because those words map to the moments when people expect to act on an account.

Pattern         Example for "acmebank"    Lure it supports
brand-login     acmebank-login.com        Fake sign-in page
brand-support   acmebank-support.com      Fake help desk
secure-brand    secure-acmebank.com       Urgent security alert
brand-billing   acmebank-billing.com      Payment problem
verify-brand    verify-acmebank.com       Account verification

How detection actually works

Since you cannot register the whole keyword space, the practical defense is to watch it. A combosquatting detector generates the keyword permutations of your brand the same way an attacker would, then checks those candidates against the real world.

Two signals matter most. The first is registration data: which of these brand-plus-keyword combinations have actually been registered, and when. The second is Certificate Transparency logs, which publicly record the TLS certificates issued for new hostnames. Because most phishing sites obtain a certificate before they go live, watching CT logs can surface a combosquat close to the moment it is being prepared, sometimes before any email is sent.
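The generate-then-match step described above, as an added illustration in Python (not VigilDNS's own code): it enumerates brand-plus-keyword candidates from a constructed keyword and TLD list, then checks a constructed batch of hostnames, as they might arrive from a CT log feed, against that set, reducing each to its registered domain so a genuine subdomain of the brand is not mistaken for a lookalike.

```python
import itertools

# Constructed keyword vocabulary and TLD list (the patterns from the table
# above); a production monitor would use a much larger list of both.
KEYWORDS = ["login", "support", "secure", "billing", "verify"]
TLDS = ["com", "net", "org"]


def combosquat_candidates(brand, keywords=KEYWORDS, tlds=TLDS, max_keywords=2):
    """Enumerate brand+keyword domains the way a monitoring tool does:
    one or two keywords in either order, the brand before, between or after
    them, hyphenated or not, on every TLD. Returns a sorted unique list."""
    candidates = set()
    for n in range(1, max_keywords + 1):
        for combo in itertools.permutations(keywords, n):
            for pos in range(n + 1):  # slot where the brand sits
                parts = list(combo[:pos]) + [brand] + list(combo[pos:])
                for sep in ("-", ""):
                    for tld in tlds:
                        candidates.add(f"{sep.join(parts)}.{tld}")
    return sorted(candidates)


def registrable_domain(hostname):
    """'www.acmebank-login.com' -> 'acmebank-login.com'. Assumption: one-label
    public suffixes only; a real tool would use the Public Suffix List so
    that names under 'co.uk' and similar are reduced correctly."""
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def match_observed_hostnames(brand, hostnames, keywords=KEYWORDS, tlds=TLDS):
    """Check hostnames from CT logs or registration feeds against the candidate
    set; returns (hostname, registered_domain) pairs that match. A genuine
    subdomain like login.acmebank.com reduces to acmebank.com, the brand's own
    domain, which is never a candidate, so only separately registered
    lookalike domains are flagged."""
    watchlist = set(combosquat_candidates(brand, keywords, tlds))
    return [(h, registrable_domain(h)) for h in hostnames
            if registrable_domain(h) in watchlist]


# Constructed sample of hostnames as they might appear in a CT log feed.
SAMPLE_CT_HOSTNAMES = [
    "login.acmebank.com",      # real subdomain of the brand: not a hit
    "www.acmebank-login.com",  # combosquat behind a www label: hit
    "secure-acmebank.net",     # combosquat on another TLD: hit
    "acmebank.com",            # the brand's own domain: not a hit
    "otherbank-login.com",     # different brand: not a hit
]
```

Feeding a real CT log stream into `match_observed_hostnames` gives the early-warning signal the text describes; the two hits in the sample are the separately registered lookalikes, while the brand's own subdomain passes untouched.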

VigilDNS includes combosquatting keywords in its permutation engine alongside techniques like homoglyphs and TLD swaps, then scores each live result with an AI verdict so the handful that look like active threats rise above the noise. The goal is not to register everything; it is to see the dangerous combinations early enough to act.

Combosquatting and typosquatting together

These techniques are cousins, and serious attackers use both. Typosquatting catches accidental traffic; combosquatting earns deliberate clicks from people who think they are visiting a real subsection of your site. If you are mapping out your exposure, read our companion explainer on what typosquatting is and treat the two as a single monitoring problem rather than separate ones.

Frequently asked questions

Is combosquatting illegal?

Registering a domain that combines someone's brand with a keyword can violate trademark law and anti-cybersquatting rules, especially when it is used to deceive. Enforcement varies by country and depends on intent and use, so legal action is case by case. Detection and evidence gathering come first either way.

Can I just block these domains on my firewall?

You can block ones you know about, but you have to discover them first, and the list keeps growing as attackers coin new keyword combinations. Continuous monitoring is what keeps your block list current rather than a one-time snapshot.

How is this different from a real subdomain?

A real subdomain such as login.acme.com lives under the domain you control. A combosquat such as acme-login.com is a separate, independently registered domain that only looks related. The dot versus the hyphen is the whole difference, and most people do not notice it.

You can check your own brand for combosquatting and other lookalike patterns right now with our free typosquat checker, which runs the same permutation logic against live registrations in seconds.