Someone registered a domain similar to mine: what to do
Finding a lookalike of your domain is unsettling, but most of them are not yet an active attack, and there is a clear sequence of steps that works. This guide walks you through assessment, evidence, reporting, and protecting your users, in the order that matters.
Step 1: Assess what you are actually dealing with
Before reporting anything, establish the facts. Three questions determine severity:
- Is it parked or serving content? Visit it from a browser you do not use for work (or a sandbox). A registrar parking page is low urgency. A clone of your login page is an emergency.
- Is it mail-capable? Check for MX records: `dig MX suspicious-domain.com` (or use any online DNS lookup). MX records mean the domain can send and receive email that impersonates you, which is the setup for invoice fraud and spear phishing even when the website shows nothing.
- Does it have a TLS certificate? A fresh certificate (visible in Certificate Transparency logs, searchable at crt.sh) suggests someone is preparing the domain for live use.
Screenshot everything now. Capture the site, the WHOIS/RDAP record, DNS responses, and any emails received, with visible timestamps. Attacker infrastructure changes fast, and every later step (registrar abuse reports, law enforcement, UDRP) depends on evidence of what the domain was doing and when. Save full-page screenshots and raw DNS output to a dated folder before you do anything else.
Step 2: Triage severity
| State | What it means | Urgency |
|---|---|---|
| Parked, no MX | Speculative registration; could be activated later | Document and monitor |
| MX records present | Can send mail as the lookalike; BEC and phishing risk | High: warn staff, report |
| Cloned or impersonating site | Active credential harvesting or fraud setup | Critical: report everywhere, immediately |
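Steps 1 and 2 as a script, added here as an example (it is not VigilDNS code): `capture` saves raw `dig` output and the RDAP record to a dated folder, and `triage` maps the MX answer plus the site state you observed onto the table above. The `evidence/` path, the function names and the `SHA256SUMS` file are assumptions of this example.

```shell
#!/bin/sh
# Added example. Usage: sh lookalike.sh suspicious-domain.com [parked|none|clone]
# (script name, folder layout and function names are assumptions)

# Save raw DNS answers and the RDAP record to a dated evidence folder.
# Full dig output carries its own ";; WHEN:" timestamp line.
capture() {
    domain=$1
    dir="evidence/$(date -u +%Y-%m-%d)/$domain"
    mkdir -p "$dir"
    for type in MX A AAAA NS TXT; do
        dig "$type" "$domain" > "$dir/dig-$type.txt" 2>&1
    done
    # rdap.org redirects to the registry's RDAP server, hence -L
    curl -sL "https://rdap.org/domain/$domain" > "$dir/rdap.json"
    # Hashes let you show later that the files were not altered
    # (sha256sum is GNU coreutils; use `shasum -a 256` on macOS)
    ( cd "$dir" && sha256sum dig-*.txt rdap.json > SHA256SUMS )
    echo "$dir"
}

# Map observations onto the Step 2 table.
#   $1 = raw `dig +short MX` output
#   $2 = what the site showed in your sandboxed browser: parked | none | clone
triage() {
    # Count real mail hosts. A null MX ("0 .", RFC 7505) declares that the
    # domain accepts no mail, so it is not counted.
    mx_hosts=$(printf '%s\n' "$1" |
        awk 'NF == 2 && $2 != "." { n++ } END { print n + 0 }')
    if [ "$2" = "clone" ]; then
        echo "Critical: report everywhere, immediately"
    elif [ "$mx_hosts" -gt 0 ]; then
        echo "High: warn staff, report"
    else
        echo "Document and monitor"
    fi
}

# Only touch the network when a domain is given on the command line.
if [ $# -gt 0 ]; then
    saved=$(capture "$1")
    echo "evidence saved to $saved"
    triage "$(dig +short MX "$1")" "${2:-none}"
fi
```

Screenshots still have to be taken by hand or with a separate tool; the script covers only the DNS and RDAP part of the evidence.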
Step 3: Report, in escalating order
- Document evidence first (step 1). Every report below is stronger with screenshots and timestamps attached.
- Report to the registrar's abuse contact. Look up the domain via RDAP or WHOIS (try rdap.org or ICANN's lookup tool); the record lists the sponsoring registrar and usually an abuse email or web form. Registrars can suspend domains that violate their terms, and clear phishing evidence often gets action. Be factual and concise: the domain, what it imitates, what it is doing, your evidence.
- Report to the hosting provider. If the site serves content, identify the host from the IP address (a reverse lookup or any IP-info service shows the network owner) and file with their abuse contact. Hosts frequently act faster than registrars because the phishing content sits on their machines.
- Report to browser and mail ecosystems. Submit phishing URLs to Google Safe Browsing and to Microsoft (SmartScreen report page). Once flagged, most major browsers and mail filters warn users away, which blunts the attack even before takedown.
- Report fraud to authorities. If money was lost or customers were defrauded, file with IC3 (the FBI's Internet Crime Complaint Center) in the US, and notify CISA if you are critical infrastructure. Outside the US, use your national CERT or police cybercrime unit.
- UDRP or court, as a last resort. The Uniform Domain-Name Dispute-Resolution Policy can transfer a bad-faith domain to you. Cost reality: filing fees start around $1,500 for a single-panelist case, plus attorney time, and decisions take months. It is the right tool for a valuable domain held in bad faith, not for a disposable phishing domain the attacker will abandon anyway.
An honest note: takedown timelines vary from days to never. Some registrars act within hours on clear phishing; others, especially in unresponsive jurisdictions, ignore reports entirely. This is exactly why early detection matters more than takedown speed: a lookalike caught at registration, before it has a certificate or content, gives you time to warn people and block it before anyone is harmed.
Step 4: Warn your customers and staff
Do not wait for takedown. Tell your team the exact lookalike domain so finance and support can spot it in email. Add it to your mail gateway blocklist. If customers are being targeted, a short notice ("we will only ever email you from acmebank.com") protects them and shows good faith.
Step 5: Tighten your own email authentication
Publish strict SPF and a DMARC policy of p=reject (or at least p=quarantine) on your real domain if you have not already. Understand the limit, though: DMARC protects your exact domain from spoofing. It does nothing about mail genuinely sent from the lookalike domain, because that mail authenticates as the lookalike, not as you. DMARC closes one door; it does not close this one. That is another reason MX detection on lookalikes matters.
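To check where your real domain stands today, the following added example (not part of the original guide) grades the SPF and DMARC TXT records you pass to it. The function names and grade labels are assumptions of this example; `acmebank.com` is the guide's own placeholder domain.

```shell
#!/bin/sh
# Added example. Live use against your own domain:
#   check_auth "$(dig +short TXT acmebank.com)" \
#              "$(dig +short TXT _dmarc.acmebank.com)"

# Print the value of one DMARC tag (p, sp, pct, ...) from a TXT answer.
dmarc_tag() {
    printf '%s' "$1" | tr -d '"' | tr ';' '\n' |
        sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\([^[:space:]]*\).*/\1/p" |
        head -n 1
}

# Print the SPF "all" term (-all, ~all, ?all, +all) or nothing if absent.
spf_all() {
    printf '%s\n' "$1" | tr -d '"' | grep -i '^v=spf1' | tr ' ' '\n' |
        grep -i -E '^[-~?+]?all$' | head -n 1
}

# $1 = TXT answer for the domain, $2 = TXT answer for _dmarc.<domain>
check_auth() {
    all=$(spf_all "$1")
    p=$(dmarc_tag "$2" p)
    pct=$(dmarc_tag "$2" pct)
    case "$all" in
        -all) spf="strict" ;;
        "")   spf="missing" ;;
        *)    spf="weak ($all)" ;;
    esac
    case "$p" in
        reject)     dmarc="enforced" ;;
        quarantine) dmarc="partial" ;;
        none)       dmarc="monitor-only" ;;
        *)          dmarc="missing" ;;
    esac
    # pct below 100 applies the policy to only a sample of failing mail.
    if [ -n "$pct" ] && [ "$pct" -lt 100 ] && [ "$dmarc" != "missing" ]; then
        dmarc="$dmarc at pct=$pct"
    fi
    echo "spf=$spf dmarc=$dmarc"
}

# Constructed sample records, not real DNS answers.
check_auth '"v=spf1 include:_spf.example.net ~all"' \
           '"v=DMARC1; sp=reject; p=quarantine; pct=50"'
```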
Step 6: Make sure you see the next one early
One lookalike usually means more will follow; permutation tooling makes registering ten as easy as one. Continuous monitoring generates the permutations of your domain (see "What is typosquatting" for the techniques), watches DNS and Certificate Transparency logs, and alerts you at registration or first certificate, not after the phishing email lands. VigilDNS does this continuously, including MX detection and clone-detection screenshots, with plans from $79/mo on our pricing page. We do not do managed takedowns, but the evidence trail and early warning make every step above faster.
Frequently asked questions
Can I get a lookalike domain taken down if it is just parked?
Usually not. Parking is not abuse by itself, and registrars rarely act without evidence of phishing, malware, or trademark bad faith. Document it, monitor it for changes like new MX records or certificates, and act fast if it goes live.
Does owning the trademark guarantee I win a UDRP case?
No. You must show the domain is confusingly similar to your mark, that the registrant has no legitimate interest, and that it was registered and used in bad faith. Clear phishing evidence helps enormously, which is why timestamped documentation matters.
Will DMARC stop a lookalike domain from emailing my customers?
No. DMARC prevents spoofing of your exact domain. Mail sent from the lookalike authenticates as the lookalike, so it passes. Defenses against lookalike mail are detection, blocklisting, and warning recipients.
Find out whether other lookalikes of your domain already exist: run our free typosquat checker now.