What is typosquatting?
Typosquatting is the practice of registering domain names that look deceptively similar to a legitimate domain, usually to catch mistyped traffic or to impersonate a brand in phishing attacks. It is cheap for attackers, hard to spot by eye, and one of the most common starting points for credential theft and business email compromise.
Typosquatting, defined
A typosquatted domain differs from the real one by a small, easy-to-miss change: a swapped letter, a missing character, a lookalike glyph, or a different ending. The attacker registers the variant, points it at infrastructure they control, and waits for someone to type it, click it in an email, or trust it on a certificate. Because domain registration is nearly frictionless, a single attacker can register dozens of variants of one brand in an afternoon.
How attackers use typosquatted domains
- Phishing email: mail sent from the lookalike domain passes casual inspection because the sender address is almost right.
- Credential harvesting: the lookalike hosts a cloned login page; victims type real passwords into a fake form.
- Malware delivery: the domain hosts a fake software download or update prompt.
- Traffic monetization: mistyped visits get redirected to ads, affiliate offers, or competitors. Low harm per visit, but it proves the domain is actively operated.
- Business email compromise (BEC): an attacker impersonates an executive or supplier from the lookalike domain to redirect invoice payments. This is where lookalike domains do the most financial damage.
The main typosquatting techniques
Most lookalikes fall into a handful of permutation classes. Using the fictional brand acmebank.com as the target:
| Technique | How it works | Example |
|---|---|---|
| Homoglyph | Visually similar characters substitute for real ones | acrnebank.com (rn imitates m) |
| Character swap | Two adjacent letters are transposed | amcebank.com |
| Omission | One character is dropped | acmbank.com |
| Repetition | A character is doubled | acmmebank.com |
| Insertion | An extra character is added | acmnebank.com |
| Bitsquatting | A single bit flip in memory yields a nearby character | aceebank.com |
| TLD swap | Same name, different ending | acmebank.co |
| Combosquatting | The brand plus a plausible keyword | acmebank-login.com |
Homoglyph substitution deserves special attention because internationalized domain names allow Unicode characters that are pixel-identical to Latin letters. We cover that whole class in depth in our guide to homoglyph attacks. Combosquatting is also worth flagging: the domain is not a typo at all, which means defensive registration of misspellings does nothing against it.
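The eight permutation classes in the table, implemented as a small generator. This is an added example, not VigilDNS code or its permutation engine: the homoglyph map, TLD list and combosquatting keywords are short constructed samples, and a production engine would use much larger ones. The `to_ascii` helper shows why IDN homoglyphs matter for monitoring: the Cyrillic variant only reaches DNS and CT logs in its `xn--` punycode form, which is the string a checker actually has to look for.

```python
"""Typosquat permutation generator (added example, not VigilDNS code).

Implements the eight permutation classes for a registrable domain such as
"acmebank.com". HOMOGLYPHS, TLDS and KEYWORDS are constructed samples.
"""

# ASCII lookalikes plus a few Cyrillic letters that render identically to Latin.
HOMOGLYPHS = {
    "m": ["rn"],
    "rn": ["m"],
    "l": ["1", "i"],
    "i": ["l", "1"],
    "o": ["0", "\u043e"],    # Cyrillic small o
    "a": ["\u0430"],         # Cyrillic small a
    "e": ["\u0435"],         # Cyrillic small ie
    "w": ["vv"],
    "d": ["cl"],
}
TLDS = ["co", "net", "org", "cm", "com.co", "info"]    # constructed sample
KEYWORDS = ["login", "secure", "support", "verify"]    # constructed sample
LABEL_CHARS = set("abcdefghijklmnopqrstuvwxyz0123456789-")


def split_domain(domain):
    """Split 'acmebank.com' into ('acmebank', 'com'); only the first label is permuted."""
    name, _, tld = domain.lower().partition(".")
    return name, tld


def homoglyph(name):
    """Replace each substring that has a lookalike (single or multi-character)."""
    out = set()
    for i in range(len(name)):
        for src, repls in HOMOGLYPHS.items():
            if name.startswith(src, i):
                for r in repls:
                    out.add(name[:i] + r + name[i + len(src):])
    return out


def char_swap(name):
    """Transpose each pair of adjacent, differing characters."""
    return {name[:i] + name[i + 1] + name[i] + name[i + 2:]
            for i in range(len(name) - 1) if name[i] != name[i + 1]}


def omission(name):
    return {name[:i] + name[i + 1:] for i in range(len(name))}


def repetition(name):
    return {name[:i] + name[i] + name[i:] for i in range(len(name))}


def insertion(name):
    """Insert one letter at every interior position (ends excluded as implausible)."""
    letters = "abcdefghijklmnopqrstuvwxyz"
    return {name[:i] + c + name[i:] for i in range(1, len(name)) for c in letters}


def bitsquat(name):
    """Every single-bit flip of every character that still yields a legal label."""
    out = set()
    for i, ch in enumerate(name):
        for bit in range(8):
            flipped = chr(ord(ch) ^ (1 << bit))
            if flipped in LABEL_CHARS and flipped != ch:
                cand = name[:i] + flipped + name[i + 1:]
                if not cand.startswith("-") and not cand.endswith("-"):
                    out.add(cand)
    return out


def generate_permutations(domain):
    """Return {technique: set(candidate domains)}, never including the original."""
    name, tld = split_domain(domain)
    label_level = {
        "homoglyph": homoglyph(name),
        "char_swap": char_swap(name),
        "omission": omission(name),
        "repetition": repetition(name),
        "insertion": insertion(name),
        "bitsquat": bitsquat(name),
    }
    result = {k: {f"{n}.{tld}" for n in v if n != name} for k, v in label_level.items()}
    result["tld_swap"] = {f"{name}.{t}" for t in TLDS if t != tld}
    result["combosquat"] = ({f"{name}-{k}.{tld}" for k in KEYWORDS}
                            | {f"{name}{k}.{tld}" for k in KEYWORDS})
    return result


def to_ascii(domain):
    """Render an IDN candidate as the punycode string that DNS and CT logs carry."""
    return domain.encode("idna").decode("ascii")


def count_candidates(domain):
    return sum(len(v) for v in generate_permutations(domain).values())


if __name__ == "__main__":
    perms = generate_permutations("acmebank.com")
    for technique, cands in perms.items():
        print(f"{technique:11s} {len(cands):4d}  e.g. {sorted(cands)[0]}")
    print("total candidates:", count_candidates("acmebank.com"))
```

Even with these short sample lists the single-label target yields a few hundred candidates, which is the scale the text describes; every one of them has to be resolved and re-checked on a schedule, which is why this step feeds an automated pipeline rather than a manual WHOIS session.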
Typosquatting vs cybersquatting vs brandjacking
The terms overlap but are not interchangeable. Typosquatting targets the mechanics of the domain string itself: typos, glyphs, and permutations. Cybersquatting is the broader practice of registering a domain containing someone else's trademark, often to resell it or extract payment, with no typo required. Brandjacking is broader still: any impersonation of a brand, including fake social media accounts, cloned apps, and fraudulent ads. Typosquatting is one tool inside both larger categories, and it is the one that is most systematically detectable, because the permutation space can be generated and checked.
Why parked lookalikes still matter
Most newly registered lookalikes resolve to a parking page or nothing at all. It is tempting to dismiss them, but a parked domain is a loaded weapon, not a dud. The attacker can add MX records and start sending mail, or stand up a cloned site, in minutes, often timed to a campaign. Many phishing operations deliberately let domains age quietly so they look less suspicious to reputation systems. This is why mature monitoring tracks dormant lookalikes and alerts on changes (new MX records, new TLS certificate, new content) rather than only judging a domain by what it serves today.
How typosquatting detection works
Detection is a pipeline, not a single lookup:
- Permutation generation: software generates the plausible variants of your domain across techniques like the eight above. For a typical brand this produces hundreds to thousands of candidates.
- DNS resolution: each candidate is checked for registration, A records, and MX records (mail capability is a strong risk signal).
- Certificate Transparency monitoring: CT logs publicly record every TLS certificate issued, so a lookalike often becomes visible the moment an attacker requests a certificate, frequently before any phishing email goes out. See our guide to Certificate Transparency monitoring.
- Content and risk analysis: live candidates are screenshotted and compared against the real site to catch clones, and scored so real threats surface above noise.
You can run pieces of this yourself with open source tools (see our dnstwist comparison), or use a continuous platform like VigilDNS, which runs an 11-technique permutation engine with live CT log monitoring and AI threat verdicts so the checking never stops.
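The last two stages of the pipeline, risk scoring and the change alerting that the parked-lookalike section argues for, as an added example that is not VigilDNS code or its scoring model. It works on snapshots a monitoring job would already have collected (registration, A and MX records, a CT log hit, a content-similarity figure), so it runs offline; the timeline for `acrnebank.com` is constructed sample data using documentation IP ranges, and the weights and thresholds are illustrative choices, with mail capability weighted heaviest as the text suggests.

```python
"""Risk scoring and change alerting for lookalike domains (added example,
not VigilDNS code). Snapshots below are constructed sample data; no network."""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Snapshot:
    """What one monitoring run observed for one candidate domain."""
    domain: str
    observed: date
    registered: bool = False
    a_records: tuple = ()
    mx_records: tuple = ()
    cert_issued: bool = False        # a certificate for the name appeared in a CT log
    content_similarity: float = 0.0  # 0..1 similarity of its page to the real site


def risk_score(snap):
    """Additive score (illustrative weights) so mail-capable clones surface first."""
    if not snap.registered:
        return 0
    score = 10                        # registered at all
    if snap.a_records:
        score += 20                   # resolves: something is hosted
    if snap.mx_records:
        score += 30                   # can send mail: phishing/BEC capability
    if snap.cert_issued:
        score += 20                   # TLS cert: preparing a convincing site
    if snap.content_similarity >= 0.8:
        score += 30                   # looks like a clone of the real site
    return score


def risk_level(score):
    if score >= 80:
        return "critical"
    if score >= 50:
        return "high"
    if score >= 30:
        return "medium"
    return "low" if score > 0 else "none"


def changes(old, new):
    """Alerts raised between two snapshots of the same domain (a dormant
    lookalike is judged by what changed, not only by what it serves today)."""
    alerts = []
    if not old.registered and new.registered:
        alerts.append("newly registered")
    if set(new.a_records) - set(old.a_records):
        alerts.append("new A record")
    if set(new.mx_records) - set(old.mx_records):
        alerts.append("new MX record")
    if new.cert_issued and not old.cert_issued:
        alerts.append("new TLS certificate")
    if new.content_similarity >= 0.8 and old.content_similarity < 0.8:
        alerts.append("content now resembles the real site")
    return alerts


# Constructed timeline: a lookalike sits parked for weeks, then is armed in days.
TIMELINE = [
    Snapshot("acrnebank.com", date(2024, 1, 5), registered=True,
             a_records=("203.0.113.10",)),                               # parked
    Snapshot("acrnebank.com", date(2024, 3, 2), registered=True,
             a_records=("203.0.113.10",)),                               # still dormant
    Snapshot("acrnebank.com", date(2024, 3, 9), registered=True,
             a_records=("198.51.100.7",), mx_records=("mail.acrnebank.com",),
             cert_issued=True),                                          # armed
    Snapshot("acrnebank.com", date(2024, 3, 10), registered=True,
             a_records=("198.51.100.7",), mx_records=("mail.acrnebank.com",),
             cert_issued=True, content_similarity=0.93),                 # clone live
]


def triage(timeline):
    """Walk consecutive snapshots; return (date, score, level, alerts) per step."""
    rows = []
    for prev, cur in zip(timeline, timeline[1:]):
        score = risk_score(cur)
        rows.append((cur.observed.isoformat(), score, risk_level(score), changes(prev, cur)))
    return rows


if __name__ == "__main__":
    for day, score, level, alerts in triage(TIMELINE):
        print(day, score, level, alerts or ["no change"])
```

Run stand-alone, the dormant months produce a medium score and no alerts, and the day the MX record and certificate appear the domain jumps straight to critical with three alerts, before any cloned page is served. That is the window in which the escalation steps in the next section can still be taken ahead of the first phishing email.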
What to do if you find a lookalike
If you have already found a domain impersonating yours, work the problem calmly: assess whether it is parked, serving content, or mail-capable, capture evidence, then escalate through the registrar and host. We have a full incident walkthrough in our guide "Someone registered a lookalike of my domain".
Frequently asked questions
Is typosquatting illegal?
Registering a lookalike domain is not automatically illegal, but using it in bad faith against a trademark can violate laws like the US Anticybersquatting Consumer Protection Act, and using it for phishing or fraud is criminal nearly everywhere. Trademark holders can also pursue transfer through the UDRP process.
How many typosquat variants does a typical domain have?
It depends on the length of the name and the techniques considered, but most brands have hundreds to thousands of plausible permutations once homoglyphs, TLD swaps, and combosquatting keywords are included. That scale is why detection is automated rather than manual.
Should I just register all the variants myself?
Defensive registration of a few obvious variants is cheap and sensible, but the full permutation space is far too large to buy. Combosquatting alone is unbounded. Monitoring catches what you cannot own.
Want to see what is already registered against your domain? Run our free typosquat checker and get results in seconds.