What Lookalike Domains Actually Do: A Look at 44,000 of Them
Most advice about typosquatting talks in generalities. We can do better. VigilDNS continuously monitors the lookalike-domain space for the brands it protects, so we pulled the aggregate numbers from our own corpus: 44,934 lookalike permutations generated across 237 brands, and what the registered ones are actually configured to do. The single most important finding: half of the registered lookalikes can send email.
How to read this data
These figures are aggregate and anonymized. They come from the permutation sets VigilDNS generates and monitors for real brands, so the population skews toward names worth impersonating rather than a random sample of the internet. We are not naming any brand or domain. The point is the shape of the threat, not any individual case. Numbers are a snapshot in time and will drift as the corpus grows.
The funnel: from permutation to live threat
For every brand, an engine generates the plausible lookalikes, and only some of them turn out to be registered, fewer still are live, and fewer again are dangerous. Here is how 44,934 generated permutations narrowed down.
| Stage | Count | Share |
|---|---|---|
| Lookalike permutations generated (237 brands) | 44,934 | 100% |
| Actually registered | 24,539 | 55% of generated |
| Mail-capable (can send email) | 12,263 | 50% of registered |
| Serving a live web response | 8,038 | 33% of registered |
| Scored high-risk (70+ of 100) | 7,433 | 30% of registered |
Finding 1: half of registered lookalikes can send email
Of the 24,539 registered lookalike domains, 12,263 (almost exactly 50%) had mail servers configured. That matters more than the website numbers, because a mail-capable lookalike does not need a web page to do damage. It can send invoices, payment-change requests, and password-reset lures that appear to come from your brand. This is the infrastructure behind business email compromise, and it is why SPF, DKIM, and DMARC on your own domain are necessary but not sufficient: those protect your exact domain, while a lookalike authenticates perfectly as itself. The only way to catch this class is to watch for the lookalike domain. We explain the distinction in "is someone spoofing my email domain".
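One way to run this check over monitoring output, as an added example (not VigilDNS code): it parses constructed `dig +noall +answer` style lines and buckets each lookalike by mail capability and web presence, so the mail-only names that website-only monitoring misses stand out. The brand `acmepay`, the reserved `.example` names, the `WEB_LIVE` probe results, and the rule that an explicit non-null MX means "mail-capable" are all assumptions of this example.

```python
# Added example. The DNS answers are constructed, in `dig +noall +answer` format.
SAMPLE = """\
acmepay-billing.example. 300 IN MX 10 mx1.mailhost.example.
acmepay-billing.example. 300 IN MX 20 mx2.mailhost.example.
acmpay.example. 3600 IN MX 0 .
acmepay-login.example. 300 IN A 192.0.2.10
acmeepay.example. 600 IN MX 5 mail.acmeepay.example.
acmeepay.example. 600 IN A 192.0.2.20
"""
# Assumed result of a separate HTTP probe: does the name serve a live page?
WEB_LIVE = {"acmepay-login.example": True, "acmeepay.example": True}

def parse_mx(text):
    """Map each owner name to its list of (preference, exchange) MX records."""
    mx = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue  # not a complete resource record line
        owner, rtype = fields[0].rstrip(".").lower(), fields[3].upper()
        mx.setdefault(owner, [])  # remember names that have no MX at all
        if rtype == "MX" and len(fields) >= 6:
            mx[owner].append((int(fields[4]), fields[5].lower()))
    return mx

def mail_capable(records):
    """True if any MX names a real exchange; a null MX ("0 .", RFC 7505) does not count."""
    return any(exchange != "." for _pref, exchange in records)

def triage(text, web_live):
    """Bucket every observed name by mail capability and web presence."""
    buckets = {"mail+web": [], "mail-only": [], "web-only": [], "dormant": []}
    for name, records in sorted(parse_mx(text).items()):
        mail, web = mail_capable(records), web_live.get(name, False)
        key = ("mail+web" if web else "mail-only") if mail else ("web-only" if web else "dormant")
        buckets[key].append(name)
    return buckets
```

The `mail-only` bucket is the one to alert on first: it holds names with a usable MX and no page to capture.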
Finding 2: a third are live, and a third are high-risk
About 33% of registered lookalikes returned a live web response, and about 30% scored 70 or above on our 0-100 risk scale. The two groups overlap but are not identical: a domain can be high-risk because it is mail-capable, newly registered, or hosted on suspicious infrastructure even without a live page. The takeaway is that a meaningful minority of registered lookalikes are not harmless parking, and the parked majority can be activated at any time, which is why we track them for change rather than dismissing them. See domain parking.
Finding 3: the techniques attackers actually use
Counting only registered lookalikes, the permutation techniques break down like this. Note how far down the list classic homoglyphs and character swaps sit: additions, TLD swaps, and character replacements dominate, which is consistent with attackers favoring plausible-looking names over obvious misspellings.
| Technique | Registered lookalikes |
|---|---|
| Addition (extra characters or words) | 7,890 |
| TLD swap (same name, different ending) | 4,467 |
| Replacement | 3,836 |
| Bitsquatting | 2,032 |
| Omission | 1,157 |
| Vowel swap | 1,096 |
| Insertion | 1,004 |
| Repetition | 1,003 |
| Homoglyph | 925 |
| Character swap | 792 |
This is the data behind a point we make often: detection built only on simple typos misses most of the space. The biggest buckets are additions and TLD swaps, the building blocks of combosquatting, where the brand is spelled correctly and a word or a new ending is bolted on. See "what is typosquatting" and "bitsquatting" for the techniques themselves.
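To show why additions and TLD swaps need rules of their own, here is an added example (not VigilDNS's engine) that labels an observed domain with the technique from the table above. The matching rules, the rule order, the hypothetical brand `acmepay` and the reserved `.example`/`.test` names are assumptions; homoglyphs are left out because they need a confusables table.

```python
from collections import Counter

VOWELS = set("aeiou")
# Constructed sample of newly observed registrations for a hypothetical brand.
OBSERVED = ["acmepay.test", "acmepay-login.example", "secure-acmepay.example",
            "acmpay.example", "acmeepay.example", "acmexpay.example", "acmepya.example",
            "acoepay.example", "acmopay.example", "acmebay.example", "widgets.example"]

def split(domain):
    """Split a registrable domain at its first dot: 'brand.co.uk' -> ('brand', 'co.uk')."""
    name, _, tld = domain.lower().rstrip(".").partition(".")
    return name, tld

def one_bit_apart(a, b):
    """True when two characters differ in exactly one bit (the bitsquatting case)."""
    x = ord(a) ^ ord(b)
    return x != 0 and x & (x - 1) == 0

def classify(brand, seen):
    """Label how `seen` relates to `brand`; None if no rule matches."""
    b, b_tld = split(brand)
    s, s_tld = split(seen)
    if s == b:
        return "tld-swap" if s_tld != b_tld else None
    if len(s) == len(b):
        diff = [i for i in range(len(b)) if b[i] != s[i]]
        if len(diff) == 1:
            x, y = b[diff[0]], s[diff[0]]
            if one_bit_apart(x, y):
                return "bitsquatting"
            return "vowel-swap" if x in VOWELS and y in VOWELS else "replacement"
        if len(diff) == 2 and diff[1] == diff[0] + 1:
            i, j = diff
            if b[i] == s[j] and b[j] == s[i]:
                return "character-swap"
    if len(s) == len(b) - 1 and any(b[:i] + b[i + 1:] == s for i in range(len(b))):
        return "omission"
    if len(s) == len(b) + 1:
        for i in range(len(s)):
            if s[:i] + s[i + 1:] == b:
                if s[i] in (s[i - 1:i] + s[i + 1:i + 2]):
                    return "repetition"  # the extra character doubles a neighbour
                if 0 < i < len(s) - 1:
                    return "insertion"   # extra character inside the name
    return "addition" if b in s else None  # brand intact, characters or words bolted on

def tally(brand, observed):
    """Count observed domains per technique, dropping names no rule matches."""
    return Counter(t for t in (classify(brand, d) for d in observed) if t)
```

The `addition` and `tld-swap` branches never look at character-level edits, which is why a detector built only on single-character typos does not see those two buckets.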
Finding 4: where the infrastructure lives
By hosting country of the resolving IP, registered lookalikes concentrated in the United States (13,492), then Germany, Australia, Canada, the Netherlands, France, the United Kingdom, and the British Virgin Islands. The long tail of offshore hosting is a reminder that takedowns can be slow or impossible in some jurisdictions, which is the case for catching the domain early rather than relying on removal. See how domain takedowns work.
What this means for you
If you take one thing from this: a registered lookalike of your brand is more likely than not to be mail-capable, and that is true whether or not it ever serves a web page. Watching only for fake websites misses half the threat. Continuous monitoring that flags mail-capable lookalikes, captures live pages, and scores risk is what turns 44,000 raw permutations into the short list that actually needs your attention. That is what VigilDNS does, from $79 a month on the pricing page.
Frequently asked questions
Where do these numbers come from?
They are aggregate, anonymized figures from the lookalike permutations VigilDNS generates and monitors for real brands. No individual brand or domain is identified. The population skews toward brands worth impersonating, so it is not a random internet sample.
Why is the mail-capable number so high?
Email is the cheapest, highest-return use of a lookalike domain. It needs no website, evades exact-domain email protections like DMARC, and powers invoice and payment fraud. Attackers configure mail on lookalikes because it works.
Does a parked lookalike with no website matter?
Yes. A parked domain can be activated in minutes, and many are mail-capable while still showing no web page. That is why monitoring tracks parked lookalikes for change instead of dismissing them.
See how many lookalikes of your own domain are already registered, and which can send email, with our free typosquat checker.