Lookalike-Domain and Brand-Impersonation Monitoring for Accounting and CPA Firms
Attackers register domains that look like your firm to phish your clients for tax documents, redirect refunds, and send fraudulent invoices. VigilDNS watches the open internet for those lookalike domains continuously, scores the risk, and hands you a ready-to-act evidence package. Self-serve, affordable, no sales call.
The threat to a CPA firm is email, not just a fake website
Your clients trust mail that appears to come from your firm. A criminal who registers a domain like yourfirm-portal.com or yourfirm-tax.com can stand up a fake client login page, email your clients pretending to be you, and ask them to upload W-2s, K-1s, or bank details. With those documents, the attacker can file fraudulent returns and reroute refunds. The same lookalike domain, if it carries mail records, can send a convincing invoice or a change of payment instructions to a client or to your own staff. This is business email compromise, and accounting firms are a high-value target because they hold Social Security numbers, EINs, and financial records for many clients at once.
Tax season makes it worse. Every January through April there is a predictable surge in fake-IRS and fake-firm phishing as criminals exploit the volume of legitimate document exchange. The domains are often registered weeks ahead, which is exactly the window continuous monitoring is built to catch.
This is now a professional duty, not just IT hygiene
Two requirements have moved domain-based impersonation from a nuisance to a compliance concern. The AICPA Statements on Standards for Tax Services, revised effective January 1, 2024, added an explicit data-protection standard requiring members to make reasonable efforts to safeguard taxpayer data. Separately, the FTC Safeguards Rule under the Gramm-Leach-Bliley Act requires any firm that prepares returns to maintain a Written Information Security Plan (WISP) covering risk assessment and ongoing monitoring of threats, and the IRS ties WISP attestation to PTIN renewal. VigilDNS does not make you compliant on its own, but continuous lookalike monitoring with documented evidence supports the "reasonable efforts" and "ongoing monitoring" your WISP and the SSTS expect, and gives you a record you can point to.
What VigilDNS watches for you
- Combosquat domains, your brand plus a keyword like -secure, -portal, -tax, -irs, or -login. Most real impersonation uses these, not simple letter swaps. See what combosquatting is.
- Mail-capable lookalikes. About half of registered lookalike domains carry mail (MX) records and can send spoofed email. Watching only for fake websites misses half the threat, and for a CPA firm the email half is the dangerous half. Learn how SPF, DKIM, and DMARC fit in.
- Live clone detection. We take real screenshots of suspect sites and compare them side by side with your real pages, so you can see when someone has copied your client portal or login.
- Typosquats and homoglyphs across an 11-technique permutation engine, including lookalike Unicode characters.
- Certificate Transparency monitoring to catch a lookalike at the moment it gets an SSL certificate, often before any phishing email goes out.
- AI threat verdicts, risk scoring, and campaign clustering so a long list of registrations becomes a short list of what actually matters.
- Dormant-threat detection, RDAP ownership data, real-time alerts, team workspaces, and CSV export.
What we do not do
We are honest about scope. VigilDNS produces the detection and the evidence package; it does not file managed takedowns on your behalf, though our evidence is built to hand to a registrar or your counsel. We do not monitor social media, the dark web, or counterfeit marketplaces. If you need takedowns, see how domain takedowns work.
Enterprise-grade detection without the enterprise price
Brand protection has been split in two for years. Enterprise platforms like ZeroFox, BrandShield, Doppel, and Fortra are quote-only and routinely run into five figures a year (ZeroFox has averaged roughly $56,000 annually). At the other end, sub-$10 tools do detection only, with no scoring and no evidence. Almost nothing sits between $100 and $5,000 a month with detection plus evidence plus risk scoring. VigilDNS does, self-serve, and you can start today. Starter is $79 a month for 5 domains and 3 seats. Team is $199 a month for 20 domains, 10 seats, and 12-hour scans. Annual billing includes two months free. Compare us on our ZeroFox alternative page.
| Option | Price | Detection | Risk scoring + evidence | Self-serve |
|---|---|---|---|---|
| Enterprise brand-protection suites | 5-figure, quote-only | Yes | Yes | No, sales call |
| Cheap typo checkers | ~$5/mo | Basic | No | Yes |
| VigilDNS | $79-$899/mo | 11-technique + CT + clone | Yes | Yes |
Frequently asked questions
Will this make my firm WISP or SSTS compliant?
No single tool makes you compliant. The WISP requirement and the revised SSTS data-protection standard call for reasonable efforts and ongoing monitoring of threats. VigilDNS supports those duties by continuously monitoring for impersonation domains and documenting what it finds, so you have monitoring in place and a record to show. The rest of your program, like MFA and training, is still yours to maintain.
What is the difference between a typosquat and a combosquat?
A typosquat is a misspelling of your domain, like yuorfirm.com. A combosquat keeps your name and adds a word, like yourfirm-secure.com. Combosquats are more common in real attacks because they look legitimate. VigilDNS detects both, plus homoglyphs. More on what typosquatting is.
Why does it matter whether a lookalike domain can send email?
A domain with mail records can send spoofed messages that pass basic checks and reach your clients or staff. Because attacks on accounting firms are usually email-driven, a fake-website-only tool misses the part that costs money. VigilDNS flags mail-capable lookalikes specifically.
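To make the typosquat, combosquat, homoglyph and mail-capable distinctions from the watch list and the two answers above concrete, here is an added defender-side sketch that classifies domains already observed (for example in Certificate Transparency or DNS data) against a brand label. It is not VigilDNS code; the `yourfirm` label, the small look-alike map, the single-label-TLD assumption, the mail-first ordering and the sample data are all assumptions made for illustration.

```python
BRAND = "yourfirm"  # placeholder brand label, as used in the page's examples
# Small illustrative look-alike map (Cyrillic letters, digits); not a full Unicode table.
CONFUSABLES = {"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0443": "y",
               "\u0456": "i", "0": "o", "1": "l"}

def one_edit(a, b):
    """True if b is one insert, delete, substitution or adjacent swap away from a."""
    if a == b or abs(len(a) - len(b)) > 1:
        return False
    i = 0
    while i < min(len(a), len(b)) and a[i] == b[i]:
        i += 1
    if len(a) == len(b):
        if a[i + 1:] == b[i + 1:]:
            return True                                   # substitution
        return a[i] == b[i + 1] and a[i + 1] == b[i] and a[i + 2:] == b[i + 2:]
    longer, shorter = (a, b) if len(a) > len(b) else (b, a)
    return longer[i + 1:] == shorter[i:]                  # insertion or deletion

def classify(domain):
    """Return 'homoglyph', 'typosquat', 'combosquat' or None for one domain name."""
    parts = domain.lower().rstrip(".").split(".")
    label = parts[-2] if len(parts) > 1 else parts[0]     # assumes a single-label TLD
    if label.startswith("xn--"):                          # IDN labels arrive as punycode
        try:
            label = label[4:].encode("ascii").decode("punycode")
        except UnicodeError:
            pass                                          # malformed label: compare as-is
    skeleton = "".join(CONFUSABLES.get(ch, ch) for ch in label)
    if label == BRAND:
        return None                                       # same label (own domain or other TLD)
    if skeleton == BRAND:
        return "homoglyph"
    if one_edit(BRAND, skeleton):
        return "typosquat"
    return "combosquat" if BRAND in skeleton else None

def triage(observed):
    """observed: (domain, mx_hosts) pairs. Returns hits, mail-capable ones first."""
    hits = [(d, kind, bool(mx)) for d, mx in observed if (kind := classify(d))]
    return sorted(hits, key=lambda h: (not h[2], h[0]))

OBSERVED = [  # constructed sample data, not real registrations
    ("yourfirm-portal.com", ["mx1.yourfirm-portal.com"]),
    ("yuorfirm.com", []),
    ("y\u043eurfirm.com", ["mail.example.net"]),          # Cyrillic 'o' in place of Latin 'o'
    ("yourfirm-tax.com", []),
    ("otherfirm.com", ["mx.otherfirm.com"]),
    ("yourfirm.com", ["mx.yourfirm.com"]),
]

if __name__ == "__main__":
    for domain, kind, mail in triage(OBSERVED):
        print(f"{kind:10} mail-capable={mail!s:5} {domain}")
```

Substring matching on a short or generic brand label will produce false positives, so a real deployment would pair this with an allowlist of the firm's own domains.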
Can I try it before paying?
Yes. Run your firm's domain through the free checker, no account needed, and see what is already out there.
Start with the free typosquat checker to see the lookalikes of your firm that are already registered, then see pricing to turn that one-time look into continuous monitoring. If you also handle real-estate closings, see our title company wire fraud protection page.