Lookalike-Domain and Brand-Impersonation Monitoring for Law Firms
The costliest cyber threat to a law firm rarely starts with a breach. It starts with a domain that looks like your firm or the closing attorney, sending fraudulent wire instructions in a real-estate or settlement matter. VigilDNS continuously watches the internet for those lookalike domains, scores the risk, and gives you an evidence package you can act on. Self-serve, affordable, no sales call.
Business email compromise is the threat, and an impersonated domain is the weapon
Business email compromise is consistently the most expensive cyber loss for law firms, and the mechanism is almost always a domain. A criminal registers something close to your firm's name, or to the closing attorney's or a lender's, then emails the parties to a transaction with new wire instructions just before funds move. In real-estate closings and settlements the sums are large, the timing is tight, and once an IOLTA or escrow transfer goes out it is very hard to recover. The fake domain can also stand up a copy of your site to make the impersonation credible. Because the attack is email-driven, watching only for fake websites misses the half of the problem that actually moves money.
Your ethical duties already point here
ABA Model Rule 1.6(c) requires a lawyer to make reasonable efforts to prevent the inadvertent or unauthorized disclosure of, or unauthorized access to, information relating to a client. ABA Formal Opinion 477R frames that as a fact-specific reasonableness standard tied to the sensitivity of the information and the likelihood of disclosure. Rule 1.15 imposes a duty to safeguard client and escrow funds, including IOLTA accounts. A lookalike domain used to redirect a wire or harvest client data implicates both rules at once, and firms can face malpractice and disciplinary exposure even when they are the victim of the fraud. VigilDNS does not by itself satisfy these duties, but continuous monitoring for impersonation domains, with documented evidence, is a concrete reasonable effort that supports Rule 1.6(c) and helps protect the funds Rule 1.15 covers.
What VigilDNS watches for you
- Combosquat domains, your firm name plus a word like -law, -legal, -escrow, -closing, or -settlement. These look legitimate and are how most real impersonation works. See what combosquatting is.
- Mail-capable lookalikes. Roughly half of registered lookalike domains carry mail (MX) records and can send spoofed email. For a firm whose risk is fraudulent wire instructions, the mail-capable ones are the real danger. See SPF, DKIM, and DMARC.
- Live clone detection. We screenshot suspect sites and place them side by side with your real pages, so you can see when someone has copied your firm's site or client portal.
- Typosquats and homoglyphs through an 11-technique permutation engine, including look-alike Unicode characters.
- Certificate Transparency monitoring to catch a lookalike as soon as it gets an SSL certificate, often before the fraudulent email is sent.
- AI threat verdicts, risk scoring, and campaign clustering so you triage a short list of real threats, not a spreadsheet of registrations.
- Dormant-threat detection, RDAP ownership data, real-time alerts, team workspaces, and CSV export.
What we do not do
VigilDNS produces the detection and the evidence; it does not file managed takedowns for you, though the evidence package is built to hand to a registrar or to opposing parties and counsel. We do not monitor social media, the dark web, or counterfeit marketplaces. For background, see how domain takedowns work and what lookalike domains actually do.
Enterprise protection without the enterprise contract
Brand-protection has long been an either-or. Enterprise platforms like ZeroFox, BrandShield, Doppel, and Fortra are quote-only and commonly cost five figures a year (ZeroFox has averaged around $56,000 annually), with a sales cycle to match. Cheap tools at a few dollars a month do detection only, with no scoring and no evidence to act on. Almost nothing occupies the space between $100 and $5,000 a month with detection plus evidence plus risk scoring. VigilDNS does, self-serve, and a solo practice can start today. Starter is $79 a month for 5 domains and 3 seats; Team is $199 a month for 20 domains, 10 seats, and 12-hour scans. Annual billing includes two months free. See our ZeroFox alternative comparison.
| Option | Price | Detection | Risk scoring + evidence | Self-serve |
|---|---|---|---|---|
| Enterprise brand-protection suites | 5-figure, quote-only | Yes | Yes | No, sales call |
| Cheap typo checkers | ~$5/mo | Basic | No | Yes |
| VigilDNS | $79-$899/mo | 11-technique + CT + clone | Yes | Yes |
Frequently asked questions
How does domain monitoring help with wire fraud?
Most wire fraud in legal matters runs through a lookalike domain that impersonates the firm or the closing attorney. By detecting that domain early, often the moment it registers or gets a certificate, and flagging whether it can send email, VigilDNS gives you a chance to warn clients and counterparties and to verify instructions before money moves.
Does this satisfy ABA Rules 1.6 and 1.15?
No product satisfies an ethical rule by itself. Rule 1.6(c) and Rule 1.15 call for reasonable efforts to protect client information and funds. VigilDNS supports those duties with continuous impersonation monitoring and a documented evidence trail, which is a concrete and defensible reasonable effort. Your broader security practices still matter.
What if I only have one domain?
A solo or small firm with one domain still benefits, because the threat is the many lookalikes of that one domain, not the count of domains you own. Starter covers 5 monitored domains, which is room for your firm plus closely related names.
Can I see what is out there before I buy?
Yes. Run your firm's domain through the free checker with no account, and see the lookalikes that already exist.
Start with the free typosquat checker to see the lookalikes of your firm already registered, then visit pricing to turn it into continuous monitoring. Firms that handle closings should also see title company wire fraud protection, and if you found a lookalike already, read someone registered a lookalike of my domain.