Combosquatting registers a domain that combines a correctly-spelled brand name with an extra word or a different TLD — for example acmebank-secure.com, login-acmebank.net, or acmebank-support.com. Unlike typosquatting, the brand is not misspelled, which is exactly what makes combosquatting look legitimate and evade typo-based detection.
The added keyword is usually something reassuring drawn from a small abuse vocabulary: secure, login, support, verify, wallet, pay, account. Research has found combosquatting to be more prevalent than typosquatting and often long-lived.
Because the keyword-and-TLD space is effectively infinite, defensive registration cannot cover it — the durable defense is monitoring plus takedown. See the guide on combosquatting.