Typosquatting Explained: How Lookalike Domains Attack Your Brand

What typosquatting is, the patterns attackers use, and how to detect lookalike domains before they are weaponized against your customers.

Updated 2026-06-17 · 4 min read

A customer means to type your domain, slips a finger, and lands somewhere else — a page that looks like yours and asks for a login. That is typosquatting: registering misspellings of a legitimate domain so that the traffic human error generates arrives at the attacker's page instead of yours. It is one of the oldest lookalike-domain attacks and still one of the most effective, because it exploits typing, not technology.

This guide covers the patterns attackers use, why the attack pays off, and how to detect typosquats of your own domain before they cause damage.

What typosquatting is

Typosquatting, sometimes called URL hijacking, registers domains that are plausible mistypings of a real one and uses them to monetize or weaponize the resulting traffic. A typosquat of acmebank.com might be acmebnk.com or acmebank.cm. The attacker is betting that a meaningful fraction of visitors will never notice the difference.

What sits on a typosquat varies:

  • A phishing page cloning your login screen to harvest credentials.
  • Malware or a drive-by download dressed up as your site.
  • A parking page of ads that earns the squatter pay-per-click revenue off your brand.
  • A redirect to a competitor, an affiliate link, or a scam.

The common typo patterns

Attackers don't guess randomly — they enumerate predictable classes of error. The main patterns for a brand like acmebank:

  • Omission — a dropped character: acmebnk.com, cmebank.com.
  • Transposition — two adjacent characters swapped: acmebnak.com.
  • Repetition / doubling — a character typed twice: accmebank.com.
  • Adjacent-key substitution — a neighboring keyboard key: axmebank.com (x next to c).
  • Insertion — an extra character that is not a doubling: acmebanck.com.
  • TLD swap — the name is right but the extension is wrong: acmebank.co, acmebank.cm, acmebank.net.

Related but distinct attacks include homoglyphs (visually identical Unicode characters) and combosquatting (the brand spelled correctly with an added keyword). A complete monitoring program covers all three; this article focuses on the misspelling family.

Why it works

Typosquatting persists because the economics and the psychology both favor the attacker.

  • Typing is error-prone. Across millions of address-bar entries and links, a steady stream of mistakes is guaranteed, so a popular brand's typos carry real traffic.
  • Registration is cheap. A domain costs a few dollars a year; a single harvested credential set or a season of parking revenue covers it many times over.
  • The lookalike disarms suspicion. A name one character off from the real thing reads as correct at a glance, especially on mobile, in an email, or in a hurried moment.

The dangerous typosquat is not the parked one — it is the one that resolves to a live page with a login form or a mail server. Liveness and mail capability, not mere registration, are what make a lookalike an active threat.

How detection works

You cannot register every possible misspelling — the permutation space is large and an attacker only needs the one you missed. The durable approach is to generate the typo space and then verify which variants are real:

  1. Permute. From your domain, generate omissions, transpositions, repetitions, adjacent-key substitutions, insertions, and TLD swaps. This is what tools like dnstwist automate.
  2. Resolve. Check each candidate for a live host (an A/AAAA record), an MX record (mail-capable, so it can send phishing), a TLS certificate in Certificate Transparency logs, and a registration date from RDAP or WHOIS, which the next step needs.
  3. Age and score. A freshly registered, live, mail-capable typosquat ranks far above a long-parked placeholder. Combine the signals into a risk score.

The output you want is not "every domain that resembles yours" — it is the short list that actually resolves and looks weaponized.

The false-positive problem

The reason raw permutation lists are unusable is that most matches are harmless: domains you own defensively, brand-adjacent names run by partners, or unrelated sites that happen to collide. A tool that alerts on all of them trains your team to ignore alerts — and the one real phishing domain slips through in the noise.

Suppression is the actual product. It depends on allowlisting your own and partner domains, decaying dead candidates, and scoring so that only credible impersonation reaches a human. This is the layer Brandfence is built around: it generates the typo permutations of your domain, enriches each with DNS, mail, and certificate signals, suppresses the benign majority, and routes only confirmed impersonations to human-reviewed takedown.
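The permute / resolve / score loop from "How detection works", with the allowlist suppression this section describes, as an added example. This is not Brandfence's or dnstwist's code: the keyboard-adjacency map, TLD list, score weights, and threshold are illustrative assumptions, and the enrichment results at the bottom are constructed inline so the script runs offline (in production `lookup` would wrap real DNS, CT, and RDAP queries).

```python
# Added example: generate typo candidates for a domain, enrich each one, score it,
# and suppress the benign majority. Weights, TLD list, and sample data are assumptions.
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

# Assumption: US QWERTY neighbours, letters only (digits and hyphens omitted).
QWERTY = {
    "q": "wa", "w": "qesa", "e": "wrsd", "r": "etdf", "t": "ryfg", "y": "tugh",
    "u": "yihj", "i": "uojk", "o": "ipkl", "p": "ol", "a": "qwsz", "s": "awedxz",
    "d": "serfcx", "f": "drtgvc", "g": "ftyhbv", "h": "gyujnb", "j": "huikmn",
    "k": "jiolm", "l": "kop", "z": "asx", "x": "zsdc", "c": "xdfv", "v": "cfgb",
    "b": "vghn", "n": "bhjm", "m": "njk",
}
TLDS = ("com", "net", "org", "co", "cm")  # assumption: swaps worth checking for a .com brand
ALPHABET = "abcdefghijklmnopqrstuvwxyz"


def permute(domain: str) -> Dict[str, str]:
    """Map each typo candidate to the pattern that produced it (first pattern wins)."""
    name, _, tld = domain.partition(".")  # assumes name.tld with no subdomain
    out: Dict[str, str] = {}

    def add(label: str, pattern: str, t: str = tld) -> None:
        cand = f"{label}.{t}"
        if cand != domain:
            out.setdefault(cand, pattern)

    n = len(name)
    for i, ch in enumerate(name):
        add(name[:i] + name[i + 1:], "omission")                      # drop one char
        add(name[:i] + ch + name[i:], "repetition")                    # double one char
        if i < n - 1:
            add(name[:i] + name[i + 1] + ch + name[i + 2:], "transposition")
        for k in QWERTY.get(ch, ""):
            add(name[:i] + k + name[i + 1:], "adjacent-key")            # neighbouring key
    for i in range(n + 1):
        for k in ALPHABET:
            add(name[:i] + k + name[i:], "insertion")                   # extra char anywhere
    for t in TLDS:
        add(name, "tld-swap", t)                                        # same name, other TLD
    return out


@dataclass
class Signals:
    """Enrichment for one candidate; all False/None means nothing resolved."""
    a: bool = False                 # A or AAAA record present (live host)
    mx: bool = False                # MX record present (can send mail)
    ct: bool = False                # certificate seen in CT logs
    age_days: Optional[int] = None  # days since registration, None if unknown


def score(candidate: str, sig: Signals, allowlist: frozenset) -> int:
    """0 means suppressed (allowlisted or dead); higher means more weaponized."""
    if candidate in allowlist or not (sig.a or sig.mx or sig.ct):
        return 0
    s = (30 if sig.a else 0) + (30 if sig.mx else 0) + (20 if sig.ct else 0)
    if sig.age_days is not None and sig.age_days <= 30:
        s += 20  # fresh registration ranks above a long-parked placeholder
    return s


def triage(domain: str, lookup: Callable[[str], Signals],
           allowlist: frozenset = frozenset(), min_score: int = 50) -> List[Tuple[int, str, str]]:
    """Permute, enrich via lookup(), score, drop anything below min_score, rank."""
    rows = []
    for cand, pattern in permute(domain).items():
        s = score(cand, lookup(cand), allowlist)
        if s >= min_score:
            rows.append((s, cand, pattern))
    return sorted(rows, key=lambda r: (-r[0], r[1]))


# Constructed enrichment results standing in for real DNS/CT/RDAP lookups.
CONSTRUCTED = {
    "acmebnk.com": Signals(a=True, mx=True, ct=True, age_days=4),      # fresh, live, mails
    "acmebnak.com": Signals(a=True, ct=True, age_days=12),             # live, no mail yet
    "acmebank.net": Signals(a=True, age_days=2900),                    # long-parked placeholder
    "acmebank.co": Signals(a=True, mx=True, ct=True, age_days=1500),   # defensively owned
}
OWNED = frozenset({"acmebank.co"})  # assumption: the brand's own defensive registration


def lookup(candidate: str) -> Signals:
    """Offline stand-in for resolution; unknown candidates resolve to nothing."""
    return CONSTRUCTED.get(candidate, Signals())


if __name__ == "__main__":
    for s, cand, pattern in triage("acmebank.com", lookup, OWNED):
        print(f"{s:3d}  {cand:<16} {pattern}")
```

Run against the constructed data, only acmebnk.com (fresh, live, mail-capable) and acmebnak.com (live with a certificate) survive: the defensively owned acmebank.co is allowlisted, acmebank.net scores below the threshold as a stale parked host, and the hundreds of unregistered permutations never reach a human.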

What to do about a typosquat

When a typosquat is confirmed and active:

  1. Capture evidence — screenshots, DNS, certificate records, timestamps — while the page is live.
  2. Report it to the registrar and hosting provider, leading with phishing or malware if present (the fastest abuse levers), and submit the URL to Google Safe Browsing to protect users immediately.
  3. Escalate to a UDRP filing when you need the domain transferred and you hold a trademark.
  4. Pre-register the highest-risk typos of your primary domain as cheap insurance — a supplement to monitoring, never a replacement.

Catch typosquats before your customers do

Brandfence generates the typo permutations of your domain, enriches them with DNS, mail, and certificate signals, suppresses the benign majority, and routes confirmed impersonations to evidence-backed, human-reviewed takedown. Get a free brand exposure report.

Frequently asked questions

What is typosquatting?
Typosquatting, also called URL hijacking, registers domains that are common misspellings of a real one — like gogle.com for google.com — to capture mistyped traffic and run phishing, malware, or ad fraud against people who think they reached the real site.
Is typosquatting illegal?
It can be. Registering a misspelling of a trademark in bad faith is actionable under the US Anticybersquatting Consumer Protection Act and through ICANN's UDRP process, but enforcement requires you to act — squatted domains are not removed automatically.
How is typosquatting different from combosquatting?
Typosquatting misspells your brand (amazn.com); combosquatting keeps the brand spelled correctly and adds a word (amazon-billing.com). Combosquatting is more common and evades typo-based detection.
How do I find typosquats of my domain?
Generate the typo permutations of your domain, then check which actually resolve, have mail records, or hold TLS certificates. Tools like dnstwist do the permutation; the hard part is suppressing benign matches and confirming real impersonation.

Free exposure report

See what's impersonating your brand

Send us a domain. We run a passive sweep — permutations, certificate logs, DNS — and send back what we find, free. No signup, no sales call to start.

Get a free exposure report