What is typosquatting?
Typosquatting (also called URL hijacking or domain impersonation) is the practice of registering domain names that closely resemble a legitimate domain, betting on users mistyping the address or failing to notice subtle differences.
This is often used for targeted phishing campaigns against companies.
For yourdomain.com, attackers might register:
| Typosquat type | Example |
|---|---|
| Character substitution | y0urdomain.com (zero instead of O) |
| Character omission | youdomain.com |
| Character transposition | oyurdomain.com |
| Character addition | yourrdomain.com |
| Homoglyph (lookalike character) | yourḋomain.com (Unicode d) |
| Different TLD | yourdomain.net, yourdomain.co |
| Hyphen insertion | your-domain.com |
| Hyphen omission | yoursdomain.com (missing hyphen) |
| Combosquatting | yourdomain-login.com, yourdomain-support.com |
ExposureIndex monitors for registered domains matching these patterns and checks whether they are actively configured for email sending (have MX records) or hosting content — indicators that the domain is being weaponised.
How attackers use lookalike domains
- Phishing employees — Emails appearing to come from hr@y0urdomain.com asking staff to log in to a fake portal.
- Phishing customers — Emails appearing to come from support@yourdomain-help.com targeting your users.
- Business Email Compromise (BEC) — Impersonating your CEO or finance team to redirect payments.
- Credential harvesting — Hosting a convincing clone of your login page.
- Malware delivery — Hosting downloads that appear to be your software.
A lookalike domain with a valid SSL certificate is indistinguishable from your real domain to an untrained eye.
What to do
Defensive registrations
Register the most obvious typosquats before attackers do. Priority candidates:
- Common one-character typos of your domain name
- Your domain under .net, .org, .co, and country-code TLDs relevant to your market
- Hyphenated variants (your-domain.com) if your domain has no hyphen
- Combosquats for your most common workflows: yourdomain-login.com, yourdomain-support.com, yourdomain-secure.com
Point these registrations at your real domain (redirect) or to a parked page. This is relatively inexpensive — domain registration is cheap compared to the cost of a successful phishing campaign.
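The table above and the priority list for defensive registrations describe the same permutation patterns. The following added example (not ExposureIndex's code; the substitution map, extra TLDs and combosquat words are constructed assumptions for illustration) generates the candidate list for a domain so a defender can decide which ones to register and can match a monitoring feed of newly registered domains against it:

```python
# Added example: enumerate typosquat candidates of an owned domain for
# defensive registration and for matching against registration feeds.
# SUBSTITUTIONS, EXTRA_TLDS and COMBO_WORDS are constructed assumptions.
SUBSTITUTIONS = {"o": "0", "l": "1", "i": "1", "e": "3", "a": "4", "s": "5"}
EXTRA_TLDS = ["net", "org", "co"]
COMBO_WORDS = ["login", "support", "secure"]


def split_domain(domain):
    """Split 'yourdomain.com' into ('yourdomain', 'com')."""
    label, _, tld = domain.rpartition(".")
    return label, tld


def typosquat_candidates(domain):
    """Return {candidate_domain: pattern_name} for the patterns in the table."""
    domain = domain.lower()
    label, tld = split_domain(domain)
    out = {}

    def add(kind, name):
        # The first pattern that produces a name is the one recorded.
        if name != domain:
            out.setdefault(name, kind)

    # Character substitution: y0urdomain.com
    for i, ch in enumerate(label):
        if ch in SUBSTITUTIONS:
            add("substitution", f"{label[:i]}{SUBSTITUTIONS[ch]}{label[i + 1:]}.{tld}")
    # Character omission: youdomain.com
    for i in range(len(label)):
        add("omission", f"{label[:i]}{label[i + 1:]}.{tld}")
    # Character transposition: oyurdomain.com
    for i in range(len(label) - 1):
        if label[i] != label[i + 1]:
            swapped = label[:i] + label[i + 1] + label[i] + label[i + 2:]
            add("transposition", f"{swapped}.{tld}")
    # Character addition (doubled letter): yourrdomain.com
    for i, ch in enumerate(label):
        add("addition", f"{label[:i]}{ch}{label[i:]}.{tld}")
    # Hyphen insertion: your-domain.com
    for i in range(1, len(label)):
        add("hyphen-insertion", f"{label[:i]}-{label[i:]}.{tld}")
    # Different TLD: yourdomain.net
    for t in EXTRA_TLDS:
        if t != tld:
            add("tld", f"{label}.{t}")
    # Combosquatting: yourdomain-login.com
    for word in COMBO_WORDS:
        add("combosquat", f"{label}-{word}.{tld}")
    return out


def match_registrations(registered, candidates):
    """Pick out newly registered domains (e.g. from a zone-file or
    registration feed) that match a known typosquat pattern."""
    return {d.lower(): candidates[d.lower()] for d in registered if d.lower() in candidates}


if __name__ == "__main__":
    cands = typosquat_candidates("yourdomain.com")
    print(f"{len(cands)} candidates for yourdomain.com")
    # Constructed sample feed of registrations seen today.
    feed = ["yourdomain-login.com", "y0urdomain.com", "example.org"]
    for name, kind in match_registrations(feed, cands).items():
        print(f"  {name:30} {kind}")
```

The full candidate set is larger than anyone would register; the practical use is to register the handful at the top of the priority list and feed the rest into monitoring, which is what the MX-record check described above then filters down to the ones being prepared for use.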
Configure DMARC at p=reject
If your own domain has DMARC at p=reject, it stops attackers from spoofing your exact domain. It does nothing for lookalike domains (they are different registrations), but it narrows the attack surface to domains that require more effort to register.
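Whether a DMARC record actually enforces anything depends on more than the presence of a record: the policy must be reject, the percentage must not be reduced, and any subdomain policy must not be weaker. The following added example (not ExposureIndex's code; the sample records are constructed) parses a DMARC TXT record and classifies its enforcement level, which is the check to run against your own domain:

```python
# Added example: parse a DMARC TXT record (tag=value pairs separated by
# semicolons, per RFC 7489) and classify how strongly it enforces.
# The sample records at the bottom are constructed for illustration.


def parse_dmarc(txt):
    """Return the record's tags as a dict with lower-cased tag names."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    return tags


def dmarc_enforcement(txt):
    """Classify a record as 'invalid', 'monitor-only', 'partial' or 'enforcing'.

    'enforcing' means p=reject applied to 100% of mail and, if a subdomain
    policy is given, it is reject too. 'partial' covers quarantine, a
    reduced pct, or a weaker subdomain policy than the main policy."""
    tags = parse_dmarc(txt)
    if tags.get("v", "").upper() != "DMARC1":
        return "invalid"
    policy = tags.get("p", "none").lower()
    subdomain_policy = tags.get("sp", policy).lower()
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100
    if policy == "none":
        return "monitor-only"
    if policy == "reject" and subdomain_policy == "reject" and pct == 100:
        return "enforcing"
    return "partial"


if __name__ == "__main__":
    samples = [
        "v=DMARC1; p=none; rua=mailto:dmarc@yourdomain.com",
        "v=DMARC1; p=quarantine; pct=100",
        "v=DMARC1; p=reject; pct=50",
        "v=DMARC1; p=reject; sp=none",
        "v=DMARC1; p=reject; rua=mailto:dmarc@yourdomain.com",
    ]
    for record in samples:
        print(f"{dmarc_enforcement(record):13} {record}")
```

To check a live domain, fetch the TXT record at _dmarc.yourdomain.com with your resolver of choice and pass the string to dmarc_enforcement; anything other than "enforcing" leaves your exact domain spoofable to some degree.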
Monitor and report active threats
When ExposureIndex flags a lookalike domain that is actively sending email (has MX records) or hosting a phishing page:
- Collect evidence — Screenshot the site, record the IP, save email headers if available.
- Report to the hosting provider / registrar — Use the abuse contact in the domain's WHOIS record (whois yourdomain-fake.com). Most registrars and hosting providers will suspend clearly abusive domains within 24–72 hours.
- Report to Google Safe Browsing — safebrowsing.google.com/safebrowsing/report_phish — this gets the site flagged in Chrome, Firefox, and Safari.
- Report to your national CERT — Many countries have national CERTs with authority to act on phishing takedowns.
- Warn your customers — If a lookalike domain is actively targeting your users, a notification via your legitimate channels reduces victim count.
Train employees to verify sender domains
Employees should be trained to look at the full sender domain — not just the display name — before trusting an email. The "From" display name can say anything; the actual address is what matters.
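The same rule can be applied by a mail filter or a triage script: take the real address out of the From header, ignore the display name, and compare the domain against the domains you own. The following added example (not ExposureIndex's code; the owned-domain set and sample headers are constructed) does that, folds homoglyph characters such as the "ḋ" from the table back to ASCII, and treats a domain whose label is within one edit of yours, or that embeds your name as a combosquat, as a lookalike:

```python
# Added example: classify the sender domain of a From header against the
# domains you own. OWNED_DOMAINS and the sample headers are constructed.
import unicodedata
from email.utils import parseaddr

OWNED_DOMAINS = {"yourdomain.com"}


def sender_domain(from_header):
    """Return the domain of the actual address; the display name is ignored."""
    _display_name, addr = parseaddr(from_header)
    if "@" not in addr:
        return ""
    return addr.rsplit("@", 1)[1].lower()


def fold_homoglyphs(text):
    """Decompose accented lookalikes (e.g. 'ḋ' -> 'd' + combining dot)
    and drop the combining marks, leaving the base ASCII letters."""
    decomposed = unicodedata.normalize("NFKD", text)
    return "".join(c for c in decomposed if not unicodedata.combining(c))


def osa_distance(a, b):
    """Optimal string alignment distance: substitutions, insertions,
    deletions and adjacent transpositions each cost 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def classify_sender(from_header, owned=OWNED_DOMAINS):
    """Return 'owned', 'homoglyph-lookalike', 'lookalike', 'external' or
    'unparseable' for the real sender domain of a From header."""
    domain = sender_domain(from_header)
    if not domain:
        return "unparseable"
    if domain in owned:
        return "owned"
    folded = fold_homoglyphs(domain)
    if folded != domain and folded in owned:
        return "homoglyph-lookalike"
    label = folded.rsplit(".", 1)[0]
    for own in owned:
        own_label = own.rsplit(".", 1)[0]
        # One edit away (typo patterns), same label on another TLD,
        # or your name embedded in a longer label (combosquat).
        if osa_distance(label, own_label) <= 1 or own_label in label:
            return "lookalike"
    return "external"


if __name__ == "__main__":
    samples = [
        "HR <hr@yourdomain.com>",
        "HR <hr@y0urdomain.com>",
        "HR <hr@yourḋomain.com>",
        "Support <support@yourdomain-help.com>",
        "Alice <alice@example.org>",
    ]
    for header in samples:
        print(f"{classify_sender(header):20} {header}")
```

The display name is deliberately never consulted; a header such as "Your CEO <ceo@yourdomain-secure.com>" is classified by its address alone, which is exactly the habit the training above asks employees to adopt.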
Last updated: March 28, 2026