What is Typosquatting? How Attackers Use Fake Domains, and How to Stop Them
Typosquatting is the registration of domains that closely resemble legitimate websites, designed to catch people who mistype a URL or click a convincing link. Here is how it works and what you can do about it.

In 2023, researchers identified over 700 typosquat domains targeting the top 20 cryptocurrency exchanges, registered in the weeks following a major market event when search traffic for those exchanges spiked. Most of the fake domains were running active phishing pages, harvesting login credentials from users who mistyped a URL by a single character.
This is typosquatting at scale. But the threat is not limited to high-profile targets or dramatic market events. Any organisation with brand recognition, customer-facing web presence, or valuable login credentials is a potential target. And unlike most security threats, typosquatting attacks your customers directly. The reputational damage lands on you, even though you are the victim.
What is Typosquatting?
Typosquatting, also called URL hijacking or domain impersonation, is the practice of registering internet domains that closely resemble the domain of a legitimate organisation. The registrant's goal is to intercept traffic from users who make typographical errors, click misleading links, or are deceived by the visual similarity of the fake domain.
Domain registration is cheap (often less than $10/year), the process is instantaneous, and the damage a single convincing fake domain can cause is substantial. Typosquatting requires no technical sophistication: just a credit card, a domain registrar, and a basic phishing page template.
Common Typosquatting Techniques
Attackers use a range of techniques to create domains that look plausibly legitimate:
Character Substitution
Replacing one character with a visually similar one: `rn` instead of `m` (acme.com becomes acrne.com), `0` (zero) instead of `o`, `1` (one) instead of `l`. These substitutions are often invisible at a glance in a browser address bar, particularly on mobile devices.
Adjacent Key Errors
Substituting characters that are adjacent on a keyboard, or dropping or swapping letters (gogle.com, amazno.com), to catch common typing errors. These domains see genuine organic traffic from users who simply mistype.
Homograph Attacks
Using characters from other alphabets that are visually indistinguishable from Latin characters. The Cyrillic `a` looks identical to the Latin `a` in most fonts. An attacker can register apple.com (Cyrillic a), a domain that renders identically to apple.com in a browser but resolves to an entirely different server.
TLD Variation
Registering the same name under a different top-level domain: company.net, company.org, company.co, company.io. When users type a domain from memory, TLD errors are common. Some TLD variations have also been used for country-specific phishing campaigns.
Added Words
Adding common words before or after the legitimate domain: support-acme.com, acme-login.com, secure-acme.com, acme-helpdesk.com. These are frequently used for credential phishing. The "support" or "login" framing gives users a plausible reason to enter their credentials.
Subdomain Abuse
Registering a domain like acme.maliciousdomain.com, where the subdomain is the target's legitimate brand name. When displayed in a browser or shortened URL, the brand name appears prominent and legitimate.
How Attackers Use Typosquat Domains
Registering a fake domain is just the first step. What attackers do with it varies significantly:
Credential Phishing
The most common use. A phishing page replicates your login portal. Users who land on the page (via a mistyped URL, a phishing email, or a social media link) enter their credentials into a form that captures them for the attacker. These credentials may then be used immediately to access corporate accounts, or sold to other threat actors.
Malware Distribution
Fake domains are used to serve drive-by downloads. Visitors who land on the page have malware silently installed on their device. These domains are often distributed through email links that mimic software update notifications or document download requests.
Financial Fraud
In Business Email Compromise (BEC) attacks, attackers register domains similar to a supplier or customer's domain and use them to send convincing invoices or payment redirection requests. The email arrives from an address at the lookalike domain rather than from the legitimate one, a difference most recipients do not catch.
Customer Interception
Some typosquat domains are not used for active attacks. They simply serve competitor ads or redirect to competitor sites, intercepting customers who mistype your URL and delivering them to a rival. This is brand damage without a security incident.
SEO Poisoning
Fake domains optimised for search terms related to your brand can appear in search results, intercepting customers searching for your organisation before they reach your legitimate site.
Why Detection is Difficult Without Automation
The challenge with typosquatting is the sheer volume of possible variations. For a domain like "scrutex.ai", there are thousands of plausible typosquat variations across character substitutions, adjacent keys, TLD variations, and added words. Manually monitoring for all of these (checking domain registration records, WHOIS data, and web content across thousands of variations) is not operationally viable.
The problem is compounded by the speed of registration. New typosquat domains are typically registered within hours or days of a brand announcement, product launch, or news event that increases search traffic. The attacker's goal is to be live before your team is aware the threat exists.
The detection window that matters: The average time between a typosquat domain going live and a company's security team becoming aware of it (through customer complaints, manual checks, or security research) is measured in weeks to months. In that time, the domain may have processed thousands of credential captures or malware installations.
How Typosquat Detection Works
Automated typosquat detection works by continuously monitoring domain registration data, specifically new domain registrations, and comparing them against a generated list of plausible variations for your protected brand.
Domain Generation
The first step is generating the full universe of plausible typosquat domains for your brand. A good detection system generates thousands of variations: character substitutions, adjacent key errors, TLD variations, additions, homographs, and subdomain combinations.
Registration Monitoring
New domain registrations are published in real time in datasets called zone files (for most TLDs) and WHOIS feeds. Automated monitoring compares new registrations against the generated variation list and flags any matches.
Content Analysis
Not all matching domain registrations are malicious. Some are defensive registrations by the legitimate brand, and some are simply coincidental. Content analysis visits the flagged domain, assesses whether it is serving content that impersonates your brand, and classifies the risk level.
Alert and Triage
Confirmed or suspected typosquat domains are surfaced to the security team with context: when registered, where hosted, what content is being served, and a recommended action (monitor, escalate, or takedown).
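The generation and registration-matching steps above, as an added Python example (not code from the original article or from any vendor's product). The brand acme.com, the partial keyboard map, the word list and the feed are constructed assumptions; feed entries are normalised before comparison because internationalised names arrive as xn-- punycode.

```python
# Added example. Brand, keyboard map, word list and feed are constructed for illustration.
ADJACENT = {"a": "qsz", "c": "xvd", "m": "nk", "e": "wrd"}  # partial QWERTY neighbours
LOOKALIKE = {"m": ["rn"], "o": ["0"], "l": ["1"], "a": ["\u0430"]}  # \u0430: Cyrillic a
TLDS = ["com", "net", "org", "co", "io"]
WORDS = ["support", "login", "secure", "helpdesk"]


def variants(domain):
    """Map each generated lookalike of `domain` to the technique that produced it."""
    name, tld = domain.rsplit(".", 1)
    out = {}
    for i, ch in enumerate(name):
        out.setdefault(f"{name[:i]}{name[i + 1:]}.{tld}", "omission")
        if i + 1 < len(name):
            out.setdefault(f"{name[:i]}{name[i + 1]}{ch}{name[i + 2:]}.{tld}", "transposition")
        for key in ADJACENT.get(ch, ""):
            out.setdefault(f"{name[:i]}{key}{name[i + 1:]}.{tld}", "adjacent-key")
        for sub in LOOKALIKE.get(ch, []):
            out.setdefault(f"{name[:i]}{sub}{name[i + 1:]}.{tld}", "lookalike")
    for t in TLDS:
        out.setdefault(f"{name}.{t}", "tld-variation")
    for w in WORDS:
        out.setdefault(f"{w}-{name}.{tld}", "added-word")
        out.setdefault(f"{name}-{w}.{tld}", "added-word")
    out.pop(domain, None)  # the protected domain itself is never a finding
    return out


def normalise(entry):
    """Lower-case a feed entry, drop the trailing dot, decode xn-- labels to Unicode."""
    entry = entry.strip().rstrip(".").lower()
    try:
        return entry.encode("ascii").decode("idna")
    except UnicodeError:
        return entry  # already Unicode, or not valid IDNA: compare as-is


def flag_registrations(brand, feed):
    """Return (feed entry, technique) for every entry that matches a variant."""
    table = variants(brand)
    return [(e, table[normalise(e)]) for e in feed if normalise(e) in table]


# Constructed feed; the IDN entry is built at run time so it appears as xn-- punycode.
FEED = ["acrne.com", "acme-login.com", "ACME.NET.", "example.org", "acme.com",
        "\u0430cme.com".encode("idna").decode("ascii")]

if __name__ == "__main__":
    for entry, technique in flag_registrations("acme.com", FEED):
        print(f"{technique:14} {entry}")
```

A match here is only a candidate: the defensive registrations and coincidental names mentioned under Content Analysis will also appear in the output and still need to be classified.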
How to Take Down a Typosquat Domain
Once a typosquat domain is identified, removal options depend on the type of infringement and the urgency of the threat:
Registrar Abuse Reporting
All domain registrars have abuse reporting mechanisms. Submitting a report with evidence of trademark infringement or phishing activity is the first step. Response times vary from hours to weeks depending on the registrar and the strength of the evidence.
Hosting Provider Abuse Reporting
If the registrar is unresponsive, the hosting provider for the phishing page is an alternative escalation route. Many hosting providers take down phishing content quickly when presented with clear evidence.
ICANN Uniform Domain-Name Dispute-Resolution Policy (UDRP)
For trademark-infringing domains where registrar abuse reports fail, the UDRP provides a formal dispute resolution mechanism. It is slower and more expensive than abuse reporting but can result in domain transfer to the legitimate trademark holder.
National Cyber Security Authorities
Many countries' national cybersecurity agencies (NCSC in the UK, CISA in the US) operate takedown services for phishing domains targeting citizens or critical infrastructure. These are particularly effective for domains actively serving malware or credential phishing pages.
Brand Protection Platforms
Automated brand protection platforms (like CyberInsights Brand Insights) manage takedown requests on behalf of customers, reducing the time from detection to removal from days or weeks to hours.
Defensive Domain Registration
A complementary strategy to monitoring and takedown is defensive registration: proactively registering the most plausible typosquat variations of your domain before attackers do. Key variations to consider:
- Common TLD variations (.net, .org, .co, .io, country-specific TLDs relevant to your markets)
- The most obvious adjacent-key-error variants of your domain name
- Hyphenated versions and common word additions (support-yourdomain.com, login-yourdomain.com)
- Plural and singular variations if applicable
Defensive registration is not a complete solution (the universe of possible variations is too large to register comprehensively) but it is a cost-effective supplement to continuous monitoring. At under $10 per domain per year, registering 20-30 key variations is a low-cost control with meaningful impact.
The Bottom Line
Typosquatting is a threat that scales with your brand's reputation. The more traffic and trust your domain commands, the higher the return on a convincing fake. For organisations with customer-facing web presence, e-commerce, or any kind of authenticated user portal, the question is not whether typosquat domains will be registered against you. It is whether you will know about them before your customers become victims.
The good news is that detection and response are both well-understood problems with effective automated solutions. The window between registration and exploitation, typically 24 to 72 hours for active phishing campaigns, is long enough to detect and act if monitoring is continuous. The organisations that suffer the most damage from typosquatting are those that find out from a customer complaint rather than from their own monitoring.
Frequently Asked Questions
What is typosquatting and how do you prevent it?
Typosquatting is the registration of domains that closely resemble a legitimate organisation's domain, designed to intercept users who mistype a URL or click a deceptive link. Prevention requires a combination of defensive domain registration (securing the most obvious variations of your domain) and continuous automated monitoring that detects new typosquat registrations within hours. No single measure eliminates the risk entirely, but automated detection combined with rapid takedown processes reduces the window attackers have to exploit fake domains.
How do attackers use typosquat domains?
The most common use is credential phishing: replicating your login portal to harvest usernames and passwords from users who land on the fake page. Attackers also use typosquat domains for malware distribution, Business Email Compromise (sending fraudulent invoices from domains resembling your suppliers), customer interception (redirecting traffic to competitors), and SEO poisoning to capture search traffic intended for your brand.
Can typosquatting affect mobile users?
Yes, and mobile users are disproportionately vulnerable. Browser address bars on mobile devices display fewer characters, making character substitutions like "rn" for "m" or "0" for "o" nearly impossible to spot. Mobile users also encounter typosquat links through SMS phishing (smishing), messaging apps, and QR codes where the full URL is not visible before clicking.
How does automated domain monitoring detect typosquatting?
Automated monitoring generates thousands of plausible typosquat variations of your protected domain (character substitutions, adjacent key errors, TLD variations, homograph attacks, added words). It then continuously compares new domain registrations from zone files and WHOIS feeds against this variation list. When a match is found, content analysis determines whether the domain is serving impersonation content, and confirmed threats are escalated to the security team with hosting details and recommended takedown actions.