Typosquatting is when attackers register domains that look almost identical to yours (think paypa1.com or amaz0n.com) to trick people into trusting fake sites. It is one of the cheapest, most reliable phishing techniques there is, and it works because reading is automatic for most people.
What it is
Typosquatting is the deliberate registration of domain names that look almost identical to a legitimate one. The classic examples are familiar to anyone who has worked in security:
- goog1e.com instead of google.com (the lowercase l replaced with the digit 1)
- paypa1.com instead of paypal.com
- amaz0n.com instead of amazon.com
- microsft.com instead of microsoft.com (a missing letter)
- bankofamerca.com instead of bankofamerica.com
The variations come from a small number of patterns:
- Character swaps that look the same in most fonts (l vs 1, O vs 0, rn vs m)
- Missing letters (microsft, amzon)
- Doubled letters (gooogle, twitterr)
- Adjacent keys (google becomes goofle or giogle when a finger slips onto a neighbouring key)
- Wrong TLD (yourcompany.co instead of yourcompany.com)
- Hyphenation (your-company.com when the real domain has no hyphen)
- Subdomain confusion (paypal.com.login-secure.net, where the actual domain is login-secure.net)
There is also a separate technique called homograph attacks, which uses non-Latin characters that look identical to Latin ones. We cover those in their own article.
Why it matters
Typosquatting works because reading is automatic. Your eyes do not check every letter of every word. They guess based on shape and context, and most of the time they guess right. That guess fails on a typosquat, but only if you actively look for it.
The business impact is real:
- Credential phishing. A fake login page on paypa1.com collects passwords from anyone who types the URL slightly wrong, clicks a malicious link, or trusts an autocomplete suggestion that points to the wrong place.
- Payment fraud. Invoices arriving from acccme-supplier.com instead of acme-supplier.com redirect payments to attacker-controlled bank accounts. This is a major component of business email compromise (BEC) fraud.
- Malware distribution. Software download pages on lookalike domains push trojanised installers.
- Brand damage. Customers who get phished via a lookalike often blame the real brand, even though the real brand had nothing to do with it.
- SEO theft. Some typosquats just run cheap ads or affiliate links and live off your typo traffic.
There is no shortage of public examples. The FBI's IC3 annual reports put BEC losses in the billions of dollars per year, and lookalike domains are a recurring component of those cases. Large technology brands and financial institutions are perennial targets because their names are typed, and mistyped, millions of times a day.
How attackers do it
Setting up a typosquat is cheap and fast. The workflow looks something like this:
- Pick a target. Often the attacker is going after a single brand (a bank, a popular SaaS company, an enterprise vendor). Sometimes they buy a portfolio of typosquats across many brands and pick the most valuable target later.
- Generate variants. There are open source tools (dnstwist is the most well known) that generate hundreds of variations from a single domain in seconds.
- Filter for available domains. Most variants are already registered. The attacker keeps the ones that are not.
- Register cheaply. A .com registration costs around ten dollars per year. Some attackers use stolen credit cards or cryptocurrency to register through registrars that ask few questions.
- Set up infrastructure. Either point the domain at a clone of the legitimate site, set up a redirect to a phishing kit, or simply park it for later use.
- Distribute. Push the link through email, SMS, malicious ads, or social media. If the typosquat is a common typo, traffic will arrive on its own with no distribution effort at all.
The economics are attacker-friendly. A single successful credential theft, BEC redirect, or malware install pays for thousands of typosquat registrations.
How to detect typosquats
You cannot register every possible variation of your domain. Even for a short brand name, the number of plausible typosquats runs into the hundreds. So detection has to be ongoing, not a one-off exercise.
Here is what good detection looks like:
- Generate the variant list. Use a tool like dnstwist, urlcrazy, or an equivalent service to generate the full set of plausible typosquats. Include character swaps, deletions, additions, adjacent-key errors, and wrong TLDs.
- Monitor newly registered domains. Typosquats show up in newly-registered-domain feeds (registry zone file diffs and commercial NRD feeds) within hours of registration, usually before they host anything. WHOIS is a lookup rather than a feed, and much of its contact data is now redacted, so it is a confirmation step, not a discovery step. Daily monitoring catches new registrations early.
- Check certificate transparency logs. When a typosquat operator gets a TLS certificate (which they almost always do, because browsers flag plain-HTTP pages as "Not secure"), the certificate is publicly logged. CAs log a precertificate before issuance, so a CT hit can arrive before the phishing page is even live. Services like crt.sh make the logs searchable shortly after issuance.
- Score for risk. Not every variant is dangerous. A registered variant pointing nowhere matters less than one with active TLS, a clone of your homepage, and a login form. Risk scoring focuses your team on the ones that need a takedown today.
- Check for active hosting. Is the domain serving content? Is that content a clone of your site? Is there a credential form? Each of these raises the priority.
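The last two steps are where most of the judgement lives, so here is an added example of a scorer (not ScruteX or dnstwist code) for a hypothetical brand acmebank.com. The CT hits, DNS answers and fetched HTML are constructed inline rather than pulled from crt.sh, a resolver and an HTTP client; the weights and the 50% clone threshold are assumptions to tune against your own incident history.

```python
"""Risk-score typosquat candidates so takedown effort goes to the dangerous ones first.

Added example. Observations are constructed; in a real pipeline they come from
a CT log search, DNS lookups and an HTTP fetch of each candidate's homepage.
"""
from dataclasses import dataclass
from html.parser import HTMLParser

# Constructed stand-in for the legitimate homepage we compare candidates against.
LEGIT_HOME = ("<html><head><title>Acme Bank - Online Banking</title></head><body>"
              "<h1>Welcome to Acme Bank</h1>"
              "<p>Secure online banking for personal and business customers.</p></body></html>")


class PageFeatures(HTMLParser):
    """Collect visible words and note whether the page carries a password field."""

    def __init__(self):
        super().__init__()
        self.words = set()
        self.has_password_field = False

    def handle_starttag(self, tag, attrs):
        if tag == "input" and dict(attrs).get("type", "").lower() == "password":
            self.has_password_field = True

    def handle_data(self, data):
        self.words.update(w.lower() for w in data.split() if w.isalpha())


def features(html):
    p = PageFeatures()
    p.feed(html)
    return p


def similarity(html_a, html_b):
    """Jaccard overlap of visible words: crude, but enough to flag a straight clone."""
    a, b = features(html_a).words, features(html_b).words
    return len(a & b) / len(a | b) if (a | b) else 0.0


@dataclass
class Observation:
    domain: str
    resolves: bool      # has A/AAAA records
    has_cert: bool      # seen in certificate transparency
    mx_records: bool    # can send and receive mail (BEC staging)
    html: str = ""      # fetched homepage, empty if nothing is served
    age_days: int = 0   # days since registration


def score(obs, legit_html=LEGIT_HOME):
    """Return (points, reasons). Higher points means take it down sooner."""
    pts, why = 0, []
    if not obs.resolves:
        return 0, ["no DNS, parked"]
    pts += 1
    why.append("resolves")
    if obs.has_cert:
        pts += 2
        why.append("TLS cert in CT")
    if obs.mx_records:
        pts += 2
        why.append("MX configured")
    if obs.html:
        pts += 1
        why.append("serving content")
        sim = similarity(obs.html, legit_html)
        if sim >= 0.5:  # assumed clone threshold
            pts += 4
            why.append(f"homepage clone ({sim:.0%} word overlap)")
        if features(obs.html).has_password_field:
            pts += 4
            why.append("credential form")
    if obs.age_days <= 7:
        pts += 1
        why.append("registered this week")
    return pts, why


def triage(observations):
    """Rank candidates by score, highest first, with the reasons attached."""
    ranked = sorted(observations, key=lambda o: score(o)[0], reverse=True)
    return [(o.domain, *score(o)) for o in ranked]


# Constructed observations against the hypothetical brand; none of these are real findings.
SAMPLE = [
    Observation("acmebank.com.login-secure.net", True, True, False,
                LEGIT_HOME.replace("</body>",
                                   '<form><input name="u"><input type="password" name="p"></form></body>'),
                age_days=2),
    Observation("acrnebank.com", True, True, True, "", age_days=30),       # mail-only: BEC staging
    Observation("acmebnak.com", False, False, False, "", age_days=400),    # parked
    Observation("acmebank.co", True, False, False,
                "<html><body>Buy this domain</body></html>", age_days=900),  # parking page
]

if __name__ == "__main__":
    for domain, pts, why in triage(SAMPLE):
        print(f"{pts:2d}  {domain:32s} {', '.join(why)}")
```

The mail-only domain scores well above the parked one even though it serves no web content: a lookalike with MX records and nothing else is exactly what a BEC operator stages before sending a fake invoice, so "does it host a clone?" is not the only question worth asking.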
How to remediate
When you find a malicious typosquat, the goal is to remove it before it can be used at scale. There are a few paths:
- Registrar abuse complaint. Most registrars have an abuse process for clearly malicious domains. Submit evidence (screenshots of cloned content, phishing forms, malware) and request takedown.
- Hosting provider abuse complaint. If the registrar is slow, the hosting provider often acts faster. Cloudflare, AWS, Google, and others all have well-defined abuse processes.
- TLS certificate revocation. Reporting the certificate to the issuing CA can get it revoked. Treat this as a supplementary step: browsers check revocation inconsistently (OCSP is often soft-fail, and Chrome and Firefox mainly honour their own centrally pushed revocation lists), and some CAs, Let's Encrypt publicly among them, do not treat site content as grounds for revocation. It still helps by putting the abuse on record and stripping the padlock for clients that do check.
- UDRP filing. For trademark infringement, the Uniform Domain-Name Dispute-Resolution Policy lets you file a formal complaint to have the domain transferred to you or cancelled. Slower (typically weeks to months) but permanent.
- Defensive registration. For the highest-risk variants, just register them yourself. Cheap insurance for popular typos that have not yet been taken.
- Browser blocklists. Submit malicious URLs to Google Safe Browsing, Microsoft SmartScreen, and PhishTank. This protects users even if the domain stays online.
Speed matters. A typosquat that lives for two hours can phish thousands of users. A typosquat that gets taken down within thirty minutes of being weaponised does much less damage.
Best practices
- Register the obvious variants up front. The dozen or so most likely typos and the most relevant alternative TLDs (.net, .org, plus relevant country codes). Cost is low. Friction at the moment of an incident is also low because you already own them.
- Set up a continuous monitoring pipeline. Manual checks miss things. Automation catches new registrations within hours.
- Document your takedown playbook. Who files the abuse complaint? What evidence package do they send? Where do you escalate? Having this written down before an incident saves hours.
- Monitor for executive impersonation too. Lookalike domains used in BEC attacks often impersonate a named executive or finance contact, so watch for your people's names in new registrations and in display names and local parts of inbound mail, not just variants of the corporate domain.
- Train staff on the threat. Most users have never thought about this. A short awareness piece showing real examples of typosquats used against your brand goes a long way.
A note on what is realistic
You will never own every variant. You will never catch every registration on day one. The goal is not zero typosquats. The goal is to find the dangerous ones (active phishing, cloned content, weaponised in campaigns) fast enough that they get taken down before they cause significant damage.
That is the difference between a brand protection programme that works and one that just generates reports.
ScruteX continuously monitors for typosquats targeting your brand and helps you take them down fast.