Brand Protection April 19, 2026 7 min read

How to Stop Typosquatting Domains Targeting Your Brand

There is no magic button that makes typosquats disappear. What exists is a repeatable workflow: detect early, evaluate fast, file abuse reports, and, when the domain matters, register it yourself. Here is how to run that loop in practice.

People searching for ways to stop typosquatting often expect a single button that makes the problem go away. That button does not exist. What exists is a repeatable loop: detect lookalikes early, evaluate which ones are dangerous, file abuse reports on the genuinely malicious ones, and, for the narrow set of domains that actually matter, register them yourself before an attacker does.

This post walks through each step in practical terms, with concrete thresholds and templates you can copy.

Step 1: Generate the variant set once, then monitor it forever

A typical brand has a few thousand lookalike domain variants. You never want to generate that list by hand. Domain-monitoring tooling produces it automatically from your base domain using permutation, homoglyph substitution, TLD swap, and keyboard-adjacency rules. The output is a static list that you then check against DNS daily to see which variants have been registered.
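As an added illustration of Step 1 (this is not PhishFence's code and not part of the original post), the following Python sketch builds the static variant list for a base domain of the form label.tld using the four rule families named above. The keyboard-adjacency table, homoglyph table, and TLD list are small constructed samples; production tooling uses fuller tables, including Unicode homoglyphs.

```python
# Added example: build the lookalike watchlist for one base domain.
# The three tables are partial, constructed samples (assumptions).
KEYBOARD_ADJACENT = {  # QWERTY neighbours
    "a": "qwsz", "e": "wrsd", "i": "uojk", "l": "kop", "m": "njk",
    "n": "bhjm", "o": "ipkl", "p": "ol", "r": "etdf", "s": "awedxz",
    "t": "ryfg", "x": "zsdc",
}
HOMOGLYPHS = {  # visually confusable ASCII substitutions
    "l": ["1", "i"], "i": ["1", "l"], "o": ["0"], "m": ["rn"], "w": ["vv"],
}
ALT_TLDS = ["com", "net", "org", "co", "io"]  # TLDs to swap in


def generate_variants(domain: str) -> dict[str, set[str]]:
    """Return {rule_name: {variant, ...}} for a 'label.tld' domain."""
    label, _, tld = domain.lower().partition(".")
    labels = {rule: set() for rule in
              ("omission", "repetition", "transposition", "keyboard", "homoglyph")}
    for i, ch in enumerate(label):
        head, tail = label[:i], label[i + 1:]
        labels["omission"].add(head + tail)            # dropped character
        labels["repetition"].add(head + ch + ch + tail)  # doubled character
        if tail:                                       # swap with next character
            labels["transposition"].add(head + tail[0] + ch + tail[1:])
        for sub in KEYBOARD_ADJACENT.get(ch, ""):      # fat-finger neighbour
            labels["keyboard"].add(head + sub + tail)
        for sub in HOMOGLYPHS.get(ch, []):             # lookalike glyph
            labels["homoglyph"].add(head + sub + tail)
    # Discard empty labels, the original label, and labels with edge hyphens,
    # which cannot be registered.
    result = {rule: {f"{v}.{tld}" for v in vs
                     if v and v != label and v[0] != "-" and v[-1] != "-"}
              for rule, vs in labels.items()}
    result["tld_swap"] = {f"{label}.{t}" for t in ALT_TLDS if t != tld}
    return result


def watchlist(domain: str) -> list[str]:
    """Flatten to the sorted, de-duplicated list that is checked daily."""
    return sorted(set().union(*generate_variants(domain).values()))


if __name__ == "__main__":
    for name in watchlist("example.com"):  # example.com is a placeholder brand
        print(name)
```

Keeping the rule name alongside each variant makes later triage easier, since an alert can say why a registered name is on the list.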

Registration alone does not mean danger. Many typosquats are parked by domain speculators who hope to resell the name. Others are registered defensively by legitimate unrelated businesses. You need signals beyond registration to prioritize, which leads to the next step.

Step 2: Prioritize by signals, not names

The question is not which domains look similar to yours. It is which ones are weaponized. A good prioritization model combines four signals:

  1. DNS resolves. The variant has an A record and points somewhere.
  2. MX configured. The variant can receive email, which means it can be used for reply-chain phishing.
  3. SSL certificate issued. Certificate Transparency logs show a cert has been issued, meaning an attacker is setting up HTTPS to impersonate you.
  4. Live HTTP with brand mentions. The site responds and references your brand, which strongly suggests impersonation intent.

A variant with all four signals is worth immediate action. A variant that only resolves in DNS is worth monitoring but rarely worth a report.

Step 3: File a registrar abuse report on the dangerous ones

Every domain registrar has an abuse contact email address, published in the RDAP record for the domain. When a lookalike is clearly impersonating your brand (live site, cloned login form, or active phishing campaign observed), the abuse report is the fastest takedown path. See our registrar abuse report guide for the template.

Registrars typically respond within 24 to 72 hours for clear-cut cases. Include a screenshot, the URL, your protected brand, and any evidence of customer-facing phishing. The report succeeds far more often when it is short, factual, and includes a working link to the malicious content.

Step 4: For the narrow set of must-own variants, register defensively

You do not need to buy every possible variant. That is expensive and unnecessary. The variants worth registering defensively share a few properties: they are easy to mistype, they share your TLD or a very common TLD, and they carry active business impact if used in a phishing campaign. For most brands, the list is fewer than a dozen.

Priority order: TLD variants of your exact domain, common typos a customer would plausibly make, and any variant that appears in your own support tickets or bounce logs as a misspelled inbound address.

What to avoid

Two common mistakes. First, filing WIPO or UDRP complaints as a default response. UDRP is a legal process that takes months and costs money; it is the right tool for a stubborn cybersquatter who refuses takedown requests, not the default first response. See our UDRP guide for when it is the correct move.

Second, trying to buy every lookalike. The math does not work: for a seven-character brand there are thousands of variants, and registering them all would cost tens of thousands of dollars per year. Monitor everything, own the few that genuinely matter, report the ones that are actively abused, and let the rest sit.

If you want the detection and abuse-reporting steps automated, that is exactly what PhishFence does. The free domain check gives you the first pass on your brand in under 30 seconds.
