Typosquatting: The Cheapest Attack That Still Works
Attackers register domains that look almost identical to yours, then use them to steal credentials from your customers. It takes less than a minute to set up, and most businesses never find out until the damage is done.
A customer types your domain name slightly wrong. Instead of google.com, they hit gooogle.com. Instead of amazon.com, they land on arnazon.com.
If an attacker has registered that misspelled domain, your customer lands on a convincing replica of your site. They enter their credentials. They never realize anything went wrong. You never get a support ticket. The attacker walks away with a username and password.
This is typosquatting. It has been around for decades, and it still works.
The Techniques
Attackers use predictable patterns to generate hundreds of variations of a target domain. The most common:
Character substitution replaces visually similar characters. The number 1 looks like a lowercase l in many fonts. The Cyrillic letter a is indistinguishable from the Latin a in a URL bar, but they are entirely different Unicode code points. This is called a homoglyph attack, and browsers have gotten better at flagging them, but coverage is inconsistent.
Omission and insertion exploit the way people type. Dropping a single letter from a long domain (gogle.com) or adding one (amazone.com) creates variants that pass a quick visual check.
Adjacent key errors target common typos. The letters i and o are next to each other on a QWERTY keyboard. gmial.com instead of gmail.com is a real example that has been exploited.
TLD swaps register the same brand under a different top-level domain. If you own yourcompany.com, an attacker registers yourcompany.co or yourcompany.net. These are particularly dangerous because the brand name itself is identical.
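To make these patterns concrete from the defender's side, here is an added example (not from the original article) that classifies an observed domain against a protected one using the four patterns above, plus the hyphenated brand variant (yourcompany-secure.com) discussed further down. The homoglyph table is a small constructed subset, the category names are our own, and punycode labels are decoded so a Cyrillic-a lookalike compares equal to its Latin skeleton.

```python
import unicodedata

# Constructed homoglyph table (Cyrillic letters, digits, letter pairs -> Latin
# skeleton). Real tooling would use the full Unicode confusables list.
HOMOGLYPHS = {"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
              "\u0441": "c", "\u0445": "x", "1": "l", "0": "o", "rn": "m", "vv": "w"}

def to_unicode(domain: str) -> str:
    """Decode punycode (xn--) labels so homoglyphs can be compared."""
    return ".".join(l[4:].encode("ascii").decode("punycode") if l.startswith("xn--") else l
                    for l in domain.lower().split("."))

def skeleton(label: str) -> str:
    """Fold a label so visually confusable strings compare equal."""
    s = unicodedata.normalize("NFKC", label)
    for src, dst in HOMOGLYPHS.items():
        s = s.replace(src, dst)
    return s

def edit_distance(a: str, b: str) -> int:
    """Optimal string alignment: omission, insertion, substitution or adjacent swap cost 1."""
    d = [[i] + [0] * len(b) for i in range(len(a) + 1)]
    d[0] = list(range(len(b) + 1))
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition (gmial)
    return d[len(a)][len(b)]

def classify(observed: str, protected: str):
    """Return the lookalike pattern linking observed to protected, or None."""
    o_label, _, o_tld = to_unicode(observed).rpartition(".")
    p_label, _, p_tld = to_unicode(protected).rpartition(".")
    if (o_label, o_tld) == (p_label, p_tld):
        return None                             # the real domain itself
    if o_label == p_label:
        return "tld-swap"                       # yourcompany.co
    if skeleton(o_label) == skeleton(p_label):
        return "homoglyph"                      # arnazon, Cyrillic a
    if p_label in o_label.split("-"):
        return "hyphenated-brand"               # yourcompany-secure
    if edit_distance(skeleton(o_label), skeleton(p_label)) <= 1:
        return "typo"                           # gooogle, gogle, amazone, gmial
    return None
```

Feeding sender domains from mail logs or newly registered domain feeds through `classify` against each brand domain you own is the monitoring step described later in the article; anything that returns a category is a candidate for an abuse report.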
Why It Matters More Than You Think
The common assumption is that typosquatting only catches people who mistype URLs. That was true in 2005. Today, most typosquatting is used in phishing emails, where victims never type anything. They click a link.
The link text says yourcompany.com, but the actual URL points to yourcompany-secure.com. On a phone screen, the full URL is often hidden entirely. The victim sees a familiar login page, enters their credentials, and the attacker captures them.
Add a valid SSL certificate (free from Let's Encrypt, takes 30 seconds), a cloned login page (right-click, Save As), and MX records for receiving email replies, and the lookalike domain becomes nearly indistinguishable from the real thing.
The Numbers
For a typical 8-character domain, basic permutation techniques generate over 10,000 possible variants. Add homoglyph substitution, internationalized domain name (IDN) abuse, and TLD variations across the 1,500+ available extensions, and the attack surface grows to tens of thousands of possible lookalike domains.
Registering one costs less than $10 per year. Setting up a phishing page takes less than an hour. The return on investment for attackers is enormous.
Most businesses have never checked whether any of these variants are registered. Many discover the problem only after a customer reports credential theft or a partner asks why they received a suspicious invoice from what appeared to be a legitimate address.
Practical Steps
Monitor continuously. Running a one-time scan is better than nothing, but attackers register new domains constantly. Monitoring needs to be ongoing, not a quarterly exercise.
Register the obvious variants. The most common misspellings, the .co and .net versions of your domain, and any hyphenated variants should be under your control. It costs a few dollars per year per domain, and it eliminates the most obvious attack vectors.
Implement DMARC. Even if an attacker registers a lookalike domain, DMARC, SPF, and DKIM prevent them from sending emails that impersonate your actual domain. This does not stop them from sending email from the lookalike domain, but it protects against direct spoofing.
Respond quickly. When a malicious lookalike is found, file an abuse report with the registrar immediately. The longer a phishing site stays online, the more credentials it collects. Hours matter.
Protect your brand from lookalike domains
PhishFence monitors your domain for typosquats, homoglyphs, and phishing sites — and alerts you before your customers are targeted.