How to Find Lookalike Domains Impersonating Your Brand

Worried about fake versions of your brand? Here is how to find lookalike and typosquat domains yourself for free, using Certificate Transparency logs and crt.sh, and what to do next.

You can find lookalike domains impersonating your brand for free by listing the obvious variations and checking which are registered, by searching Certificate Transparency logs at crt.sh for your brand string, and by setting up Google Alerts. CT-log monitoring is the highest-signal method because every fake site needs a TLS certificate, and that certificate is logged publicly the moment it is issued.

What lookalike domains are

A lookalike domain is one registered to resemble yours closely enough to fool a person who is moving fast. They come in a few recognizable shapes:

  • Typosquats: a misspelling or a swapped, doubled, or dropped letter, the kind of slip a real person makes typing your name.
  • Homoglyphs: characters that look identical but are not, such as a Latin letter replaced by a Cyrillic one, or a lowercase L standing in for a capital I.
  • TLD swaps: your exact name on a different extension, like .net, .co, .io, or a country-code domain.
  • Added-word or cousin domains: your name with a plausible suffix, such as yourbrand-support or yourbrand-login.

The reason these matter is that an attacker who owns a lookalike does not need to spoof your real domain at all. Your DMARC policy protects your exact domain and never sees mail sent from a different one. So even a domain locked down at p=reject is wide open to a convincing cousin domain. Finding those domains is a separate discipline, and you can do a lot of it yourself.

How to find them yourself, for free

There are three free methods, and they stack. The middle one is the differentiator most people never try.

1. Search registration of the obvious variations

Write out the predictable permutations of your name, the misspellings, swapped letters, added words, and the same name on other TLDs, then run each through a registrar search or a WHOIS lookup to see which are registered and when. A name registered recently, hidden behind privacy protection, and parked or pointing at a copy of your site is a red flag worth investigating.

2. Watch Certificate Transparency logs via crt.sh

This is the highest-signal free method. Certificate Transparency is a public, append-only record of every TLS certificate issued, and a convincing phishing site needs a certificate to show the padlock that makes it look legitimate. So the certificate for a lookalike domain is logged publicly the moment it is issued, often before the fake site is even live. The free crt.sh service is the easiest way to query the logs. Search your brand string with a wildcard:

https://crt.sh/?q=%yourbrand%

The % is a wildcard, so this returns every certificate whose name contains your brand string, surfacing TLD swaps and added-word domains you might never have thought to guess. Scan the results for names you do not own. Because certificates are issued continuously, this is a source you want to re-check regularly, not just once.

3. Set up Google Alerts

Create Google Alerts on your brand name and key product terms. It is the weakest of the three signals because it only fires once a lookalike page is indexed, but it is free, takes a minute, and occasionally catches sites the other two methods miss.

As a checklist, the full DIY sequence is:

  1. List the obvious variations: misspellings, swapped or doubled letters, added words, and other TLDs.
  2. Search the registration of each variation with a registrar or WHOIS lookup.
  3. Search Certificate Transparency logs at crt.sh for %yourbrand% and re-check it regularly.
  4. Set up Google Alerts on your brand and product terms.
  5. Act on the malicious ones (next section).
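As an added example that is not part of the original article, the Python below generates the step-1 permutations for a hypothetical brand (acmebank, constructed) and triages a constructed sample shaped like the JSON rows crt.sh returns when output=json is appended to the step-2 query; the owned-domain list, homoglyph table, TLD list and suffix list are assumptions you would tailor. Because the %yourbrand% wildcard only matches names that contain the literal string, the typosquat and homoglyph permutations still need the step-1 registration check rather than the CT search.

```python
from typing import Dict, List, Set, Tuple

# Constructed inputs: a hypothetical brand and the domains it actually owns.
BRAND = "acmebank"
OWNED = {"acmebank.com", "acmebank.co.uk"}
HOMOGLYPHS = {"l": "1", "i": "l", "o": "0", "m": "rn", "w": "vv"}   # ASCII confusables (assumed table)
TLDS = ["com", "net", "co", "io"]                                   # assumed TLD-swap list
SUFFIXES = ["support", "login", "secure", "billing"]                # assumed added-word list

def permutations(brand: str = BRAND) -> Set[str]:
    """Step 1: the predictable lookalikes (typosquats, homoglyphs, added words, TLD swaps)."""
    names = set()
    for i, ch in enumerate(brand):
        names.add(brand[:i] + brand[i + 1:])                    # dropped letter
        names.add(brand[:i] + ch + brand[i:])                   # doubled letter
        if i + 1 < len(brand):                                  # adjacent letters swapped
            names.add(brand[:i] + brand[i + 1] + ch + brand[i + 2:])
        if ch in HOMOGLYPHS:                                    # look-alike character
            names.add(brand[:i] + HOMOGLYPHS[ch] + brand[i + 1:])
    for word in SUFFIXES:                                       # cousin / added-word domains
        names.update({f"{brand}-{word}", f"{brand}{word}", f"{word}-{brand}"})
    names.discard(brand)
    swaps = {f"{brand}.{tld}" for tld in TLDS}                  # exact name on other TLDs
    return ({f"{n}.{tld}" for n in names for tld in TLDS} | swaps) - OWNED

def is_owned(host: str, owned: Set[str] = OWNED) -> bool:
    """True if host is one of our domains or a subdomain of one (wildcard prefix stripped)."""
    host = host.lower().lstrip("*.")
    return any(host == o or host.endswith("." + o) for o in owned)

def triage_crtsh(rows: List[Dict], owned: Set[str] = OWNED) -> List[Tuple[str, str]]:
    """Step 2: from crt.sh JSON rows, list every certificate name we do not own, newest first."""
    newest: Dict[str, str] = {}
    for row in rows:
        for san in row["name_value"].splitlines():              # one cert may list several names
            host = san.lower().lstrip("*.")
            if not is_owned(host, owned):
                newest[host] = max(newest.get(host, ""), row["not_before"])
    return sorted(newest.items(), key=lambda kv: kv[1], reverse=True)

# Constructed sample shaped like the rows https://crt.sh/?q=%25acmebank%25&output=json returns.
CRTSH_SAMPLE = [
    {"not_before": "2024-03-01T10:00:00", "common_name": "acmebank.com",
     "name_value": "acmebank.com\nwww.acmebank.com"},
    {"not_before": "2024-05-20T22:15:00", "common_name": "*.acmebank.co.uk",
     "name_value": "*.acmebank.co.uk\nacmebank.co.uk"},
    {"not_before": "2024-05-12T08:30:00", "common_name": "acmebank-login.co",
     "name_value": "acmebank-login.co\nwww.acmebank-login.co"},
    {"not_before": "2024-06-02T01:05:00", "common_name": "secure-acmebank.net",
     "name_value": "secure-acmebank.net"},
]
```

Run permutations() through your registrar or WHOIS lookup, and re-run triage_crtsh() on fresh crt.sh output on a schedule, since a name that appears in its result but not in your permutation list is exactly the kind of added-word domain you would not have guessed.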

What to do when you find one

Speed matters, because malicious sites are often moved or taken down quickly, so capture the evidence the moment you find it: a screenshot of the site, the WHOIS record, and the DNS and hosting details. Then escalate on every front available:

  • Registrar abuse contact: every registrar publishes an abuse address. Report the domain with your evidence.
  • Hosting provider: the host (identified from the domain's DNS records and the IP address they resolve to) also has an abuse process and can pull the content fast.
  • Google Safe Browsing: report the phishing URL so Chrome, Firefox, and Safari warn visitors before they load it.
  • Trademark / takedown: for clear infringement, a UDRP complaint or a formal takedown can recover or kill the domain.

If you want the abuse-report wording done for you, the abuse report generator drafts a registrar and host complaint from the details of the offending domain.

How PhishFence automates this

The DIY methods work, but they are manual and they go stale the day after you run them, while attackers register continuously. PhishFence runs the same playbook on a schedule: it monitors Certificate Transparency logs for certificates issued against lookalikes of your brand, generates the typosquat and homoglyph permutations for you, captures screenshots of live impersonation sites, risk-scores what it finds, and produces ready-to-send takedown reports for the registrar and host. You get the early CT-log signal without having to re-query crt.sh by hand every week. Start by grading your domain, which runs a lookalike scan alongside your DMARC, SPF, DKIM, and TLS posture, or read more about continuous brand protection.

Lookalike domain FAQ

What is a lookalike domain?

A lookalike domain is one registered to resemble yours closely enough to fool a person at a glance. Common forms are typosquats (a misspelling or a swapped, doubled, or dropped letter), homoglyphs (characters that look identical, such as a Latin and a Cyrillic letter, or a lowercase L next to a capital I), TLD swaps (your exact name on a different extension like .net or .co), and added-word or cousin domains (yourbrand-support, yourbrand-billing). Attackers use them for phishing and spoofing because they do not need to spoof your real domain, they own a different one.

How do I find lookalike domains for free?

Three free methods cover most of it. First, list the predictable variations of your name and run each through a registrar or WHOIS search to see which are registered. Second, and most useful, search Certificate Transparency logs at crt.sh for your brand string with a wildcard (for example %yourbrand%), because every TLS certificate is logged publicly, so a lookalike's certificate appears there, often before the phishing site goes live. Third, set up Google Alerts on your brand to catch lookalike pages once they are indexed.

What are Certificate Transparency logs?

Certificate Transparency is a public, append-only record of every TLS certificate issued by participating certificate authorities, which today is effectively all of them. Because a convincing phishing site needs a valid certificate to show the padlock, the certificate for a lookalike domain is logged the moment it is issued. Searching those logs (the free crt.sh service is the easiest front end) lets you spot a lookalike at certificate-issuance time, which is usually earlier than any other signal. This is the single best free method for catching impersonation domains early.

What do I do when I find a lookalike domain?

First gather evidence: a screenshot of the site, the WHOIS record, and the DNS and hosting details. Then file an abuse report with the domain's registrar and its hosting provider, both of which publish abuse contacts. Report the phishing URL to Google Safe Browsing so browsers warn visitors. For clear trademark infringement you can also pursue a UDRP complaint or a formal takedown. Speed matters, so capture the evidence the moment you find it, because malicious sites are often taken down or moved quickly.