How to Stop Typosquatting Domains Targeting Your Brand

There is no magic button that makes typosquats disappear. What exists is a repeatable workflow: detect early, evaluate fast, file abuse reports, and, when the domain matters, register it yourself. Here is how to run that loop in practice.

April 19, 2026 · 7 min read

TL;DR

  1. Run a continuous lookalike scan against your brand to catch new registrations within hours, not weeks.
  2. Register the highest-risk variants yourself (top 5-10 typos, the .co/.io/.net of your .com) for under $200/year.
  3. When an active lookalike turns up, file a registrar abuse report first (24-72 hour resolution); reserve UDRP for stubborn cases.

What it does

Stopping typosquatting requires two parallel tracks: prevention (register the highest-risk variants yourself) and detection (continuously monitor for new registrations, especially CT-logged ones). Either alone leaves a gap; together they cover the realistic threat surface without trying to register thousands of domains.

The prevention track is finite work: identify the 15-20 highest-risk variants for your brand, register them at a wholesale registrar, configure them not to send mail or serve content, and set up auto-renew with calendar reminders. Cost: ~$200/year per portfolio. Ongoing burden: 30 minutes per year.

The detection track is continuous work: monitor DNS + Certificate Transparency for new lookalike registrations, triage each detection on active-infrastructure signals (DNS / SSL / MX / HTTP), and act fast on confirmed phishing. Manual review is feasible for small brands; larger brands need tooling that filters noise and pre-fills takedown reports.
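The prevention track above hinges on picking a short list of the highest-risk variants rather than registering everything. The following Python is an added example (not PhishFence code and not the page's own tooling) that enumerates the variant classes the page names, single-character typos, TLD swaps and combosquats, for a brand domain and ranks them so the top 15-20 can be registered defensively. The QWERTY neighbour map, the affix list and the per-class risk weights are assumptions chosen for illustration.

```python
"""Enumerate and rank lookalike candidates of a brand domain for defensive registration.

Added example, not PhishFence code. The keyboard map, affixes and weights below
are assumptions; a production generator (e.g. a dnstwist-style tool) covers many
more permutation classes.
"""

# Assumed QWERTY neighbour map (illustrative subset, not a full keyboard model).
QWERTY_NEIGHBOURS = {
    "a": "qwsz", "b": "vghn", "c": "xdfv", "d": "serfcx", "e": "wsdr",
    "f": "drtgvc", "g": "ftyhbv", "h": "gyujnb", "i": "ujko", "j": "huikmn",
    "k": "jiolm", "l": "kop", "m": "njk", "n": "bhjm", "o": "iklp",
    "p": "ol", "q": "wa", "r": "edft", "s": "awedxz", "t": "rfgy",
    "u": "yhji", "v": "cfgb", "w": "qase", "x": "zsdc", "y": "tghu", "z": "asx",
}

ALT_TLDS = ("co", "io", "net", "app")           # the TLD swaps the page calls out
COMBO_AFFIXES = ("login", "secure", "support")   # assumed common combosquat words

# Assumed baseline risk per variant class; TLD swaps rank highest, as the page argues.
RISK_WEIGHT = {
    "tld-swap": 90, "omission": 70, "transposition": 65,
    "combosquat": 60, "adjacent-key": 50,
}


def lookalike_candidates(domain):
    """Return {fqdn: (kind, score)} for a two-label domain such as 'example.com'."""
    domain = domain.lower()
    name, tld = domain.rsplit(".", 1)
    candidates = {}

    def add(kind, fqdn, bonus=0):
        # Never list the brand itself; keep the first (highest-priority) kind per string.
        if fqdn != domain and fqdn not in candidates:
            candidates[fqdn] = (kind, RISK_WEIGHT[kind] + bonus)

    # TLD swaps are added first so they keep priority over any coincidental typo.
    for alt in ALT_TLDS:
        if alt != tld:
            add("tld-swap", f"{name}.{alt}")

    for i, ch in enumerate(name):
        # Omission; dropping one of a doubled letter is an especially common typo.
        doubled = (i + 1 < len(name) and name[i + 1] == ch) or (i > 0 and name[i - 1] == ch)
        add("omission", f"{name[:i]}{name[i + 1:]}.{tld}", bonus=10 if doubled else 0)
        # Transposition of two adjacent, different characters.
        if i + 1 < len(name) and name[i + 1] != ch:
            add("transposition", f"{name[:i]}{name[i + 1]}{ch}{name[i + 2:]}.{tld}")
        # Adjacent-key substitution ("fat finger").
        for key in QWERTY_NEIGHBOURS.get(ch, ""):
            add("adjacent-key", f"{name[:i]}{key}{name[i + 1:]}.{tld}")

    # Combosquats: brand word plus a trust-signalling affix, hyphenated and joined.
    for affix in COMBO_AFFIXES:
        add("combosquat", f"{name}-{affix}.{tld}")
        add("combosquat", f"{name}{affix}.{tld}")
    return candidates


def defensive_shortlist(domain, top=20):
    """Rank candidates by score (ties broken alphabetically) and return (fqdn, kind, score)."""
    ranked = sorted(lookalike_candidates(domain).items(),
                    key=lambda kv: (-kv[1][1], kv[0]))
    return [(fqdn, kind, score) for fqdn, (kind, score) in ranked[:top]]


if __name__ == "__main__":
    for fqdn, kind, score in defensive_shortlist("example.com"):
        print(f"{score:3d}  {kind:<13}  {fqdn}")
```

The shortlist is a starting point for the curation rules, not a substitute for them: the scores encode only which class a variant belongs to, so a human still drops candidates that are dictionary words or already held by a legitimate third party before registering.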

How it works

  1. Register the obvious variants defensively. Top 5-10 typos, your .com's .co/.io/.net/.app, common combosquats. See the defensive registration guide (/learn/defensive-registration) for the curation rules.

  2. Publish DMARC enforcement (p=reject). Even a perfectly registered defensive portfolio doesn't help if attackers can spoof your real domain. DMARC is the email half; lookalike registration is the brand half — both are required.

  3. Start continuous lookalike monitoring. Use PhishFence (or any equivalent) to check hundreds of variants per scan for every monitored domain. Configure CT-log monitoring so you catch infrastructure within minutes of cert issuance.

  4. Triage detections on multi-signal scoring. DNS + SSL + MX + HTTP + threat-intel feeds. Don't act on "newly registered" alone — most never become active. Do act on "new registration + active HTTP + cloned login form" — that's a live phishing campaign.

  5. Submit takedowns in parallel to browser blocklists + registrar. Google Safe Browsing + Microsoft SmartScreen + Netcraft + Cloudflare for browser coverage in hours; registrar abuse report for domain suspension in days. See how to report a phishing site (/learn/report-phishing-site).
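Steps 4 and 5 together are a scoring rule plus a report template. The Python below is an added example (not PhishFence code) that scores a detection on the signals the page lists (DNS, certificate, MX, HTTP, cloned login form, threat-intel feeds), maps the score to ignore/watch/takedown, and pre-fills the report fields with the destinations named in step 5. The signal weights, thresholds and the three sample detections are constructed for illustration; a bare new registration deliberately scores zero.

```python
"""Multi-signal triage of lookalike-domain detections with takedown pre-fill.

Added example, not PhishFence code. Weights, thresholds and the sample
detections are assumptions constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Detection:
    domain: str
    brand: str
    days_since_registration: int
    resolves: bool = False              # DNS A/AAAA answer exists
    has_certificate: bool = False       # certificate observed in CT logs
    has_mx: bool = False                # MX record: the domain can send/receive mail
    http_status: Optional[int] = None   # None = no HTTP response at all
    login_form: bool = False            # page serves a credential form
    brand_assets: bool = False          # page reuses the brand's logo or title
    threat_intel_hits: int = 0          # listings in external feeds


# Assumed weights: infrastructure signals add up, content signals dominate.
WEIGHTS = {
    "dns": 10, "tls-cert": 15, "mx": 15, "http-live": 20,
    "login-form": 35, "brand-assets": 20, "new-registration": 10,
}
NEW_REGISTRATION_DAYS = 30
TAKEDOWN_THRESHOLD = 70
WATCH_THRESHOLD = 25


def score(det: Detection) -> Tuple[int, List[str]]:
    """Return (score, reasons). A registration with nothing live scores 0."""
    reasons: List[str] = []
    if det.resolves:
        reasons.append("dns")
    if det.has_certificate:
        reasons.append("tls-cert")
    if det.has_mx:
        reasons.append("mx")
    if det.http_status is not None and det.http_status < 400:
        reasons.append("http-live")
    if det.login_form:
        reasons.append("login-form")
    if det.brand_assets:
        reasons.append("brand-assets")
    # Recency only amplifies risk once something is live; "newly registered" alone stays at 0.
    if reasons and det.days_since_registration <= NEW_REGISTRATION_DAYS:
        reasons.append("new-registration")
    total = sum(WEIGHTS[r] for r in reasons)
    # Each external feed listing adds 10, capped at 30.
    total += min(det.threat_intel_hits, 3) * 10
    return total, reasons


def triage(det: Detection) -> str:
    total, _ = score(det)
    if total >= TAKEDOWN_THRESHOLD:
        return "takedown"
    if total >= WATCH_THRESHOLD:
        return "watch"
    return "ignore"


def takedown_report(det: Detection) -> Dict[str, object]:
    """Pre-fill what abuse desks and blocklists ask for. Browser blocklists need a live URL."""
    total, reasons = score(det)
    destinations = ["registrar-abuse"]
    if "http-live" in reasons:
        destinations += ["google-safe-browsing", "microsoft-smartscreen", "netcraft", "cloudflare"]
    return {
        "reported_domain": det.domain,
        "impersonated_brand": det.brand,
        "category": "phishing" if det.login_form else "brand-impersonation",
        "score": total,
        "evidence": reasons,
        "destinations": destinations,
    }


# Constructed sample detections; none are real observations.
SAMPLE_DETECTIONS = [
    Detection("exmaple.com", "example.com", days_since_registration=2),
    Detection("example-login.co", "example.com", days_since_registration=5,
              resolves=True, has_certificate=True, http_status=200,
              login_form=True, brand_assets=True),
    Detection("exampel.com", "example.com", days_since_registration=400,
              resolves=True, has_mx=True),
]


def triage_all(dets=SAMPLE_DETECTIONS) -> Dict[str, str]:
    return {d.domain: triage(d) for d in dets}


if __name__ == "__main__":
    for d in SAMPLE_DETECTIONS:
        print(d.domain, score(d), triage(d))
```

The "watch" tier exists for cases like the third sample, a parked lookalike with MX but no website: it is not reportable as phishing yet, but mail from it is a business-email-compromise risk, so it stays on the re-scan list rather than being discarded.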

Common pitfalls

  • Defense-by-registration alone. Even a 50-domain portfolio leaves thousands of variants unregistered. Monitoring catches what registration can't.

  • Monitoring without takedown execution. A detection that doesn't trigger action is just spam in your inbox. Have the takedown workflow ready before turning on monitoring.

  • One-shot scans instead of continuous monitoring. A quarterly scan misses 95% of phishing campaigns (most lifetimes are days, not months). Continuous monitoring is the only approach with operational value.

  • Not registering the TLD swap. The single highest-value defensive registration for most .com brands is the .co — most common typo, most common phishing TLD swap, registers for under $30/year at wholesale.