Typosquatting vs. Combosquatting: Two Attacker Patterns You Need to Know
Typosquatting tricks people who misspell URLs. Combosquatting tricks people who think the URL looks legitimate. The detection logic for each is different. Here's how attackers use both and how monitoring catches them.
TL;DR
1. Typosquats are misspellings (acmme.com); combosquats wrap your brand in legitimate-looking words (acme-secure-login.com).
2. Combosquats often defeat naive monitoring because they are not edit-distance close to the real domain; catching them needs lexical pattern matching (brand-string containment plus an anchor-word list).
3. Defense for both: continuous monitoring with several variant-generation algorithms, scoring on active infrastructure, fast takedowns.
What it does
Typosquatting and combosquatting share a goal — impersonate your brand to phish your users — but use different naming patterns and exploit different user behaviors. A defense built only for one misses the other entirely.
Typosquats are character-level deviations from your real domain: a missing letter, a swapped pair of letters, a doubled letter, an adjacent-key substitution, or a homoglyph (rn for m). They are generic and detectable: every such variant sits one or two edits from the real name, so edit-distance algorithms surface them reliably. The attack vector is the mistyped URL or the carelessly read link.
Combosquats add legitimate-looking words around your brand: -login, -secure, -account, -support, -portal. They aren't character-distance close to your real domain (acme-login.com is six edits from acme.com), so edit-distance-only monitors miss them. The attack vector is the phishing email link: the user reads <code>yourbrand-secure.com</code> as your brand because the cognitive load of email triage doesn't trigger careful URL inspection.
How it works
1. <strong>For typosquats: edit-distance generators.</strong> Generate variants by character omission, transposition, doubling, adjacent-key substitution, and homoglyph substitution, then compare each new registration against that set (or directly against the brand with an edit-distance threshold). Most variant generators (dnstwist included) do this well.
2. <strong>For combosquats: lexical pattern matching.</strong> Generate variants by attaching a list of attack-anchor words (-login, -secure, -verify, -account, -support, -portal, -pay, -billing) before or after your brand, with and without a separator. Then match a brand-string-containment regex against new domain registrations, not just edit distance, so that anchor words you did not think to list are caught too.
3. <strong>Layer both checks on every scan.</strong> A monitoring tool that only runs edit-distance algorithms misses combosquats; one that only runs lexical matching misses typosquats. PhishFence runs nine attack patterns in parallel.
4. <strong>Score on active infrastructure.</strong> Combosquats are more likely than typosquats to be parked or used for non-phishing purposes, so they carry a higher false-positive rate. Signal-based scoring (a live HTTP response, a TLS certificate issued for the name, your brand in the served content) separates threats from noise.
5. <strong>Take down both with the same workflow.</strong> A registrar abuse report works identically for either pattern. The evidence (cloned content, brand impersonation) is what matters; the variant pattern doesn't change the takedown path.
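The five steps above as one working pipeline, added here as an example; it is not code from the article or from PhishFence. It assumes a constructed brand (acme) with one genuine domain, a constructed registration feed whose infrastructure signals have already been collected, small illustrative QWERTY and homoglyph tables, and signal weights and verdict thresholds chosen arbitrarily. It goes slightly beyond the text in two places: the containment regex also matches a typosquatted brand inside a combosquat (acrne-support), and both generators are crossed with a TLD list rather than .com alone.

```python
from __future__ import annotations
import re

# Constructed example: the brand "acme" and its genuine domains. Swap in your own.
BRAND = "acme"
OWN_DOMAINS = {"acme.com"}
TLDS = ["com", "net", "io", "co", "de"]  # cover the TLD axis, not only .com
ANCHORS = ["login", "secure", "verify", "account", "support", "portal", "pay", "billing"]
# Illustrative subsets only; a real generator carries full keyboard and homoglyph tables.
QWERTY = {"a": "qwsz", "c": "xdfv", "e": "wsdr", "m": "njk"}
HOMOGLYPHS = {"m": ["rn", "nn"], "e": ["3"], "l": ["1", "i"], "o": ["0"]}
# Signal weights and verdict thresholds are arbitrary choices for this example.
WEIGHTS = {"http_live": 2, "tls_cert": 1, "brand_content": 3}

def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert, delete, substitute) by dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def typosquat_variants(brand: str) -> set[str]:
    """Character-level variants: omission, doubling, transposition, adjacent key, homoglyph."""
    out = set()
    for i, ch in enumerate(brand):
        out.add(brand[:i] + brand[i + 1:])                        # omission
        out.add(brand[:i] + ch + ch + brand[i + 1:])              # doubling
        if i + 1 < len(brand):                                    # transposition
            out.add(brand[:i] + brand[i + 1] + ch + brand[i + 2:])
        for k in QWERTY.get(ch, ""):                              # adjacent key
            out.add(brand[:i] + k + brand[i + 1:])
        for g in HOMOGLYPHS.get(ch, []):                          # homoglyph
            out.add(brand[:i] + g + brand[i + 1:])
    out.discard(brand)
    return out

def combosquat_variants(brand: str) -> set[str]:
    """Lexical variants: an anchor word before or after the brand, with or without a hyphen."""
    return {f"{a}{sep}{b}" for w in ANCHORS for sep in ("-", "") for a, b in ((brand, w), (w, brand))}

def watchlist(brand: str) -> set[str]:
    """Both generators crossed with the TLD axis: the names to pre-register or watch for."""
    return {f"{n}.{t}" for n in typosquat_variants(brand) | combosquat_variants(brand) for t in TLDS}

def containment_regex(brand: str) -> re.Pattern[str]:
    """Brand-string containment: the brand or any typo variant at least as long as the brand.
    Omission variants are too short to be needles; three-letter fragments hit everywhere."""
    needles = {brand} | {v for v in typosquat_variants(brand) if len(v) >= len(brand)}
    return re.compile("|".join(re.escape(n) for n in sorted(needles, key=len, reverse=True)))

def classify(domain: str, brand: str = BRAND) -> str | None:
    """Label a new registration: typosquat, combosquat, both, or None if not of interest."""
    domain = domain.lower()
    sld = domain.rpartition(".")[0]
    if domain in OWN_DOMAINS or sld == brand:
        return None
    if sld in typosquat_variants(brand) or levenshtein(sld, brand) <= 1:
        return "typosquat"
    match = containment_regex(brand).search(sld)
    if match is None:
        return None
    return "combosquat" if match.group() == brand else "combosquat+typosquat"

def score(domain: str, signals: dict[str, bool]) -> int:
    """Infrastructure signals (live HTTP, TLS cert for the name, brand assets or a cloned
    login page in the served content) plus one point for an anchor word in the name."""
    total = sum(w for key, w in WEIGHTS.items() if signals.get(key))
    sld = domain.lower().rpartition(".")[0]
    return total + (1 if any(a in sld for a in ANCHORS) else 0)

def verdict(points: int) -> str:
    return "escalate" if points >= 5 else "watch" if points >= 2 else "ignore"

def triage(registrations: dict[str, dict[str, bool]], brand: str = BRAND) -> list[tuple[str, str, int, str]]:
    """Run both pattern checks on every registration, then score only the hits."""
    results = []
    for domain, signals in registrations.items():
        pattern = classify(domain, brand)
        if pattern is not None:
            points = score(domain, signals)
            results.append((domain, pattern, points, verdict(points)))
    return results

# Constructed sample of one day's new registrations, with signals already collected.
NEW_REGISTRATIONS = {
    "acmme.com":             {"http_live": True,  "tls_cert": True,  "brand_content": True},
    "acme-secure-login.net": {"http_live": True,  "tls_cert": True,  "brand_content": True},
    "acrne-support.co":      {"http_live": True,  "tls_cert": True,  "brand_content": True},
    "acme-fan-site.io":      {"http_live": True,  "tls_cert": True,  "brand_content": False},
    "acme-portal.de":        {"http_live": False, "tls_cert": False, "brand_content": False},
    "acme.com":              {"http_live": True,  "tls_cert": True,  "brand_content": True},
    "bakery-supplies.com":   {"http_live": True,  "tls_cert": True,  "brand_content": False},
}

if __name__ == "__main__":
    for domain, pattern, points, action in triage(NEW_REGISTRATIONS):
        print(f"{domain:24} {pattern:22} score={points} -> {action}")
```

Run as-is, the fan site and the parked combosquat come out as "watch" and "ignore" while the live, certificate-bearing clones (including the homoglyph-inside-combosquat acrne-support.co) come out as "escalate"; the unrelated registration and the brand's own domain never reach the scoring stage. The omission variants are deliberately excluded from the containment needles: a three-letter fragment of the brand matches far too many innocent names, which is the false-positive trap the scoring step exists to contain.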
Common pitfalls
- <strong>Detecting only one pattern.</strong> Pure edit-distance tools miss combosquats. Pure brand-string-match tools miss typosquats. You need both.
- <strong>Treating all combosquats as phishing.</strong> Many are legitimate (your-brand-fan-site, your-brand-review). Triage on infrastructure signals before escalating.
- <strong>Underestimating combosquats because they look longer.</strong> Users on mobile read truncated URLs and don't notice the extra words. The attack vector is the link click, not URL inspection.
- <strong>Only watching the .com.</strong> Combosquats on .net, .io, .co, and country-code TLDs are common; the variant generator should cover the TLD axis too.