
Typosquatting: The Cheapest Attack That Still Works

Attackers register domains that look almost identical to yours, then use them to steal credentials from your customers. It takes less than a minute to set up, and most businesses never find out until the damage is done.

April 1, 2026 · 6 min read

TL;DR

  • Typosquats register lookalike domains (acmme.com, gooogle.com) and exploit a single mistyped letter or a clicked phishing link.
  • Most domains have thousands of plausible variants, each under $10 to register; very few owners check which ones exist.
  • Defend with continuous monitoring, registering the obvious variants yourself, and DMARC enforcement on your real domain.

What it does

Typosquatting is the practice of registering domains that look or sound nearly identical to a target brand's real domain, then using them to phish credentials, distribute malware, or intercept email. The attack is cheap (a domain costs under $10/year), the variant space is huge (thousands of plausible permutations per brand), and the conversion rate is high (a single misclick or mistype lands the victim on the attacker's page).

Modern typosquatting goes beyond the simple typo. Attackers use homoglyph substitutions (a Cyrillic <code>а</code> that looks identical to a Latin <code>a</code>), TLD swaps (<code>yourbrand.co</code> when your real domain is <code>yourbrand.com</code>), hyphen insertions (<code>your-brand-secure.com</code>), and combosquats (<code>yourbrand-login.com</code>). Each pattern catches a different class of victim — the typo catches mistypes, the homoglyph catches visual scans, the combosquat catches phishing-link clicks.

The economics favor attackers heavily. Most brands have never checked which variants are registered, let alone monitored for new ones. A campaign can run for weeks before the victim brand even notices, by which point credentials have been harvested and the attacker has moved on.

How it works

  1. <strong>Character substitution.</strong> Swap one letter for a visually similar one. <code>arnazon.com</code> for <code>amazon.com</code>; <code>gooogle.com</code> for <code>google.com</code>. Browsers don't flag these; they're real ASCII.

  2. <strong>TLD swap.</strong> Same brand name, different TLD. <code>yourbrand.co</code> looks legitimate, especially in a phishing email where the user doesn't see the full URL on mobile.

  3. <strong>Homoglyph (IDN) substitution.</strong> Replace one character with a Unicode lookalike from another script (Cyrillic, Greek). The URL bar shows the punycode form, but only if the browser is configured to do so.

  4. <strong>Hyphen insertion.</strong> Split your brand name with a hyphen. <code>your-brand.com</code> registers as a distinct domain but reads as your brand to users.

  5. <strong>Combosquat.</strong> Add a contextual word: -login, -secure, -account, -verify, -support. Most successful in phishing emails where the link text matches the user's expectation.

  6. <strong>Subdomain spoofing.</strong> Register <code>yourbrand-portal.com</code> and put the login page under <code>account.yourbrand-portal.com</code>. What a hurried user sees is just <code>account.yourbrand-portal</code>, which scans as legitimate.
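The six patterns above are also the checks a monitoring pipeline should run over the hostnames it sees in proxy or email-gateway logs. The script below is an added example written for this page, not code from the article; it assumes a hypothetical brand <code>acme.com</code>, a small hand-picked confusables table (a real deployment would use the full Unicode confusables data), a naive "last two labels" rule for the registrable domain (use the Public Suffix List in production), and constructed sample log lines. It decodes punycode labels, reduces each label to an ASCII "skeleton", and then applies the patterns in order: homoglyph, subdomain spoof, TLD swap, hyphen insertion, combosquat, ASCII character substitution, and finally a one-edit typo (including an adjacent transposition).

```python
import re

BRAND = "acme"          # hypothetical brand name (assumption for this example)
BRAND_TLD = "com"
LEGIT = {"acme.com"}    # registrable domains you actually own (assumption)

# Non-ASCII characters that render like an ASCII letter (small subset; assumption).
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",  # Cyrillic а е о р
    "\u0441": "c", "\u0445": "x", "\u0455": "s", "\u0456": "i",  # Cyrillic с х ѕ і
    "\u04cf": "l", "\u03bf": "o",                                # Cyrillic ӏ, Greek ο
}
ASCII_LOOKALIKES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l")]  # read like another letter
COMBO_WORDS = {"login", "secure", "account", "verify", "support"}    # the article's list
HOST_RE = re.compile(r"https?://([^/\s:?#]+)")


def decode_idn(host: str) -> str:
    """Turn xn-- (punycode) labels back into Unicode so lookalikes can be compared."""
    labels = []
    for label in host.split("."):
        if label.startswith("xn--"):
            try:
                label = label[4:].encode("ascii").decode("punycode")
            except UnicodeError:
                pass  # malformed ACE label: leave it opaque
        labels.append(label)
    return ".".join(labels)


def skeleton(label: str) -> str:
    """Map each character (or digraph) to the ASCII letter it visually resembles."""
    s = "".join(CONFUSABLES.get(ch, ch) for ch in label)
    for seq, repl in ASCII_LOOKALIKES:
        s = s.replace(seq, repl)
    return s


def edit_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute, adjacent swap."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def classify(host: str) -> tuple[str, str]:
    """Return (verdict, detail) for one hostname; registrable domain = last two labels (assumption)."""
    host = decode_idn(host.lower().rstrip("."))
    labels = host.split(".")
    if len(labels) < 2:
        return ("unrelated", "no registrable domain")
    sld, tld, sub = labels[-2], labels[-1], labels[:-2]
    if f"{sld}.{tld}" in LEGIT:
        return ("legitimate", f"{sld}.{tld}")
    brand_skel, sld_skel = skeleton(BRAND), skeleton(sld)
    parts = [skeleton(p) for p in sld.split("-") if p]
    if not host.isascii() and sld_skel == brand_skel:
        return ("homoglyph", f"{sld!r} renders as {BRAND!r}")
    if sub and (brand_skel in parts or any(skeleton(lab) == brand_skel for lab in sub)):
        return ("subdomain-spoof", f"brand appears under {sld}.{tld}")
    if sld_skel == brand_skel and tld != BRAND_TLD:
        return ("tld-swap", f".{tld} instead of .{BRAND_TLD}")
    if "-" in sld and sld_skel.replace("-", "") == brand_skel:
        return ("hyphen-insertion", sld)
    if len(parts) > 1 and brand_skel in parts:
        extra = [p for p in parts if p != brand_skel]
        tag = "known phishing word" if COMBO_WORDS & set(extra) else "extra word"
        return ("combosquat", f"{tag}: {'-'.join(extra)}")
    if sld_skel != sld and sld_skel == brand_skel:
        return ("character-substitution", f"{sld!r} reads as {BRAND!r}")
    if edit_distance(sld_skel, brand_skel) <= 1:
        return ("typo", f"one edit from {BRAND!r}")
    return ("unrelated", "")


def triage(log_lines: list[str]) -> list[tuple[str, str, str]]:
    """Pull hostnames out of log lines and keep only the lookalike verdicts."""
    findings = []
    for line in log_lines:
        m = HOST_RE.search(line)
        if m:
            verdict, detail = classify(m.group(1))
            if verdict not in ("legitimate", "unrelated"):
                findings.append((m.group(1), verdict, detail))
    return findings


# Constructed sample proxy-log lines (not real traffic). The IDN host is built with
# the punycode codec so the xn-- form really decodes to Cyrillic а followed by "cme".
HOMOGLYPH_HOST = "xn--" + "\u0430cme".encode("punycode").decode("ascii") + ".com"
SAMPLE_LOG = [
    "2026-04-01T09:12:03Z 10.0.0.5 GET https://www.acme.com/login",
    "2026-04-01T09:13:44Z 10.0.0.7 GET https://acmme.com/login",
    "2026-04-01T09:13:59Z 10.0.0.7 GET https://amce.com/login",
    "2026-04-01T09:14:10Z 10.0.0.9 GET https://acme.co/login",
    f"2026-04-01T09:15:51Z 10.0.0.5 GET https://{HOMOGLYPH_HOST}/account",
    "2026-04-01T09:15:58Z 10.0.0.6 GET https://acrne.com/",
    "2026-04-01T09:16:02Z 10.0.0.12 GET https://ac-me.com/",
    "2026-04-01T09:17:30Z 10.0.0.3 GET https://acme-login.com/verify",
    "2026-04-01T09:18:07Z 10.0.0.8 GET https://account.acme-portal.com/",
    "2026-04-01T09:19:15Z 10.0.0.8 GET https://acme.com.example.net/",
    "2026-04-01T09:20:00Z 10.0.0.4 GET https://example.org/",
]

if __name__ == "__main__":
    for host, verdict, detail in triage(SAMPLE_LOG):
        print(f"{verdict:22} {host:36} {detail}")
```

The order of the checks matters: a hostname is tested against the more specific patterns first (a decoded non-ASCII label that skeletonizes to the brand is a homoglyph even if its TLD is also wrong), and the generic one-edit typo test runs last so it does not swallow the named categories. Only the registrable domain is compared, which is why <code>www.acme.com</code> is legitimate while <code>acme.com.example.net</code> is flagged.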

Common pitfalls

  • <strong>Believing typosquatting is mostly mistypes.</strong> Most modern typosquat damage happens via phishing-link clicks, not URL bar mistypes. Defense has to assume the user never sees the URL.

  • <strong>Registering all typos defensively.</strong> The variant space is too large. Register the 15-20 highest-risk variants; monitor the rest.

  • <strong>Assuming MX-less lookalikes are harmless.</strong> A registered domain with no email infrastructure can still host a phishing site. MX is a signal, not a precondition.

  • <strong>Trusting browser-level homoglyph protection.</strong> Modern browsers warn on mixed-script labels, but coverage is inconsistent, especially on mobile. Don't rely on the browser as the last line of defense.