Threat Trends

Industry threat trends

Cross-customer intelligence from every domain PhishFence monitors. Which TLDs are hosting the most typosquats right now, which registrars keep them alive, which industries are drawing the heat. Anonymized and refreshed every 15 minutes.

Alerts detected

225

Across every monitored brand, last 90 days.

Top TLD

.com

188 variants detected.

Top registrar

MarkMonitor Inc.

139 lookalikes registered here.

Volume over time

Peak 97 alerts / day

Stacked by confidence. A tall red bar is a phishing wave you would have wanted to know about.

[Chart: alerts per day, stacked by confidence. Y-axis: 0 to 97 alerts; x-axis: dates from 01-24 to 04-23. Legend: Confirmed phishing, Likely phishing, Suspected impersonation, Registered lookalike.]

  • 2026-03-31: Suspected impersonation 3, Registered lookalike 19, Other 3
  • 2026-04-01: Suspected impersonation 2, Registered lookalike 5, Other 5
  • 2026-04-09: Registered lookalike 27, Other 7
  • 2026-04-10: Registered lookalike 20, Other 77
  • 2026-04-11: Registered lookalike 1, Other 1
  • 2026-04-15: Registered lookalike 1
  • 2026-04-19: Registered lookalike 2, Other 1
  • 2026-04-20: Registered lookalike 17, Other 34

Top abused TLDs

Where lookalike domains are being registered. Legacy TLDs dominate by volume; cheap new gTLDs dominate by attacker cost efficiency.

  • .com 188
  • .net 9
  • .cloud 5
  • .org 4
  • .app 4
  • .io 3
  • .co 2
  • .info 2
  • .xyz 2
  • .dev 2

Top abused registrars

The registrars attackers use most. A high number doesn't mean the registrar is complicit; it correlates with low price, permissive policies, and market share.

  • MarkMonitor Inc. 139
  • GoDaddy.com, LLC 9
  • NameCheap, Inc. 4
  • Dynadot Inc 3
  • Namecheap Inc. 2
  • Sav.com, LLC 2
  • PT Biznet GIO Nusantara 2
  • Alpine Domains Inc. 2
  • Squarespace Domains II LLC 2
  • NameSilo, LLC 2

Targeted industries

Which sectors are absorbing the most attention. Customers tag their protected brand on onboarding; unclassified rows bucket under "Unclassified".

  • Unclassified 225

Detection source mix

How each alert was caught. CT-log monitoring catches certificates issued for lookalikes before the domain is live; DNS scans catch what's already resolving.

  • DNS scan 225 (100%)

Risk level distribution

Our scoring across every alert this window. Critical and high are the ones worth paging on; low captures speculative registrations that may not be used for anything.

  • Critical 74 (33%)
  • High 27 (12%)
  • Medium 121 (54%)
  • Low 3 (1%)

Confidence mix

Our judgement of what each alert actually is. Confirmed phishing is fetched-and-verified; registered lookalike is just a squatting registration without active content.

  • Other 128 (57%)
  • Registered lookalike 92 (41%)
  • Suspected impersonation 5 (2%)

Updated . Data aggregated across every brand monitored by PhishFence. No customer identifiers or per-brand counts leave this page.