What is typosquatting?

Typosquatting is the registration of domains that visually or textually resemble a legitimate brand domain so users mistyping or misreading the URL land on the attacker's page. Common variants include letter substitution (acmme.com), TLD swaps (acme.co), prefix/suffix additions (acme-login.com), and homoglyphs (Cyrillic-a in аcme.com).

How does PhishFence detect typosquatting?

PhishFence runs a daily lookalike scanner that generates variants of your domain across nine attack patterns (levenshtein, homoglyph, TLD swap, prefix/suffix, keyboard adjacency, character addition/omission/doubling, IDN), then risk-scores each variant using registration date, DNS records, DMARC posture, visual similarity to your brand, and content classification.

What does PhishFence cost for typosquatting protection?

The Starter plan is $49/month for three monitored domains (suitable for a single brand). The Pro plan is $99/month for ten domains (suitable when you also monitor product subdomains, sub-brands, or international TLD variants).

Typosquatting Protection: Detect Lookalike Domains

The attacker pattern

An attacker registers a variant of your real domain — a missing letter, a doubled character, a different TLD, a homoglyph from another script. They point it at a server that hosts a fake login page or a re-skinned support flow, then drive traffic via phishing email, paid ads, or SMS. Misdirected traffic lands on the attacker's page believing it's yours.

Generic email security tools miss this because the message claiming to be from your brand is sent from a domain the attacker actually owns — SPF, DKIM, and DMARC all pass for the lookalike. The visible difference between [brand].com and [brand]1.com is one character; the technical difference is zero. Defense has to start at registration discovery, not at message filtering.

Anatomy of a typosquat

How PhishFence detects it

1

Variant generation across 9 attack patterns

Levenshtein 1–2 distance, character substitution, TLD swap, homoglyph (Cyrillic, Greek), addition, omission, doubling, keyboard adjacency, prefix/suffix (login-, secure-, -app). A scan typically generates 500–1,500 candidates per monitored domain.
2

Live DNS resolution for every candidate

A resolves, MX present, NS pattern, TLS certificate validity. The goal: separate the >90% of variants that are unregistered/parked from the small subset with real infrastructure behind them.
3

Risk scoring across multiple signals

Registration recency (newer = higher risk), MX present (email phishing capability), A record + valid TLS (active site capability), registrar reputation (some registrars host substantially more abuse than others), DMARC posture, visual similarity score against your brand, and content classifier output. Risk levels are critical, high, medium, or low.
4

Alerts on threshold, digests for the long tail

High & critical fire immediately via email, Slack, or webhook. Medium & low roll up into a daily digest so you don't drown in registered-but-parked noise.
5

Evidence capture for takedown

Each alert detail page collects WHOIS, hosting IP, registrar abuse contact, screenshot, and DNS records — everything you need to file a registrar abuse report without a second tab.

What it looks like in PhishFence

Screenshot: lookalike scanner dashboard

Risk-sorted variant list with per-domain signal breakdown

The lookalike scanner dashboard ranks every detected variant by risk level and shows which signals contributed to the score — registrar age, DNS posture, content classification, and visual similarity.

Screenshot: alert detail page

Per-variant signal breakdown with evidence capture

The alert detail page is the takedown work surface: WHOIS, registrar contact, hosting IP, TLS issuer, and screenshot are all captured at detection so you can file an abuse report without a second tab.

Screenshot: daily digest email

Low/medium-risk variants rolled up into a single morning summary

Low and medium-risk variants are batched into a daily digest so your inbox sees one summary per day rather than 40 individual alerts.

Common pitfalls to avoid

Treating every registered variant as a threat. Most typosquats are registered for resale, not active phishing. Risk scoring exists to separate the dangerous ~5% from the noisy 95%. Disable alerts that fire on registration-only signals.
Forgetting IDN homoglyphs. Cyrillic, Greek, and Armenian scripts contain characters visually identical to common Latin letters. A scanner that only generates ASCII variants misses an entire attack family.
Only monitoring the apex. Brand product subdomains (login.[brand].com, support.[brand].com) get their own typosquat sets. Add each one as a separately monitored domain on the Pro tier.
Scanning weekly instead of daily. Phishing campaigns frequently register, send, and decommission within 24–48 hours. A weekly scan misses the entire kill chain.

Which PhishFence tier?

For a single-brand domain, Starter at $49/month (3 monitored domains) covers typosquatting protection comfortably. If you also monitor product subdomains, sub-brands, or international TLD variants separately, step up to Pro at $99/month (10 domains). Both tiers include daily scans, risk scoring, alert routing, and the alert detail page with evidence capture.

Related tools & guides

/tools/phishing-link-check

Free domain check

/check — scan your domain now

Defensive registration guide

/guides/defensive-registration

Report to a registrar

/guides/report-registrar-abuse