Typosquatting protection
If you're a brand owner, you have lookalike domains pointed at your customers right now. PhishFence finds them, scores them, and tells you which ones matter before the phishing page goes live.
The attacker pattern
An attacker registers a variant of your real domain: a missing letter, a doubled character, a different TLD, a homoglyph from another script. They point it at a server that hosts a fake login page or a re-skinned support flow, then drive traffic via phishing email, paid ads, or SMS. Misdirected traffic lands on the attacker's page believing it's yours.
Generic email security tools miss this because the message claiming to be from your brand is sent from a domain the attacker actually owns. SPF, DKIM, and DMARC all pass for the lookalike. The visible difference between example.com and example1.com is one character; the technical difference is zero. Defense has to start at registration discovery, not at message filtering.
How PhishFence detects it
1. Variant generation across 9 attack patterns
   Levenshtein 1 to 2 distance, character substitution, TLD swap, homoglyph (Cyrillic, Greek), addition, omission, doubling, keyboard adjacency, prefix/suffix (login-, secure-, -app). A scan typically generates 500 to 1,500 candidates per monitored domain.
2. Live DNS resolution for every candidate
   Checks per candidate: A record resolves, MX present, NS pattern, TLS certificate validity. The goal: separate the >90% of variants that are unregistered/parked from the small subset with real infrastructure behind them.
3. Risk scoring across multiple signals
   Registration recency (newer = higher risk), MX present (email phishing capability), A record + valid TLS (active site capability), registrar reputation (some registrars host substantially more abuse than others), DMARC posture, visual similarity score against your brand, and content classifier output. Risk levels are critical, high, medium, or low.
4. Alerts on threshold, digests for the long tail
   High and critical alerts fire immediately via email, Slack, or webhook. Medium and low roll up into a weekly digest so you don't drown in registered-but-parked noise.
5. Evidence capture for takedown
   Each alert detail page collects WHOIS, hosting IP, registrar abuse contact, screenshot, and DNS records: everything you need to file a registrar abuse report without a second tab.
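Added example (not PhishFence's code): a Python generator for several of the variant patterns named in step 1, meant to be run against a domain you own and monitor, plus the punycode form a homoglyph candidate takes in DNS. The lookup tables, TLD list and function names are assumptions made for illustration.

```python
# Added example, not PhishFence code. The tables are small constructed samples,
# not a complete confusables set or keyboard map.
HOMOGLYPHS = {"a": "\u0430", "e": "\u0435", "o": "\u043e",
              "p": "\u0440", "c": "\u0441"}            # Cyrillic look-alikes
ADJACENT = {"a": "qsz", "e": "wrd", "m": "nk", "l": "kop", "p": "ol", "x": "zcs"}
SUBSTITUTE = {"l": "1", "i": "1", "o": "0"}
TLDS = ["com", "co", "net", "org"]
AFFIXES = [("login-", ""), ("secure-", ""), ("", "-app")]  # the page's examples

def variants(domain):
    """Return {candidate: pattern} for a two-label domain such as example.com."""
    domain = domain.lower()
    name, tld = domain.rsplit(".", 1)
    out = {}

    def add(label, pattern, new_tld=tld):
        cand = f"{label}.{new_tld}"
        if label and cand != domain:
            out.setdefault(cand, pattern)   # first pattern to produce it wins

    for i, ch in enumerate(name):
        add(name[:i] + name[i + 1:], "omission")
        add(name[:i] + ch + name[i:], "doubling")
        if ch in SUBSTITUTE:
            add(name[:i] + SUBSTITUTE[ch] + name[i + 1:], "substitution")
        for key in ADJACENT.get(ch, ""):
            add(name[:i] + key + name[i + 1:], "keyboard-adjacency")
        if ch in HOMOGLYPHS:
            add(name[:i] + HOMOGLYPHS[ch] + name[i + 1:], "homoglyph")
    for ch in "abcdefghijklmnopqrstuvwxyz0123456789":
        add(name + ch, "addition")
    for t in TLDS:
        add(name, "tld-swap", t)
    for pre, suf in AFFIXES:
        add(pre + name + suf, "prefix/suffix")
    return out

def to_ascii(domain):
    """xn-- (punycode) form: what resolvers, WHOIS and certificates show."""
    return domain.encode("idna").decode("ascii")

if __name__ == "__main__":
    for cand, pattern in sorted(variants("example.com").items()):
        print(f"{pattern:18} {to_ascii(cand)}")
```

Matching has to happen on the `xn--` form as well as the Unicode form, because the ASCII encoding of a homoglyph candidate no longer resembles the brand name.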
What it looks like in PhishFence
| Signals | Variant Domain | Indicators | Detected | Review | Actions |
|---|---|---|---|---|---|
| 4 signals | examp1e.com | DNS, SSL, MX, HTTP, Topic 53% | May 17, 09:42 | New | |
| 3 signals | example-login.com | DNS, SSL, HTTP, CF | May 16, 22:17 | Watching | |
| 1 signal | examp1e.co | MX | May 16, 22:17 | Watching | |
Signal Breakdown
This domain resolves to an IP address. It has been registered and pointed to a server.
A valid SSL certificate was detected during a TLS handshake. The site is live and visitors see the padlock icon, making it appear trustworthy.
Mail server configured. This domain can receive email, which enables phishing and spoofing campaigns targeting your customers.
Actively serving web content. This could be a phishing page, a parked page, or a redirect.
Domain Intelligence
Threat Intelligence: 1 match
Here is what happened across your monitored domains in the last 7 days.
Common pitfalls to avoid
- Treating every registered variant as a threat. Most typosquats are registered for resale, not active phishing. Risk scoring exists to separate the dangerous ~5% from the noisy 95%. Disable alerts that fire on registration-only signals.
- Forgetting IDN homoglyphs. Cyrillic, Greek, and Armenian scripts contain characters visually identical to common Latin letters. A scanner that only generates ASCII variants misses an entire attack family.
- Only monitoring the apex. Each high-value subdomain (login.example.com, support.example.com) needs its own typosquat scan, which means adding it as a separately monitored domain (one slot from your tier’s quota). PhishFence’s subdomain-takeover detection (Pro+) is a different feature for a different threat: it enumerates each apex’s existing subdomains for dangling CNAMEs, not lookalike variants.
- Scanning weekly instead of hourly. Phishing campaigns frequently register, send, and decommission within 24 to 48 hours. A weekly scan misses the entire kill chain.
Which PhishFence tier?
For a single-brand domain, Starter at $49/month (5 monitored domains) covers typosquatting protection comfortably. If you also monitor product subdomains, sub-brands, or international TLD variants separately, step up to Pro at $99/month (20 domains). Both tiers include hourly scans, risk scoring, alert routing, and the alert detail page with evidence capture.