Lookalike domains: the typosquatting threat to your brand
Typosquats and homoglyph domains are cheap to register and easy to weaponise. Here is how they work and what to do about the ones already pointed at your brand.
For a few dollars, anyone can register a domain that looks almost exactly like yours. Multiply that by every plausible misspelling, every swapped character, and every alternative top-level domain, and most brands have dozens of lookalikes registered without their knowledge.
The three flavours
- Typosquats rely on human error — exmaple.com, example.co, example-support.com.
- Homoglyphs swap characters that look identical — a Latin "a" for a Cyrillic one, or "rn" for "m".
- Combosquats bolt a believable word onto your name — example-login.com, secure-example.net.
Each is harmless while parked and dangerous the moment it is weaponised into a phishing page, an investment scam, or a redirect.
Why parked domains still matter
It is tempting to ignore a lookalike that just shows a parking page. But a registered domain is a loaded option: the attacker can point it at a phishing kit at any time, often timed to a campaign, a product launch, or a breach. Acting only on the domains already hosting phishing means you are always reacting after the harm has started.
How to clear them
- Enumerate the full set. Don't chase domains one at a time — fingerprint the cluster by shared registrar, hosting ASN, or TLS issuer to find the dormant ones too.
- Triage by risk. Active phishing first, then redirects, then parked.
- Pursue the registrar layer. For clearly abusive domains, suspension through the registrar's abuse channel removes the domain entirely, not just the content.
- Keep a watchlist. The lookalikes you can't remove today go on a monitored list so a newly weaponised one is caught early.
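To turn the three flavours above into a watchlist you can triage, here is an added example (not code from the original article) that classifies observed domains against a brand: it folds common confusables (Cyrillic letters, "rn" for "m", digits for letters) to catch homoglyphs, flags labels that embed the brand name as combosquats, and uses an edit distance that counts transpositions for typosquats. The brand example.com, the confusables table and the sample domains are constructed assumptions; a production watchlist needs a fuller confusables map and proper registrable-domain parsing.

```python
import unicodedata

# Constructed assumptions: a brand to defend and a small confusables table.
BRAND_DOMAIN = "example.com"
CONFUSABLES = {"а": "a", "е": "e", "о": "o", "р": "p", "с": "c", "х": "x",
               "у": "y", "і": "i", "ı": "i", "ɑ": "a", "0": "o", "1": "l"}
SEQUENCES = {"rn": "m", "vv": "w"}  # multi-character lookalikes


def fold(label):
    """Collapse visually confusable characters to their Latin lookalike."""
    s = unicodedata.normalize("NFKC", label)
    s = "".join(CONFUSABLES.get(ch, ch) for ch in s)
    for seq, rep in SEQUENCES.items():
        s = s.replace(seq, rep)
    return s


def to_unicode(label):
    """Decode a punycode (xn--) label so its glyphs can be folded."""
    return label.encode("ascii").decode("idna") if label.startswith("xn--") else label


def osa_distance(a, b):
    """Edit distance where an adjacent transposition (exmaple) costs 1."""
    d = [[i + j if i * j == 0 else 0 for j in range(len(b) + 1)] for i in range(len(a) + 1)]
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[-1][-1]


def classify(domain, brand_domain=BRAND_DOMAIN):
    """Label a registrable domain (single-label TLD assumed) by lookalike type."""
    brand, brand_tld = brand_domain.lower().rsplit(".", 1)
    label, tld = domain.lower().rstrip(".").rsplit(".", 1)
    folded = fold(to_unicode(label))
    if label == brand:                    # same name, possibly a swapped TLD
        return "exact" if tld == brand_tld else "typosquat"
    if folded == brand:                   # differs only in confusable glyphs
        return "homoglyph"
    if brand in folded:                   # brand plus a believable extra word
        return "combosquat"
    if osa_distance(folded, brand) <= 1:  # one keyboard slip away
        return "typosquat"
    return "unrelated"


def build_watchlist(domains, brand_domain=BRAND_DOMAIN):
    """Group observed domains by lookalike type, dropping exact and unrelated ones."""
    groups = {}
    for d in domains:
        kind = classify(d, brand_domain)
        if kind not in ("exact", "unrelated"):
            groups.setdefault(kind, []).append(d)
    return groups
```

Feed it the output of your enumeration step (for example, every domain sharing a registrar or TLS issuer with a known lookalike) and the "homoglyph" and "combosquat" buckets are the ones most worth a registrar abuse report first.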
The economics favour the attacker — registration is cheap and instant. The defence is to make the cost of staying up higher than the cost of moving on.