Domain Squatting and Typosquatting: How to Detect and Defend Against Brand Impersonation
Typosquatters register domains like examp1e.com and brand-support.com to phish customers and intercept traffic. Here are the patterns attackers use, how to monitor for lookalike registrations using CT logs and DNSTwist, a defensive registration strategy, and UDRP dispute resolution.
By sadiqbd · June 9, 2026
Cybercriminals register domains designed to look like yours, and most brand owners don't know until it's too late
Domain squatting, typosquatting, and brand impersonation through domains are among the most common vectors for phishing, brand damage, and customer confusion. The defensive playbook (monitoring for lookalike registrations, understanding dispute resolution options, and preemptively registering variations) starts with understanding what attackers actually do.
Typosquatting patterns: how attackers construct lookalike domains
Typosquatters register domains that capitalise on common typing errors or visual similarities. The main patterns:
- Character transposition (adjacent letters swapped): examlpe.com instead of example.com; amoazon.com instead of amazon.com
- Missing letter: exampl.com instead of example.com; googl.com instead of google.com
- Extra letter: examplle.com instead of example.com; microsofft.com instead of microsoft.com
- Character substitution (homoglyphs): examp1e.com (digit 1 instead of letter l); rn appearing as m in some fonts, so rnarket.com looks like market.com
- Hyphenation: my-bank.com instead of mybank.com (or vice versa); example-secure.com instead of example.com
- TLD variation: example.net, example.org, example.co when the brand domain is example.com; country-code TLDs such as example.co.uk, example.de
- Combosquatting: examplesupport.com, examplesecure.com, examplelogin.com, i.e. legitimate-looking subpages of a brand registered as domains
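A small generator for the patterns listed above, added here as an example; it is not the article's code and not DNSTwist, and the homoglyph map, the combosquatting words and the alternative TLD list are assumptions made for the example.

```python
# Added example (not the article's code and not DNSTwist): generate candidate
# lookalike domains for each pattern described above, so they can be checked
# for registration or put on a defensive-registration list.

# Homoglyph map, combosquatting words and alternative TLDs are constructed for this example.
HOMOGLYPHS = {"l": ["1", "i"], "i": ["1", "l"], "o": ["0"], "m": ["rn"],
              "w": ["vv"], "e": ["3"], "a": ["4"]}
COMBO_WORDS = ["support", "secure", "login", "help", "account"]
ALT_TLDS = ["net", "org", "co", "io", "co.uk", "de"]

def lookalikes(domain):
    """Return candidate lookalike domains grouped by the pattern that produced them."""
    label, tld = domain.split(".", 1)
    patterns = ("transposition", "omission", "insertion", "homoglyph",
                "hyphenation", "tld", "combosquat")
    out = {p: set() for p in patterns}
    n = len(label)
    # Character transposition: swap each pair of adjacent letters
    for i in range(n - 1):
        s = list(label)
        s[i], s[i + 1] = s[i + 1], s[i]
        out["transposition"].add("".join(s) + "." + tld)
    # Missing letter: drop one character
    for i in range(n):
        out["omission"].add(label[:i] + label[i + 1:] + "." + tld)
    # Extra letter: double one character (the usual fat-finger insertion)
    for i in range(n):
        out["insertion"].add(label[:i + 1] + label[i] + label[i + 1:] + "." + tld)
    # Character substitution: replace one character with a homoglyph
    for i, ch in enumerate(label):
        for sub in HOMOGLYPHS.get(ch, []):
            out["homoglyph"].add(label[:i] + sub + label[i + 1:] + "." + tld)
    # Hyphenation: remove an existing hyphen, or insert one at each position
    if "-" in label:
        out["hyphenation"].add(label.replace("-", "") + "." + tld)
    else:
        for i in range(1, n):
            out["hyphenation"].add(label[:i] + "-" + label[i:] + "." + tld)
    # TLD variation: same label under other common TLDs
    for t in ALT_TLDS:
        if t != tld:
            out["tld"].add(label + "." + t)
    # Combosquatting: brand plus a plausible word, with and without a hyphen
    for w in COMBO_WORDS:
        out["combosquat"].update({label + w + "." + tld, label + "-" + w + "." + tld})
    for names in out.values():      # never list the real domain itself
        names.discard(domain)
    return out
```

Feeding the output to a WHOIS or DNS check (or to DNSTwist itself) tells you which candidates are already registered.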
What attackers do with lookalike domains
Phishing: the most common use. Lookalike domains host convincing copies of login pages. Victims navigate to m1crosoft.com instead of microsoft.com and enter credentials.
Business email compromise (BEC): attackers register company-name.com (with a hyphen) and send emails from invoice@company-name.com to employees and suppliers. The domain looks legitimate enough to fool non-vigilant recipients.
Brand damage and confusion: competitors or disgruntled individuals register brand domains with negative additions (mycompany-sucks.com, mycompany-complaints.com).
Traffic diversion: intercepting customers who mistype the URL and redirecting them to competitor products.
Ad fraud and affiliate fraud: lookalike domains that redirect through affiliate links, capturing commission on customers who type the URL slightly wrong.
Monitoring for lookalike domain registrations
Several tools provide real-time or near-real-time alerting when new domains similar to yours are registered:
DNSTwist: open-source tool that generates permutations of a domain name and checks which ones are registered. The web interface at dnstwist.it provides a quick scan.
Brand monitors:
- DomainTools Iris: commercial, comprehensive monitoring
- Bolster (CheckPhish): free tier available, focuses on phishing detection
- MarkMonitor: enterprise brand protection, monitors registrations and content
- Google Alerts: free but reactive; creates alerts for your brand name appearing on new pages
Certificate Transparency monitoring: new SSL certificates are logged in public CT logs. Monitoring CT logs for certificates issued to domains containing your brand name provides early warning, since attackers usually get a certificate before launching a phishing campaign.
Tools: Cert Spotter, crt.sh alerts, Facebook Certificate Transparency Monitoring.
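As an added example (not the article's code and not from any of the tools named), a matcher that runs over constructed CT records, loosely modelled on crt.sh's JSON output, and flags certificate names that resemble the brand label by homoglyph folding, single-typo edit distance or brand-plus-word combosquatting; the brand, its legitimate domains and the homoglyph map are assumptions.

```python
# Added example (not the article's code and not from any CT monitoring product):
# flag hostnames in Certificate Transparency records that resemble the brand label.
import json
BRAND = "example"                              # protected brand label (assumed)
OWN_DOMAINS = {"example.com", "example.net"}   # legitimate domains, never flagged
HOMOGLYPHS = {"rn": "m", "vv": "w", "1": "l", "0": "o", "3": "e", "4": "a"}  # constructed map
# Constructed sample records, loosely modelled on crt.sh JSON; name_value lists every SAN.
CT_RECORDS = json.loads("""[
 {"not_before": "2026-06-01T10:00:00", "name_value": "login.example.com\\nexample.com"},
 {"not_before": "2026-06-02T08:30:00", "name_value": "examp1e.com\\nwww.examp1e.com"},
 {"not_before": "2026-06-02T09:15:00", "name_value": "example-support.com"},
 {"not_before": "2026-06-03T11:45:00", "name_value": "exarnple.net"},
 {"not_before": "2026-06-03T12:00:00", "name_value": "examlpe.com"}]""")

def normalise(label):
    """Lower-case and fold common homoglyphs back to the letters they imitate."""
    label = label.lower()
    for glyph, letter in HOMOGLYPHS.items():
        label = label.replace(glyph, letter)
    return label

def edit_distance(a, b):
    """Optimal string alignment distance: Levenshtein plus adjacent transposition."""
    rows = [list(range(len(b) + 1))]
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cost = min(rows[-1][j] + 1, cur[j - 1] + 1, rows[-1][j - 1] + (ca != cb))
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                cost = min(cost, rows[-2][j - 2] + 1)
            cur.append(cost)
        rows.append(cur)
    return rows[-1][-1]

def classify(hostname):
    """Return why a hostname resembles the brand, or None if it does not."""
    registrable = ".".join(hostname.lower().split(".")[-2:])  # crude: ignores co.uk-style TLDs
    if registrable in OWN_DOMAINS:
        return None
    label = registrable.split(".")[0]
    norm = normalise(label)
    if norm == BRAND:
        return "tld-variant" if label == BRAND else "homoglyph"
    if edit_distance(norm, BRAND) == 1:
        return "typo"
    return "combosquat" if BRAND in norm else None

def suspicious_hosts(records):
    return [(rec["not_before"], host, classify(host)) for rec in records
            for host in rec["name_value"].split("\n") if classify(host)]
```

Each hit carries the certificate's not_before timestamp, which is the moment to start looking at the domain, usually before any phishing page goes live.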
Defensive domain registration
Proactively registering common typosquatting variants eliminates the attack surface for those specific domains.
Priority registrations:
- Common TLDs: .com, .net, .org, .co, .io
- Country codes for key markets: .co.uk, .de, .fr, .com.au
- Common typos of your primary domain (based on DNSTwist output)
- Hyphenated and dehyphenated variants
- Brand + common words: brand-support.com, brand-login.com
Cost-benefit calculation: domain registrations typically cost $10–20/year each. 20 defensive registrations = $200–400/year. A single successful phishing attack against customers costs far more in reputation damage and incident response.
What to do with defensive registrations: point all variants to your primary domain via 301 redirect. This prevents them from being used against you and ensures visitors who mistype still reach you.
UDRP: the dispute resolution process for existing squatted domains
If a cybersquatter has already registered a domain you want, the Uniform Domain Name Dispute Resolution Policy (UDRP) provides an alternative to expensive litigation.
UDRP eligibility: you must demonstrate all three:
- The domain is identical or confusingly similar to your trademark
- The registrant has no legitimate rights or interests in the domain
- The domain was registered and is being used in bad faith
Process:
- Filed with an ICANN-accredited dispute resolution provider (WIPO, NAF, or others)
- Average cost: $1,500–3,000 (single-panel); $4,000–5,000 (three-panel)
- Average time: 45–60 days to decision
Outcomes: the most common remedy is domain transfer to the complainant. Cancellation is also available. Domain sales involving bad faith don't produce transfer fees.
Success rate: roughly 80–85% of UDRP cases are decided in favour of complainants, reflecting that most filed cases involve clear bad faith.
How to use the WHOIS Lookup on sadiqbd.com
For brand protection:
- Enter suspected lookalike domain
- Check registration date: a recent registration after your product launch or news coverage suggests squatting
- Check registrar: some registrars are known to be more permissive with squatted domains
- Check contact information: often privacy-masked, but sometimes reveals patterns
- Compare with your legitimate domain's registration date and structure
Frequently Asked Questions
How do I know if a lookalike domain is being used for phishing? Check whether it has an SSL certificate (crt.sh), whether it has MX records (could be used for BEC email), and whether it has any web content (screenshot tools like urlscan.io show what's hosted). Active phishing pages typically have certificates and functional login forms.
Can I register a domain similar to a competitor to redirect their mistyped traffic? This is likely illegal in most jurisdictions (trademark infringement, consumer deception) and violates registrar policies. Defensive registration of your own brand variants is legitimate; predatory registration of competitor domains is not.
Is the WHOIS Lookup free? Yes, completely free, no sign-up required.
Domain monitoring is the brand protection investment with the highest return per dollar. A $200/year defensive registration programme and a CT log alert service prevent the phishing campaigns and brand confusion that cost far more to remediate.
Try the WHOIS Lookup free at sadiqbd.com and check domain registration, expiry, and registrar for any domain instantly.