Your finance manager receives an email from what appears to be your cloud storage provider. The branding is perfect, the message is urgent, and the login link looks legitimate. She clicks, enters her credentials, and nothing seems to happen — so she tries again. Within minutes, an attacker has her username and password. The trick? The domain in the link was not dropbox.com but dr0pbox.com — a zero instead of an "o." This is typosquatting, and it remains one of the most effective and underestimated attack vectors in cybersecurity.

TL;DR — Key Takeaways

  • Learn how typosquatting attacks use lookalike domains to steal credentials and deliver malware
  • Understand how typosquatting works, from domain registration to credential capture
  • Identify common typosquatting techniques before they impact your business

Visual Overview

flowchart LR
    A["User Mistypes URL"] --> B["Lands on Fake Domain"]
    B --> C["Looks Like Real Site"]
    C --> D["Enters Credentials"]
    D --> E["Attacker Captures Data"]
  

Typosquatting — also known as URL hijacking or domain mimicry — exploits the simple fact that humans make mistakes when reading and typing web addresses. Attackers register domains that are nearly identical to legitimate ones and use them to steal credentials, distribute malware, or intercept sensitive communications. Understanding how these attacks work is essential for protecting your organisation.

How Typosquatting Works

The fundamental principle is deceptively simple. Attackers identify high-value target domains — popular services your employees use daily — and register variations that look almost identical. They then build convincing replicas of the legitimate websites and drive traffic to them through phishing emails, search engine manipulation, or simply waiting for users to make typing errors.

The attack chain typically follows this pattern:

  1. Domain registration: The attacker registers one or more domains that closely resemble a legitimate target domain.
  2. Website cloning: They create a near-perfect copy of the legitimate website, including branding, layout, and functionality — often using AI-powered tools that can clone a site in seconds.
  3. SSL certificate acquisition: The attacker obtains a free SSL certificate (from services like Let's Encrypt) so the fake site displays the padlock icon, lending false credibility. The padlock only confirms that the connection to that domain is encrypted; it says nothing about who controls the domain.
  4. Traffic generation: Victims are directed to the fake domain through phishing emails, malicious advertisements, or organic typos.
  5. Credential harvesting or malware delivery: When victims interact with the fake site — entering login credentials, downloading files, or providing personal information — the attacker captures everything.

Common Typosquatting Techniques

Attackers employ a variety of techniques to create convincing lookalike domains. Understanding these methods helps your team recognise them.

Character Substitution

Replacing one character with a visually similar one is the most common technique. Examples include:

  • Replacing "o" with "0" (zero): micros0ft.com
  • Replacing "l" (lowercase L) with "1" (one): pay1pal.com
  • Replacing "i" with "l": llnkedin.com
  • Swapping "rn" for "m": arnazon.com (the "rn" resembles "m" in many fonts)

Character Omission and Addition

Removing or adding a single character creates domains that victims easily overlook:

  • Omission: gogle.com instead of google.com
  • Addition: googgle.com with a doubled letter
  • Missing dot in subdomains: wwwgoogle.com instead of www.google.com

Character Transposition

Swapping the order of adjacent characters exploits common typing mistakes:

  • googel.com instead of google.com
  • microsotf.com instead of microsoft.com

TLD Variations

Registering the same domain name under a different top-level domain (TLD) is extremely effective because users rarely verify TLDs:

  • company.co instead of company.com
  • company.org instead of company.com
  • company.net, company.io, company.com.co

Homoglyph Attacks (IDN Homograph Attacks)

This is the most sophisticated and dangerous variant. Attackers use characters from non-Latin scripts (Cyrillic, Greek, Armenian) that are visually identical to Latin letters. For example, the Cyrillic "а" (U+0430) looks identical to the Latin "a" (U+0061) in most fonts, but they are entirely different characters. A domain like аpple.com using a Cyrillic "a" would appear identical to apple.com in a browser's address bar.

Homoglyph attacks are particularly insidious because even careful, security-conscious users cannot visually distinguish the fake domain from the real one. This is why technical controls matter as much as training.

Subdomain Abuse

Attackers register a domain and use subdomains to create convincing URLs:

  • login.microsoft.com.attacker-domain.com
  • secure.paypal.com.verify-account.net

Many users look only at the beginning of a URL and see the trusted brand name, missing the fact that the actual domain is different.
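As an added example that is not code from the original article, the following Python URL checker applies the checks the sections above describe: it converts the host to its punycode form, flags labels that mix scripts (the homoglyph case), works out the registrable domain so that login.microsoft.com.attacker-domain.com is attributed to attacker-domain.com rather than microsoft.com, and notes when a trusted brand name appears in a host that the brand does not own. The public-suffix table and the trusted-domain list are constructed stand-ins; production code should load the full Public Suffix List and your own allow-list.

```python
import unicodedata
from urllib.parse import urlsplit

# Constructed stand-in for the Public Suffix List (https://publicsuffix.org/).
# Multi-label suffixes matter: company.com.co is registered under "com.co".
PUBLIC_SUFFIXES = {"com", "net", "org", "io", "co", "com.co", "co.uk"}

# Constructed allow-list of domains your staff legitimately log in to.
TRUSTED_DOMAINS = {"microsoft.com", "paypal.com", "apple.com", "dropbox.com"}


def to_ascii(host: str) -> str:
    """Punycode (xn--) form of a host, which is what a browser shows for a risky IDN."""
    return host.encode("idna").decode("ascii")


def label_scripts(label: str) -> set:
    """Unicode scripts of the letters in one label, e.g. {'LATIN', 'CYRILLIC'}."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}


def registrable_domain(host: str) -> str:
    """The labels the registrant controls: the public suffix plus one more label."""
    labels = host.lower().rstrip(".").split(".")
    # Walk from the longest tail to the shortest so "com.co" matches before "co".
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels[-2:])


def inspect_url(url: str) -> dict:
    """Explain why a URL should or should not be trusted for credential entry."""
    host = (urlsplit(url).hostname or "").rstrip(".")
    ascii_host = to_ascii(host)
    domain = registrable_domain(ascii_host)
    trusted = domain in TRUSTED_DOMAINS
    findings = []
    if ascii_host != host.lower():
        findings.append(f"internationalised host; browser may display it as {ascii_host}")
    for label in host.split("."):
        scripts = label_scripts(label)
        if len(scripts) > 1:
            findings.append(f"label '{label}' mixes scripts {sorted(scripts)} (homoglyph suspect)")
        elif scripts and scripts != {"LATIN"}:
            findings.append(f"label '{label}' is written in {scripts.pop()} script")
    if not trusted:
        # A brand name anywhere in the host of a domain the brand does not own
        # is the subdomain-abuse pattern (login.microsoft.com.attacker-domain.com).
        for brand in TRUSTED_DOMAINS:
            name = brand.split(".")[0]
            if name in ascii_host:
                findings.append(f"mentions '{name}' but the registrable domain is {domain}")
    return {"host": host, "ascii_host": ascii_host, "registrable_domain": domain,
            "trusted": trusted, "findings": findings}


if __name__ == "__main__":
    for sample in ("https://login.microsoft.com/", "https://login.microsoft.com.attacker-domain.com/account",
                   "https://\u0430pple.com/login", "https://company.com.co/"):
        print(inspect_url(sample))
```

The registrable-domain step is the one most people skip when reading a URL by eye: the browser's address bar highlights it precisely because everything to its left is under the registrant's control.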

Real-World Impact

Typosquatting is not a theoretical risk. It causes measurable damage across every industry:

  • Credential theft at scale: A single typosquatted Microsoft 365 login page can harvest thousands of credentials before being detected, leading to business email compromise and data breaches.
  • Supply chain attacks: In software development, typosquatting in package registries (registering packages with names similar to popular libraries) has been used to inject malicious code into development pipelines.
  • Financial fraud: Attackers create typosquatted domains of banks and payment providers to intercept financial transactions and steal funds.
  • Malware distribution: Fake download pages for popular software serve trojanised installers that compromise the victim's machine.

Defending Your Organisation

Technical Controls

Implement layered technical defences that reduce your exposure to typosquatting attacks:

  • DNS filtering: Deploy a DNS filtering service that blocks known typosquatted domains. Services like Cloudflare Gateway, Cisco Umbrella, and DNSFilter maintain constantly updated databases of malicious domains.
  • Email authentication: Implement SPF, DKIM, and DMARC on your own domains to prevent attackers from sending email that appears to come from your organisation. This protects your customers and partners from phishing that uses your brand.
  • Web browser protections: Modern browsers include protections against IDN homograph attacks: when a domain label mixes scripts or otherwise fails the browser's IDN display policy, the address bar shows the punycode (xn--) form instead of the deceptive visual representation. Ensure your organisation's browsers are up to date.
  • URL filtering and web proxies: Configure web proxies to categorise and block newly registered domains, which are frequently used for typosquatting. Legitimate new domains can be whitelisted as needed.
  • Email link scanning: Deploy an AI-powered email security gateway that analyses URLs in incoming emails, following redirects and checking final destinations against threat intelligence databases.

Domain Monitoring and Defensive Registration

Proactive domain monitoring allows you to identify typosquatted versions of your own domain before they are used in attacks:

  • Register common variations: Purchase the most obvious misspellings and TLD variations of your primary domain and redirect them to your legitimate site.
  • Use domain monitoring services: Tools like DomainTools, PhishLabs, and RiskIQ continuously monitor for newly registered domains that resemble yours and alert you when they appear.
  • Takedown procedures: When you discover a typosquatted domain, initiate a takedown through the domain registrar, your legal team, or services like Netcraft that specialise in rapid domain takedowns.
  • Certificate Transparency monitoring: Monitor Certificate Transparency logs for SSL certificates issued to domains similar to yours. Because publicly trusted certificates are logged at issuance, an attacker who registers a lookalike domain and obtains a certificate will trigger an alert, often before the site is used in a campaign.

Employee Training

Technical controls catch most typosquatting attempts, but trained employees provide the essential last line of defence. Your security awareness training should include:

  • URL verification habits: Teach employees to carefully check the full URL before entering credentials, paying attention to subtle character substitutions and unexpected TLDs.
  • Bookmark critical sites: Encourage employees to use bookmarks for frequently accessed business applications rather than typing URLs or clicking email links.
  • Password manager integration: Password managers will not auto-fill credentials on a typosquatted domain because the domain does not match their records. This provides an automatic safety net — if the password manager does not offer to fill credentials, it is a strong signal that something is wrong.
  • Phishing simulations: Include typosquatting scenarios in your regular phishing simulations so employees practise identifying lookalike domains in a safe environment.
  • Reporting culture: Create a blame-free reporting culture where employees feel comfortable flagging suspicious URLs without fear of punishment.

Building a Typosquatting Response Plan

When a typosquatting attack is detected, time is critical. Establish a clear response plan:

  1. Identify affected users: Determine which employees may have interacted with the typosquatted domain.
  2. Reset credentials: Immediately reset passwords for any accounts that may have been compromised.
  3. Block the domain: Add the typosquatted domain to your DNS filter and email gateway blocklists.
  4. Investigate scope: Check authentication logs for suspicious activity from potentially compromised accounts.
  5. Initiate takedown: Contact the domain registrar and relevant abuse reporting channels to have the domain taken down.
  6. Communicate: Notify affected employees and, if customer data may have been exposed, follow your breach notification procedures.
  7. Learn and adapt: Use the incident to improve your defences and update training materials with the real-world example.
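As an added example that is not part of the article, the following Python sketch automates steps 1, 3 and 4 of the plan above against constructed proxy and authentication log lines: it finds which users reached the lookalike domain and when, treats each exposed user's successful pre-exposure login IPs as a baseline, and flags successful logins from new IPs after exposure for the investigation in step 4. The log formats, user names, IPs and the dr0pbox.com domain from the opening scenario are all assumptions; real proxy, DNS and identity-provider logs need their own parsers.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample logs: "timestamp user host status" and "timestamp user source_ip result".
PROXY_LOG = """\
2024-05-02T09:12:03Z alice dr0pbox.com 200
2024-05-02T09:12:40Z bob dropbox.com 200
2024-05-02T09:15:11Z carol dr0pbox.com 200
2024-05-02T11:02:57Z dave example.org 200
"""
AUTH_LOG = """\
2024-05-02T08:50:00Z alice 203.0.113.10 success
2024-05-02T08:55:41Z carol 203.0.113.22 success
2024-05-02T09:40:12Z alice 198.51.100.77 success
2024-05-02T09:45:30Z carol 203.0.113.22 success
2024-05-02T10:10:09Z carol 192.0.2.200 failure
2024-05-02T10:11:15Z carol 192.0.2.200 success
2024-05-02T12:00:00Z bob 203.0.113.30 success
"""
LOOKALIKE_DOMAINS = {"dr0pbox.com"}


def parse_log(text: str) -> list:
    """Split space-separated log lines into fields, skipping blank lines."""
    return [line.split() for line in text.splitlines() if line.strip()]


def when(stamp: str) -> datetime:
    return datetime.strptime(stamp, "%Y-%m-%dT%H:%M:%SZ")


def exposed_users(proxy_log: str, lookalikes: set) -> dict:
    """Step 1: users who reached a lookalike domain, mapped to their earliest contact time."""
    first_contact = {}
    for stamp, user, host, _status in parse_log(proxy_log):
        if host in lookalikes:
            t = when(stamp)
            first_contact[user] = min(first_contact.get(user, t), t)
    return first_contact


def suspicious_logins(auth_log: str, first_contact: dict) -> list:
    """Step 4: successful logins by exposed users, after exposure, from IPs not seen before it."""
    events = parse_log(auth_log)
    baseline = defaultdict(set)
    for stamp, user, ip, result in events:      # first pass: pre-exposure successful IPs
        if user in first_contact and result == "success" and when(stamp) < first_contact[user]:
            baseline[user].add(ip)
    flagged = []
    for stamp, user, ip, result in events:      # second pass: post-exposure logins
        if (user in first_contact and result == "success"
                and when(stamp) >= first_contact[user] and ip not in baseline[user]):
            flagged.append((user, ip, stamp))
    return flagged


def response_summary(proxy_log: str, auth_log: str, lookalikes: set) -> dict:
    """Bundle what the plan needs: accounts to reset, logins to review, domains to block."""
    first_contact = exposed_users(proxy_log, lookalikes)
    return {
        "reset_accounts": sorted(first_contact),
        "review_logins": suspicious_logins(auth_log, first_contact),
        "block_domains": sorted(lookalikes),
    }


if __name__ == "__main__":
    for key, value in response_summary(PROXY_LOG, AUTH_LOG, LOOKALIKE_DOMAINS).items():
        print(key, value)
```

A user with no pre-exposure history has an empty baseline, so every post-exposure login is listed for review; that is the right default during an incident, since the cost of one extra look is far lower than a missed session from a stolen credential.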

The Intersection of AI and Typosquatting

Artificial intelligence is making typosquatting both more dangerous and more detectable. On the attack side, AI tools can automatically generate thousands of plausible domain variations, clone websites instantly, and craft personalised phishing emails that direct victims to typosquatted domains. On the defence side, AI-powered threat detection can analyse domain registration patterns, identify visual similarities between legitimate and suspicious domains, and detect anomalous DNS traffic that may indicate employees are visiting typosquatted sites.

Typosquatting exploits the gap between human perception and digital precision. A single misread character can lead to credential theft, malware infection, or financial loss. By combining technical controls, proactive domain monitoring, and consistent employee training, your organisation can close this gap and ensure that lookalike domains lose their power to deceive. The defences are straightforward and affordable — what they require is awareness, diligence, and the commitment to implement them consistently.