
Typosquat Phishing: How Attackers Register Your Lookalike Domains

Attackers register domains that look like yours — one character off, a different TLD, a homoglyph substitution — and use them for phishing campaigns. Here's how it works and how to find lookalike domains targeting your brand.


Attackers spend $10 on a lookalike domain — paypa1.com, yourbrand.co — then host a clone of your login page and send mail that almost passes the eye test. Your DMARC on the real domain doesn't stop mail from a different domain.

How typosquat phishing works

Step 1 — Register a lookalike: The attacker registers something like paypa1.com (l→1) or paypal.co (TLD swap). The cost is $10-15/year.

Step 2 — Set up infrastructure: They configure MX records, create email accounts, and sometimes clone your entire website on the domain.

Step 3 — Send phishing email: Emails appear to come from support@paypa1.com — close enough that users don't notice. Links go to a cloned version of your site.

Step 4 — Harvest credentials: Users enter usernames and passwords on the fake site. Attackers collect them.

Common lookalike techniques

Homoglyph: paypa1.com (l→1)
Missing char: paypl.com
Doubled char: paypall.com
TLD swap: paypal.co, paypal.net
Prefix: mypaypal.com, getpaypal.com
Suffix: paypalapp.com
Subdomain: paypal.com.attacker.com

How to find lookalikes

Run DomainPreflight Typosquat Monitor — it generates 30-50 variants of your domain and checks which ones resolve to active websites. A resolving domain is higher risk than a registered-but-parked domain — active sites can be hosting phishing.
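To make the technique list above and the resolve check concrete, here is an added example (not DomainPreflight's code) that generates the variant classes for a domain and reports which of them resolve. The homoglyph pairs beyond l→1, the prefix/suffix words and the fake_resolver stub are assumptions made for the example.

```python
import socket
# Substitution and affix tables built from the page's technique list; the extra
# homoglyph pairs beyond l->1 and the affix words are constructed samples.
HOMOGLYPHS = {"l": "1", "i": "1", "o": "0", "e": "3", "a": "4", "s": "5"}
TLD_SWAPS = ["co", "net", "org"]
PREFIXES = ["my", "get"]
SUFFIXES = ["app", "login"]


def lookalikes(domain):
    """Return sorted lookalike variants of a domain such as paypal.com."""
    label, tld = domain.rsplit(".", 1)
    variants = set()
    for i, ch in enumerate(label):
        if ch in HOMOGLYPHS:  # Homoglyph: swap one character (paypal -> paypa1)
            variants.add(label[:i] + HOMOGLYPHS[ch] + label[i + 1:] + "." + tld)
        # Missing char (paypal -> paypl) and doubled char (paypal -> paypall)
        variants.add(label[:i] + label[i + 1:] + "." + tld)
        variants.add(label[:i + 1] + ch + label[i + 1:] + "." + tld)
    for t in TLD_SWAPS:  # TLD swap (paypal.com -> paypal.co)
        if t != tld:
            variants.add(label + "." + t)
    for p in PREFIXES:  # Prefix (paypal -> mypaypal)
        variants.add(p + label + "." + tld)
    for s in SUFFIXES:  # Suffix (paypal -> paypalapp)
        variants.add(label + s + "." + tld)
    variants.discard(domain)
    return sorted(variants)


def resolving(variants, resolver=socket.gethostbyname):
    """Return {variant: address} for the variants that resolve to an address."""
    active = {}
    for name in variants:
        try:
            active[name] = resolver(name)
        except OSError:  # socket.gaierror (NXDOMAIN etc.) is an OSError subclass
            continue
    return active


# Constructed stand-in for live DNS so this runs offline; omit the resolver argument for real lookups.
FAKE_DNS = {"paypa1.com": "198.51.100.7"}


def fake_resolver(name):
    if name in FAKE_DNS:
        return FAKE_DNS[name]
    raise socket.gaierror(f"{name}: no such host")


if __name__ == "__main__":
    for name, addr in resolving(lookalikes("paypal.com"), fake_resolver).items():
        print("ACTIVE", name, addr)  # prints: ACTIVE paypa1.com 198.51.100.7
```

A variant that resolves is the one to check first, as the paragraph above notes; a registered-but-parked one can be tracked for later changes.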

Defensive registration: Consider registering your highest-risk variants. The cost is small compared to the damage from an active phishing campaign.


FAQ

What is a typosquat phishing domain?

A domain registered to look like a legitimate brand — one character off, different TLD, or homoglyph swap — used to host phishing pages or send phishing email.

How do I find domains impersonating my brand?

Run DomainPreflight Typosquat Monitor — it checks 30-50 lookalike variants via live DNS and reports which ones resolve.

Should I register lookalike domains defensively?

For high-risk variants (homoglyphs, common TLD swaps) — yes. The cost is low. The alternative is letting attackers register them.

What if I find a phishing domain using my brand?

Report to the registrar's abuse team, the hosting provider's abuse contact, and Google Safe Browsing (safebrowsing.google.com/safebrowsing/report_phish/).

Can DMARC protect against typosquat phishing?

Only for your actual domain. DMARC on yourdomain.com doesn't protect against email from paypa1.com — that's a different domain with its own DNS.