What is Typosquatting?
Typosquatting is the practice of registering domain names that closely resemble a legitimate brand, betting that some users will mistype the real address and land on the impostor instead. These lookalike domains are a staple of phishing and brand abuse, and because they belong to the attacker, the only practical defenses are anticipating and monitoring for them.
What is typosquatting?
Typosquatting, sometimes called URL hijacking, is the registration of domain names that closely resemble a legitimate one in the hope that users will mistype the real address. The squatted domain might host a phishing page, redirect to a competitor or affiliate offer, serve ads, or simply sit waiting to be sold. Because the domain belongs to whoever registered it, the brand being impersonated cannot just remove a record — it has to anticipate and respond to the lookalike.
Common typosquatting techniques
Most squatted domains are built from a small set of predictable transformations:
- Misspellings — a single wrong or doubled letter, such as `exmaple.com` or `exammple.com`.
- TLD swaps — keeping the name but changing the ending, like `example.co` or `example.net` instead of `example.com`.
- Added or omitted characters — inserting or dropping a letter, for example `exampple.com` or `exampl.com`.
- Transposed letters — swapping adjacent characters that are easy to fat-finger, such as `examlpe.com`.
- Hyphenation tricks — adding or removing hyphens, like `ex-ample.com`.
The risks of typosquatting
- Phishing and credential theft — a lookalike domain hosts a convincing copy of your login page to harvest usernames and passwords.
- Payment fraud — fake checkout or invoice pages capture card details from users who believe they are on the real site.
- Brand abuse — squatters trade on your reputation to sell counterfeit goods, run scams, or push unwanted ads.
- Email impersonation — a lookalike domain can also send mail that appears to come from your company.
How to defend against typosquatting
- Register defensively — claim the most likely misspellings and the common top-level domains for your brand, then redirect them to your real site.
- Monitor for new registrations — you cannot register every variant, so watch for lookalikes as they appear. Similar domain detection surfaces newly registered domains that resemble yours so you can react quickly.
- Have a takedown path ready — know your process for registrar complaints, host abuse reports, and dispute procedures before you need it.
This is one piece of broader DNS security best practices.
Detecting lookalike domains
The earlier you spot a lookalike, the more options you have — often before any phishing campaign goes live. Continuous monitoring watches for newly registered domains that are close variants of yours and alerts you so you can investigate and act. A closely related threat uses Unicode lookalike characters rather than typos; see homograph attacks for how those work and why they can be even harder to notice.
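The following Python script is an added example, not code from the original page or from any product it mentions. It puts the two defensive steps above into practice: it generates the lookalikes a brand might register or watch for using the five transformations listed under "Common typosquatting techniques", then screens a feed of newly registered domains against them. The brand (`example.com`), the partial QWERTY neighbour table, the TLD list and the registration feed are all constructed for illustration. It also goes slightly beyond the fixed transformation set: an edit-distance check catches single-character changes the generator did not enumerate, and an `xn--` label is decoded with Python's standard `idna` codec and compared to the brand so that near-matching internationalised names are surfaced for homograph review.

```python
"""Generate typosquat variants of a brand domain and screen a feed of new
registrations against them.  Added example; every input below is constructed."""

import string

BRAND = "example.com"  # constructed brand domain

# Keys adjacent on a QWERTY keyboard; a wrong letter is usually a neighbour.
# Deliberately partial: extend it for real use.
QWERTY_NEIGHBOURS = {
    "a": "qwsz", "e": "wsdr", "l": "kop", "m": "njk",
    "p": "ol", "x": "zsdc",
}
COMMON_TLDS = ["com", "net", "org", "co", "io", "info"]

# Constructed feed of "newly registered" domains to screen.
NEW_REGISTRATIONS = [
    "examlpe.com",         # transposed letters
    "example.co",          # TLD swap
    "ex-ample.com",        # hyphenation trick
    "exampie.com",         # 'i' for 'l': not a keyboard neighbour, caught by edit distance
    "xn--exmple-cua.com",  # IDN label (punycode of "exämple"): homograph territory
    "exampleshop.com",     # unrelated extension of the name, should not be flagged
    "weather.com",         # unrelated, should not be flagged
]


def split_domain(domain):
    """Split 'example.com' into ('example', 'com')."""
    label, _, tld = domain.rpartition(".")
    return label, tld


def generate_variants(domain):
    """Return {variant_domain: technique}; the first technique to produce a
    variant is the one recorded for it."""
    label, tld = split_domain(domain)
    n = len(label)
    candidates = []  # (technique, label, tld)

    # Misspellings: a single wrong (neighbouring) or doubled letter.
    for i, ch in enumerate(label):
        for nb in QWERTY_NEIGHBOURS.get(ch, ""):
            candidates.append(("misspellings", label[:i] + nb + label[i + 1:], tld))
        candidates.append(("misspellings", label[:i] + ch + label[i:], tld))
    # TLD swaps: same name, different ending.
    for alt in COMMON_TLDS:
        if alt != tld:
            candidates.append(("tld swap", label, alt))
    # Added or omitted characters: drop one letter, or insert any letter anywhere.
    for i in range(n):
        candidates.append(("added or omitted characters", label[:i] + label[i + 1:], tld))
    for i in range(n + 1):
        for ch in string.ascii_lowercase:
            candidates.append(("added or omitted characters", label[:i] + ch + label[i:], tld))
    # Transposed letters: swap each adjacent pair.
    for i in range(n - 1):
        if label[i] != label[i + 1]:
            swapped = label[:i] + label[i + 1] + label[i] + label[i + 2:]
            candidates.append(("transposed letters", swapped, tld))
    # Hyphenation tricks: add a hyphen anywhere, or strip existing ones.
    for i in range(1, n):
        candidates.append(("hyphenation", label[:i] + "-" + label[i:], tld))
    if "-" in label:
        candidates.append(("hyphenation", label.replace("-", ""), tld))

    variants = {}
    for technique, lab, t in candidates:
        full = f"{lab}.{t}"
        if full != domain and full not in variants:
            variants[full] = technique
    return variants


def edit_distance(a, b):
    """Levenshtein distance via the standard dynamic-programming table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def screen_registrations(brand, feed, max_distance=1):
    """Return {domain: reason} for feed entries that resemble the brand."""
    variants = generate_variants(brand)
    brand_label, _ = split_domain(brand)
    hits = {}
    for domain in feed:
        domain = domain.lower().rstrip(".")
        label, _ = split_domain(domain)
        if domain in variants:
            hits[domain] = variants[domain]
        elif label.startswith("xn--"):
            # Internationalised label: decode it and compare; a near match is a
            # potential homograph and deserves manual review.
            try:
                decoded = label.encode("ascii").decode("idna")
            except UnicodeError:
                decoded = label
            if edit_distance(decoded, brand_label) <= max_distance:
                hits[domain] = "idn label near match (homograph review)"
        elif edit_distance(label, brand_label) <= max_distance:
            hits[domain] = f"near match (edit distance {edit_distance(label, brand_label)})"
    return hits


if __name__ == "__main__":
    for dom, reason in screen_registrations(BRAND, NEW_REGISTRATIONS).items():
        print(f"{dom:24} {reason}")
```

The generated set is the candidate list for defensive registration (trim it to the variants that matter for your brand), while `screen_registrations` is the monitoring half: point it at a real feed of new registrations and review every hit. The edit-distance threshold of 1 is conservative; raising it catches more but produces more noise on short names.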