What are lookalike domains?
A lookalike domain is any domain name that closely resembles a legitimate brand's domain, registered with the intent to deceive. The goal is to trick users into believing they are interacting with the real organisation. The deception might be as simple as swapping two adjacent letters or as sophisticated as using Unicode characters that are visually indistinguishable from standard Latin letters.
Lookalike domains are dangerous because they exploit human perception rather than technical vulnerabilities. A user who receives an email from a domain in which the “m” of the real name has been replaced with “rn” (two characters that most proportional fonts run together into something indistinguishable from an “m”) is unlikely to spot the difference at a glance, especially on a mobile device. The same applies to links embedded in emails, chat messages, or social media posts.
Unlike direct domain spoofing, which DMARC is designed to prevent, lookalike domains are entirely separate registrations. The attacker owns the domain, controls the DNS, and can set up their own SPF, DKIM, and DMARC records. From a technical standpoint, the emails they send are fully authenticated: SPF, DKIM and DMARC all pass, because they are evaluated against the attacker's domain, not yours. This makes lookalike attacks one of the hardest threats to detect with protocol-level controls alone.
Types of lookalike attacks
Attackers use several techniques to create convincing lookalike domains. Understanding each type helps you prioritise what to scan for.
Typosquatting (keyboard-adjacent substitutions)
Typosquatting targets common typing mistakes. Letters are swapped, doubled, omitted, or replaced with their keyboard neighbours. For example, if your domain is acmecorp.com, an attacker might register acmecrop.com or acmecopr.com (transposed letters), acnecorp.com (n sits next to m on a QWERTY keyboard), acmecorp.co (missing character), or acmeecorp.com (doubled letter). These are trivially cheap to register and can be set up with phishing pages within minutes.
Homoglyph and IDN attacks
Internationalised Domain Names (IDNs) allow the use of Unicode characters in domain names. This opens the door to homoglyph attacks, where visually identical characters from different scripts replace Latin letters. The Cyrillic “а” (U+0430) looks identical to the Latin “a” (U+0061) in most fonts. An attacker could register a domain using Cyrillic characters that renders identically to yours in a browser address bar; in DNS and on the wire it is an ASCII label beginning with xn-- (Punycode). Modern browsers display that Punycode form for mixed-script labels, but the protection is heuristic: a label made entirely of confusable characters from a single script is not mixed-script, so browsers fall back on separate whole-script confusable checks that vary by vendor, and older software and email clients may show the Unicode form regardless.
TLD variants
If your brand operates on acmecorp.com, an attacker might register acmecorp.net, acmecorp.co.uk, acmecorp.org, or acmecorp.io. These are especially effective when targeting users in specific regions. A UK employee might not question an email from the .co.uk variant of their company's .com domain.
Combosquatting
Combosquatting adds plausible words to the brand name. Examples include acmecorp-login.com, acmecorp-secure.com, or acmecorp-support.com. Research published by Georgia Tech found that combosquatting is even more prevalent than traditional typosquatting and is harder to detect because the permutations are nearly infinite.
Subdomain spoofing
Attackers register a generic domain and create subdomains that mimic the target brand. For example, acmecorp.com.login-secure.net or secure.acmecorp.evil-domain.com. To a casual reader, the presence of the real brand name in the URL is enough to establish trust. This technique is particularly effective in phishing emails where the full URL is truncated or hidden behind display text.
You can scan your domain for all of these attack types using our free Brand Protection Checker, which generates and tests hundreds of permutations in seconds.
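The permutation classes above are mechanical enough to generate yourself. The following Python script is an added example, not the page's Brand Protection Checker or any other tool's code: it produces candidates for each class for a given domain and renders IDN candidates the way DNS sees them (xn-- labels). Its keyboard-neighbour map, confusables table, TLD list and keyword list are assumed, illustrative subsets, and it only generates names; checking which of them are registered needs DNS or WHOIS queries it does not make.

```python
"""Lookalike-domain candidate generator (added example, not the page's tool)."""

# Assumed QWERTY neighbours: a subset sufficient for the acmecorp example.
QWERTY_NEIGHBOURS = {
    "a": "qwsz", "c": "xdfv", "e": "wsdr", "m": "njk", "o": "iklp",
    "p": "ol", "r": "edft",
}

# Assumed confusables: Latin-looking sequences and Cyrillic code points.
HOMOGLYPHS = {
    "a": ["\u0430"],        # CYRILLIC SMALL LETTER A
    "c": ["\u0441"],        # CYRILLIC SMALL LETTER ES
    "e": ["\u0435"],        # CYRILLIC SMALL LETTER IE
    "o": ["0", "\u043e"],   # digit zero, CYRILLIC SMALL LETTER O
    "p": ["\u0440"],        # CYRILLIC SMALL LETTER ER
    "m": ["rn"],            # the "rn" trick from the introduction
    "l": ["1", "I"],
}

TLDS = ["com", "co", "net", "org", "io", "co.uk"]      # assumed subset
KEYWORDS = ["login", "secure", "support", "billing"]   # assumed subset


def transpositions(name):
    """Swap each pair of adjacent letters (acmecorp -> acmecrop, acmecopr, ...)."""
    return {name[:i] + name[i + 1] + name[i] + name[i + 2:]
            for i in range(len(name) - 1) if name[i] != name[i + 1]}


def omissions(name):
    """Drop one letter (acmecorp -> acmecop, acmcorp, ...)."""
    return {name[:i] + name[i + 1:] for i in range(len(name))}


def doublings(name):
    """Repeat one letter (acmecorp -> acmeecorp, ...)."""
    return {name[:i] + ch + name[i:] for i, ch in enumerate(name)}


def adjacent_key(name):
    """Replace one letter with a keyboard neighbour (acmecorp -> acnecorp, ...)."""
    return {name[:i] + k + name[i + 1:]
            for i, ch in enumerate(name) for k in QWERTY_NEIGHBOURS.get(ch, "")}


def homoglyphs(name):
    """One confusable substitution per candidate; real tools also combine them."""
    return {name[:i] + g + name[i + 1:]
            for i, ch in enumerate(name) for g in HOMOGLYPHS.get(ch, [])}


def tld_variants(name, tld, tlds=TLDS):
    return {f"{name}.{t}" for t in tlds if t != tld}


def combosquats(name, tld, keywords=KEYWORDS):
    """Brand plus a plausible word, on either side (acmecorp-login.com, ...)."""
    return {f"{name}-{w}.{tld}" for w in keywords} | {f"{w}-{name}.{tld}" for w in keywords}


def to_ascii(domain):
    """Render an IDN the way DNS sees it (xn-- labels) with Python's idna codec."""
    return domain.encode("idna").decode("ascii")


def generate(domain):
    """Return {class: sorted candidate list} for a registrable domain."""
    name, tld = domain.split(".", 1)
    cands = {
        "transposition": {f"{c}.{tld}" for c in transpositions(name)},
        "omission": {f"{c}.{tld}" for c in omissions(name)},
        "doubling": {f"{c}.{tld}" for c in doublings(name)},
        "adjacent_key": {f"{c}.{tld}" for c in adjacent_key(name)},
        "homoglyph": {f"{c}.{tld}" for c in homoglyphs(name)},
        "tld_variant": tld_variants(name, tld),
        "combosquat": combosquats(name, tld),
    }
    return {k: sorted(v) for k, v in cands.items()}


if __name__ == "__main__":
    for kind, names in generate("acmecorp.com").items():
        shown = ", ".join(to_ascii(n) for n in names[:3])
        print(f"{kind:14} {len(names):3} candidates, e.g. {shown}")
```

Feed the generated list to a bulk DNS or RDAP lookup to find which candidates already resolve; the Cyrillic candidates must be submitted in their xn-- form, which is what to_ascii produces.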
Real-world impact
Lookalike domains are not a theoretical risk. They are actively exploited across every industry, and the consequences are severe.
- Phishing and credential harvesting. The most common use case. Attackers clone a login page on a lookalike domain, send a phishing email that passes SPF and DKIM (because they control the sending domain), and harvest credentials in real time. Victims have no reason to suspect the page is fake because the domain looks correct at first glance.
- Business email compromise (BEC). An attacker registers a lookalike of a supplier's domain and sends an invoice with updated bank details to the finance team. These attacks routinely result in six-figure losses. The FBI's IC3 annual report consistently places BEC among the highest-loss cybercrime categories.
- Brand and reputational damage. If customers receive phishing emails that appear to come from your organisation, trust erodes regardless of whether you were technically compromised. The perception of insecurity is enough to damage client relationships and generate negative press coverage.
- Supply chain attacks on MSPs. Managed service providers are high-value targets because a single compromised MSP can provide access to dozens of client environments. Our 2026 audit of 192 UK MSPs found widespread gaps in email authentication, which makes MSP domains attractive targets for lookalike impersonation.
How to detect lookalike domains
Detection is the first step. You cannot take action against a lookalike domain if you do not know it exists. There are three primary detection methods.
Automated permutation scanning
Tools like the ShieldMarc Brand Protection Checker generate thousands of permutations of your domain name (transpositions, substitutions, homoglyphs, TLD variants, combosquats) and check whether each one is registered. This gives you an immediate snapshot of the lookalike landscape around your brand.
Certificate Transparency logs
Publicly trusted TLS certificates are recorded in Certificate Transparency (CT) logs, because the major browsers refuse to trust a certificate without proof that it was logged. If an attacker registers a lookalike domain and obtains a certificate for it (which is trivial with free providers like Let's Encrypt), that certificate, including every name in its subject alternative name list, appears in the CT logs. Monitoring CT logs for names that match patterns similar to your brand can reveal lookalike domains as soon as they are activated, often before the first phishing email is sent. The caveat is that CT only sees domains that obtain a certificate: a phishing page served over plain HTTP, or a domain used only for sending email, never appears there, so CT monitoring complements permutation scanning rather than replacing it.
DNS and WHOIS monitoring
Periodically querying WHOIS data and DNS records for known lookalike permutations lets you track changes over time. A domain that was previously unregistered and suddenly resolves to an IP address, or gains MX records when it had none, is the strongest signal that it is being prepared for use. Changes to registrant details are a weaker one: since 2018 most registrars redact registrant data by default, so privacy protection on its own says little, whereas a change of registrar or name servers on a domain you are already watching is worth a look. Use our WHOIS Lookup to examine registration details for any suspicious domain.
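The matching step is the same whichever source the names come from. The following Python script is an added example (not the page's scanner or any CT tool's own code): given the names a CT monitor surfaces, it decodes xn-- labels, folds confusable characters to the Latin letters they imitate, and classifies each name into the lookalike classes described earlier. The confusables table is an assumed subset of Unicode's, the sample SAN list is constructed, and the registrable-name split assumes a single-label suffix; a real tool would use the Public Suffix List so that .co.uk and similar suffixes are handled.

```python
"""Classify certificate names against a brand (added example, not a product's code)."""
import unicodedata

BRAND, BRAND_TLD = "acmecorp", "com"

# Assumed skeleton table: lookalike sequence -> the Latin text it imitates.
CONFUSABLES = {
    "\u0430": "a", "\u0441": "c", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "rn": "m", "vv": "w", "0": "o", "1": "l",
}


def skeleton(label):
    """Fold a label to the ASCII string a reader would perceive it as."""
    s = unicodedata.normalize("NFKC", label.lower())
    for seq, repl in sorted(CONFUSABLES.items(), key=lambda kv: -len(kv[0])):
        s = s.replace(seq, repl)          # longer sequences (rn, vv) first
    return s


def decode_idna(host):
    """Split a host into labels, turning xn-- labels back into Unicode."""
    labels = []
    for label in host.split("."):
        if label.startswith("xn--"):
            try:
                label = label[4:].encode("ascii").decode("punycode")
            except UnicodeError:
                pass                      # malformed label: keep the raw form
        labels.append(label)
    return labels


def edit_distance(a, b):
    """Damerau-Levenshtein (optimal string alignment): a transposition costs 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def classify(san, brand=BRAND, brand_tld=BRAND_TLD):
    """Return the lookalike class for one SAN, or None if it is not suspicious."""
    host = san.lower()
    if host.startswith("*."):             # wildcard certificates name the zone
        host = host[2:]
    labels = decode_idna(host)
    if len(labels) < 2:
        return None
    name, tld, subs = labels[-2], labels[-1], labels[:-2]
    if name == brand and tld == brand_tld:
        return None                       # the brand's own certificate
    folded = skeleton(name)
    if name != brand and folded == brand:
        return "homoglyph"
    if name == brand:
        return "tld-variant"
    if brand in folded:
        return "combosquat"
    if any(brand in skeleton(s) for s in subs):
        return "subdomain-spoof"
    if edit_distance(folded, brand) <= 1:
        return "typosquat"
    return None


def triage(sans):
    """Map every suspicious SAN to its class; unsuspicious names are dropped."""
    hits = {}
    for san in sans:
        kind = classify(san)
        if kind:
            hits[san] = kind
    return hits


# Constructed sample of SANs, as a CT monitor might surface them.
SAMPLE_SANS = [
    "acmecorp.com", "www.acmecorp.com",        # the real thing
    "acmecrop.com", "*.acnecorp.com",          # typosquats
    "xn--cmecorp-1fg.com", "acrnecorp.com",    # homoglyphs (Cyrillic a, rn)
    "acmecorp.co", "acmecorp.io",              # TLD variants
    "acmecorp-login.com",                      # combosquat
    "acmecorp.com.login-secure.net",           # subdomain spoofs
    "secure.acmecorp.evil-domain.com",
    "example.org", "acme.com",                 # unrelated or too distant
]

if __name__ == "__main__":
    for san, kind in triage(SAMPLE_SANS).items():
        print(f"{kind:16} {san}")
```

The order of the checks matters: the registrable label is judged before the subdomains, so acmecorp.com.login-secure.net is reported for its real owner (login-secure.net), not mistaken for your own domain.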
Defensive registration strategies
While you cannot register every possible permutation of your domain, a targeted defensive registration strategy significantly reduces the attack surface.
- Register common TLD variants. At a minimum, register your brand name under .com, .co.uk, .net, .org, and any country-code TLDs relevant to your operations. Point them all to your primary domain with 301 redirects and publish a null SPF record (v=spf1 -all) and a p=reject DMARC record on each.
- Register common misspellings. Identify the two or three most likely typos of your brand name and register those variants. Transpositions of adjacent letters and missing characters are the highest priority.
- Use domain monitoring services. Defensive registration is a one-time cost, but the landscape changes daily as new TLDs are introduced and expired domains become available. Continuous monitoring ensures you are alerted when a new lookalike appears, even if it was not part of your original defensive set.
For every defensive domain you register, apply the same hardening you would to a parked domain: null SPF (v=spf1 -all), DMARC p=reject, and no active mail services; a null MX record (RFC 7505, a single MX with preference 0 and exchange “.”) tells sending servers explicitly that the domain accepts no mail. Our guide on how to redirect parked domains covers the full setup.
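As an added example of the check a practitioner would run over the whole defensive set (not the page's or any product's code), the Python script below audits DNS data for exactly that posture: a null SPF, DMARC p=reject with no weakening tags, and either a null MX or no live mail exchangers. The record data is constructed and lookup is a stand-in for a real resolver query; in practice it would be replaced by dnspython or a similar library.

```python
"""Audit parked and defensive domains for the recommended mail posture (added example)."""

# Constructed zone data: two well-parked domains and two that are not.
RECORDS = {
    "acmecorp.net": {
        "TXT": ["v=spf1 -all"],
        "_dmarc.TXT": ["v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s"],
        "MX": ["0 ."],                                   # RFC 7505 null MX
    },
    "acmecrop.com": {
        "TXT": ["v=spf1 -all"],
        "_dmarc.TXT": ["v=DMARC1; p=reject"],
        "MX": ["0 ."],
    },
    "acmecorp.org": {                                    # copied from a live-mail template
        "TXT": ["v=spf1 include:_spf.example-mail.net ~all"],
        "_dmarc.TXT": ["v=DMARC1; p=none; rua=mailto:dmarc@acmecorp.com"],
        "MX": ["10 mail.acmecorp.org."],
    },
    "acmecorp.co.uk": {                                  # redirect only, no mail policy
        "TXT": [],
        "_dmarc.TXT": [],
        "MX": [],
    },
}


def lookup(domain, rtype):
    """Stand-in for a DNS query (assumption: real code resolves these records)."""
    return RECORDS.get(domain, {}).get(rtype, [])


def parse_tags(record):
    """Split 'v=DMARC1; p=reject; ...' into a dict keyed by lowercase tag."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def audit(domain):
    """Return the findings for one domain; an empty list means it is hardened."""
    findings = []

    spf = [r for r in lookup(domain, "TXT") if r.lower().startswith("v=spf1")]
    if not spf:
        findings.append("no SPF record")
    elif len(spf) > 1:
        findings.append("multiple SPF records (receivers treat this as permerror)")
    elif spf[0].lower().split() != ["v=spf1", "-all"]:
        findings.append(f"SPF is not the null policy 'v=spf1 -all': {spf[0]!r}")

    dmarc = [r for r in lookup(domain, "_dmarc.TXT") if r.lower().startswith("v=dmarc1")]
    if not dmarc:
        findings.append("no DMARC record")
    else:
        tags = parse_tags(dmarc[0])
        if tags.get("p", "").lower() != "reject":
            findings.append(f"DMARC policy is p={tags.get('p', 'missing')}, expected reject")
        sp = tags.get("sp")                              # defaults to p when absent
        if sp and sp.lower() != "reject":
            findings.append(f"DMARC subdomain policy sp={sp} is weaker than reject")
        if tags.get("pct", "100") != "100":
            findings.append(f"DMARC pct={tags['pct']} leaves some mail unenforced")

    mx = lookup(domain, "MX")
    if mx and mx != ["0 ."]:
        findings.append(f"live MX on a domain that should not receive mail: {mx}")
    elif not mx:
        findings.append("no MX: publish the null MX '0 .' (RFC 7505) to refuse mail explicitly")
    return findings


def audit_all(domains):
    return {d: audit(d) for d in domains}


if __name__ == "__main__":
    for domain, findings in audit_all(RECORDS).items():
        print(f"{'OK ' if not findings else 'FIX'} {domain}")
        for finding in findings:
            print(f"      - {finding}")
```

Run it on a schedule rather than once: defensive domains tend to drift when someone reuses a zone template or moves registrars, and a permissive SPF on a forgotten variant hands the attacker an authenticated sender for free.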
What to do when you find a lookalike domain
Discovering a lookalike domain is only the beginning. The next steps depend on whether the domain is actively being used for malicious purposes and what legal or procedural options are available.
- Gather evidence. Before taking any action, document everything. Take screenshots of the lookalike domain's website (if one exists), capture email headers from any phishing messages, and record DNS records. Use our WHOIS Lookup to record registrant details, creation date, and registrar information. This evidence will be critical for any dispute or takedown request.
- Check the domain's trust posture. Run the lookalike domain through our Security Grade Check to see whether it has SPF, DKIM, DMARC, and SSL configured. A domain that has been set up with full email authentication is more likely to be actively used for phishing, which strengthens your case for takedown.
- Report to the registrar. Every ICANN-accredited registrar is contractually required to publish an abuse contact, and most ccTLD registrars do the same under their registry's rules. File an abuse report with the registrar identified in the WHOIS record. Include your evidence and a clear explanation of how the domain infringes on your brand. Registrars will often suspend domains used for phishing within 24 to 48 hours if the evidence is clear; a trademark complaint without evidence of active abuse is usually referred to the dispute process instead.
- File a UDRP dispute. The Uniform Domain-Name Dispute-Resolution Policy (UDRP) is an ICANN-mandated arbitration process for resolving disputes over gTLD domains such as .com and .net. To succeed, you must demonstrate all three elements: that the domain is identical or confusingly similar to your trademark, that the registrant has no rights or legitimate interest in the name, and that the domain was registered and is being used in bad faith. UDRP proceedings typically cost between £1,200 and £4,000 and take 45 to 60 days. Most ccTLDs have their own equivalent; .uk domains, for example, go through Nominet's Dispute Resolution Service rather than UDRP.
- Report to hosting and email providers. If the lookalike domain is hosting phishing pages, report the content to the hosting provider. If it is sending phishing emails, report it to the email service provider. Google, Microsoft, and other major providers have dedicated abuse reporting channels that can disable accounts quickly.
- Notify your users. If the lookalike domain has been used in active phishing campaigns targeting your customers or partners, issue a notification explaining the attack and advising recipients to verify the sender domain on any unexpected emails.
Lookalike domains and DMARC: understanding the gap
DMARC is essential for email security. A p=reject policy tells receiving servers to reject any message that puts your exact domain in the From header without passing aligned SPF or DKIM, which stops direct spoofing of that domain (and of its subdomains, unless you override that with sp=). But DMARC only protects the domain you publish it on. It does nothing to prevent an attacker from sending fully authenticated email from a lookalike domain they own.
This is the gap that brand protection fills. DMARC and lookalike monitoring are complementary controls, not alternatives. You need DMARC to stop direct spoofing, and you need brand monitoring to detect and act on lookalike threats. If you have not yet configured DMARC on your primary domain, start there. Our guide to DMARC explains how to go from no record to full enforcement. Then use the DMARC Checker to verify your configuration.
Organisations that have reached p=reject on their primary domain sometimes assume the job is done. In reality, attackers simply pivot to lookalike domains once direct spoofing is blocked. This is why brand protection monitoring should be part of your security posture from day one, not an afterthought.
Ongoing monitoring
Lookalike domain threats are not static. New domains are registered every day, and attackers frequently let domains expire and re-register them under different identities. Effective brand protection requires continuous monitoring, not a one-off scan.
A robust monitoring programme should include regular scans of domain permutations, CT log monitoring for newly issued certificates matching your brand, and WHOIS change tracking for known lookalike domains. ShieldMarc combines these signals into a single platform. Learn why organisations choose ShieldMarc for unified domain security that covers DMARC reporting, DNS health, SSL monitoring, and brand protection in one dashboard.
The retirement of NCSC Mail Check has left many UK organisations without the DMARC monitoring they relied on. If you are migrating from Mail Check, this is an ideal time to adopt a platform that covers both email authentication and brand protection rather than replacing like for like.
Next steps
Protecting your brand from lookalike domains requires a combination of detection, defensive registration, and response procedures. Here is where to start:
- Scan your domain for lookalikes now with our free Brand Protection Checker to see which permutations are already registered.
- Use the WHOIS Lookup to investigate the registrant details of any suspicious domains you find.
- Check your DMARC record to ensure your primary domain is protected from direct spoofing while you address lookalike threats.
- Read our complete guide to DMARC if you have not yet deployed an email authentication policy.
- Review the 2026 UK MSP DMARC audit to understand why MSPs are particularly vulnerable to brand impersonation attacks.
Find out who is impersonating your brand
Run a free scan with our Brand Protection Checker to discover registered lookalike domains, typosquats, and TLD variants targeting your organisation. No signup required.
Need ongoing monitoring, DMARC reporting, and domain health scoring across all your domains? Create a free ShieldMarc account and start protecting your brand in under two minutes.