What Is Typosquatting?

In plain English

Typosquatting is registering a lookalike domain to catch people who mistype an address or misread a link. The site on the other end is built to look like the real one, so you log in or pay without realising you left.

The idea

Domains are cheap and mistakes are constant. Someone registers an address that is one small step away from a real one, puts up a copy of the real site, and waits.

Some visitors arrive by typing too fast. Most arrive because a phishing message linked them there. The lookalike domain is what makes the fake login page believable, because the address bar almost reads correctly.

Almost is the whole business model.

The usual patterns

Using example.com as the real domain, the variations tend to look like this.

  • A digit standing in for a letter. examp1e.com. At small text sizes, a one and an l are close to identical.
  • A doubled or dropped letter. exemple.com, exampple.com, exmple.com. All of these are one slip of a finger away.
  • Letters swapped around. exapmle.com. Your eye reads the shape of the word, not the order.
  • An extra word bolted on. example-support.com, example-secure.com, myexample.com. It sounds official, and that is the point.
  • A different ending. example.shop instead of example.com. The name is perfect. The bit after it is not.
  • The real name as a subdomain of something else. example.com.checkout-verify.net. The only part that matters here is checkout-verify.net.

How to read a domain properly

Find the last two parts before the first single slash. That is the real domain. Everything to the left of it can say anything at all, because whoever owns the domain controls it.

So in example.com.checkout-verify.net/login, the site you are on is checkout-verify.net. The words example.com are decoration.

Read it slowly. Read it right to left. And never trust what a link says it is, because the words in a link and the address behind it have nothing to do with each other. Hover, or press and hold, and check.

Other things that give one away

The domain is the main tell, but the rest of the site usually agrees with it.

  • The domain is brand new. Real shops have history. Check the domain age and the WHOIS record.
  • The padlock proves nothing here. An SSL certificate says the connection is encrypted. It does not say the site is honest, and anyone can get one for any domain they own.
  • Small things are wrong. Dead links, an old logo, prices that make no sense, contact details that do not exist.
  • You did not choose to be there. You clicked something in a message rather than typing the address yourself.

If you own the brand

You cannot register every possible misspelling, and trying will cost more than it saves. Focus on the few that matter.

Register the obvious near misses and the main alternative endings, then point them at your real site. Watch for new registrations using your name. And keep your email locked down with DMARC, because a lookalike domain is far less useful to a scammer if they cannot also make the message appear to come from you.

You can see how your own domain currently stands with a free check, and our guide on how to spot a scam website is worth sending to customers who ask.

Related terms

Browse the full glossary →

See where your site stands.

Run a free check and find out which of these your site already passes, in seconds.

Run a free check Browse the fixes