
What is Typosquatting? Examples and How to Protect Your Brand

By DoppelDown Team

Every day, millions of internet users make typos when typing website addresses. Most of the time, they get an error page and try again. But sometimes, they land on a website that looks almost right — and that's where the danger begins.

This is typosquatting: the practice of registering domain names that are slight misspellings of popular websites. It's a technique that has been used to steal credentials, distribute malware, and siphon traffic from legitimate businesses for over two decades. And it's still highly effective today.

In this guide, we'll explain exactly what typosquatting is, show you real-world examples of famous attacks, explain how cybercriminals profit from these domains, discuss the legal landscape, and give you practical strategies to protect your brand.

What is Typosquatting? A Definition

Typosquatting (also known as URL hijacking, domain mimicry, or sting sites) is a form of cybersquatting where someone registers domain names that are common misspellings or typographical errors of popular websites, brand names, or trademarked terms.

The goal is to intercept traffic from users who:

  • Make typing errors when entering a URL directly into the address bar
  • Misread a link in an email or message
  • Trust a domain that looks visually similar to a legitimate site
  • Follow links from phishing emails that use lookalike domains

The genius of typosquatting is its simplicity. No hacking is required. No complex malware. The attacker simply registers a domain, sets up a website, and waits for traffic to arrive. When a user lands on the typosquatted site, the attacker can monetize that visit in several ways — from displaying ads to harvesting login credentials.

How Typosquatting Works: The Technical Basics

Typosquatting exploits the gap between how humans process information and how computers handle domain names. To a computer, google.com and goggle.com are completely different domains. To a human glancing quickly at a URL, they can look identical.

Attackers use several techniques to create convincing typosquats:

1. Character Omission

Simply dropping a letter from the domain name. This exploits the fact that our brains often autocorrect words as we read them.

  • gogle.com (missing 'o')
  • amazn.com (missing 'o')
  • facebok.com (missing 'o')
  • youtbe.com (missing 'u')

2. Character Substitution

Replacing a character with one that looks similar or is adjacent on the keyboard.

  • amaz0n.com (zero instead of 'o')
  • paypa1.com (one instead of 'l')
  • micr0soft.com (zero instead of 'o')
  • twltter.com ('l' instead of 'i')

3. Character Transposition

Swapping adjacent characters, mimicking the natural errors people make when typing quickly.

  • goggle.com (strictly a substitution: 'g' in place of the second 'o')
  • googel.com (swapped 'l' and 'e')
  • faecbook.com (swapped 'c' and 'e')
  • yuotube.com (common transposition)

4. Homoglyph Attacks

Using characters from different alphabets that look identical to Latin characters. This is one of the most deceptive techniques.

  • Cyrillic 'а' (U+0430) instead of Latin 'a' (U+0061)
  • Cyrillic 'е' (U+0435) instead of Latin 'e' (U+0065)
  • Greek 'ο' (omicron) instead of Latin 'o'
  • Using "rn" to mimic "m" — rn looks like m in many fonts

5. TLD Variation

Changing the top-level domain (the extension at the end) while keeping the brand name the same.

  • google.co instead of google.com
  • amazon.net instead of amazon.com
  • microsoft.org for a commercial entity
  • Country-code TLDs: .tk, .ml, .ga (often free and abused)

6. Combosquatting

Adding words before or after the brand name to create plausible-looking domains.

  • google-login.com
  • amazon-secure.com
  • microsoft-update.com
  • apple-support.net

Real-World Typosquatting Examples

Typosquatting isn't theoretical. Here are documented cases of major typosquatting attacks and schemes:

The Google "Goggle" Domain

The domain goggle.com has a long history of abuse. Over the years, it has been used to:

  • Spread malware through drive-by downloads
  • Display aggressive advertisements and pop-ups
  • Redirect users to scam websites
  • Harvest search queries for competitive intelligence

At one point, security researchers estimated that goggle.com was receiving millions of visits per month from users who simply typed too fast. Google eventually acquired the domain, but not before years of abuse.

The Amaz0n and Paypa1 Scams

Two of the most commonly typosquatted brands are Amazon and PayPal, given their massive user bases and financial transactions. Variations include:

  • amaz0n.com — Used for phishing campaigns targeting Amazon customers
  • paypa1.com — Used to steal PayPal login credentials
  • amazon-secure-payment.com — Fake checkout pages designed to steal credit card data

These domains often replicate the exact login pages of the real sites, making them nearly indistinguishable to average users. Once credentials are entered, attackers gain access to real accounts, which are often linked to bank accounts or credit cards.

Microsoft and Office 365 Targeting

Microsoft products are prime targets due to their enterprise adoption. Typosquats include:

  • micros0ft.com
  • office365-login.com
  • microsoftt.com
  • outlook-security.com

These domains are used in sophisticated business email compromise (BEC) campaigns. An employee receives an email that appears to be from IT, asking them to "verify their Office 365 account" via a link. The link leads to a perfect replica of the Microsoft login page on a typosquatted domain.

The Twitter to X Transition Exploitation

When Twitter rebranded to X in 2023, typosquatters quickly registered hundreds of variations including:

  • Common misspellings of "x.com"
  • Combinations like twitter-x.com
  • Typosquats of the word "twitter" with various TLDs

Major brand changes create windows of opportunity for typosquatters, as users adjust to new domain names and may be more likely to make errors.

How Attackers Profit from Typosquatting

Typosquatting is profitable. Attackers monetize these domains through several methods:

1. Phishing and Credential Harvesting

The most lucrative use of typosquatted domains is phishing. By creating near-perfect copies of login pages, attackers collect:

  • Usernames and passwords
  • Credit card numbers
  • Bank account credentials
  • Personal information for identity theft
  • Corporate network credentials

These credentials are then used for financial fraud, sold on dark web markets, or leveraged for further attacks like business email compromise.

2. Malware Distribution

Typosquatted domains serve as distribution points for malware:

  • Drive-by downloads: Malicious code that installs when a user simply visits the page
  • Fake software updates: Pop-ups claiming Adobe Flash, Chrome, or other software needs updating
  • Malicious apps: Fake download pages for popular software containing trojans or ransomware

3. Advertising and Affiliate Fraud

Even without malicious intent, typosquatters monetize through:

  • Parking pages filled with pay-per-click advertisements
  • Affiliate link redirects to the legitimate site (earning commissions on purchases)
  • Pop-up ads and redirect chains

In these cases, the typosquatter profits from traffic that rightfully belongs to the brand owner.

4. Domain Sales and Extortion

Some typosquatters register domains specifically to sell them back to the brand owner at inflated prices. This can border on extortion, especially when the domain is being used in ways that damage the brand.

Legal Aspects: Can You Stop Typosquatters?

The legal landscape around typosquatting has evolved significantly. Here are the main mechanisms for addressing it:

The Anti-Cybersquatting Consumer Protection Act (ACPA)

In the United States, the ACPA (1999) provides civil remedies against cybersquatting. To succeed in an ACPA claim, you must prove:

  1. The defendant registered a domain that is identical or confusingly similar to your trademark
  2. You had trademark rights at the time of registration
  3. The defendant acted with "bad faith intent to profit" from your mark

Remedies include statutory damages of up to $100,000 per domain, plus attorney's fees in exceptional cases.

UDRP (Uniform Domain-Name Dispute-Resolution Policy)

UDRP is an international arbitration process administered by organizations like WIPO. It's faster and cheaper than court litigation. To win a UDRP case, you must prove:

  1. The domain is identical or confusingly similar to your trademark
  2. The registrant has no legitimate rights or interests in the domain
  3. The domain was registered and is being used in bad faith

UDRP decisions can result in transfer of the domain to the complainant, but no monetary damages.

Practical Challenges

Legal action has limitations:

  • Cost: UDRP proceedings cost $1,500–$5,000+ per domain; litigation is significantly more expensive
  • Volume: Large brands may face thousands of typosquats, making individual legal action impractical
  • Jurisdiction: Many typosquatters operate from countries with weak enforcement
  • Speed: Legal processes take months; typosquatters can register new domains faster than you can shut them down

How to Protect Your Brand from Typosquatting

A comprehensive typosquatting protection strategy involves multiple layers:

1. Register Defensive Domains

Proactively register the most common typosquats of your brand:

  • Single-character omissions of your brand name
  • Common transpositions (adjacent character swaps)
  • Key TLD variations: .net, .org, .co, and your country code
  • Common combos: yourbrand-login, yourbrand-support, secure-yourbrand

While you can't register every possible variation, covering the top 10–20 most likely typos significantly reduces exposure.

2. Implement Continuous Domain Monitoring

You can't register every typosquat — but you can monitor for them. Continuous monitoring watches new domain registrations in real time and alerts you when domains resembling your brand appear.

Effective monitoring should detect:

  • All six types of typosquatting (omission, substitution, transposition, homoglyph, TLD, combosquat)
  • New registrations as they happen (not weeks later)
  • Active threats vs. parked domains (risk scoring)
  • Visual similarity using image recognition technology
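
As a sketch of the detection side, the following added example (not DoppelDown's code) classifies observed domains against a protected brand using the six techniques listed earlier. The brand example.com, the feed, and the small confusable table are constructed assumptions; a production matcher would use a full confusables list and the Public Suffix List.

```python
"""Classify observed domains against a protected brand domain (added example)."""

# Constructed confusable table (assumption); a production list is far larger.
HOMOGLYPHS = {"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u03bf": "o"}

def _label(domain):
    """Split 'name.tld' and decode a punycode (xn--) name to Unicode."""
    name, _, tld = domain.lower().strip(".").partition(".")
    if name.startswith("xn--"):
        name = name[4:].encode("ascii").decode("punycode")
    return name, tld

def classify(domain, brand_domain):
    """Return the typosquatting technique the domain matches, or None."""
    name, tld = _label(domain)
    brand, brand_tld = _label(brand_domain)
    if name == brand:
        return None if tld == brand_tld else "tld-variation"
    # Fold cross-script lookalikes and the "rn" for "m" trick to one skeleton.
    skeleton = "".join(HOMOGLYPHS.get(ch, ch) for ch in name).replace("rn", "m")
    if skeleton == brand:
        return "homoglyph"
    if len(name) == len(brand) - 1 and any(
        brand[:i] + brand[i + 1:] == name for i in range(len(brand))
    ):
        return "omission"
    if len(name) == len(brand):
        diffs = [i for i in range(len(brand)) if name[i] != brand[i]]
        if len(diffs) == 1:
            return "substitution"
        if (len(diffs) == 2 and diffs[1] == diffs[0] + 1
                and name[diffs[0]] == brand[diffs[1]]
                and name[diffs[1]] == brand[diffs[0]]):
            return "transposition"
    if brand in name:
        return "combosquat"
    return None

# Constructed feed of newly observed registrations for the brand example.com.
FEED = ["exmple.com", "examp1e.com", "exmaple.com", "ex\u0430mple.com",
        "exarnple.com", "example.net", "example-login.com", "unrelated.org"]

def scan(feed, brand_domain="example.com"):
    """Map each flagged domain to its technique; unmatched domains are dropped."""
    hits = {d: classify(d, brand_domain) for d in feed}
    return {d: t for d, t in hits.items() if t}

if __name__ == "__main__":
    for dom, technique in scan(FEED).items():
        print(f"{technique:14} {ascii(dom)}")
```

Names that merely contain the brand, including repeated-letter variants such as microsoftt, land in the combosquat bucket and still need the risk scoring described above before anyone acts on them.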

3. Establish Rapid Takedown Procedures

When a typosquat is detected and confirmed as malicious, speed matters. Have documented processes for:

  • Reporting to the domain registrar
  • Contacting the hosting provider
  • Submitting to Google Safe Browsing
  • Filing abuse reports with relevant authorities
  • Initiating UDRP proceedings for high-value targets

4. Implement Email Authentication

Typosquatted domains are often used to send phishing emails. While DMARC won't stop lookalike domains, it prevents direct spoofing of your exact domain. Combined with SPF and DKIM, this makes it harder for attackers to impersonate you directly.
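
To make that limit concrete, this added example (not from the original article) evaluates which From domains a brand's DMARC record actually governs. The record, the brand example.com, and the two-label organizational-domain shortcut are constructed assumptions.

```python
"""Which From domains does a brand's DMARC record cover? (added example)"""

# Constructed record, as it would be published at _dmarc.example.com.
BRAND_RECORD = "v=DMARC1; p=reject; sp=quarantine; rua=mailto:dmarc@example.com"

def parse_dmarc(txt):
    """Parse 'tag=value; ...' pairs; return {} unless the record is DMARC1."""
    tags = {}
    for part in txt.split(";"):
        key, sep, value = part.partition("=")
        if sep:
            tags[key.strip().lower()] = value.strip()
    return tags if tags.get("v") == "DMARC1" else {}

def org_domain(domain):
    """Assumption: last two labels. Real receivers use the Public Suffix List."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])

def applied_policy(from_domain, brand_domain, record):
    """Policy the brand's record imposes on mail with this From domain.

    Returns None when the From domain belongs to a different organizational
    domain: receivers then consult that domain's own _dmarc record, which a
    typosquatter controls. Assumes subdomains publish no record of their own.
    """
    if org_domain(from_domain) != org_domain(brand_domain):
        return None
    tags = parse_dmarc(record)
    is_subdomain = from_domain.lower().rstrip(".") != org_domain(brand_domain)
    policy = tags.get("sp") if is_subdomain and "sp" in tags else tags.get("p")
    return (policy or "none").lower()

def report(from_domains, brand_domain="example.com", record=BRAND_RECORD):
    """Label each From domain as enforced, monitor-only, or outside DMARC's reach."""
    out = {}
    for dom in from_domains:
        policy = applied_policy(dom, brand_domain, record)
        if policy is None:
            out[dom] = "lookalike: not covered by the brand's DMARC"
        elif policy in ("quarantine", "reject"):
            out[dom] = f"exact-domain spoof blocked ({policy})"
        else:
            out[dom] = "covered but not enforced (p=none)"
    return out

if __name__ == "__main__":
    for dom, status in report(["example.com", "mail.example.com", "examp1e.com"]).items():
        print(f"{dom:18} {status}")
```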

5. Educate Your Users

Make it easy for customers to verify your legitimate domains:

  • Publish a page listing all your official domains
  • Include security tips in customer communications
  • Make your legitimate URLs easy to remember and type
  • Provide clear channels for reporting suspicious sites

How DoppelDown Detects Typosquatting Automatically

Manual typosquatting protection doesn't scale. Searching for variations of your domain by hand is time-consuming, incomplete, and reactive.

DoppelDown automates typosquatting detection with technology that:

  • Monitors all TLDs: Continuously scans new domain registrations across hundreds of top-level domains
  • Detects all variation types: Uses algorithms to identify omission, substitution, transposition, homoglyph, TLD, and combosquatting variants
  • Analyzes risk: Not every lookalike domain is a threat. DoppelDown checks DNS configuration, website content, email setup, and hosting patterns to prioritize active dangers
  • Alerts in real time: Get notified immediately when high-risk domains are detected — not days or weeks later
  • Enables rapid response: Built-in tools streamline evidence collection and takedown workflows

Whether you're protecting a single brand or an entire portfolio, DoppelDown gives you visibility into the typosquatting landscape that attackers count on you not having.

Don't Wait for the Typo That Costs You

Typosquatting is a persistent threat that preys on human error. No matter how careful your customers are, some will make typos. The question is whether those typos lead to your website — or to an attacker's trap.

The businesses that stay ahead aren't the ones hoping customers never make mistakes. They're the ones monitoring for those mistakes before attackers can exploit them.

Start monitoring your brand with DoppelDown today — it's free, requires no credit card, and takes minutes to set up. See what typosquats already exist for your brand, and get ahead of new ones before they become problems.

Typosquatting turns innocent mistakes into security breaches. DoppelDown monitors the domain landscape continuously, detecting typosquats the moment they're registered so you can act before they're weaponized against your customers.
