What Is Typosquatting?
Typosquatting is the practice of registering or using a domain name that resembles a legitimate domain closely enough to confuse users.
Typosquatting is the use of misspelled, lookalike, or deceptively similar domain names to trick users into visiting malicious or misleading websites. Attackers use typosquatting to steal credentials, impersonate brands, deliver malware, redirect traffic, or support phishing and fraud campaigns.
The idea is simple: if a fake domain looks close enough to a legitimate one, some users will not notice the difference. That makes typosquatting a common tactic in phishing, brand impersonation, and email-based scams. For related background, see what is phishing and what is whaling.
How typosquatting works
Typosquatting works because people often trust familiar-looking domains without inspecting them carefully.
The attacker chooses a target
The target is usually a domain people already recognize and trust, such as:
- A bank
- A cloud login portal
- A retailer
- A payroll provider
- A well-known SaaS platform
- A company’s own domain
- A vendor or partner domain
Attackers prefer brands or services that users are likely to type manually, click from email, or access under time pressure.
The attacker registers a lookalike domain
Once a likely variation is identified, the attacker registers a confusingly similar domain.
Common patterns include:
- Missing-letter variations
- Double-letter variations
- Letter transpositions
- Alternate TLDs like
.netinstead of.com - Hyphenated versions
- Character substitutions
- Lookalike internationalized characters in homograph-style attacks
For example, a user expecting a familiar login page may not notice that the domain is off by one character.
The attacker uses the domain for abuse
A typosquatted domain can support several kinds of malicious activity, including:
- Hosting a fake login page
- Collecting usernames and passwords
- Serving malware downloads
- Redirecting traffic to scam pages
- Displaying ads for accidental traffic
- Supporting brand impersonation
- Sending deceptive email from a lookalike domain
The specific use depends on the attacker’s objective.
The attacker drives traffic to it
Traffic to the domain may come from:
- Manual typing mistakes
- Phishing emails
- Text messages or chat links
- Search result manipulation
- Malicious ads
- Fake download pages
This is why typosquatting is not only a domain issue. It also matters in email security, identity protection, and brand defense.
Common examples of typosquatting
Typosquatting can appear in several forms.
Fake login portals
An attacker creates a page that looks like Microsoft 365, Google Workspace, a VPN portal, or another trusted service. The victim enters credentials, which are then captured.
Vendor or billing impersonation
A finance employee is sent to a lookalike billing portal or payment page that appears to belong to a real supplier.
Malware download sites
A fake software site mimics a legitimate vendor and offers an infected installer, update, or browser extension.
Misdirected traffic monetization
Not every typosquatted site is highly sophisticated. Some simply capture mistyped traffic and monetize it through ads, redirects, or affiliate abuse.
Typosquatting and email attacks
Typosquatting is often tied directly to phishing and business email compromise.
A lookalike domain may be used to:
- Send fake document links
- Impersonate HR or IT
- Request payment changes
- Pose as a vendor
- Continue a conversation after mailbox compromise
- Trick users into approving a login or MFA flow
Because many people check display names more often than full sender domains, even a small domain variation can be effective.
When you are most likely to encounter typosquatting
You are most likely to encounter typosquatting in workflows where users rely on recognition rather than careful verification.
Common scenarios include:
- Phishing emails with nearly identical links
- Cloud login prompts for common business platforms
- Software downloads from copied vendor pages
- Vendor impersonation in finance or procurement
- Executive targeting in social engineering campaigns
- Accidental browser visits caused by mistyped URLs
Typosquatting is especially effective in rushed environments where users expect to see trusted brands and move quickly through email, chat, and browser prompts.
How to reduce typosquatting risk
No single control eliminates typosquatting, but several practical steps help.
Train users to inspect domains
Users should be taught to check the real destination domain, not just:
- The display name
- The logo
- The page design
- The first part of the URL
This matters most for logins, payment requests, and document-sharing links.
Use bookmarks for important portals
For high-value services such as payroll, banking, admin consoles, and identity providers, bookmarks are safer than retyping or trusting ad-driven search results.
Strengthen password hygiene
If a user does enter credentials into a fake site, unique passwords reduce the blast radius. A password manager like Try 1Password → can help users avoid password reuse across lookalike login pages.
Add endpoint protection
Some typosquatting sites are used for fake downloads or malware delivery. Security software such as Get Malwarebytes → can help reduce risk from malicious files and known harmful sites.
Improve domain and email defenses
Organizations can also reduce exposure by:
- Monitoring for lookalike domain registrations
- Enforcing SPF, DKIM, and DMARC
- Blocking newly observed suspicious domains when justified
- Reviewing email security controls for impersonation attempts
- Verifying payment and account changes out of band
Typosquatting vs related terms
Phishing
Phishing is the broader practice of tricking users into revealing information or taking harmful actions. Typosquatting is one technique often used in phishing campaigns.
Lookalike domain
A lookalike domain is any domain designed to resemble a legitimate one. Typosquatting is a common subtype built around misspellings and close variations.
Homograph attack
A homograph attack uses visually similar characters, sometimes from different alphabets, to make one domain appear to be another. It is related to typosquatting but more specific.
Domain spoofing
Domain spoofing is a broader term for making a sender or domain appear trustworthy when it is not. Typosquatting can support domain spoofing, especially in email attacks.
Brand impersonation
Brand impersonation is the use of a trusted company’s identity to deceive users. Typosquatting often provides the infrastructure for that deception.
Final takeaway
Typosquatting is the use of misspelled or lookalike domains to exploit trust in familiar brands, services, and websites. A small change in a URL can be enough to steal credentials, deliver malware, misdirect payments, or support broader phishing campaigns.
If a workflow depends on users recognizing a domain quickly, it is a workflow where typosquatting can work. Good user verification habits, stronger email controls, and safer credential practices all help reduce the risk.