What is domain impersonation?

Domain impersonation is when attackers register domains that look similar to legitimate brands to conduct phishing, fraud, or scams. This includes typosquatting (example.corn instead of example.com), character substitution (examp1e.com using "1" for "l"), and homograph attacks (using Unicode lookalikes). These domains are used to deceive customers, employees, and partners.

What is typosquatting?

Typosquatting is registering domain names that are common typos of legitimate domains. Attackers rely on users making typing mistakes: missing letters (exampe.com), extra letters (exammple.com), swapped letters (exmaple.com), or wrong TLDs (example.co instead of example.com). These domains catch misdirected traffic and are used for phishing or malware distribution.

How does the scanner detect lookalike domains?

Our scanner uses Levenshtein distance algorithm to calculate string similarity between your domain and potential variations. It generates hundreds of typosquatting variations (character omissions, additions, swaps, keyboard proximity errors), detects character substitutions (0 for O, 1 for l, rn for m), and calculates similarity scores. Domains above 70% similarity are flagged. DNS validation checks which variations are actively registered.

What is the difference between severity levels?

Critical: Domain is active (DNS configured), highly similar (90%+), and has email capability (MX records). Immediate action required. High: Domain is registered with 80%+ similarity and may have DNS/email configured. Medium: Domain exists with 70%+ similarity but limited configuration. Low: Potential variation below 70% similarity or not registered. Severity accounts for similarity score, DNS status, email capability, and character substitution patterns.

What should I do if critical threats are found?

For critical threats: (1) Document evidence immediately with screenshots and DNS records. (2) Submit abuse complaints to the domain registrar. (3) Report to hosting provider if website is active. (4) Consider legal action if trademark infringement is clear. (5) Implement strict DMARC policy to prevent email spoofing from that domain. (6) Alert customers and employees about the phishing domain. (7) Monitor the domain for changes or deactivation.

Should I register defensive domain variations?

Defensive registration makes sense for high-value brands. Prioritize: (1) Common typos (.co instead of .com, one letter off). (2) Character substitutions flagged as high risk. (3) Alternative TLDs for your exact brand (.net, .org, .io). (4) Domains with historical phishing attempts. Defensive registration prevents abuse but can be expensive for many variations. Focus on critical threats identified by the scanner.

Domain Impersonation Scanner

Detect lookalike domains, typosquatting, and phishing attempts targeting your brand. Scan for domain impersonation threats with advanced similarity detection.

Domain Impersonation Scanner

Scan for lookalike domains, typosquatting, and potential phishing attempts targeting your brand.

Understanding Domain Impersonation and Typosquatting

Overview

Domain impersonation is a critical cybersecurity threat where attackers register domains that closely resemble legitimate brands to conduct phishing attacks, distribute malware, or commit fraud. These lookalike domains exploit user trust and typing mistakes to intercept sensitive information, steal credentials, or damage brand reputation.

Types of Domain Impersonation

Typosquatting

Typosquatting exploits common typing mistakes users make when entering URLs:

Character omission: exmple.com (missing "a")
Character addition: exammple.com (extra "m")
Character swap: exmaple.com ("ma" instead of "am")
Keyboard proximity: wxample.com ("w" next to "e" on keyboard)
Wrong TLD: example.co, example.cm, example.om

Character Substitution (Homograph Attacks)

Attackers replace characters with visually similar alternatives:

Number substitution: examp1e.com (1 for l), g00gle.com (0 for o)
Character lookalikes: exarnple.com (rn for m)
Unicode homoglyphs: Using Cyrillic а (U+0430) instead of Latin a (U+0061)
Case confusion: ExampIe.com (capital I for lowercase l)

Combosquatting

Adding keywords to legitimate brand names to appear official:

example-secure.com, example-login.com, example-verify.com
secure-example.com, login-example.com, verify-example.com
examplesupport.com, examplehelp.com, exampleofficial.com

Bitsquatting

Exploiting bit-flip errors in computer memory to register domains one bit different:

example.com → exaople.com (bit flip in "m" to "o")
Rare but can catch traffic from hardware errors

How Domain Impersonation Attacks Work

Phishing Emails

Attackers use lookalike domains to send emails that appear to come from your brand:

Email from support@examp1e.com instead of support@example.com
Recipients see familiar brand name and trust the message
Emails contain malicious links, credential harvesting forms, or malware
DMARC does not protect against lookalike domains (only exact domain spoofing)

Clone Websites

Impersonators create replica websites on lookalike domains:

Identical design and branding to legitimate site
Captures login credentials when users attempt to sign in
Collects payment information during fake checkout process
May redirect to real site after stealing credentials to avoid suspicion

Traffic Interception

Typosquatting domains catch misdirected traffic:

Users mistype your domain and land on impersonator site
Impersonator shows ads, affiliate links, or competitors
Traffic monetization at your brand's expense
May redirect users to competitor websites

Brand Damage

Impersonation sites can harm reputation:

Scam sites using your brand to defraud customers
Adult content or malware associated with lookalike domains
Customer support scams collecting sensitive information
Negative SEO from impersonator content

How the Scanner Works

Variation Generation

The scanner generates potential typosquatting variations using multiple techniques:

Character omission: Remove each character individually
Character addition: Duplicate each character
Character swap: Swap adjacent character pairs
Keyboard proximity: Replace with nearby keyboard keys
Common substitutions: Test known lookalike replacements (0/o, 1/l, rn/m)
TLD variations: Test common alternative TLDs (.co, .net, .org, .io)

Similarity Calculation

Levenshtein distance algorithm measures string similarity:

Calculates minimum number of single-character edits needed to transform one string to another
Edits include insertions, deletions, and substitutions
Similarity score = (1 - distance/max_length) × 100%
Domains above 70% similarity threshold are flagged as potential threats

DNS Validation

When enabled, the scanner performs DNS lookups to identify active threats:

A records: Check if domain has valid DNS (is registered and active)
MX records: Verify if email is configured (can send phishing emails)
NS records: Identify nameservers (hosting infrastructure)
DNS validation is slower but identifies real threats vs theoretical variations

Severity Scoring

Each detected domain receives a severity score based on multiple factors:

Similarity score: Higher similarity = higher severity
DNS status: Active DNS significantly increases severity
Email capability: MX records indicate phishing capability
Character substitution: Homograph attacks are weighted higher
TLD matching: Same TLD increases impersonation risk

Interpreting Scan Results

Critical Severity (Score 90+)

Domain is highly similar to yours (90%+ match)
DNS is active (domain is registered and configured)
Often has MX records (capable of sending phishing emails)
Action required: Contact registrar abuse department immediately
Consider legal action if trademark infringement is clear
Document all evidence for potential legal proceedings

High Severity (Score 80-89)

Domain is very similar (80-89% match)
May or may not have active DNS
If MX records exist, phishing risk is significant
Action required: Submit abuse complaint to registrar
Monitor closely for activation or email configuration
Consider defensive domain registration

Medium Severity (Score 70-79)

Domain is moderately similar (70-79% match)
Lower immediate threat but worth monitoring
If DNS is active, investigate further
Action required: Add to monitoring watchlist
Document for future reference
Evaluate for defensive registration based on brand value

Low Severity (Score <70)

Lower similarity score or unregistered variation
Primarily informational
Keep on watchlist for periodic rescanning
Action required: Monitor periodically for registration

Protection Strategies

Defensive Domain Registration

Register common typo variations of your primary domain
Secure alternative TLDs (.com, .net, .org, .io, .co) for exact brand
Register character substitution variations flagged as critical
Redirect defensive domains to legitimate site or show coming soon page
Renew defensive domains indefinitely to prevent expiration takeover

DMARC Protection

Implement strict DMARC policy (p=reject) on your legitimate domain
Prevents attackers from spoofing your exact domain in email
Does NOT protect against lookalike domains (separate threat)
Educate users to check sender domain carefully
Publish SPF and DKIM records to enable DMARC

Trademark Monitoring

Register trademarks for your brand name
Use Uniform Domain-Name Dispute-Resolution Policy (UDRP) for clear infringement
Submit abuse complaints to domain registrars
Report phishing sites to browsers and search engines
Take legal action against persistent infringers

Regular Scanning

Scan monthly for new domain registrations
Enable DNS checking to detect newly activated domains
Monitor high-risk variations continuously
Track changes in DNS configuration and email capability
Document evidence when new threats are identified

User Education

Train employees to verify sender domains carefully
Educate customers about official communication channels
Publish list of official domains on your website
Encourage URL verification before entering credentials
Provide reporting mechanism for suspected phishing

Taking Action Against Impersonators

Document Evidence

Screenshot the impersonation website before reporting
Save WHOIS records showing registration details
Document DNS records (A, MX, NS)
Archive phishing emails if applicable
Record timestamps of discovery and reporting

Report to Registrar

Use WHOIS to identify domain registrar
Submit abuse complaint to registrar's abuse contact
Include evidence of impersonation and trademark
Reference terms of service violations
Follow up if no response within 3-5 business days

Report to Hosting Provider

Identify hosting provider via reverse IP lookup
Submit abuse complaint to hosting provider
Often faster takedown than registrar action
Hosting providers typically respond within 24-48 hours

File UDRP Complaint

Use Uniform Domain-Name Dispute-Resolution Policy for clear trademark infringement
Requires: (1) domain identical/confusingly similar, (2) registrant has no rights, (3) registered in bad faith
Costs $1,500-$2,500 per complaint
Resolution typically takes 60-90 days
High success rate for clear impersonation cases

Legal Action

Consult intellectual property attorney for persistent infringement
Cease and desist letters often effective for opportunistic squatters
Litigation appropriate for ongoing business harm
Anti-Cybersquatting Consumer Protection Act (ACPA) in US
Can recover damages and legal fees in successful cases

Best Practices

Proactive scanning: Run monthly scans to detect new registrations early
Enable DNS checking: Slower but identifies real active threats vs theoretical risks
Prioritize critical threats: Focus resources on highly similar active domains first
Register defensively: Secure critical variations before attackers do
Implement DMARC: Prevent exact domain spoofing in addition to lookalike monitoring
Act quickly: Early reporting increases takedown success rate
Track trends: Monitor for patterns in impersonation attempts
Educate users: Trained users are best defense against impersonation