What Is Typosquatting? How to Protect Your Business
Typosquatting registers misspelled or lookalike versions of legitimate domains to trick users into visiting fraudulent websites. Criminals use it for phishing, malware delivery and brand impersonation — and UK businesses need both technical and monitoring defences.
Nathan Hill-Haimes
Technical Director
What is typosquatting?
Typosquatting — also called URL hijacking or domain mimicry — involves registering domain names that are slight variations of legitimate domains, designed to catch users who make typing errors or do not look closely at a URL. A criminal might register amv1a.co.uk or amvla.co.uk to impersonate amvia.co.uk, banking on the fact that many users will not notice the difference in a phishing email or a browser address bar.
Domain registration is inexpensive — a .co.uk domain costs a few pounds per year — meaning attackers can register dozens of variants of a target domain for minimal cost. The potential return from a single successful phishing attack far exceeds this investment, making typosquatting an economically rational tactic for criminals targeting specific businesses or brands.
How typosquatting attacks work
Phishing via email
Typosquatted domains are frequently used as the sending domain for phishing emails. An email from accounts@barclays-online-secure.co.uk looks convincing to a recipient who does not examine the full domain carefully. The typosquatted domain passes some technical checks — it has its own SPF, DKIM and DMARC records — because it is a legitimate registered domain, just not the legitimate brand's domain.
Fake websites
A typosquatted domain can host a website that visually mimics the legitimate business — same design, same content, cloned from the real site — with a login form that steals credentials entered by visitors who land there by mistake. This is particularly effective against businesses with public-facing login portals.
Business email compromise support
Criminals conducting BEC attacks sometimes use a typosquatted domain in the reply-to address of an email that appears to come from a legitimate supplier. Replies from victims go to the criminal's inbox rather than the genuine supplier's, allowing them to intercept and control the conversation.
Software package hijacking
A specific variant of typosquatting targets software developers who install packages from repositories like npm or PyPI. A malicious package named reqests instead of requests can be installed accidentally and execute malicious code in a development or production environment.
Who is at risk?
Any business with a public-facing web presence and a recognisable brand is potentially at risk. The highest-risk categories are:
- Financial services firms with online client portals
- Professional services firms — law firms, accountants — whose domains are used in client communications involving financial transactions
- E-commerce businesses where users log in and provide payment details
- Any business with a well-known brand that attackers could exploit to build credibility
SMEs are not immune — criminals often target smaller firms precisely because they are less likely to have brand monitoring in place than large corporations.
Detecting typosquatting
The primary detection tool is domain monitoring. Services that monitor newly registered domains for variations of your brand name can alert you within hours of a typosquatted domain being registered — giving you the opportunity to investigate and, if necessary, report or pursue takedown before it is used in attacks.
Free tools such as dnstwist generate lists of likely typosquatting variants of a domain and check whether they are registered. Commercial brand protection services provide automated monitoring, alerting, and takedown assistance.
Protecting your business
A layered approach to typosquatting protection includes:
- Defensive domain registration: Register the most likely typosquatting variants of your primary domain — common misspellings, singular/plural variants, hyphenated versions — and redirect them to your legitimate site. This removes the most obvious attack vectors, though it is not feasible to register every possible variant.
- Domain monitoring: Automated monitoring for new registrations of domains that closely resemble yours, with alerting so you can investigate suspicious registrations quickly.
- Staff and customer awareness: Train staff to examine domain names carefully before entering credentials or sensitive information. Customer communication should warn customers to verify the URL they are visiting.
- Email security gateways with impersonation detection: Security gateways that detect near-match domain impersonation in inbound email provide a technical layer against typosquatted phishing emails.
DMARC enforcement on your own domain prevents direct spoofing but does not protect against typosquatted domains — those require the monitoring and defensive registration approach above.
Is Your Business Domain Being Imitated?
Typosquatted domains can be active for weeks before a business notices. AMVIA can check for existing lookalike domains and put monitoring in place to alert you to future registrations.
Frequently Asked Questions
Registering a domain with the intention of profiting from or harming a brand can be actionable under the Nominet Dispute Resolution Service (DRS) for .co.uk domains, and through ICANN's Uniform Domain-Name Dispute-Resolution Policy (UDRP) for generic top-level domains. Criminal intent may also engage the Fraud Act 2006. However, enforcement through these routes takes time, making prevention and monitoring more practical than relying on legal action.
For .co.uk domains, a complaint can be filed with Nominet under their DRS. For .com and other gTLDs, the ICANN UDRP process applies. The NCSC's website abuse reporting service can assist with takedowns of sites hosting phishing content. If the domain is being used in an active fraud, report to Action Fraud. Brand protection services can handle this process on your behalf.
Registering the most obvious variants — one-character substitutions, common misspellings, your domain with and without hyphens, and in the most common TLD variants (.co.uk, .com, .org.uk) — provides meaningful protection at modest cost. A five-domain defensive registration might cost £20-50 per year. You cannot register every possible variant, so domain monitoring is the complement to defensive registration.
If a typosquatted domain sends large volumes of phishing email impersonating your brand, recipients and email providers may begin associating phishing characteristics with your brand, even though your actual domain is uninvolved. This can indirectly affect deliverability and trust. Rapid detection and takedown of typosquatted phishing domains is the most effective mitigation.
Cybersquatting involves registering a domain that matches a well-known trademark or brand name — for example, registering fordcars.co.uk before Ford does — with the intent to sell it to the legitimate owner or profit from the association. Typosquatting is specifically about registering misspellings or close variants to catch users who make errors. Both are forms of bad-faith domain registration.
DMARC protects your exact domain from being spoofed in email. It does not protect against typosquatted domains, which are independently registered and have their own DMARC records. A DMARC policy of p=reject on your domain prevents criminals from sending email as your exact domain, but a criminal can still send email from a visually similar typosquatted domain that DMARC cannot detect.
Related Reading
What Is DMARC?
How DMARC protects your exact domain from spoofing — and where its protection ends.
Email Spoofing: How to Detect and Prevent It
The relationship between domain spoofing, typosquatting and email authentication controls.
Email Phishing: Keeping Your Business Safe
How typosquatted domains are used in phishing campaigns and the layered controls that stop them.