
What is typosquatting? Definition, risks, and how to prevent it



Typosquatting is a growing cybersecurity threat that businesses can’t afford to ignore. As companies increasingly rely on having a digital presence, cybercriminals exploit common URL misspellings to deceive users, steal sensitive data, and damage brand reputation. These fraudulent domains can lead to financial loss, regulatory risks, and a breakdown of customer trust. In this article, we'll cover what typosquatting is, how it works, its risks, and the steps businesses can take to stay protected.

What is typosquatting?

Typosquatting is a social engineering technique that targets internet users who mistype a website address. Attackers register misspelled or lookalike domain names of popular sites, then use these alternative websites to trick users into revealing personal or financial information or downloading malware. For businesses being impersonated, such fake websites can erode trust, damage reputation, and lead to financial loss if customers fall victim to scams under their name.

The “typo” part comes from the small mistakes people make when entering URLs. A classic example is goggle.com, a web address users may type instead of "google.com."

How does typosquatting work?

Typosquatting works by exploiting human error: typos, spelling mistakes, and visual misinterpretations of website addresses. Attackers register lookalike domains and use them for various schemes, including:

  • Phishing: Attackers create fraudulent websites that mimic legitimate ones to trick users into entering their usernames, passwords, or other sensitive credentials.
  • Malware and adware: Visiting a fake website may result in the installation of malicious software, which can compromise devices, steal information, or display intrusive ads.
  • Redirects: Users who visit these lookalike domains may be unknowingly redirected to other sites filled with advertisements, affiliate links, or unwanted content.
  • Fake digital products: Cybercriminals use lookalike domains to sell counterfeit or unauthorized products under a well-known brand’s name, deceiving customers.
  • Data harvesting: Fraudulent websites can collect personal data, including credit card details and other sensitive information, for identity theft or financial fraud.

An alternative website often mimics the real site, using an identical logo, branding, and layout to appear legitimate. Users who don't notice the difference may unknowingly hand over valuable information.

Types of typosquatting

Cybercriminals manipulate domain names using different techniques to mislead users. Here are the most common types of domain typosquatting.

Misspellings and typos

The simplest technique relies on common typing mistakes. An accidentally misspelled domain name can lead to a fraudulent website instead of the one the user intended to visit. Examples include:

  • gooogle.com instead of google.com
  • facebok.com instead of facebook.com

Attackers take advantage of these errors to direct unsuspecting visitors to scam websites, malware pages, or ad-heavy pages designed to generate revenue.

Homoglyph attacks (lookalike characters)

Homoglyph attacks swap characters that look nearly identical to the human eye, creating deceptive but convincing web addresses. Some examples:

  • rnicrosoft.com (using "rn" to look like "m" in microsoft.com)
  • g00gle.com (replacing “o” with zeros in google.com)

These subtle swaps are effective because users often do not notice the difference, especially on smaller screens or at a quick glance. Internationalized domain names extend the trick to other scripts: a Cyrillic "а" (U+0430) is indistinguishable from a Latin "a" in most fonts, and because the registered name is stored in Punycode (a label beginning with xn--), modern browsers fall back to showing that encoded form for mixed-script names so the substitution becomes visible. Once on the fake site, visitors are likely to enter their credentials, thinking they are on the real website.

Extra characters (prepending/appending)

Typosquatters manipulate web addresses by adding extra letters, numbers, or words to closely mimic legitimate domains. Even a small change can go unnoticed, especially if users aren’t paying close attention. Examples:

  • amazonn.com instead of amazon.com
  • realtors.com instead of realtor.com

Turning a singular domain name into a plural or adding a single letter is often enough to deceive users. These lookalike domains are often used for phishing scams, malware distribution, or ad fraud.

Hyphenated domains

Inserting a hyphen between words can make a domain look like an official regional or departmental variant of a brand. Few users know whether a brand's real domains use hyphens, and most popular sites do not, so cybercriminals exploit that uncertainty to create misleading alternatives. Examples:

  • net-flix.com instead of netflix.com
  • apple-support.com mimicking a legitimate Apple support page (support.apple.com/)

Users scanning a URL quickly may assume it’s a genuine site, only to end up on a phishing website or a page filled with deceptive ads.

Missing-dot domains

Missing-dot domains look nearly identical to legitimate website addresses but omit or add a dot in a critical place. The dot matters: finance.citi.com is a subdomain that only the owner of citi.com can create, whereas financeciti.com is a separate name anyone can register. These subtle changes are easy to miss, especially when users type URLs quickly or rely on autofill. Examples:

  • financeciti.com instead of finance.citi.com
  • chickenfarm.fences.com instead of chickenfarmfences.com

A missing or misplaced dot can lead users to phishing sites, malware downloads, or deceptive ads.

Alternative spellings

Spelling variations can also be used to trick users into landing on a fake website. Typosquatters exploit regional differences, such as American and British English spellings, to create misleading domains. For example:

  • favorite.com vs. favourite.com
  • colorcode.com vs. colourcode.com

Businesses with internationally recognized brands need to be aware of these variations and secure key domain versions to avoid losing traffic — or worse, exposing users to scams.

Wrong domain endings

With countless top-level domains available (.com, .co.uk, .net, .org, .shop, etc.), typosquatters take advantage of users assuming they are on the right website when they’re not.

One of the most common tricks is using .co instead of .com — Colombia’s official domain extension — since it closely resembles the world’s most popular TLD.

Other examples include:

  • brandname.org instead of brandname.com
  • popularshop.store instead of popularshop.shop

To prevent typosquatters from fooling their client base, companies often register multiple domain variations to block squatters from capitalizing on these minor but effective differences.
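The categories above are mechanical, which is why both attackers and defenders enumerate them with a script. The following is an added example (it is not code from the page or from NordStellar) that generates candidate lookalikes for a domain, one list per technique described above. HOMOGLYPHS, ALT_SPELLINGS and TLDS are small illustrative tables chosen for this demo, not exhaustive lists, and the last label is treated as the TLD, so multi-part suffixes such as co.uk are not split correctly.

```python
"""Enumerate look-alike candidates for a domain, one set per technique.

Added example (not the page's own code or NordStellar's tooling); the
technique names mirror the categories described above. HOMOGLYPHS,
ALT_SPELLINGS and TLDS are small illustrative tables, not exhaustive
lists, and the last label is treated as the TLD, so multi-part suffixes
such as co.uk are not split correctly.
"""
from string import ascii_lowercase

HOMOGLYPHS = {"o": "0", "l": "1", "i": "1", "e": "3", "s": "5",
              "m": "rn", "w": "vv", "d": "cl"}
ALT_SPELLINGS = {"color": "colour", "favorite": "favourite",
                 "center": "centre", "organization": "organisation"}
TLDS = ["com", "co", "net", "org", "shop", "store", "co.uk"]


def split_domain(domain: str) -> tuple[str, str]:
    """'finance.citi.com' -> ('finance.citi', 'com')."""
    name, _, tld = domain.lower().rpartition(".")
    return name, tld


def generate(domain: str) -> dict[str, list[str]]:
    name, tld = split_domain(domain)
    positions = [i for i, ch in enumerate(name) if ch != "."]  # keep label dots intact
    out: dict[str, set[str]] = {key: set() for key in (
        "omission", "repetition", "transposition", "homoglyph", "addition",
        "hyphenation", "subdomain", "alt_spelling", "tld")}

    for i in positions:
        out["omission"].add(name[:i] + name[i + 1:])           # gogle
        out["repetition"].add(name[:i] + name[i] + name[i:])   # gooogle
        if name[i] in HOMOGLYPHS:                               # g0ogle, rnicrosoft
            out["homoglyph"].add(name[:i] + HOMOGLYPHS[name[i]] + name[i + 1:])
    for i in range(len(name) - 1):
        if "." not in name[i:i + 2]:                            # gogole
            out["transposition"].add(name[:i] + name[i + 1] + name[i] + name[i + 2:])
    for i in range(1, len(name)):
        if "." not in name[i - 1:i + 1]:
            out["hyphenation"].add(name[:i] + "-" + name[i:])   # net-flix
            if "." not in name:
                out["subdomain"].add(name[:i] + "." + name[i:])  # net.flix
    if "." in name:
        out["subdomain"].add(name.replace(".", ""))             # financeciti
    out["addition"].update(name + ch for ch in ascii_lowercase)  # amazonn, realtors
    for us, uk in ALT_SPELLINGS.items():                        # colorcode <-> colourcode
        if us in name:
            out["alt_spelling"].add(name.replace(us, uk))
        if uk in name:
            out["alt_spelling"].add(name.replace(uk, us))
    out["tld"].update(f"{name}.{alt}" for alt in TLDS if alt != tld)  # brand.co

    result = {}
    for key, names in out.items():
        full = names if key == "tld" else {f"{n}.{tld}" for n in names}
        full.discard(domain.lower())  # a no-op edit must not count as a variant
        result[key] = sorted(full)
    return result


if __name__ == "__main__":
    for technique, variants in generate("netflix.com").items():
        print(f"{technique:<14} {len(variants):>3}  {', '.join(variants[:4])} ...")
```

Even with these small tables, a seven-letter name yields dozens of candidates, and a real keyboard-adjacency or full confusables table multiplies that, which is why defensive registration alone cannot cover the space and has to be paired with monitoring.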

What is the purpose of typosquatting?

Scammers register misspelled or lookalike domains for different reasons — some for financial gain, others for more malicious purposes. Here are the most common motivations.

Cybersquatting

Cybersquatting refers to the practice of registering, selling, or using a domain name with the intent of profiting from someone else’s trademark. A common tactic involves typosquatting, where slight misspellings of popular domains are registered to mislead users or pressure companies into buying them.

Getting clicks or views

Typosquatters often create fake websites filled with misleading ads, low-quality content, or even malicious links. They’re designed to attract accidental web page visitors and generate advertising revenue for each click.

Earning money from affiliate links

Sometimes, a fake site redirects traffic to the real company’s website through affiliate links. The squatter earns a commission from the brand's legitimate affiliate program, effectively monetizing users’ mistakes.

Redirecting traffic to competitors

A typosquatter may create a “related search results” listing and use its traffic to benefit rival businesses. When users land on the deceptive domain, they’re shown search results or ads leading to competitors. These businesses pay the typosquatter per click. Again, this tactic monetizes accidental visitors at the expense of the original brand.

Bait-and-switch scams

In this scheme, attackers create fake websites that closely resemble real e-commerce or service sites. Victims pay for items that never arrive or services that never materialize. This practice, known as website spoofing, is designed to look as authentic as possible — until the buyer realizes they’ve been conned.

Stealing personal information (phishing)

One of the most dangerous uses of typosquatting is phishing. Attackers create fraudulent login pages for popular websites, such as banking sites, social media platforms, or online stores. A user lands on the malicious site, enters their credentials, and unknowingly hands over their account access to cybercriminals. This stolen data is then used for fraud or identity theft or sold on the dark web.

Spreading malicious software

Some typosquatted sites are designed to infect visitors’ devices with malicious software. These fake websites may:

  • Trick visitors into installing fake antivirus software (scareware), or ransomware that locks the device until a ransom is paid.
  • Use keyloggers to track passwords and sensitive information.
  • Deploy spyware to monitor online activity or steal financial details.

Damaging a brand’s reputation

Attackers may create fake domains that host harmful, misleading, or defamatory content, linking it to the targeted company. Users who land on these sites may see false claims, offensive material, or fake products, which are all designed to erode confidence in the real brand.

Parody and satire

Not all typosquatting is malicious. Some domains are set up as joke sites that poke fun at existing sites, well-known brands, public figures, or organizations. While these alternative websites are usually created for humor, they can still damage reputations or spread misinformation, especially if users mistake them for the real thing.

Who is typically targeted by typosquatting?

Typosquatting affects individuals, small businesses, and large corporations. Attackers exploit human error, using deceptive domains to steal data, spread malware, and erode trust. The most common targets include:

  • Corporations and their employees. Large companies are prime targets — attackers often exploit lookalike domains to impersonate corporate websites and internal portals. These fake websites are often used for phishing attacks, distributing malicious software, and supply chain fraud.
  • Small businesses. Unlike large corporations, small businesses often lack dedicated cybersecurity teams or resources to monitor for typosquatting attempts. Attackers take advantage of this situation by creating malicious websites to deceive customers, steal sensitive data, or tarnish a brand’s reputation. This attack often has devastating consequences for smaller companies.
  • Everyday internet users. Anyone who types a website URL into their browser is a potential target. A single misspelled web address can lead to a fake login page, malicious pop-ups and scams, or even financial fraud.
  • Mobile users. Typosquatting is even more effective on mobile devices, where smaller screens make it harder to spot URL differences. Plus, autocorrect can modify URLs in unexpected ways, sending users to fake sites.

Risks associated with typosquatting

While not every typosquatted domain is created with malicious intent, many of their owners do act in bad faith. Typosquatting can cause serious security and financial risks, especially for businesses:

  • Data theft. Fake sites can deceive users into entering sensitive information such as login credentials, credit card details, or personal data. This stolen information can then be used for fraud or identity theft or sold on the dark web.
  • Phishing attacks. Attackers design lookalike malicious sites to steal login credentials, often targeting banks, email providers, and corporate portals. A single typo can lead users straight into a phishing trap.
  • Distributing malicious software. Fake websites may prompt users to download a "security update" or software that is actually malware. Once installed, this can spy on users, steal data, or even lock systems for ransom.
  • Brand reputation damage. Typosquatted sites can be used to spread misinformation or sell counterfeit products under your name.
  • Financial loss. Businesses can lose revenue when customers fall victim to fake websites.

Real-world examples of typosquatting attacks

Typosquatting has been used in various cyberattacks, targeting both individuals and organizations. Notable typosquatting examples include:

  • PayPaI phishing attack (first active in mid-2000; resurfaced in 2011, 2012, 2017, and 2020). Attackers registered paypai.com and presented it as "PayPaI.com". Domain names are case-insensitive, so the registered name contains a plain "i"; the trick works because a capital "I" is indistinguishable from a lowercase "l" in many sans-serif fonts, including those used by email clients and address bars. Users who did not notice the difference landed on a fake copy of PayPal's login page. Many had their credentials stolen and later had to deal with unauthorized transactions.
  • Fake credit reports (ongoing since 2003). Following the launch of AnnualCreditReport.com, dozens of similar domains with intentional typos were registered. These fake sites deceived visitors into providing sensitive financial information, leading to identity theft and credit fraud.
  • Last Week Tonight (2016). Comedian John Oliver registered typosquatted sites such as equifacks.com (Equifax), experianne.com (Experian), and tramsonion.com (TransUnion). Unlike malicious actors, Oliver's intent was educational: he used the domains to show how easy it is to register misleading names and to raise public awareness of the issue.
  • Icelandic national police phishing (2018). Cybercriminals registered logregian.is and displayed it as logregIan.is, relying on the same capital-I-for-lowercase-l lookalike, to mimic logreglan.is, the official website of Iceland's national police. The fake site was used to run phishing attacks, compromising personal and financial information.
  • US census scam (2020). Ahead of the 2020 US census, multiple typosquatted domains were registered to mimic the official Census Bureau website. These fake sites were used to harvest personal information from unsuspecting visitors and spread false or misleading information about the census process.

Is typosquatting illegal?

Typosquatting exists in a legal gray area, because its legality depends on intent. Some businesses register typo domains for defensive purposes to protect their brand, which is perfectly legal. But when typosquatting is used for fraud, phishing, distributing malicious software, or impersonation, it becomes illegal.

Typosquatting is a subset of cybersquatting. Cybersquatting covers registering any domain name that is identical or confusingly similar to someone else's trademark, often to resell it for profit; typosquatting specifically targets internet users who mistype URLs, using misspellings or lookalike characters to create fake websites.

In the United States, the Anticybersquatting Consumer Protection Act (ACPA) of 1999 gives trademark owners a civil cause of action against anyone who registers, traffics in, or uses a domain name that is identical or confusingly similar to their mark with a bad-faith intent to profit from it. The law was created to stop individuals from hoarding trademarked domain names to sell them at a high price.

Liability under the ACPA turns on bad faith: a registrant who can show they believed, and had reasonable grounds to believe, that their use of the domain was fair or otherwise lawful has a defense. Internationally, ICANN requires its accredited registrars to apply the Uniform Domain-Name Dispute-Resolution Policy (UDRP), under which trademark holders can bring typosquatting and cybersquatting complaints before an approved dispute-resolution provider such as WIPO. If the panel finds that the domain was registered and is being used in bad faith, it can be transferred or cancelled.

How can businesses prevent typosquatting attacks?

Typosquatting puts businesses at risk of phishing scams, data theft, and reputational damage. Here’s how companies can stay ahead of attackers and protect their brand:

  1. Secure domain variations. Register the most likely misspellings, hyphenated versions, and alternate spellings of your domain, along with relevant top-level domains such as .com, .net, .org, and country-specific extensions, and redirect them to your official website. You cannot register every permutation (the number grows quickly with the length of the name), so prioritise the variants a user is most likely to type and cover the rest with monitoring.
  2. Monitor for typosquatted domains. Use domain monitoring tools that watch newly registered domain feeds, Certificate Transparency logs, and passive DNS for names close to yours, and raise real-time alerts when a suspicious domain appears.
  3. Serve your site over HTTPS with HSTS enabled. TLS protects data in transit and blocks downgrade attacks against your real domain, but it does not prove authenticity to a visitor: the padlock only confirms an encrypted connection to whichever domain is in the address bar, and a typosquatter can obtain a valid certificate for a lookalike name from any public CA in minutes. Treat the padlock as necessary but not sufficient, and use the public Certificate Transparency logs as one of your monitoring sources.
  4. Secure your email from impersonation. Attackers may use typosquatted domains to send phishing emails in your company's name. Bear in mind that sender-authentication records published for your own domain only stop spoofing of that exact domain; a lookalike domain is under the attacker's control and can pass those checks for itself, which is why the monitoring and anti-phishing steps in this list matter as much as the records.
  5. Implement anti-phishing measures. Train employees to spot phishing domains, especially in emails, chat messages, and online searches. Deploy email security solutions to block phishing attempts before they reach inboxes.
  6. Encourage direct website navigation. Promote bookmarks, QR codes, or mobile apps so customers rely less on typing addresses by hand, and have employees reach internal portals from bookmarks or a trusted search engine rather than from a manually typed URL.
  7. Get suspicious websites and mail servers taken down. If a lookalike domain is abusing your brand, report it to the registrar and hosting provider (both publish abuse contacts), report phishing pages to the browser safe-browsing services, and pursue a UDRP complaint or ACPA action where bad faith can be shown.
  8. Notify stakeholders. If an attacker is impersonating your business, inform your customers, staff, or other relevant parties immediately. Encourage them to look out for suspicious emails or fake websites.
  9. Use a threat exposure management platform. A security platform like NordStellar provides proactive domain monitoring, alerting businesses to typosquatting threats before they cause damage.
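Step 2 needs a way to decide which of the thousands of domains that appear every day actually resemble yours, and the homoglyph and PayPaI examples earlier show that a plain string comparison misses the cases that matter. The following is an added example (not NordStellar's or any vendor's code) that reduces each observed domain to a visual "skeleton" (Punycode decoded, lower-cased, common lookalike sequences folded back to the letters they imitate) and then scores the label against a protected domain with Damerau-Levenshtein distance. The protected domain paypal.com, the OBSERVED feed, and the confusables tables are constructed for this demo; the tables are a small hand-picked subset of the Unicode UTS #39 confusables, and multi-part public suffixes such as co.uk are not handled.

```python
"""Flag observed domains that resemble a protected domain.

Added example, not NordStellar's or any other vendor's code. Each
candidate is reduced to a visual "skeleton" (Punycode decoded, lower-cased,
common look-alike sequences folded back to the letters they imitate) and
its label is compared with the protected label by Damerau-Levenshtein
distance. The confusables tables are a small hand-picked subset, not the
full Unicode UTS #39 list, and multi-part public suffixes (co.uk) are not
handled; both are simplifications for this demo.
"""
import unicodedata

PROTECTED = "paypal.com"  # assumed brand domain for the demo

# Character sequences that read as a single letter at a glance.
SEQ_CONFUSABLES = {"rn": "m", "vv": "w", "cl": "d"}
# Digits and Cyrillic letters commonly substituted for Latin letters.
CHAR_CONFUSABLES = {
    "0": "o", "1": "l", "3": "e", "5": "s",
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0443": "y", "\u0445": "x",
}


def to_unicode(domain: str) -> str:
    """Decode Punycode (xn--) labels so homograph characters become visible."""
    try:
        return domain.encode("ascii").decode("idna")
    except UnicodeError:  # already Unicode, or malformed Punycode
        return domain


def skeleton(domain: str) -> str:
    """Lower-case, NFKC-normalise and fold confusables.

    DNS is case-insensitive, so "PayPaI.com" is simply paypai.com to a
    resolver: the capital-I trick lives in how the name is displayed, and
    to this scorer it is a distance-1 typo of the real label."""
    name = unicodedata.normalize("NFKC", to_unicode(domain).lower())
    for seq, letter in SEQ_CONFUSABLES.items():
        name = name.replace(seq, letter)
    return "".join(CHAR_CONFUSABLES.get(ch, ch) for ch in name)


def osa_distance(a: str, b: str) -> int:
    """Damerau-Levenshtein (optimal string alignment) edit distance."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # adjacent transposition
    return d[len(a)][len(b)]


def split(skel: str) -> tuple[str, str]:
    """'pay-pal.com' -> ('paypal', 'com'): label with dots/hyphens stripped, plus TLD."""
    label, _, tld = skel.rpartition(".")
    return label.replace(".", "").replace("-", ""), tld


def assess(candidate: str, protected: str = PROTECTED) -> dict:
    decoded = to_unicode(candidate)
    cand_label, cand_tld = split(skeleton(candidate))
    prot_label, prot_tld = split(skeleton(protected))
    dist = osa_distance(cand_label, prot_label)
    non_ascii = any(ord(ch) > 127 for ch in decoded)

    if candidate.lower() == protected.lower():
        verdict = "legitimate"
    elif dist == 0 and non_ascii:
        verdict = "idn homograph"
    elif dist == 0 and cand_tld == prot_tld:
        verdict = "ascii lookalike"  # hyphen, extra dot, or digit-for-letter swap
    elif dist == 0:
        verdict = "tld swap"
    elif dist <= 2:
        verdict = "typo variant"
    else:
        verdict = "unrelated"
    return {"domain": candidate, "decoded": decoded, "distance": dist, "verdict": verdict}


# Constructed sample feed of newly observed domains (not real registrations).
OBSERVED = [
    "paypal.com",
    "paypai.com",
    "pay-pal.com",
    "paypal.co",
    "p\u0430ypal.com".encode("idna").decode("ascii"),  # Cyrillic а, in Punycode form
    "paypa1.com",
    "rnicrosoft.com",
    "example.org",
]

if __name__ == "__main__":
    for item in OBSERVED:
        r = assess(item)
        print(f"{r['domain']:<22} {r['decoded']:<14} d={r['distance']}  {r['verdict']}")
```

Run against a newly registered domain feed or Certificate Transparency stream, anything other than "unrelated" is worth a ticket; the "idn homograph" and "ascii lookalike" verdicts are the ones a plain substring match on your brand name would never have produced. The label-only comparison is deliberate: a TLD swap such as paypal.co should score as identical to the protected label, not as a distance-1 near miss.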

How NordStellar helps prevent typosquatting

NordStellar offers proactive typosquatting protection for businesses. With real-time domain monitoring, automated alerts, and AI-powered threat detection, NordStellar helps companies:

  • Detect typosquatted domains before they can be used against their brand.
  • Prevent phishing attacks targeting employees and customers.
  • Protect brand reputation by securing domain variations.

Typosquatters are waiting for an opportunity — don’t give them one. Contact the NordStellar team to protect your brand.


