What is Typosquatting?

Typosquatting (also called URL hijacking) exploits typing mistakes to redirect users to fraudulent domains that mimic legitimate brands. A single-character error in a URL can land an employee or customer on a fake site designed to steal credentials, deliver malware, or facilitate financial fraud.

Arsen Team
2 minutes read
What is typosquatting?

Typosquatting occurs when attackers register domain names that are visually or phonetically close to a legitimate brand's domain — differing by one character, a transposition, a substitution, or an alternative extension. The goal is to intercept users who mistype the intended address.

Common manipulation patterns:

Pattern                  Legitimate domain   Typosquatted variant
Missing character        example.com         exampl.com
Character substitution   example.com         examp1e.com
Transposition            example.com         examlpe.com
Homoglyph                example.com         exаmple.com (Cyrillic "а")
Alternative TLD          example.com         example.net / example.co
Added character          example.com         examples.com

Once on the fake site, users may be prompted to enter login credentials, payment card details, or personal data, all harvested directly by the attacker. Some typosquatted domains also silently deliver malware, compromising the device without any user interaction beyond the page load.

How does typosquatting enable phishing and social engineering?

Typosquatting is most effective as a phishing delivery layer. Attackers do not need to send a malicious email — they simply wait for organic traffic from users who mistype a URL, or actively drive traffic to the fake domain through:

  • Phishing emails containing the typosquatted link in place of the real one, visually near-identical to the legitimate address
  • Smishing campaigns with shortened URLs that mask the misspelled domain
  • Ad networks bidding on brand keywords to surface the fake domain above the legitimate one in search results
  • QR codes embedded in printed materials pointing to the fraudulent domain

Because the fake site replicates the real one's design, users who land on it rarely notice the discrepancy. The social engineering element is passive; the site does the manipulation, not a human attacker.

What are the risks of typosquatting for organisations?

Typosquatting creates exposure on two fronts simultaneously.

For employees and customers:

  • Credential theft via fake login pages (feeding directly into account takeover)
  • Payment card fraud on counterfeit e-commerce replicas
  • Malware delivery without any active social engineering interaction

For the targeted brand:

  • Reputational damage when customers associate the phishing experience with the legitimate company
  • Customer trust erosion, particularly in financial services where confidence is a product
  • Legal exposure if customer data is compromised via a domain impersonating the brand

Financial institutions, payment providers, and SaaS platforms are disproportionately targeted because their domains carry the highest value for attackers seeking credentials and payment data.

How should organisations protect against typosquatting?

Protection operates on two levels: reducing the available attack surface, and detecting what you cannot pre-emptively block.

Reduce attack surface:

  • Register common misspellings, transpositions, and alternative TLDs for your primary domain preemptively. Redirect all variants to the canonical domain.
  • Include homoglyph variants (domains using visually similar Unicode characters) in registration scope.
  • Secure internationalised domain name (IDN) variants that could be weaponised in homoglyph attacks.

Detect and respond:

  • Use continuous domain monitoring tools (such as Arsen's Threat Monitoring) to surface newly registered lookalike domains before attackers activate them.
  • Monitor certificate transparency logs — attackers often request TLS certificates for typosquatted domains days before launching campaigns.
  • Establish a takedown process with your legal and security teams so suspicious domains are acted on quickly.
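To make the patterns table and the registration and monitoring advice above concrete, here is an added example (not Arsen's code or tooling): it generates the single-edit variants for a brand domain so they can be scoped for pre-emptive registration, then screens a constructed feed of observed names, standing in for certificate transparency output, against them. The confusables map, the TLD list, the feed entries and the registrable-domain heuristic are assumptions.

```python
# Added example, not Arsen's code: lookalike generation for registration scope,
# plus screening of a constructed monitoring feed against those variants.
HOMOGLYPHS = {"a": "\u0430", "e": "\u0435", "o": "\u043e", "p": "\u0440",
              "c": "\u0441", "l": "1"}          # assumption: small confusables map
ALT_TLDS = ("net", "co", "org")                 # assumption: TLDs worth covering

def lookalikes(domain):
    """Single-edit typosquat candidates for a registrable domain like example.com."""
    name, tld = domain.lower().rsplit(".", 1)
    out = set()
    for i in range(len(name)):
        out.add(name[:i] + name[i + 1:] + "." + tld)                     # missing character
        if i < len(name) - 1:                                            # transposition
            out.add(name[:i] + name[i + 1] + name[i] + name[i + 2:] + "." + tld)
        if name[i] in HOMOGLYPHS:                                        # substitution / homoglyph
            out.add(name[:i] + HOMOGLYPHS[name[i]] + name[i + 1:] + "." + tld)
    for ch in "abcdefghijklmnopqrstuvwxyz":                              # added character
        out.add(name + ch + "." + tld)
    for t in ALT_TLDS:                                                   # alternative TLD
        if t != tld:
            out.add(name + "." + t)
    out.discard(name + "." + tld)
    return out

def normalise(domain):
    """Map confusable glyphs back to ASCII so a homoglyph name compares equal to the brand."""
    rev = {v: k for k, v in HOMOGLYPHS.items()}
    return "".join(rev.get(ch, ch) for ch in domain.lower())

def screen(feed, brand_domain):
    """Registrable domains in the feed that are generated variants or normalise to the brand."""
    candidates = lookalikes(brand_domain)
    hits = []
    for observed in feed:
        labels = observed.lower().strip("*.").split(".")
        reg = ".".join(labels[-2:])        # naive registrable part; ignores co.uk-style TLDs
        if reg in candidates or (reg != brand_domain and normalise(reg) == brand_domain):
            hits.append(reg)
    return hits

# Constructed feed entries standing in for newly issued certificate names.
FEED = [
    "*.login.examp1e.com",       # substitution hidden under a wildcard subdomain
    "ex\u0430mple.com",          # single Cyrillic "а" homoglyph
    "ex\u0430mpl\u0435.com",     # two homoglyphs: not a single edit, caught by normalisation
    "exampleshop.com",           # two added characters: outside these patterns, not flagged
    "example.com",               # the brand itself
    "example.co",                # alternative TLD
]
```

Running `screen(FEED, "example.com")` returns the four lookalikes and leaves the brand itself and the multi-character variant alone, which is the gap a broader monitoring service covers.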

Train employees:

  • Employees who recognise phishing URLs (including subtle domain variations) are the last line of defence when a user follows a link rather than typing an address. Regular simulation training that includes lookalike domain scenarios builds this recognition reflex.

Key takeaways

  • Typosquatting registers domains differing from legitimate brands by one or a few characters: transpositions, substitutions, missing letters, or alternative TLDs.
  • Attackers use fake domains passively (waiting for organic mistyping) or actively via phishing, smishing, and paid search ads.
  • Credential theft, malware delivery, and payment fraud are the primary outcomes for victims.
  • Reputational and legal exposure for the targeted brand can be significant, especially in financial services.
  • Defence combines preemptive domain registration, continuous lookalike domain monitoring, and employee URL-recognition training.

What is Arsen Threat Monitoring?

Arsen's Threat Monitoring module scans the clear and dark web in real time for newly registered lookalike domains, data leaks, and exposed employee information that attackers could weaponise in social engineering attacks. It gives security teams early warning before a typosquatting or phishing campaign is launched — not after the first victim clicks.

Discover why Arsen is the go-to platform for helping CISOs, security teams, and IT leaders protect their organizations against social engineering.

Frequently Asked Questions

Typosquatting is a cyberattack technique in which attackers register domain names that closely resemble legitimate brand domains (differing by a single character, transposition, or alternative extension) to intercept users who mistype a URL or click a lookalike link.

Attackers embed typosquatted domains in phishing emails, smishing messages, and QR codes. Because the URL looks almost identical to the legitimate one, users who do not check carefully proceed to enter credentials or payment data on the fake site.

Typosquatting uses standard ASCII characters in common misspelling patterns. A homoglyph attack replaces one or more characters with visually identical Unicode characters; for example, substituting a Cyrillic "а" for a Latin "a". Both result in a domain that looks legitimate but resolves to an attacker-controlled server. Homoglyph variants are harder to detect by eye and should be included in any domain monitoring strategy.

Training employees to inspect URLs carefully before entering credentials — and to recognise that a link in an email or SMS is not the same as the legitimate domain — reduces the success rate of typosquatting-based phishing. Arsen's phishing simulation platform includes lookalike domain scenarios to train this specific reflex at scale.