- Typosquatting is a cyberattack that uses misspelled or lookalike domains to mislead users.
- Attackers use typosquatted domains to steal credentials, collect personal information, deliver malware, or impersonate trusted brands.
- Typosquatting is related to cybersquatting, but it focuses on small domain errors that users may overlook.
- Enterprises should monitor lookalike domains, suspicious links, user clicks, and phishing reports.
- Mimecast helps protect users from malicious URLs, phishing pages, and typosquatting attacks across email and collaboration tools.
A single mistyped URL can send users to the wrong place. Typosquatting takes advantage of that moment by using lookalike domains that resemble legitimate websites.
For enterprises, the risk goes beyond accidental visits. A typosquatted domain can support phishing, credential theft, malware delivery, business email compromise, and brand impersonation. That makes typo squatting a domain, email, and human risk problem.
What Is Typosquatting?
Typosquatting is a cyberattack where threat actors register domains that resemble legitimate websites but contain small changes, such as typos, swapped letters, missing characters, or deceptive top-level domains.
These look-alike domains are common enough to affect major online brands, with one study finding that 13,857 typosquatting domains targeted the top 500 most-visited websites worldwide. A typosquatted domain is designed to look familiar at a glance so users may visit the wrong site without realizing it.
Typosquatting is also called URL hijacking and is related to domain impersonation, brand impersonation, and cybersquatting. The main goal is to exploit trust in familiar names, domains, and brands so attackers can redirect traffic, steal credentials, collect sensitive information, or support phishing and fraud.
Typosquatting vs. cybersquatting
Typosquatting and cybersquatting are related, but they are not exactly the same. Typosquatting focuses on lookalike domains with small errors or character changes that mislead users into mistyping a URL, clicking a deceptive link, scanning a QR code, or missing a difference in a phishing message.
Cybersquatting is broader because it involves registering domain names tied to a brand, trademark, or business name to profit from resale, misuse, or confusion. In practice, typosquatting is often used for active deception, while cybersquatting may also involve domain resale, trademark abuse, or brand confusion.
How Does Typosquatting Work?
A typosquatting attack usually follows a simple path. The domain looks familiar, the user trusts it, and the attacker uses that trust to steal information or redirect traffic.
Identify a trusted brand or domain
Attackers often start with a popular website, business platform, vendor portal, or login page. They choose names users are likely to recognize, such as workplace apps, payroll tools, file-sharing sites, banks, ecommerce portals, or customer support pages.
Register a similar domain
The attacker creates a lookalike domain using a common misspelling, missing letter, added character, swapped letter, or deceptive top-level domain. A small change can be enough if users are moving quickly or viewing the link on a mobile device.
Build a deceptive site or redirect
The fake site may imitate a login page, payment portal, help desk, file-sharing page, or software download page. In other cases, the domain may redirect users to ads, scam pages, malicious downloads, or other attacker-controlled infrastructure.
Lure users to the fake domain
Some users reach typosquatted domains by typing the wrong URL. Others arrive through phishing emails, search results, paid ads, QR codes, social posts, or links shared in collaboration tools. This is why typosquatting often works best when paired with phishing campaigns.
Exploit the visit
Once users arrive, attackers may steal credentials, capture payment details, collect personal information, install malware, redirect traffic, or impersonate the trusted brand. Some advert typosquatting schemes also generate money each time someone visits the site or clicks an ad.
What Are Common Types of Typosquatting Domains?
Typosquatting domains are often based on small spelling or character changes. The difference may be obvious in isolation, but easy to miss in an email, search result, or mobile browser.
- Misspellings — Use a common spelling mistake or phonetic variation, such as “exampel.com.”
- Missing letters — Remove one character from the legitimate domain, such as “examle.com.”
- Added letters — Add one extra character, such as “exampple.com.”
- Repeated characters — Repeat a vowel or consonant, such as “exammple.com.”
- Swapped letters — Rearrange nearby letters, such as “exmaple.com.”
- Adjacent-key typos — Replace a character with a nearby keyboard letter, such as “exanple.com.”
- Pluralized words — Add or remove an “s,” such as “examples.com.”
- Hyphenated versions — Insert a hyphen to look official, such as “example-login.com.”
- Lookalike top-level domains — Swap the ending, such as “example.co” instead of “example.com.”
Attackers may also use visually similar characters or internationalized domain names to make a typosquatting domain harder to spot. That is why users should not rely on visual review alone.
What Are Typosquatting Examples in Enterprise Attacks?
Enterprise typosquatting attacks often target tools employees already use. The fake site does not need to fool everyone. It only needs to fool one user with the right access.
Fake Microsoft 365 login pages
Attackers may imitate familiar workplace sign-in pages to steal usernames, passwords, MFA codes, or session information. Once credentials are captured, attackers may try to access email, documents, Teams, or other connected apps.
HR portals
A fake HR portal can be used to collect employee records, tax details, benefits information, or login credentials. These attacks may appear during open enrollment, onboarding, or payroll update periods.
Payroll sites
Typosquatted payroll pages may capture banking details, direct deposit information, employee IDs, or account logins. This can lead to payroll fraud, identity theft, or account takeover.
File-sharing pages
Attackers may imitate document-sharing services to trick employees into opening malicious files or entering credentials. A fake “shared document” page can be especially effective when sent from a compromised account.
Expense platforms
Fake reimbursement or expense sites can collect payment information, internal financial data, or employee credentials. These attacks may be timed around travel, procurement, or month-end reporting.
VPN or SSO login pages
Spoofed VPN or single sign-on pages can give attackers broader access to enterprise systems. If the user enters valid credentials, the attacker may gain a foothold for unauthorized access or lateral movement.
What Are the Business Risks of Typosquatting?
Typosquatting can act as an entry point rather than a standalone threat. A fake website, phishing email, QR code, or social engineering message can lead to larger security and fraud issues.
- Credential theft — Fake login pages can collect usernames, passwords, MFA codes, tokens, and session information from employees, customers, or vendors.
- Phishing — A lookalike domain can make phishing emails, QR codes, ads, and social posts look more believable to unsuspecting users.
- Financial loss — Attackers may use typosquatted domains to collect payment details, redirect invoices, support wire fraud, or trick users into paying fake vendors.
- Reputation damage — A typosquatted website can make customers question whether a brand is safe, especially if users lose credentials or sensitive information.
- Legal issues — Companies may spend time and money on investigations, domain disputes, takedown requests, customer notices, and possible legal action.
- Malware delivery— Fake sites may prompt users to download malicious files, browser updates, invoices, or software installers.
- Ransomware entry points — Malware delivered through a typosquatted site can give attackers an initial foothold for ransomware activity.
- Business email compromise support — Lookalike domains can support fake vendor messages, invoice fraud, payment-change requests, and executive impersonation.
- Account takeover — Stolen credentials can give attackers access to email, SaaS apps, customer portals, or internal systems.
- Unauthorized access — Captured logins, tokens, or session data can help attackers view sensitive data or move deeper into the environment.
Typosquatting can also affect software supply chains. In some cases, attackers create a malicious package with a name similar to a legitimate package, hoping developers install the wrong one.
How Can Organizations Detect Typosquatting?
Detection starts with visibility across domains, URLs, email, user behavior, and reported threats. The goal is to spot suspicious activity before users fall for the fake site.
Monitor domains and URLs
Organizations should track newly registered domains, lookalike domains, suspicious top-level domains, brand-plus-keyword domains, and visually similar characters. Teams should also monitor suspicious traffic, blocked URLs, user clicks, phishing reports, and unusual login attempts tied to lookalike sites.
Detect risky email and user behavior
Email security tools should identify messages that link to misspelled domains, suspicious redirects, fake login pages, credential harvesting sites, and unexpected payment portals. User behavior signals, such as repeated risky clicks, credential submissions, failed logins, or brand-like domain reports, can help teams identify exposed users and apply stronger controls.
How Can Organizations Prevent Typosquatting Attacks?
Organizations cannot stop attackers from registering every deceptive domain, but they can reduce exposure. Prevention should combine domain monitoring, email security, DNS controls, user education, and clear response workflows.
- Monitor domain registrations — Track newly registered domains, lookalike domains, suspicious top-level domains, and brand-plus-keyword variations that could imitate the organization or its partners.
- Register defensive domains — Secure common misspellings, alternate top-level domains, and high-risk variations before attackers can use them.
- Strengthen email authentication — Use DMARC, SPF, and DKIM to reduce domain spoofing and make fraudulent email easier to identify.
- Improve DNS security — Use DNS filtering and security controls to detect suspicious resolution patterns, block malicious domains, and reduce redirected traffic.
- Use URL filtering and browser isolation — Block known malicious domains, suspicious redirects, newly observed lookalike domains, and URLs tied to phishing or credential harvesting.
- Create takedown workflows — Establish a clear process for reporting, validating, and removing fraudulent domains or fake websites quickly.
- Use bookmarks for critical sites — Encourage employees to save commonly used company websites, vendor portals, and login pages instead of typing URLs manually.
- Train users on lookalike domains — Teach employees to inspect links, avoid rushing through login prompts, and report suspicious domains before entering credentials.
These controls are strongest when they work together. Domain monitoring can help identify suspicious registrations, while email security, URL inspection, DNS filtering, and user awareness can reduce the chance that employees reach or trust a fake site.
For organizations that need stronger protection against malicious URLs and lookalike domains, Mimecast URL Protection can help inspect links at the time of click and block access to suspicious destinations.
How Can Mimecast Help Protect Against Typosquatting?
Mimecast helps organizations defend against typosquatting by reducing the risk that users will click through to malicious links, phishing pages, credential harvesting sites, and suspicious redirects.
URL protection at time of click
Mimecast URL Protection helps inspect links in email and attachments when users click them. This matters because attackers may send links that appear safe at delivery but later redirect to a malicious site, phishing page, ransomware page, or typosquatted domain.
Protection across email and collaboration tools
Typosquatting does not only appear in traditional email. Attackers can place malicious links in shared files, Teams conversations, SharePoint content, OneDrive documents, and other collaboration channels, which is why link and content protection should extend beyond the inbox.
Human risk visibility and coaching
Mimecast can connect link-click behavior to human risk management. If certain users repeatedly engage with risky URLs, security teams can identify patterns, provide coaching, deliver behavioral nudges, and focus protection where the risk is highest.
Strengthening Defenses Against Typosquatting
Typosquatting turns small domain differences into phishing, malware, fraud, and brand impersonation opportunities. A missing letter, swapped character, or deceptive top-level domain can be enough to mislead users, steal credentials, or open a path into enterprise systems.
Preventing typosquatting requires more than asking users to “look closely” at links. Organizations need layered protection across domain monitoring, email security, DNS filtering, URL inspection, browser isolation, takedown workflows, and human risk management. Mimecast helps organizations strengthen protection against malicious URLs, phishing, impersonation, and human-targeted threats across email and collaboration channels.