What is domain monitoring for typosquatting?
Still have a question, spotted an error, or have a better explanation or a source we should cite?
Imagine someone registers amaz0n-offers.com overnight, mirrors your brand's email template, and starts sending phishing messages to your customers. By the time you hear about it, the damage is done. That's typosquatting in practice, and it happens to brands of every size.
Domain monitoring is the practice of watching for new domain registrations that look dangerously close to yours. Think misspellings, character swaps, added hyphens, or extra keywords bolted onto your brand name. The goal is to catch these before attackers flip the switch and start sending.
There are a few categories of look-alike domains worth watching.
- Typosquats are simple misspellings or common keyboard errors. If your domain is harborcargo.com, someone might register haborcargo.com or harborcargo.net.
- Homograph attacks replace letters with visually identical characters, often from other alphabets. The Cyrillic letter "а" looks identical to the Latin "a" in most fonts. That's deliberate.
- Keyword variations add words around your brand, like harborcargo-support.com or secure-harborcargo.com. These are popular for fake login pages and account-alert phishing.
For tools, you've got a few routes. Commercial services like PhishLabs and Bolster automate the detection and alert you in near real-time. If you prefer a more hands-on approach, DNSTwist is an open-source tool that generates look-alike permutations of your domain and checks which ones are already registered. It's free and surprisingly thorough.
Certificate transparency logs are another layer worth adding. Every time a TLS certificate is issued for a domain (including a fake one), it gets logged publicly. Services like crt.sh let you search those logs. If someone registers secure-yourbrand.com and gets an HTTPS cert for it, you can often catch it within hours.
Once you spot a suspicious domain, move fast. Here's the rough order of operations.
- Document everything. Screenshot the WHOIS record, the registration date, any live content, and any emails sent from that domain if you have samples. You'll need this for enforcement.
- Report to the registrar. Every domain registrar has an abuse contact. File a report with the evidence you've gathered. Response times vary wildly, but it's step one.
- File with ICANN. If the registrar is unresponsive, ICANN has a Uniform Domain-Name Dispute-Resolution Policy (UDRP) process designed for exactly this. It's slower but it works.
- Alert your users. If you have any reason to think your customers have already been targeted, send a heads-up from your real domain. Keep it simple and link them to your official URL.
And one thing that genuinely helps here is having a published BIMI record and a solid DMARC policy. It doesn't stop someone from registering a look-alike domain, but it does make your real emails visually verifiable (your logo shows up in the inbox) and makes it much harder for someone to spoof your actual domain. Combined with monitoring, that's a meaningful defense.
If you've spotted something suspicious and want a second opinion, our SOS hotline is free. No pitch, just help.
Contributors
Who worked on this answer
Every name links to their profile. Every company links to their site. Real people, real accountability.