What is a lookalike domain?
Still have a question, spotted an error, or have a better explanation or a source we should cite?
Imagine you get an email from support@paypa1.com. At a glance, it looks like PayPal. But that 1 where the l should be? That's a lookalike domain doing exactly what it was designed to do.
A lookalike domain is a domain registered to visually mimic a real, trusted one. The goal is to fool people into thinking they're dealing with a legitimate brand when they're actually interacting with an attacker. Common examples include swapping letters (arnazon.com), replacing letters with numbers (g00gle.com), adding or removing hyphens (pay-pal.com), and inserting extra words (paypal-support.com).
Why does it work? We don't read every character when we're moving fast. Our brains recognize familiar shapes and patterns. Attackers exploit that. A domain that's 90% familiar gets treated as 100% trustworthy, at least long enough to click a link or hand over a password.
Here's what makes lookalike domains especially tricky from an authentication standpoint. The attacker actually owns the lookalike domain, so SPF, DKIM, and DMARC can all pass cleanly on their side. Authentication wasn't built to stop someone from registering a domain that sounds like yours. It was built to stop someone from faking that they are you. That's a meaningful difference.
Lookalike domains show up in a few different attack patterns. Phishing emails that appear to come from your bank or a shipping company. Business email compromise (BEC) scams where an attacker pretends to be a colleague or vendor. Fake login pages that harvest credentials. And even customer-facing fraud where your customers get targeted by someone posing as your brand.
If you're a brand with any kind of audience, the question isn't really whether someone might register a lookalike domain targeting you. It's whether you'd know if they did. Monitoring for impersonation domains is a real practice, not just a paranoid one. Domain monitoring services watch for new registrations that pattern-match against your brand name and alert you early.
For defense, the practical steps are: register obvious variations of your own domain before attackers do, monitor for new lookalike registrations, implement DMARC at enforcement on your real domain, and consider BIMI to give your emails a visible brand mark that's harder to fake at a glance.
But if you want to see what your domain's authentication looks like to the outside world right now, our free DMARC parser is a good place to start. And if this feels urgent, our SOS hotline is free to use.
Contributors
Who worked on this answer
Every name links to their profile. Every company links to their site. Real people, real accountability.