What is a spoofing attack using lookalike domains?
Still have a question, spotted an error, or have a better explanation or a source we should cite?
Imagine you get an email from support@paypa1.com. It looks like PayPal. The logo's right, the tone's right, the urgency is turned up just enough to make you click. But that domain is paypa1.com, with a number 1 swapped in for the letter L. You'd probably miss it at a glance. Most people do.
That's a lookalike domain attack. The attacker registers a domain that's visually close to a real brand's domain, then sends email from it. Classic tricks include swapping letters for numbers (paypa1.com), using character pairs that blur together (arnazon.com, where "rn" reads as "m"), or adding small words (support-apple.com, mail-amazon.com).
Here's the part that makes this so tricky: the email is technically legitimate. The attacker controls the lookalike domain, so SPF and DKIM both pass. DMARC doesn't flag it either, because DMARC only checks that the sending domain matches the domain in the From header. It's matching fine. The lookalike domain is the From header. Authentication was never designed to protect against this kind of trick, and that's exactly why attackers use it.
So what does actually help?
- Domain monitoring. Services that watch for newly registered domains that look like yours. If someone registers paypa1.com or paypa1.net, you want to know about it before your customers get a phishing email.
- User awareness. Training people to hover over links, read the actual domain carefully, and be suspicious of any email asking for credentials or urgent action. (Easier said than done, yes, but it's still one of the most effective defenses out there.)
- BIMI. When a legitimate brand has BIMI set up, their verified logo appears in the inbox. A lookalike domain won't have that logo, which gives observant recipients a visual cue that something's off.
- Email clients. Some clients, including Gmail, flag suspicious-looking sender domains or show warnings when a domain hasn't been seen before. It's not foolproof, but it adds friction.
If you run a brand that's worth impersonating (and most brands are, at some point), it's worth checking whether anyone has already registered domains that look like yours. Our SOS hotline is free if you're not sure where to start.
Contributors
Who worked on this answer
Every name links to their profile. Every company links to their site. Real people, real accountability.