What is domain squatting?
Domain squatting is the registration of a domain to profit from another party's name, traffic, or trademark. This guide explains how domain squatting differs from typosquatting and cybersquatting, the risks it creates, and the available response options.
5 min read
What it is#
Domain squatting is the registration or use of a domain name to benefit from the name, traffic, reputation, or potential future demand associated with another organization or person. It is one concern within domain protection. Some registrations are clearly abusive, such as a domain that impersonates a bank to collect credentials. Others are disputes over trademarks, resale, or confusing similarity that require a fact-specific legal analysis.
The central question is intent and use. Registering a generic term for a legitimate project is not automatically domain squatting. Registering a domain that targets another organization's distinctive name, likeness, or trademark, misleads visitors, or seeks payment for transfer is more likely to create an enforcement issue.
Domain squatting vs. cybersquatting and typosquatting#
These terms overlap but do not mean exactly the same thing:
- Domain squatting is the broadest practical term. It covers registrations that exploit an organization's identity, traffic, or expected demand for a domain name.
- Cybersquatting usually refers to bad-faith registration or use of a domain that is identical or confusingly similar to a trademark. It is the term most often used in trademark disputes and legal frameworks.
- Typosquatting is a subtype of domain squatting that relies on predictable misspellings, keyboard errors, or lookalike versions of a target domain.
A domain may fall into more than one category. For example, gogle.com is a typosquatting domain and may also be cybersquatting if it was registered and used in bad faith against the Google trademark.
Common forms of domain squatting#
Typosquatting and lookalike domains#
Typosquatting captures traffic intended for a legitimate domain through omissions, transpositions, substitutions, or other lookalike domain patterns. Homoglyphs, combosquatting, and internationalized domain name homographs expand the same problem beyond simple typing errors.
Top-level domain and keyword variants#
Top-level domain (TLD) squatting keeps the organization's name but changes the suffix, such as using .co instead of .com. Keyword squatting adds terms such as login, support, or secure to a name or domain. These variants can support phishing, traffic diversion, or counterfeit storefronts even when the primary string is correctly spelled.
Resale and blocking registrations#
Some registrants acquire a domain to sell it to the rights holder later, prevent that party from using it, or divert valuable search and direct-navigation traffic. The outcome depends on the domain, the registrant's rights, the evidence of bad faith, and the applicable jurisdiction. A generic word or a legitimate descriptive use does not by itself establish improper conduct.
Risks to organizations and visitors#
Squatted domains can create security, commercial, and legal exposure. A phishing page can capture credentials. A parked page or affiliate redirect can siphon traffic and revenue. A domain configured with mail exchange records can receive messages sent to a mistyped address. Even an inactive registration can confuse visitors about an organization's identity or become operational quickly when its owner adds Domain Name System (DNS) records, Transport Layer Security (TLS) certificates, and web content.
This makes domain monitoring important before a suspicious domain becomes visibly malicious. Registration data from WHOIS and Registration Data Access Protocol (RDAP), passive DNS, certificate transparency, hosting context, and page content help distinguish a dormant registration from a higher-risk impersonation campaign.
How to respond to domain squatting#
Triage the domain and preserve evidence#
First, determine whether the domain resolves, hosts content, sends email, sends visitors through a redirect chain, or has a recently issued certificate. Preserve timestamped screenshots, web responses, registration data, and DNS records before the content changes. That evidence supports both security operations and any later enforcement decision.
Match the response to the harm#
For active phishing, malware, or credential theft, report the domain and hosting infrastructure through the relevant DNS abuse channels and block confirmed threats through controls such as DNS filtering. For trademark confusion, resale pressure, or inactive but suspicious registrations, gather evidence of the mark, the registrant's use, and the domain's history before selecting an enforcement path.
The Uniform Domain-Name Dispute-Resolution Policy (UDRP) provides an administrative process for many trademark-based abusive domain-name disputes. In the United States, the Anticybersquatting Consumer Protection Act (ACPA) provides a separate legal route in some cases. Neither process replaces rapid incident response when a live domain is being used for phishing or other abuse.
For practical takedown channels, evidence requirements, and escalation choices, see brand protection enforcement. Legal remedies depend on the trademark rights, the domain's registration and use, and the relevant jurisdiction.
Prevention and ongoing monitoring#
Defensive domain registration can prevent abuse of a limited set of high-risk variants, especially common typos and important TLDs. It cannot economically cover every possible variation. Continuous monitoring fills that gap by identifying newly registered and newly active domains that resemble an organization's domains, name, or identity. A broader typosquatting protection program combines registration, monitoring, blocking, and enforcement.
An effective program combines domain threat intelligence with malicious domain detection. It prioritizes cases using registration recency, DNS resolution, certificate issuance, mail configuration, hosting reputation, and page content. The result is a smaller set of cases where teams can investigate, block, report, or pursue recovery based on the actual risk rather than the domain name alone.
Previous
What is domain protection?
Next
Defensive domain registration
More from Domain protection
View all