Typosquatting protection
A defense-in-depth approach to typosquatting, covering defensive domain registration, continuous monitoring, DNS-level blocking, email authentication, legal enforcement, and incident response. Includes cost/benefit analysis and an honest assessment of what scales and what does not.
What it is
Typosquatting protection refers to the layered defensive strategies organizations deploy to prevent, detect, and respond to malicious registrations of lookalike domains. No single measure eliminates the risk. Effective programs combine proactive registration, continuous monitoring, DNS and email controls, legal remedies, and a practiced incident-response workflow.
Defensive domain registration
The most intuitive defense is registering high-risk typosquatting variants before attackers do. A practical registration strategy prioritizes:
- Common omissions, transpositions, and keyboard-proximity errors of the primary brand domain
- Adjacent TLDs (.co, .net, .org, plus country-code domains relevant to the organization's markets)
- Bitsquat variants, which form a small, deterministic set and are inexpensive to cover
- High-value homoglyph and IDN homograph substitutions that are visually indistinguishable in browser address bars
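As an added example (not code from Have I Been Squatted or from the original page), the following Python builds four of the registration-priority categories above for one domain: omissions, transpositions, keyboard-proximity substitutions and the deterministic bitsquat set. The US-QWERTY adjacency map and the sample domain are constructed assumptions; homoglyph/IDN substitutions are left out.

```python
import string

# Constructed US-QWERTY adjacency map (letter rows only); an assumption, not the page's data.
QWERTY = {
    "q": "wa", "w": "qeas", "e": "wrds", "r": "etfd", "t": "rygf", "y": "tuhg",
    "u": "yijh", "i": "uokj", "o": "iplk", "p": "ol", "a": "qwsz", "s": "awedxz",
    "d": "serfcx", "f": "drtgvc", "g": "ftyhbv", "h": "gyujnb", "j": "huikmn",
    "k": "jiolm", "l": "kop", "z": "asx", "x": "zsdc", "c": "xdfv", "v": "cfgb",
    "b": "vghn", "n": "bhjm", "m": "njk",
}
# Characters allowed in a hostname label; a flipped byte outside this set is not registrable.
LABEL_CHARS = set(string.ascii_lowercase + string.digits + "-")

def omissions(label):
    return {label[:i] + label[i + 1:] for i in range(len(label))}

def transpositions(label):
    return {label[:i] + label[i + 1] + label[i] + label[i + 2:] for i in range(len(label) - 1)}

def keyboard_proximity(label):
    return {label[:i] + k + label[i + 1:] for i, ch in enumerate(label) for k in QWERTY.get(ch, "")}

def bitsquats(label):
    """Single-bit flips of each character that still yield a registrable label character."""
    out = set()
    for i, ch in enumerate(label):
        for bit in range(8):
            flipped = chr(ord(ch) ^ (1 << bit))
            if flipped in LABEL_CHARS and flipped != ch:
                out.add(label[:i] + flipped + label[i + 1:])
    return out

def high_risk_variants(domain):
    """Map each candidate domain to the set of categories that produce it."""
    label, _, tld = domain.lower().partition(".")
    generators = {"omission": omissions, "transposition": transpositions,
                  "keyboard": keyboard_proximity, "bitsquat": bitsquats}
    variants = {}
    for category, generate in generators.items():
        for candidate in generate(label):
            # Drop the original label, empty labels and labels with a leading/trailing hyphen.
            if candidate and candidate != label and candidate.strip("-") == candidate:
                variants.setdefault(f"{candidate}.{tld}", set()).add(category)
    return variants
```

Variants that appear in more than one category (an omission that is also a bitsquat, for instance) are the ones to register first.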
Cost/benefit reality
Individual domain registrations usually cost on the order of ten dollars per year, but the permutation space grows quickly. A 10-character domain can generate thousands of variants across hundreds of TLDs. Fortune 500 companies hold an average of roughly 19,500 defensively registered domains each, a commitment that only the largest organizations can sustain. For most teams, registering every variant is financially impractical.
By contrast, recovering a domain through UDRP typically costs on the order of a few thousand dollars per case, usually far more than a year or two of defensive registration for a high-risk variant. Defensive registration of the highest-risk variants is almost always cheaper than after-the-fact recovery. The key is treating defensive registration as a complement to monitoring, not a replacement for it.
Continuous monitoring
Monitoring closes the gap that defensive registration cannot cover. The most effective programs generate permutations across every major category (omission, addition, transposition, homoglyph, hyphenation, combosquatting, TLD swap) and continuously cross-reference against incoming registration data from multiple sources:
- Zone file access (via ICANN's Centralized Zone Data Service for gTLDs, and commercial feeds for ccTLDs)
- Certificate Transparency logs for domains obtaining TLS certificates, often the first signal that a domain is preparing to serve content
- Passive DNS for domains that begin resolving
- WHOIS and RDAP for registration metadata and ownership signals
Alerting on registration alone generates noise. Layering signals (DNS resolution, MX record presence, web content, HTTP banner data) separates parked domains from active threats. Organizations that triage alerts based on enrichment data, rather than raw registration events, reduce false positives and focus analyst time on confirmed risks.
Have I Been Squatted automates this pipeline by generating permutations, checking registration status, searching Certificate Transparency logs, and enriching each match with DNS, HTTP, RDAP, and screenshot data so security teams can prioritize confirmed threats.
DNS-level blocking
Technical controls at the DNS layer reduce user exposure to known typosquat domains:
- Enterprise DNS filtering resolvers can block domains flagged by domain monitoring or commercial threat feeds
- Google Safe Browsing and Microsoft SmartScreen flag known phishing domains, including typosquats, with browser-level warnings
- Browser autocomplete suggests known URLs as users type, reducing the probability of a typo reaching DNS resolution
These controls are inherently reactive. They depend on a typosquat domain being identified and listed before a user visits it, offering no protection against newly registered, unlisted domains. DNS-level blocking works best as a downstream consumer of a monitoring system that feeds it fresh indicators.
Email authentication
Typosquat domains are frequently registered to send phishing emails impersonating a brand. Tens of millions of phishing emails are detected annually, with a significant fraction originating from newly created domains. Configuring DMARC, SPF, and DKIM on the organization's own domains prevents direct spoofing, but these protocols cannot prevent an attacker from sending email from a typosquat domain under their own control (the attacker's DMARC policy, if any, applies to the attacker's domain).
The practical countermeasure is monitoring for typosquat domains with MX records configured, a signal that the domain is likely staged for email-based attacks, and pursuing takedowns proactively. Password managers provide an additional safeguard. They match stored credentials to the exact domain and will not autofill on a lookalike, neutralizing many credential-harvesting attempts even when a user clicks a phishing link.
Legal enforcement
Two primary ICANN-administered mechanisms exist for recovering typosquat domains:
- UDRP (Uniform Domain-Name Dispute-Resolution Policy). Arbitration that typically costs on the order of a few thousand dollars per case. WIPO sees thousands of UDRP cases per year, with roughly 79% resulting in domain transfer. Proceedings take 45 or more days and require demonstrating bad-faith registration and use.
- URS (Uniform Rapid Suspension). A faster, lower-cost alternative to UDRP that suspends rather than transfers the domain. Limited to cases of clear trademark infringement.
For U.S. trademark holders, the Anticybersquatting Consumer Protection Act (ACPA) provides a federal litigation path with substantial statutory damages for bad-faith registration, but suits typically cost far more than UDRP. Both UDRP and ACPA are effective for individual domains but do not scale against attackers who bulk-register hundreds of variants faster than legal processes resolve them. For a deeper look at takedown channels, see brand protection enforcement.
Incident response
Detection is only valuable if it triggers a practiced response. A typosquatting incident-response workflow typically includes:
- Triage. Confirm whether the flagged domain is actively serving content, resolving DNS, or sending email
- Enrichment. Gather WHOIS/RDAP data, screenshot the site, check Certificate Transparency for issued certificates, and assess overlap with brand impersonation patterns
- Containment. Submit the domain to DNS blocklists, Safe Browsing, and phishing domain detection feeds; notify the registrar and hosting provider
- Recovery. File UDRP or send a cease-and-desist for domains worth recovering; pursue defensive registration of the variant after transfer
- Post-incident review. Update monitoring rules, add the variant pattern to internal threat intelligence, and adjust the defensive registration portfolio
Speed matters. Phishing domains used for business email compromise often operate for only hours before rotating to a new domain, so automating the triage-to-containment path shrinks the exposure window.
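The signal-layering triage described under Continuous monitoring and the triage/containment steps of the workflow above, as an added example (not Have I Been Squatted's code): it scores constructed enrichment records so that parked domains, email-staged domains and live brand impersonation land in different queues with the matching containment actions. The field names, thresholds and sample domains are assumptions.

```python
from dataclasses import dataclass, field
from typing import List, Optional

@dataclass
class Enrichment:
    """One monitored permutation with the signals the monitoring pipeline collected."""
    domain: str
    registered: bool
    resolves: bool                     # passive DNS or live A/AAAA answer
    has_mx: bool                       # MX record present: likely staged for email
    ct_cert: bool                      # certificate seen in Certificate Transparency logs
    http_status: Optional[int] = None  # None when nothing answers on 80/443
    brand_keywords: int = 0            # brand terms found in page title/body

@dataclass
class Verdict:
    domain: str
    severity: int          # 0 = watchlist only, 3 = contain now
    verdict: str
    actions: List[str] = field(default_factory=list)

def triage(e: Enrichment) -> Verdict:
    """Layer signals instead of alerting on the raw registration event."""
    if not e.registered:
        return Verdict(e.domain, 0, "unregistered", ["candidate for defensive registration"])
    brand_content = e.http_status == 200 and e.brand_keywords > 0
    if brand_content:
        return Verdict(e.domain, 3, "active-impersonation",
                       ["submit to DNS blocklist, Safe Browsing and phishing feeds",
                        "notify registrar and hosting provider", "assess UDRP/URS"])
    if e.has_mx:
        return Verdict(e.domain, 2, "staged-for-email",
                       ["notify registrar", "flag sender domain at the mail gateway", "re-enrich daily"])
    if e.resolves or e.ct_cert:
        return Verdict(e.domain, 1, "live-no-content", ["capture screenshot", "re-enrich in 24h"])
    return Verdict(e.domain, 0, "parked", ["keep on watchlist"])

def prioritize(records):
    """Highest severity first so analyst time goes to confirmed abuse."""
    return sorted((triage(r) for r in records), key=lambda v: (-v.severity, v.domain))

# Constructed sample records, not real observations.
SAMPLE = [
    Enrichment("exampel.com", True, False, False, False),
    Enrichment("examp1e.com", True, True, True, True, 200, 3),
    Enrichment("exmaple.com", True, True, True, False, None, 0),
    Enrichment("exampl.com", False, False, False, False),
    Enrichment("exanple.com", True, True, False, True, 404, 0),
]
```

Feeding only severity-3 verdicts into the DNS blocklist keeps the blocking layer from inheriting the registration-event noise.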
What does not scale
An honest assessment of limitations strengthens any protection program:
- Exhaustive defensive registration is cost-prohibitive outside the Fortune 500
- UDRP and URS cannot keep pace with automated bulk registration by determined attackers
- Blocklists are reactive and always lag behind newly registered domains
- User training reduces but does not eliminate accidental visits, because typosquatting exploits involuntary motor errors, not ignorance
The most effective programs accept these constraints. They invest in fast detection and rapid response rather than attempting to prevent every malicious registration. A domain monitoring pipeline that surfaces threats within hours of registration, combined with automated enrichment that separates noise from confirmed abuse, provides the foundation for a brand protection strategy that scales with the threat landscape.