What is typosquatting?

Typosquatting is the practice of registering domain names that resemble a target brand or popular site, usually through misspellings or other predictable permutations. It is often associated with mistyped URLs but commonly extends to lookalike domains used for phishing, advertising, and related abuse. This guide covers permutation categories, attacker motivations, scale, and legal frameworks.


What it is

Typosquatting is the practice of registering domain names that closely resemble a target brand or high-traffic domain, typically using misspellings or other predictable permutations. The classic pattern is accidental traffic. If someone intends to visit google.com but types gogle.com or googel.com, whoever registered that variant may receive the visit instead.

In security usage the term often covers the same permutation space when it is used deliberately, for example phishing sites, ad-heavy parking pages, affiliate redirects, or competitive traffic diversion, not only addresses that users reach by mistyping a URL.

Typosquatting touches two response tracks that are often mixed up. DNS abuse is harm that involves domain names and DNS as infrastructure, including phishing on a lookalike host (ICANN treats phishing as DNS abuse), malware, botnets, and related categories. Trademark and cybersquatting complaints target confusing similarity to a protected mark and bad-faith registration, including many parked or advertising-only typosquats that do not necessarily meet DNS abuse thresholds. The same registration can raise both issues; the appropriate channel depends on whether the priority is malicious hosting and misuse of DNS or mark confusion and unfair registration.

The technique has existed since the earliest days of commercial domain registration and remains one of the most common forms of domain abuse. Measurement studies have found that roughly 95% of the top 500 websites have at least one typosquatting domain registered against them, with at least 938,000 typosquat domains targeting the top 3,264 .com sites alone.

Typosquatting is one category within the broader family of lookalike domains, which also includes homoglyph substitution, combosquatting, IDN homograph attacks, and TLD squatting. For real-world incidents across these categories, see typosquatting examples.

Common typo categories

Typosquatting variants are generated from predictable categories of human typing errors and keyboard-adjacent changes. The same categories are enumerated algorithmically for attack and defense, which is how tools generate the full set of permutations for a given domain:

  • Omission. Dropping a character, gogle.com instead of google.com
  • Addition. Inserting an extra character, googgle.com or gooogle.com
  • Transposition. Swapping two adjacent characters, googel.com instead of google.com
  • Substitution. Hitting an adjacent key, googke.com (the l key is next to k on QWERTY)
  • Vowel swap. Replacing one vowel with another, goagle.com
  • Hyphenation. Inserting or removing hyphens, goo-gle.com
  • Bitsquatting. Single-bit errors in memory that alter a character, googde.com (l and d differ by one bit)
  • TLD variation. Using the wrong top-level domain, google.co instead of google.com

Beyond keyboard errors, attackers exploit visual similarity through homoglyphs and internationalized domain names encoded as Punycode, as well as semantic tricks like keyword squatting, subdomain takeover, and brand impersonation.

A single popular domain can have thousands of possible typosquatting variants when all categories are combined. Have I Been Squatted generates these permutations automatically and checks each one for active registration, alerting domain owners when dangerous variants appear.
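The categories above can be applied to a feed of newly registered domains to label which entries are variants of a monitored brand. The following is an added example, not code from this guide or from Have I Been Squatted; the names `variants`, `triage`, and `FEED` are hypothetical, the QWERTY adjacency map is simplified, and feed entries are assumed to be registrable domains of the form label.tld.

```python
import string

VOWELS = "aeiou"
ALLOWED = set(string.ascii_lowercase + string.digits + "-")
# Assumption: simplified QWERTY adjacency (left/right neighbours on the same row only).
ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm"]
ADJ = {c: r[max(i - 1, 0):i] + r[i + 1:i + 2] for r in ROWS for i, c in enumerate(r)}
# Constructed sample feed of newly registered domains (variants from the list above).
FEED = ["gogle.com", "googgle.com", "googel.com", "googke.com", "goagle.com",
        "goo-gle.com", "googde.com", "google.co", "google.com", "example.org"]


def variants(label):
    """Map each single-edit variant of a label to a category (first match wins)."""
    out = {}

    def add(v, cat):
        # Keep only valid hostname labels that differ from the original.
        if v and v != label and set(v) <= ALLOWED and v[0] != "-" and v[-1] != "-":
            out.setdefault(v, cat)

    for i, c in enumerate(label):
        head, tail = label[:i], label[i + 1:]
        add(head + tail, "omission")
        add(head + c + c + tail, "addition")  # doubled character
        add(head + tail[:1] + c + tail[1:], "transposition")
        for k in ADJ.get(c, ""):
            add(head + k + tail, "substitution")
        if c in VOWELS:
            for w in VOWELS:
                add(head + w + tail, "vowel swap")
        if i:
            add(head + "-" + c + tail, "hyphenation")
        for bit in range(8):  # single-bit flip of the ASCII code
            add(head + chr(ord(c) ^ (1 << bit)) + tail, "bitsquatting")
    return out


def triage(feed, brand="google.com"):
    """Return {domain: category} for feed entries that are typo variants of brand."""
    label, _, tld = brand.partition(".")
    table = variants(label)
    hits = {}
    for domain in feed:
        name, _, suffix = domain.lower().partition(".")
        if name == label and suffix != tld:
            hits[domain] = "TLD variation"
        elif suffix == tld and name in table:
            hits[domain] = table[name]
    return hits
```

Calling `triage(FEED)` labels the eight variants and ignores `google.com` and `example.org`. Homoglyph, Punycode, and keyword-based lookalikes are outside what this sketch matches.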

How typosquatting works in practice

A typical typosquatting operation follows a predictable sequence.

  1. Enumeration. The attacker generates typo variants of a target domain using automated tools that apply permutation categories.
  2. Registration. The attacker registers the most promising variants, often through privacy-protected registrars to obscure ownership visible in WHOIS and RDAP records.
  3. Infrastructure setup. The attacker configures DNS records, obtains a TLS certificate to serve HTTPS, and deploys content (a phishing page, ad-laden parking page, or redirect).
  4. Victim or client arrival. Users or systems arrive through typing errors, autocomplete mistakes, misremembered URLs, misleading links, or misconfiguration.
  5. Exploitation. Depending on the attacker's goal, the visitor is phished, served malware, redirected, or monetized through advertising.

The entire cycle from registration to active exploitation can happen within hours. Certificate Transparency logs can surface newly issued certificates for typosquat domains, providing an early signal. This speed is why continuous domain monitoring matters more than periodic manual checks.

Attacker motivations

Typosquatters pursue several monetization strategies. Research indicates that roughly 80% of typosquatting domains display pay-per-click advertising, while 20% redirect traffic elsewhere:

  • Phishing. Presenting a fake login page that harvests credentials, frequently supporting business email compromise campaigns. Modern typosquat phishing sites often use adversary-in-the-middle proxies to capture session tokens and bypass multi-factor authentication (MFA).
  • Malware distribution. Serving drive-by downloads or fake software updates.
  • Ad revenue. Displaying pay-per-click ads on parked domains, profiting from mistyped or otherwise directed traffic. Research shows 63% of typo domains serving Google ads traced back to just five advertising IDs.
  • Affiliate fraud. Redirecting visitors to a legitimate retailer through an affiliate link to earn commissions.
  • Competitive diversion. Redirecting a competitor's mistyped or confused traffic to a rival site.
  • Domain resale. Holding a typosquat domain and selling it to the brand owner at a premium.

Some typosquatters register thousands of variants across hundreds of brands, operating at industrial scale with automated registration and hosting infrastructure. A large fraction of typosquatting domains trace back to a small group of page hosters.

Domain typosquatting beyond the browser

The problem extends well beyond web browsing. Typosquats target any system where a hostname is entered or configured and then resolved:

  • Email addresses. An employee sending sensitive data to @acme.co instead of @acme.com delivers it to whoever controls the typosquat domain. Attackers configure MX records on typosquat domains specifically to harvest misdirected email, and DMARC policies on the legitimate domain cannot prevent delivery to a different domain entirely.
  • API endpoints. Misconfigured services pointing to a typosquat of an API hostname can leak credentials or tokens.

Scale of the problem

For a popular domain with a moderately long name, the number of possible typosquatting variants can reach into the thousands when combining all permutation categories. Most of these variants remain unregistered, but for high-traffic domains the economically viable subset is large. One estimate puts approximately 20% of all .com domain registrations as typo domains, with significant activity in the long tail beyond the most popular sites.

The barrier to entry is low. Domain registration usually costs on the order of ten dollars per year for most TLDs, bulk registration APIs allow hundreds of domains to be acquired in minutes, and privacy-protected registration conceals the registrant's identity. This asymmetry (cheap to attack, expensive to defend across all variants) is what makes typosquatting persistent. Passive DNS and domain threat intelligence feeds help surface new registrations, but only if they feed into an active monitoring workflow.

UDRP and ACPA are the main trademark-oriented tools for cybersquatting. They are not interchangeable with DNS abuse remediation. Registrar and registry DNS abuse processes (see what is DNS abuse) usually turn on evidence of phishing, malware, botnets, or related harm. Phishing on a typosquat is DNS abuse; a parked typo that only infringes a mark may still be actionable under UDRP or ACPA even when it is not treated as DNS abuse.

The two primary legal mechanisms for that trademark and bad-faith registration lane are:

  • UDRP (Uniform Domain-Name Dispute-Resolution Policy). An ICANN-administered arbitration process that allows trademark holders to file complaints and recover infringing domains. A typical case usually costs on the order of a few thousand dollars. UDRP requires demonstrating that the domain is identical or confusingly similar to a trademark, that the registrant has no legitimate interest, and that it was registered in bad faith. WIPO handles thousands of UDRP cases per year, with roughly 79% resulting in domain transfer.
  • ACPA (Anticybersquatting Consumer Protection Act). A U.S. federal statute that provides for substantial statutory damages and domain transfer when someone registers a domain in bad faith. Courts have issued large aggregate awards against operators of broad typo networks.

These mechanisms are effective for individual domains but do not scale well against attackers who register hundreds of variants. The cost and time required for each complaint create an asymmetry that favors the squatter. Outcomes depend heavily on facts and venue. UDRP panels have denied claims from well-funded trademark holders, while federal courts have issued eight-figure ACPA judgments against bulk registrants. Documented disputes and verdicts illustrate the range. For procedural detail and available remedies, see brand protection enforcement. For live phishing or other DNS abuse, organizations typically lean on registrar and hosting abuse workflows and security blocking first; UDRP and ACPA are a poor substitute when the goal is to stop credential theft in progress.

Detection and protection

Effective typosquatting defense combines several layers. For a detailed breakdown, see typosquatting protection.

  • Defensive registration. Proactively registering the highest-risk typo variants before attackers do.
  • Continuous monitoring. Scanning newly registered domain feeds for variants matching a permutation set. Have I Been Squatted generates permutations for monitored domains, checks registration status, and enriches matches with DNS, HTTP, RDAP, and screenshot data.
  • Certificate Transparency monitoring. Detecting when TLS certificates are issued for typosquat domains, signaling intent to serve HTTPS content.
  • DNS-based blocking. Adding confirmed typosquat domains to internal blocklists to prevent employee access.
  • Phishing domain detection. Analyzing enrichment signals (page content, redirect chains, hosting infrastructure) to distinguish active phishing from parked pages.
  • Trademark and cybersquatting enforcement. Pursuing UDRP, ACPA, or related mark-based complaints when the issue is confusing similarity and bad-faith registration, including many non-malicious parked or monetized typosquats. Registrar DNS abuse reports (see DNS abuse) are the usual first step when the domain is used for phishing, malware, or other DNS abuse categories, often alongside hosting complaints and internal blocking.

No single layer is sufficient. Defensive registration cannot cover every variant, and monitoring is only useful if it triggers timely response. Trademark proceedings are often too slow and narrowly framed for active DNS abuse such as live phishing. DNS abuse remedies may not resolve a typo that mainly creates mark confusion without malicious content. A layered approach that matches the response to the harm provides the strongest defense.
