Greg is a CISA-certified cybersecurity researcher who holds multiple patents for data leak detection. His findings have been featured in The New York Times, Forbes, and Wired.
Typosquatting, also known as URL hijacking or domain spoofing, is a form of cybersquatting that targets people who accidentally mistype a website address directly into their web browser's URL field. It works by capitalizing on common typos, misspellings, or misunderstandings of a popular domain name.
Cybersquatters register domain names that are slight variations of a target brand, such as "faacebook.com" for Facebook or "gooogle.com" for Google. Users who fail to notice their mistake may end up on a fraudulent or malicious alternative website set up by cybercriminals.
In 2025, typosquatting has evolved from a simple nuisance to a significant and growing cybersecurity threat. The proliferation of new TLDs (top-level domains) like .xyz or .coffee has created hundreds of thousands of new opportunities for typosquatters.
Businesses with a high volume of web traffic, in particular, face a significant cybersecurity risk from this practice. The prevalence of typosquatting has grown to the point of forcing large companies like Apple, Google, Facebook, and Microsoft to either register typographical error variations of their domain or block potential typosquatting domains through services provided by the Internet Corporation for Assigned Names and Numbers (ICANN).
In this article, we take a deeper look at typosquatting, walk through real-world examples, and provide a full response and prevention guide to help you defend your brand.
Examples of typosquatting
Typosquatting can take many forms, from simple typos to complex brand impersonation, designed to deceive users and exploit brand recognition.
Common misspellings
The most straightforward type of typosquatting is usually caused by a common misspelling, where a single mistake leads the user to a different site.
Simple typos: These are common keyboard errors, such as typing a duplicate letter, like "faacebook.com".
Transposition: This involves reversing letters, such as micrsoft.com instead of microsoft.com.
Character substitution: This involves replacing a letter with a similar character or number. For example, paypa1.com instead of paypal.com. Another typical example is goggle.com, which was used as a phishing site against Google.
Character omission: Occurs when a user misses a letter, such as gogle.com instead of google.com.
Hyphenated variations
This involves the omission or addition of a hyphen to a domain name. For example, a typosquatter might register "face-book.com" to mislead users who mistakenly add a hyphen when typing "facebook.com".
Brandjacking instances
This is a more sophisticated form of typosquatting, in which the fraudulent site mirrors the identity of the legitimate brand to perform a phishing attack. The scam website copies the design, logos, and layout of the real site to trick users into believing they are on a legitimate platform. For example, a fake login page for a bank or email service may be set up at a slightly misspelled URL to steal user credentials.
How does typosquatting work?
Typosquatting exploits human psychology and technical processes to redirect users to malicious sites. While a user may only see a seemingly legitimate webpage, a series of deliberate actions—from psychological manipulation to backend technical maneuvers—make the attack successful.
Psychological tactics
Typosquatters rely on a user's trust and complacency to make the attack effective.
Visual deception: The most common tactic is to mirror the legitimate brand's website design, including its logos, fonts, and color schemes. This visual mimicry tricks users into believing they are on the correct site, making them less likely to notice the misspelled URL.
Urgency-based language: Phishing campaigns that use typosquatted domains often employ urgency to provoke a hasty response from the user. Phrases like "Urgent: Your account has been compromised" or "Action Required: Your password will expire soon" pressure the user to click a link and enter credentials without double-checking the URL.
Social engineering: Typosquatted domains are frequently used in a larger social engineering attack, such as a phishing email. The email might contain a link to a typosquatted domain, leading the user to a fake login page designed to steal personal data, login credentials, or user emails.
The technical backend
A few key technical steps enable the attack once the user mistypes a URL.
Domain registration: Typosquatters register misspelled domain names for a very low cost, often just a few dollars, through various domain registrars. The cheap domain registration price for most top-level domains makes typosquatting incredibly profitable.
DNS resolution: When users type a URL, their browser queries the Domain Name System (DNS) to find the corresponding IP address. In the case of a typo, DNS resolves the misspelled domain exactly as it would any registered name, sending the user to the IP address of the typosquatter's server.
Common hosting tactics: The malicious website is hosted on a server controlled by the attacker. They may use free hosting services, virtual private servers (VPS), or a content delivery network (CDN) to host the site, making it difficult to trace and shut down. Some attackers also use redirects to send users to an entirely different, unrelated site, monetizing the traffic through advertisements.
What are the dangers of typosquatting?
The dangers of typosquatting extend far beyond simple brand confusion. Owners of typosquatted domains often act in bad faith, developing malicious websites with severe consequences for individuals and businesses.
Financial and security consequences
Phishing and data theft: One of the most common and dangerous uses of typosquatted domains is for phishing attacks. These malicious sites are designed to look exactly like popular websites to trick users into revealing personal information, login credentials, or financial data. This can lead to identity theft, fraudulent credit card charges, and unauthorized access to individual accounts.
Malware and ransomware delivery: A typosquatted website can automatically install malware or adware onto a visitor's device without their knowledge. Sometimes, these sites can even install ransomware, such as WannaCry, which holds a user's data hostage until a ransom is paid.
Ad fraud and traffic monetization: Typosquatters can monetize the traffic they steal from legitimate websites in several ways. This includes advertising or pop-ups to generate revenue, or redirecting visitors to competitor websites through affiliate links to earn a commission. They may also use a "bait and switch" tactic, selling a product but never sending it.
Domain hijacking: While typosquatting is distinct from domain hijacking, a typosquatted domain can be a starting point for more severe attacks. The stolen credentials from a typosquatted phishing site could be used to access the legitimate domain's registrar account, allowing the attacker to take control of the real domain.
What is cybersquatting?
Cybersquatting is a distinct form of domain squatting where a person registers, sells, or uses a domain name with the bad-faith intent to profit from a trademark's goodwill. The goal is typically to sell the domain to the trademark owner at a heightened price, leveraging the fact that the brand needs the URL to maintain its online identity and prevent misuse. Due to the low cost of domain registration for most top-level domains (TLDs), cybersquatting can be incredibly profitable.
While both are forms of domain name abuse, the key difference lies in the perpetrator's intent and the type of domain registered. Typosquatting focuses on deceiving users through look-alike domains and typographical errors to perform malicious activities, like phishing or malware distribution. Conversely, cybersquatting typically involves registering the exact brand name with the primary goal of financial extortion from the brand owner.
Typosquatting vs. cybersquatting
| | Typosquatting | Cybersquatting |
|---|---|---|
| Primary Intent | To deceive users into visiting a fake site. | To profit from a trademark, often by selling the domain back to the brand owner. |
| Domain Type | A misspelled or look-alike version of a legitimate domain (e.g., gooogle.com). | A domain name identical or confusingly similar to a brand's trademark. |
| Main Target | Internet users who make typing errors. | The brand owner or company itself. |
| Common Outcome | Data theft, malware delivery, ad fraud, or phishing attacks. | The domain is sold to the brand at an inflated price or used to divert traffic for financial gain. |
Legal and resolution procedures
If your business becomes a target of typosquatting, there are legal frameworks and established procedures you can use to protect your brand and get fraudulent domains taken down.
The Anticybersquatting Consumer Protection Act (ACPA)
In the United States, the ACPA was enacted in 1999 to establish a cause of action for registering, trafficking, or using a domain name confusingly similar to a trademark or personal name. This law was specifically designed to thwart cybersquatters who register domain names containing trademarks with no intention of creating a legitimate website, but instead, plan to sell them to the trademark owner.
Under the ACPA, a trademark owner can file a civil suit if a domain name is registered with a "bad faith intent to profit". A court can then order the forfeiture, cancellation, or transfer of the domain name to the trademark owner. The plaintiff may also be able to recover statutory damages.
To win a UDRP case and get ownership of a domain transferred to you, a trademark holder must prove all three of the following elements to a neutral panel:
The domain name is identical or confusingly similar to a trademark in which the complainant has rights.
The domain holder has no rights or legitimate interests in the domain name.
The domain name has been registered and is being used in bad faith.
Step-by-step mitigation guide for businesses
If you suspect typosquatting, acting quickly to mitigate potential damage is essential.
Detect and document: The first step is to identify the suspicious domain. Use tools to perform a WHOIS lookup to determine who owns the domain and check your internal records. Gather evidence that the domain is being used maliciously, such as screenshots of the fraudulent website.
Contact the registrar: Use a WHOIS lookup to find the domain's registrar. Many registrars have a "report abuse or fraud" link on their website, where you can file a complaint and have the site taken down.
Initiate legal action: If direct contact with the registrar is unsuccessful, you can file a UDRP complaint with a provider like WIPO. UDRP proceedings are typically decided on the written record and can result in the domain being transferred to you. An ACPA lawsuit may be a more suitable option for cases in the U.S. or where monetary damages are sought.
Notify your stakeholders: Inform your customers, staff, or other relevant parties about suspicious emails or a phishing website. This will help them remain vigilant and avoid falling victim to the scam.
How to avoid typosquatting
Organizations can't prevent every typo a user makes, but they can take proactive steps to limit the impact of typosquatting and protect their brand.
Defensive domain registration strategies
The most effective way to prevent typosquatters from acquiring look-alike domains is to register them yourself first.
Register common variations: Proactively register common misspellings, typographical errors, and phonetic approximations of your primary domain name. You can also secure alternate spellings, variants with and without hyphens, and different country extensions or relevant TLDs. Once registered, these domains should be redirected to your official website to ensure you don't lose traffic and that users are protected from harm.
Utilize the Trademark Clearinghouse (TMCH): Register your brand name with the TMCH, a central database for verified trademarks established by ICANN. This service provides two key benefits during the launch of new gTLDs (generic top-level domains):
Sunrise period: Gives you priority access to register a domain name that matches your trademark before it becomes publicly available.
Trademark claims service: Notifies you if a third party attempts to register a domain that matches your trademark after a new TLD launches. This allows you to take immediate action.
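The typo classes listed under "Common misspellings" and "Hyphenated variations" can be enumerated mechanically to build the defensive-registration worklist described here. The following Python is an added example, not UpGuard's code: the function names and the small look-alike character map are assumptions, and the input is assumed to be a registrable domain such as paypal.com.

```python
# Added example: enumerate look-alike candidates for defensive registration.
from collections import defaultdict

# Letter-to-digit look-alikes; an illustrative subset (assumption), not exhaustive.
LOOKALIKES = {"l": "1", "i": "1", "o": "0", "e": "3", "s": "5"}

def permutations(domain):
    """Return {candidate_domain: set of typo classes} for a name like 'paypal.com'."""
    label, _, tld = domain.partition(".")
    found = defaultdict(set)

    def add(kind, new_label):
        # Skip the original name and labels that would start or end with a hyphen.
        if new_label and new_label != label and new_label.strip("-") == new_label:
            found[f"{new_label}.{tld}"].add(kind)

    for i, ch in enumerate(label):
        add("omission", label[:i] + label[i + 1:])        # gogle.com
        add("duplication", label[:i] + ch + label[i:])    # faacebook.com
        if ch in LOOKALIKES:                              # paypa1.com
            add("substitution", label[:i] + LOOKALIKES[ch] + label[i + 1:])
        if i + 1 < len(label):
            add("transposition", label[:i] + label[i + 1] + ch + label[i + 2:])
            if ch != "-" and label[i + 1] != "-":         # face-book.com
                add("hyphenation", label[:i + 1] + "-" + label[i + 1:])
    if "-" in label:
        add("hyphenation", label.replace("-", ""))
    return dict(found)

def by_class(domain):
    """Group candidates by typo class, sorted, as a registration worklist."""
    groups = defaultdict(list)
    for candidate, kinds in permutations(domain).items():
        for kind in kinds:
            groups[kind].append(candidate)
    return {kind: sorted(names) for kind, names in groups.items()}

if __name__ == "__main__":
    for kind, names in sorted(by_class("paypal.com").items()):
        print(f"{kind:14} {len(names):3}  e.g. {names[0]}")
```

Repeating the run for each TLD you care about gives the full worklist; check each candidate's registration status before deciding which to register and which to monitor.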
Domain monitoring and proactive takedown
Even with defensive registration, new threats can emerge, making continuous monitoring critical.
Monitor for typo-based registrations: Use domain monitoring services to continuously scan for new registrations similar to your brand. A practical solution will alert you to impersonation attempts and suspicious activity before they can cause damage.
Educate employees and customers: To protect people outside your organization, like your customers, it is crucial to notify them to look out for suspicious emails or phishing websites. Internal teams should be educated on the risks and encouraged to double-check URLs before entering sensitive information. It's a good practice to use search engines or bookmarks to navigate to essential sites rather than typing the URL directly.
Implement a takedown process: If a typosquatted domain is discovered, businesses should have a straightforward, step-by-step process for getting it taken down. This typically involves:
Discover: Identify the malicious site, which can be difficult without automated tools.
Collect evidence: Safely inspect the URL and gather evidence like screenshots of the fraudulent site, IP address details, and registrar data.
Report abuse: Submit an official takedown request to the domain's registrar or hosting provider with the collected evidence.
Take legal action: Pursue legal measures like a UDRP complaint if the registrar does not respond.
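The discovery step can be automated by screening a feed of newly registered domains against the name you monitor. The Python below is an added example, not part of UpGuard's platform: it flags entries that match after folding look-alike characters and hyphens, or that sit within one edit (including an adjacent-letter swap) of the brand. The feed is constructed sample data, and the function names and fold map are assumptions.

```python
# Added example: screen newly registered domains for look-alikes of a monitored name.
# Digit look-alikes folded back to letters; illustrative subset (assumption).
FOLD = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s"})

def fold(label):
    """Normalize a label: drop hyphens and map look-alike digits to letters."""
    return label.replace("-", "").translate(FOLD)

def osa_distance(a, b):
    """Optimal string alignment distance: insert, delete, substitute, adjacent swap."""
    prev2, prev = None, list(range(len(b) + 1))
    for i in range(1, len(a) + 1):
        cur = [i] + [0] * len(b)
        for j in range(1, len(b) + 1):
            cost = a[i - 1] != b[j - 1]
            cur[j] = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                cur[j] = min(cur[j], prev2[j - 2] + 1)  # transposition
        prev2, prev = prev, cur
    return prev[len(b)]

def screen(monitored, feed, max_distance=1):
    """Return [(domain, reason)] for feed entries that resemble the monitored domain."""
    raw_brand = monitored.partition(".")[0]
    brand = fold(raw_brand)
    hits = []
    for domain in feed:
        domain = domain.strip().lower().rstrip(".")
        if domain == monitored:
            continue  # the legitimate domain itself
        label = domain.partition(".")[0]
        if label == raw_brand:
            hits.append((domain, "same name, other TLD"))
        elif fold(label) == brand:
            hits.append((domain, "look-alike characters or hyphen"))
        elif osa_distance(fold(label), brand) <= max_distance:
            hits.append((domain, f"edit distance <= {max_distance}"))
    return hits

# Constructed sample feed (not real registration data).
SAMPLE_FEED = ["paypa1.com", "pay-pal.net", "paypal.xyz", "papyal.com",
               "paypall.org", "payroll.com", "example.org", "paypal.com"]

if __name__ == "__main__":
    for domain, reason in screen("paypal.com", SAMPLE_FEED):
        print(f"{domain:14} {reason}")
```

Short brand names produce many unrelated matches at distance 1, so treat each hit as a lead for the evidence-collection step rather than as proof of abuse.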
UpGuard can protect your business
UpGuard offers a comprehensive solution to help businesses proactively manage and mitigate typosquatting threats. The platform is designed to provide clear visibility into your external attack surface, allowing you to detect and respond to threats before they can cause damage.
External domain monitoring
With the UpGuard Breach Risk Typosquatting module, you can continuously monitor your typosquatting threats. UpGuard's solution lets you choose the specific domain names you want to monitor. It then automatically identifies and constantly monitors a list of potential domain permutations that could be used to impersonate your brand.
This process includes a variety of strategies to create look-alike domains, such as character omission, substitution, or transposition.
Attack surface discovery and alerting
UpGuard’s platform helps you discover and manage your attack surface, which includes identifying rogue assets like typosquatted domains. The platform provides real-time risk insights and can prioritize risks with data-driven scoring. You can also filter the results by permutation type to find and register all the unregistered variations of your domain.
This continuous monitoring and automated asset discovery minimize manual workload and enhance your ability to respond to emerging threats.
Real-time breach and impersonation notifications
UpGuard provides real-time notifications to help you stay ahead of potential attacks. You can receive immediate alerts when a look-alike domain is registered or a new impersonation threat is detected.
This gives you the context needed to act faster and take control of a potential risk. When a malicious domain is identified, the platform can even guide you on how to begin a takedown request by providing a link to the registrar's abuse reporting page.
With typosquatting threats rising, protecting your brand requires proactive, continuous monitoring. Don't wait for a fraudulent domain to damage your reputation and put your customers at risk.
Reach out to our team today to see how UpGuard's platform automatically identifies and alerts you to typosquatting threats in real-time.