Lookalike domain

How it works

Lookalikes use any trick that makes a domain pass for yours: alternative endings, inserted hyphens or words, swapped characters, or subdomains that bury your brand, as in "yourbrand.login-secure.com". Once registered, they host phishing, fake shops, or spoofed email.

How it relates to brand impersonation

The lookalike domain is the most common building block of brand impersonation. Catching new ones at registration is the earliest possible point of intervention, before any victim is reached.

How nebty helps

nebty continuously discovers lookalike domains targeting your brand, scores them by risk, and lets you escalate the dangerous ones to an on-demand takedown that you only pay for on success.

The trick categories to watch

Lookalike is an umbrella, and the families underneath it are worth knowing because each needs a different detection rule. There are typos (a slipped or doubled letter), combinations (your brand plus a word like login or pay), homoglyphs (foreign characters that look identical), and alternative endings (your brand on .net, .shop, or a country code you do not own). A sneakier family buries your brand in a subdomain, so yourbrand.account-verify.com looks right at a glance even though the real owner is account-verify.com. No single rule catches all of these, which is why effective monitoring generates each variant family separately and then ranks the results, so the dangerous, ready-to-use lookalikes rise above the parked or harmless ones.

Prioritise by readiness, not similarity alone, because a lookalike with live hosting, a certificate, and mail records is a campaign in waiting, while a parked one can usually wait too.