Typosquatting

How it works

Attackers register variants with missing letters, swapped characters, doubled keys, or alternative endings like .co instead of .com. A visitor who mistypes the address lands on a page the attacker controls, used for ads, malware, phishing, or resale.

How it relates to brand impersonation

Typosquatted domains are a primary vehicle for brand impersonation and email spoofing. They let attackers send mail that looks like it comes from you and host lookalike pages that fool your customers.

How nebty helps

nebty domain monitoring generates and watches the typo and variant space around your brand, scoring new registrations by risk so you see threats before they go live and can trigger a takedown in one click.

How to spot a typosquatted domain

Most typosquats fall into a few patterns: a missing or doubled letter (gogle, googgle), two adjacent keys swapped (gooogle), a substituted character that looks close (rn for m), or a different ending such as .co or .cm instead of .com. On a phone the address bar truncates the URL, which is exactly why mobile users get caught. The habit that protects you is simple: read the domain right to left from the final dot, since the real owner controls the part immediately before the top-level domain and anything to the left can be faked. For a brand owner, the defence is to enumerate that variant space yourself and watch new registrations, so you see a typosquat at registration rather than after it sends its first email.

If you spot one in the wild, report it to the registrar abuse contact, because a single typosquat usually targets many people before anyone flags it.