TL;DR: Typosquatting is when an attacker registers a domain that looks almost like yours —
kalenfy.co, kalenfy-support.com, kalenfly.com — to trick people who misread or
mistype it. They use it for phishing, fake invoices and BEC. You can't
register every variant, but you can lock down your real domain and watch for the worst look-alikes. Scan your
domain free to harden the genuine one first.
How typosquatting works
Attackers register domains that exploit common mistakes and visual tricks:
- Typos: gogle.com, amazom.com, a dropped or swapped letter.
- Different TLDs: your .com as a .co, .net or .org.
- Added words: yourbrand-support.com, secure-yourbrand.com.
- Homoglyphs: look-alike characters (a Cyrillic "а" for a Latin "a"); registries store these as punycode (xn--...), which is the form you will see in registration data.
Why it's dangerous
A look-alike domain can host a convincing copy of your login page to harvest passwords, or send email that passes authentication: the attacker controls that domain, publishes its own SPF, DKIM and DMARC records, and so every check passes for the look-alike. It is the gap that locking your own domain cannot close, which is why look-alikes turn up in BEC and phishing campaigns.
How typosquatting differs from spoofing
Spoofing forges your exact domain in the From address, and a DMARC policy of p=reject on that domain tells receivers to discard it. Typosquatting uses a different, separately registered domain that merely looks like yours, so your DMARC policy never comes into play: the look-alike passes authentication against its own records. Different problem, different defences.
How to defend
- Lock your real domain with an enforced DMARC policy (p=reject, once SPF and DKIM are aligned for every legitimate sender), so attackers are pushed toward look-alikes you can monitor rather than spoofing you directly. Start here.
- Register the obvious variants — common typos and key TLDs of your brand.
- Monitor new registrations of look-alike domains. Certificate Transparency logs, newly-registered-domain feeds and brand-monitoring services surface them; DMARC aggregate reports do not, because they only cover mail that claims to be your own domain.
- Report and request takedowns of malicious look-alikes via the registrar or a brand-protection service.
- Tell customers your real domain and that you'll never ask for payment details by email.
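As an added example (not code from this page or from the scanning service it describes), the Python below generates the four variant classes listed under "How typosquatting works" for a constructed brand label, then classifies a constructed registration feed the way the monitoring step above would: the genuine domain, which your DMARC policy covers, is kept apart from look-alikes, which it does not. The brand label kalenfy, the TLD and added-word lists, the confusable table and every feed entry are assumptions; the generator is deliberately incomplete so that the fallback checks (edit distance and confusable folding) have something to catch.

```python
"""Generate look-alike candidates for a brand and classify a registration feed.
Added example, not the page's or any vendor's code; all inputs are constructed."""
import unicodedata

BRAND_LABEL = "kalenfy"              # assumed brand, matching the page's examples
BRAND_TLD = "co"
REAL_DOMAIN = f"{BRAND_LABEL}.{BRAND_TLD}"

SWAP_TLDS = ["com", "net", "org", "io"]                  # assumption: plausible swaps
ADDED_WORDS = ["support", "secure", "login", "billing"]  # assumption
# Latin -> Cyrillic twins; a small subset of the Unicode TR39 confusables table.
HOMOGLYPHS = {"a": "\u0430", "c": "\u0441", "e": "\u0435", "o": "\u043e",
              "p": "\u0440", "x": "\u0445", "y": "\u0443", "i": "\u0456"}
CONFUSABLE_TO_LATIN = {cyr: lat for lat, cyr in HOMOGLYPHS.items()}


def typo_labels(label):
    """One-keystroke mistakes: a dropped, doubled or transposed letter."""
    out = set()
    for i in range(len(label)):
        out.add(label[:i] + label[i + 1:])                      # kalnfy
        out.add(label[:i] + label[i] + label[i:])               # kallenfy
        if i + 1 < len(label):
            out.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])  # kalnefy
    out.discard(label)
    return out


def homoglyph_labels(label):
    """Swap one Latin letter for its Cyrillic twin; registries store the
    result as punycode (xn--...), so that is the form to watch for."""
    out = set()
    for i, ch in enumerate(label):
        if ch in HOMOGLYPHS:
            mixed = label[:i] + HOMOGLYPHS[ch] + label[i + 1:]
            out.add(mixed.encode("idna").decode("ascii"))
    return out


def generate_candidates(label=BRAND_LABEL, tld=BRAND_TLD):
    """Return {candidate domain: trick it relies on} for the four classes."""
    cands = {}
    for t in typo_labels(label):
        cands[f"{t}.{tld}"] = "typo"
    for alt in SWAP_TLDS:
        if alt != tld:
            cands[f"{label}.{alt}"] = "tld"
    for word in ADDED_WORDS:
        cands[f"{label}-{word}.{tld}"] = "added-word"
        cands[f"{word}-{label}.{tld}"] = "added-word"
    for h in homoglyph_labels(label):
        cands[f"{h}.{tld}"] = "homoglyph"
    return cands


def skeleton(domain):
    """Fold a domain to the Latin shape a reader sees: decode punycode,
    lower-case and NFKC-normalise, then map known confusables to Latin."""
    try:
        decoded = domain.encode("ascii").decode("idna")
    except UnicodeError:
        decoded = domain                 # already Unicode, or not valid punycode
    decoded = unicodedata.normalize("NFKC", decoded.lower())
    return "".join(CONFUSABLE_TO_LATIN.get(ch, ch) for ch in decoded)


def levenshtein(a, b):
    """Edit distance; catches variants the generator never enumerated."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(domain, candidates=None):
    """'genuine': your DMARC policy covers it. 'lookalike': it does not, only
    monitoring and takedown apply. 'unrelated': ignore."""
    candidates = generate_candidates() if candidates is None else candidates
    d = domain.lower().rstrip(".")
    if d == REAL_DOMAIN or d.endswith("." + REAL_DOMAIN):
        return "genuine"
    if d in candidates:
        return "lookalike"
    label = skeleton(d).split(".")[0]
    if BRAND_LABEL in label or levenshtein(label, BRAND_LABEL) <= 1:
        return "lookalike"
    return "unrelated"


# Constructed feed, standing in for a CT-log or new-registration watch.
NEW_DOMAINS = [
    "kalenfy.co",
    "kalenfy.com",                                          # TLD swap
    "kalenfly.com",                                         # inserted letter, not generated
    "kalenfy-support.com",
    "k\u0430lenfy.co".encode("idna").decode("ascii"),       # one Cyrillic а, as punycode
    "k\u0430l\u0435nfy.co".encode("idna").decode("ascii"),  # two, not generated
    "kalendar.co",
    "example.org",
]


def scan_feed(domains=NEW_DOMAINS):
    """Classify every feed entry; the 'lookalike' rows are the watch list."""
    cands = generate_candidates()
    return {d: classify(d, cands) for d in domains}


if __name__ == "__main__":
    for domain, verdict in scan_feed().items():
        print(f"{verdict:9} {domain}")
```

The generator covers the obvious variants you might pre-register; the skeleton fold and edit-distance fallback catch the ones it did not think of (an inserted letter, two homoglyphs at once), which is the point of monitoring rather than buying every variant. Feed the "lookalike" rows to your takedown process; the "genuine" row is the only one your DMARC policy protects.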
FAQ
Can I stop typosquatting completely?
No — you can't register every variant. The goal is to cover the obvious ones, monitor for the rest, and react fast with takedowns.
Will DMARC stop look-alike domains?
No — DMARC only protects your exact domain. Look-alikes are separate registrations, so they need monitoring and takedowns instead.
Should I buy every TLD of my brand?
Buy the few most likely to fool people (common typos, .co/.net); buying all of them isn't practical.
Start by making your genuine domain unspoofable. Scan your domain, then reply to your report — we're developers and we'll lock it down so attackers are forced to the look-alikes you can watch.