You go to type your bank's web address, your finger slips, and you hit return on a domain that's one letter off. Most of the time nothing happens — a "server not found," or a parked page of adverts. But sometimes you land on a page that looks exactly like the site you meant to visit, down to the logo and the login box. That's typosquatting: registering domains that are deliberate misspellings of popular ones, and waiting for human error to do the rest.
It's one of the oldest tricks on the web, and it persists for a simple reason — it's cheap to set up, trivial to scale, and it preys on a habit nobody can fully switch off: we don't read URLs carefully.
The anatomy of a typo domain
Squatters don't guess at random. They work through the predictable ways a person fumbles a domain, registering the variants most likely to catch traffic:
- Omission — a dropped letter: gogle.com.
- Transposition — two letters swapped: googel.com.
- Replacement — a neighbouring key hit by mistake: googlw.com.
- Insertion — an extra character: gooogle.com.
- Wrong TLD — the right name, wrong ending: example.co instead of example.com.
- Hyphenation and padding — pay-pal.com, or appended words like paypal-login.com.
- Subdomain trickery — putting the real name where it looks reassuring: paypal.com.account-verify.net, which is actually the domain account-verify.net.
For any well-known domain there are dozens of these within easy reach, and a squatter can register the lot for the price of a few coffees.
Homograph attacks: the sinister cousin
The variations above at least look slightly wrong if you squint. A homograph attack doesn't even give you that. It exploits the fact that domain names can now contain characters from non-Latin scripts, and some of those characters are visually identical to Latin letters. The Cyrillic а, for instance, is a completely different character from the Latin a — but on screen they're indistinguishable. Register "аpple.com" with that one Cyrillic letter and you have a domain that reads perfectly but points wherever the attacker likes.
Browsers fight back by detecting mixed or suspicious scripts and refusing to show them as typed, displaying the domain in its raw Punycode form instead. Punycode is an ASCII encoding for internationalised domains — it always begins with the prefix xn-- followed by a string of seemingly random characters — so the moment a browser renders the lookalike that way, it stops resembling the real thing at all. It's a solid defence, but it isn't universal, and it depends on the browser spotting the trick.
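To make the browser's decision concrete, here is an added example (not code from the original article) that renders a label in its raw Punycode form and applies the simplest version of the mixed-script check described above. The lookalike domain is constructed for the demonstration: Latin "apple" with its first letter replaced by Cyrillic U+0430. The Punycode rendering is a deliberately simplified IDNA ToASCII, and the script detection reads each letter's Unicode name, both labelled as such in the code.

```python
# Added example, not code from the original article: a minimal Punycode
# renderer and a mixed-script check of the kind browsers apply before
# deciding whether to display an internationalised domain as typed.
import unicodedata


def to_punycode(domain: str) -> str:
    """Simplified IDNA ToASCII: every label containing non-ASCII characters
    is rendered as 'xn--' plus its Punycode; ASCII labels pass through.
    (Full IDNA also normalises and validates labels; omitted here.)"""
    rendered = []
    for label in domain.lower().split("."):
        if label.isascii():
            rendered.append(label)
        else:
            rendered.append("xn--" + label.encode("punycode").decode("ascii"))
    return ".".join(rendered)


def scripts_in_label(label: str) -> set:
    """Return the set of scripts (LATIN, CYRILLIC, GREEK, ...) used by the
    letters of a label, taken from the first word of each character's
    Unicode name. Digits and hyphens carry no script and are ignored."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}


def is_mixed_script(domain: str) -> bool:
    """True if any label mixes letters from more than one script, the
    pattern that makes a single Cyrillic letter inside a Latin name suspect."""
    return any(len(scripts_in_label(label)) > 1 for label in domain.split("."))


def display_form(domain: str) -> str:
    """Mimic the browser decision: show mixed-script domains as Punycode,
    everything else as typed."""
    return to_punycode(domain) if is_mixed_script(domain) else domain


if __name__ == "__main__":
    # Constructed lookalike: Latin 'apple' with the first letter replaced by
    # Cyrillic U+0430, which is visually identical in most fonts.
    lookalike = "\u0430pple.com"
    for d in ("apple.com", lookalike):
        print(f"{d!r:>22} -> mixed={is_mixed_script(d)} shown as {display_form(d)}")
```

The check catches the one-letter substitution because the label ends up with both LATIN and CYRILLIC letters. A label spelled entirely in Cyrillic lookalikes is single-script and passes this test, which is why browsers layer further rules (whole-script confusable tables, per-TLD script allow-lists) on top of it.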
What squatters actually do with the domains
Once a look-alike is registered, there are a handful of well-worn ways to make it pay:
- Phishing — clone the real login page and harvest whatever credentials people type in.
- Malware — serve a drive-by download dressed up as a software update or document.
- Ad and affiliate revenue — park the domain on a wall of adverts, or bounce visitors through affiliate links to skim a commission.
- Brand damage or redirection — send the traffic to a competitor, a protest page, or something embarrassing.
- Email interception — register a typo of a domain used in email and quietly collect messages meant for the real company. This is a favourite in business email compromise, where a single misdirected invoice can be worth a fortune.
Why it keeps working
None of this is sophisticated, and that's rather the point. People mistype constantly; people glance at a URL rather than reading it; and a look-alike domain sails straight through that glance. Add in how cheap registration is — a squatter can hold hundreds of variants and only needs a tiny fraction to catch traffic — and the economics sit firmly in the attacker's favour.
Defending yourself as a user
The single most useful habit is to actually read the address bar before you trust a page with anything sensitive — and to be especially wary of links you arrived at from an email or a message rather than typed yourself. A few specifics help:
- Bookmark the sites you log into, and reach them through the bookmark rather than by typing.
- Hover over a link to see where it really goes before you click.
- Watch for the look-alike characters and the extra words bolted onto a familiar name.
One trap worth naming: the padlock means nothing here. A typosquatted domain can obtain a valid SSL certificate in minutes, so the connection will be encrypted and the padlock will show — it simply guarantees you're talking privately to the attacker. As our piece on how certificates work explains, the padlock proves encryption, not identity.
Defending a brand you own
If you run a domain worth impersonating, the job is partly preventive and partly watchful:
- Register the obvious variants yourself — the common typos and the main alternative TLDs — so a squatter can't.
- Monitor for look-alikes. Certificate Transparency logs are unexpectedly useful here: every certificate issued is published, so a brand-new cert for a domain that resembles yours is an early warning. (Our CT explainer covers how to search them.)
- Investigate what turns up. A WHOIS lookup on a suspicious domain shows when it was registered and, often, where it points.
- Use the legal routes when it matters. ICANN's UDRP process and, in the United States, the Anticybersquatting Consumer Protection Act both exist precisely to claw back domains registered in bad faith against a trademark.
Finding the look-alikes
You don't have to imagine every variant by hand. The mechanical approach is to generate the plausible permutations of a domain — the omissions, swaps, replacements, insertions, homoglyphs, and alternative TLDs — and then check which of them are actually registered and where they resolve. That turns a vague worry into a concrete list: these variants exist, these few point at live pages, here's when they were registered. It's exactly what our typosquatting checker does.
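The generation step is mechanical enough to show in full. The following is an added example, not the article's own checker, that produces the variant classes from the anatomy list above (omission, transposition, replacement, insertion, homoglyph, hyphenation, padding and wrong TLD) and records which technique produced each one. The keyboard-adjacency map, the homoglyph table and the TLD and padding lists are constructed subsets for the demonstration; the registration and DNS checks that would follow are left out so the block runs offline.

```python
# Added example, not the article's own checker: generate the plausible typo
# variants of a domain. Registration and DNS checks are deliberately left
# out so the block runs offline; the tables below are constructed subsets.

# Constructed subset of a QWERTY adjacency map: keys physically next to each letter.
NEIGHBOURS = {
    "a": "qwsz", "c": "xdfv", "e": "wrsd", "g": "fthv", "i": "uojk",
    "l": "kop", "m": "njk", "n": "bhjm", "o": "iplk", "p": "ol",
    "s": "awedxz", "t": "rygf", "u": "yihj", "w": "qase", "y": "tugh",
}
# Cyrillic letters visually identical to Latin ones (constructed subset).
HOMOGLYPHS = {"a": "\u0430", "c": "\u0441", "e": "\u0435", "o": "\u043e", "p": "\u0440"}
# Endings a squatter is likely to try instead of the real one.
ALT_TLDS = ("com", "co", "cm", "om", "net", "org")
# Words commonly bolted onto a brand name.
PADDING = ("login", "secure", "account", "support")


def split_domain(domain: str):
    name, _, tld = domain.lower().rpartition(".")
    return name, tld


def omissions(name):
    return {name[:i] + name[i + 1:] for i in range(len(name))}


def transpositions(name):
    return {name[:i] + name[i + 1] + name[i] + name[i + 2:] for i in range(len(name) - 1)}


def replacements(name):
    return {name[:i] + k + name[i + 1:] for i, ch in enumerate(name) for k in NEIGHBOURS.get(ch, "")}


def insertions(name):
    # A doubled key, or a neighbouring key pressed alongside the intended one.
    return {name[:i] + k + name[i:] for i, ch in enumerate(name) for k in ch + NEIGHBOURS.get(ch, "")}


def homoglyphs(name):
    # One Latin letter at a time swapped for its Cyrillic lookalike.
    return {name[:i] + HOMOGLYPHS[ch] + name[i + 1:] for i, ch in enumerate(name) if ch in HOMOGLYPHS}


def hyphenations(name):
    return {name[:i] + "-" + name[i:] for i in range(1, len(name))}


def paddings(name):
    return {f"{name}-{w}" for w in PADDING} | {f"{w}-{name}" for w in PADDING}


def generate_variants(domain: str) -> dict:
    """Map each variant domain to the technique that produced it. Where two
    techniques yield the same string, the first one listed wins."""
    name, tld = split_domain(domain)
    generators = {
        "omission": omissions, "transposition": transpositions,
        "replacement": replacements, "insertion": insertions,
        "homoglyph": homoglyphs, "hyphenation": hyphenations, "padding": paddings,
    }
    variants = {}
    for technique, gen in generators.items():
        for v in gen(name):
            variants.setdefault(f"{v}.{tld}", technique)
    for alt in ALT_TLDS:
        if alt != tld:
            variants.setdefault(f"{name}.{alt}", "wrong-tld")
    # Swapping two identical adjacent letters reproduces the real name; drop it.
    variants.pop(domain.lower(), None)
    return variants


if __name__ == "__main__":
    found = generate_variants("google.com")
    print(f"{len(found)} variants of google.com")
    for v in ("gogle.com", "googel.com", "googlw.com", "gooogle.com", "google.co"):
        print(f"  {v:<14} {found[v]}")
```

Each variant carries its technique so that, once the list is fed to a DNS or WHOIS lookup, the hits can be prioritised: a live homoglyph or padded "-login" domain is a stronger phishing signal than a parked single-letter omission. The homoglyph variants are emitted as Unicode strings; a resolver needs them in their xn-- form.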
The takeaway
Typosquatting converts a slipped keystroke into an attack surface — cheap for whoever registers the domain, easy to miss for whoever lands on it. As a user, the defence is unglamorous but reliable: read the URL before you trust it, and remember that a padlock is not a promise about who is on the other end. As a brand, find the look-alikes before your customers do. You can generate and check the typo variants of any domain with our typosquatting checker.