Right now, someone may have registered a domain that looks almost exactly like yours. They're waiting for the right moment, or already using it. Here's how to find them, what to watch for, and how to catch new impostors before they cause damage.
Domain impersonation is one of the most effective attack techniques targeting small and mid-sized businesses, precisely because it doesn't require hacking anything. An attacker registers acmecorp-support.com or acmec0rp.com, spins up a convincing copy of your website or contact page, and starts sending emails or running ads.
Your customers get scammed. Your brand takes the hit. And you often don't find out until someone calls to complain about a refund they're owed for a purchase they never made with you.
The techniques are well-documented and almost entirely automated. Attackers use tools that generate hundreds of domain variations in seconds:
| Technique | Example (original: acmecorp.com) | Method |
|---|---|---|
| Typosquatting | acmecrop.com | Transposed letters |
| Homoglyph | acmec0rp.com | 0 for o, l for I |
| Subdomain spoof | acmecorp.support-login.com | Legit brand as subdomain |
| TLD swap | acmecorp.net / acmecorp.co | Different extension |
| Hyphen insertion | acme-corp.com | Hyphen added |
| Keyword append | acmecorp-support.com | Support/login/help added |
| Combosquatting | acmecorpinc.com | Inc/group/official appended |
A typical brand generates 100 to 200 plausible lookalike variations. Most are already registered. Some are parked. A handful are actively used for attacks.
Emails sent from [email protected] look legitimate in email clients that only show the display name. The goal is credential theft or payment diversion.
A copy of your product page accepts payment via Stripe or PayPal. Customers think they're buying from you. They get nothing, you get the chargeback complaint.
The lookalike domain hosts a "customer support" page with a phone number. Customers who search for support find it in Google Ads and call a scammer instead.
The attacker emails your suppliers or employees from the lookalike domain asking for wire transfers or invoice changes. Internal staff assume it's from your company.
You can do a manual sweep in about 20 minutes. It won't catch everything, but it'll surface active threats:
The core problem with manual detection is timing. A lookalike domain registered today won't appear in your weekly manual check until next week, and a well-executed phishing campaign can do serious damage in 48 hours.
The other problem is scale. There are typically 100 to 200 plausible variations of any domain. Manually checking each one weekly isn't sustainable for a small team.
What to look for when you find a lookalike: Check if it has a DNS A record (is it live?), whether it has an MX record (is it sending email?), and what content it serves. A parked domain with just a registrar page is low risk today, but worth watching in case it activates.
Continuous domain monitoring generates hundreds of variations of your domain, then checks each one weekly for:
When any of these signals appear on a domain that wasn't active last week, you get an alert with the domain, what was found, and recommended action (report to registrar, submit takedown, block at email gateway).
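The following is an added example, not BrandGuard's code, showing the whole loop described above: it generates lookalikes of a brand domain using the techniques from the table (subdomain spoofs are excluded, since they live under domains that cannot be enumerated), checks each for the DNS signals just listed, and alerts only on signals that were not present last week. The resolver is a constructed lookup table standing in for real A/MX queries so the example runs offline; the domain names and record sets in it are made up.

```python
# Added example: enumerate lookalike domains and alert on newly live ones.
# ``lookup`` is a hypothetical resolver callable returning the set of record
# types a domain has ({"A"}, {"A", "MX"}, or an empty set when it does not resolve).
HOMOGLYPHS = {"o": "0", "i": "l", "l": "1", "e": "3", "a": "4"}
KEYWORDS = ("support", "login", "help")      # keyword append
SUFFIXES = ("inc", "group", "official")      # combosquatting
TLDS = ("net", "co", "org")                  # TLD swap

def variants(domain):
    """Lookalikes of ``domain`` built with the techniques from the table above."""
    name, tld = domain.rsplit(".", 1)
    out = set()
    # Typosquatting: transpose each pair of adjacent letters
    for i in range(len(name) - 1):
        out.add(name[:i] + name[i + 1] + name[i] + name[i + 2:] + "." + tld)
    # Homoglyph: substitute one visually similar character at a time
    for i, ch in enumerate(name):
        if ch in HOMOGLYPHS:
            out.add(name[:i] + HOMOGLYPHS[ch] + name[i + 1:] + "." + tld)
    # Hyphen insertion at every interior position
    for i in range(1, len(name)):
        out.add(f"{name[:i]}-{name[i:]}.{tld}")
    out.update(f"{name}-{k}.{tld}" for k in KEYWORDS)
    out.update(f"{name}{s}.{tld}" for s in SUFFIXES)
    out.update(f"{name}.{t}" for t in TLDS if t != tld)
    out.discard(domain)
    return out

def scan(domain, lookup, previous):
    """Return {variant: new_signals} for signals absent from last week's ``previous``."""
    alerts = {}
    for v in sorted(variants(domain)):
        new = lookup(v) - previous.get(v, set())
        if new:
            alerts[v] = new
    return alerts

# Constructed sample data standing in for live DNS answers and last week's state.
SAMPLE_DNS = {"acmec0rp.com": {"A", "MX"}, "acmecorp-support.com": {"A"},
              "acmecorp.net": {"A"}}
LAST_WEEK = {"acmecorp.net": {"A"}}   # already known live, so no alert this week

def demo():
    return scan("acmecorp.com", lambda d: SAMPLE_DNS.get(d, set()), LAST_WEEK)

if __name__ == "__main__":
    for d, signals in demo().items():
        action = "sends mail: block at gateway, report" if "MX" in signals else "live: watch, review content"
        print(f"ALERT {d} ({', '.join(sorted(signals))}) -> {action}")
```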
BrandGuard checks over 100 typosquatting and homoglyph variations of your domain every week. When one goes live or shows suspicious content, you get an alert, with what was found and what to do. $14/mo, no setup required.