Security Premier: In-Depth Paper on TypoSquatting

Learn more about the threat of typosquatting, or URL hijacking, and what it means for you and your customers.

Download Now

Typosquatting FAQ.

What is typosquatting?

Typosquatting is the act of buying domains that look very similar to brand names but contain small typos or common misspellings. Typosquatters use hard-to-notice “mistakes” to create real-looking fake sites that fool even savvy web users. For instance, business.com may be spoofed as busines.com for phishing and fraud.

Typosquatters can also use other top-level domains, like .cm instead of .com. The most commonly typosquatted businesses are SaaS, medical, telecom, finance, and retail. Typosquatters may also lure in an organization’s partners and employees, feeding traffic to fake sites with urgent-sounding email messages.

Is typosquatting illegal?

Typosquatting is a violation of the Anticybersquatting Consumer Protection Act, federal legislation that awards up to $100,000 per domain in damages to injured businesses. For example, Facebook was awarded $2.8 million when cybercriminals spoofed more than 100 names like “facegbook” and “rcfacebook.”

Acting in bad faith

Buying a domain with the intent to profit from someone else’s trademark is illegal typosquatting. That’s true whether the intent is to defraud a company’s customers or to simply sell ad space on a good-natured “spoof” site. Once money enters the picture, you cannot use the fair use defense.

Is URL hijacking the same as typosquatting?

URL hijacking is the same as typosquatting and domain mimicry. All three terms refer to creating fraudulent websites with URLs that are similar (but not identical) to those of legitimate businesses. Cybersquatting is related, but technically involves creating a fraud site for a business that doesn’t have its own website yet.

How to prevent typosquatting?

It’s critical to identify fraudulent and typosquatting URLs while the fake site is still being set up. Since buying up the thousands of domains related to your business is cost-prohibitive, monitoring the DNS “A records” and “MX records” of lookalike domains is vital. A service like Bolster can spot fake sites before they even go live.

Machine learning and AI can also sniff out copy-pasted text and images from real sites and issue takedowns before they can cause damage. An API that links to domain registrars automates the process to ensure a scalable, always on-duty system that shores up your web security in the background.
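As an added illustration of the A/MX monitoring described above (this is not code from the whitepaper or from Bolster), the sketch below generates lookalike candidates for a brand domain and triages them by their DNS records. The function names, the `lookup` callable standing in for a real resolver, and every DNS record shown are assumptions constructed for the example; the IP addresses come from the reserved documentation ranges.

```python
# Added example: lookalike-domain generation plus A/MX triage for defensive monitoring.
# All DNS data below is constructed; sample_lookup stands in for a real resolver.

def typo_variants(domain, alt_tlds=("cm", "co")):
    """Candidate lookalikes: dropped, doubled and swapped letters, plus TLD swaps."""
    name, _, tld = domain.rpartition(".")
    out = set()
    for i, ch in enumerate(name):
        out.add(f"{name[:i]}{name[i + 1:]}.{tld}")           # omission: busines.com
        out.add(f"{name[:i]}{ch}{ch}{name[i + 1:]}.{tld}")   # repetition: bussiness.com
        if i + 1 < len(name):                                 # transposition: buisness.com
            out.add(f"{name[:i]}{name[i + 1]}{ch}{name[i + 2:]}.{tld}")
    out.update(f"{name}.{t}" for t in alt_tlds if t != tld)  # TLD swap: business.cm
    out.discard(domain)                                       # swapping "ss" yields the original
    return sorted(v for v in out if not v.startswith("."))

def triage(candidates, lookup, own_ips):
    """Classify candidates by DNS state; lookup(domain, rtype) returns a list of values."""
    findings = []
    for d in candidates:
        a, mx = lookup(d, "A"), lookup(d, "MX")
        if not a and not mx:
            continue  # no records: nothing is being set up on this name yet
        if a and set(a) <= own_ips and not mx:
            continue  # defensive registration that points at our own host
        # An MX record means the lookalike can send and receive mail, not just serve pages.
        findings.append((d, "mail-capable" if mx else "web-only"))
    return findings

SAMPLE_DNS = {  # constructed records
    ("busines.com", "A"): ["203.0.113.10"],
    ("busines.com", "MX"): ["mail.busines.com"],
    ("business.cm", "A"): ["198.51.100.7"],
    ("bussiness.com", "A"): ["192.0.2.1"],
}

def sample_lookup(domain, rtype):
    return SAMPLE_DNS.get((domain, rtype), [])

if __name__ == "__main__":
    for domain, risk in triage(typo_variants("business.com"), sample_lookup, {"192.0.2.1"}):
        print(domain, risk)
```

Run on a schedule against live DNS, a candidate that moves from no records to an A or MX record is the "being set up" signal the paragraph above refers to.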

Read our full whitepaper to learn more about how typosquatters hurt businesses, including:

  • How the exponential growth of new top-level domains has given typosquatters unlimited opportunities for attack
  • A breakdown of URL hijacking risk by industry
  • How phishing and typosquatting work hand-in-glove to defraud organizations and their partners, customers, and employees
  • How to fight typosquatting without an exhaustive and costly seek-and-destroy campaign