April 1, 2026 · 6 min read

Someone Registered a Domain That Looks Like Yours

Lookalike domains are one of the most common precursors to business email compromise. Attackers register them quietly, set up email infrastructure, and use them to send convincing payment redirect emails that are nearly impossible to distinguish from the real thing.

<$10: cost to register a fake domain
70%: of BEC uses lookalike domains
48h: average time before first phish

Domain squatting as BEC precursor

Most business email compromise does not start with a hacked account. It starts with a domain registration. An attacker identifies your organization's domain, creates a variation that looks nearly identical, and registers it for less than ten dollars. Within hours, they have a working email address that will pass a quick visual check in any inbox.

The emails sent from these lookalike domains pass basic spam filters because the sending domain is technically legitimate. It has valid MX records, valid SPF, and sometimes even DKIM. The only thing wrong with it is that it does not belong to your organization. And in a busy inbox, that single difference is easy to miss.

Three types of lookalike domains

Typosquatting: one letter off

Typosquatting is the most common technique. The attacker registers a domain that differs from yours by a single character: a swapped letter, a doubled consonant, or a missing vowel. Consider the domain acmewidgets.com. A typosquatted version might be acmewldgets.com, where the "i" has been replaced with an "l." In most email clients, rendered in a proportional font at normal size, the difference is nearly invisible.

Attackers target characters that are visually similar or adjacent on a keyboard. Common substitutions include rn for m, vv for w, and transpositions like wdigets instead of widgets. Each of these is easy to miss when scanning an inbox quickly.

Combosquatting: adding a plausible word

Combosquatting appends or prepends a word to the legitimate domain. Instead of acmewidgets.com, the attacker registers acmewidgets-secure.com, acmewidgets-payments.com, or acmewidgets-portal.com. These domains look like they could be legitimate subbrands or internal systems.

Combosquatting is harder to catch than typosquatting because the original domain is spelled correctly. The recipient recognizes the company name and assumes the suffix is a system they have not encountered before. Words like "secure," "portal," "accounts," and "billing" are among the most commonly used additions. Research has found that combosquatting domains are significantly more prevalent than typosquatting domains and tend to remain active for longer periods.

Homoglyph attacks: visually identical characters

Homoglyph attacks use characters from different Unicode scripts that look identical to Latin letters. The Cyrillic "a" (U+0430) is visually indistinguishable from the Latin "a" (U+0061) in most fonts. An attacker can register a domain that appears character-for-character identical to yours but is technically a completely different string.

Internationalized domain names (IDNs) make this possible. Modern browsers defend against it by showing suspicious mixed-script names in their Punycode (xn--) form rather than as Unicode characters, but most email clients do not. A homoglyph domain in an email header will render exactly like the real domain in virtually every mail application.
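The three techniques above can be told apart mechanically. The classifier below is an added example (not InboxWatch code) that compares a sender's registrable label against a set of known domains using Damerau-Levenshtein distance for typosquats, label splitting for combosquats, and a "skeleton" that decodes Punycode and folds a small constructed set of Cyrillic confusables and rn/vv/cl glyph pairs for homoglyphs; the confusable table and domain names are assumptions made for the example.

```python
import re
import unicodedata

# Constructed for this example: a few Cyrillic letters that render like Latin ones.
# A production detector would load the full Unicode confusables.txt instead.
CONFUSABLES = {"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
               "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u0458": "j", "\u0455": "s"}
# Latin letter pairs that blur into a single letter in a proportional font.
MULTI_GLYPHS = {"rn": "m", "vv": "w", "cl": "d"}


def osa_distance(a, b):
    """Damerau-Levenshtein (optimal string alignment): edits plus adjacent swaps."""
    d = [[max(i, j) if i * j == 0 else 0 for j in range(len(b) + 1)] for i in range(len(a) + 1)]
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # transposition, e.g. wdigets
    return d[len(a)][len(b)]


def skeleton(label):
    """What a reader perceives: decode Punycode, fold confusables, merge glyph pairs."""
    if label.startswith("xn--"):
        label = label.encode("ascii").decode("idna")  # xn-- form back to Unicode
    label = "".join(CONFUSABLES.get(ch, ch) for ch in unicodedata.normalize("NFKC", label))
    for pair, single in MULTI_GLYPHS.items():
        label = label.replace(pair, single)
    return label


def classify(sender_domain, known_domains):
    """Return (kind, impersonated_domain) for a lookalike, else None."""
    sender_domain = sender_domain.lower()
    if sender_domain in known_domains:
        return None
    s_label = sender_domain.split(".")[0]  # registrable label, e.g. "acmewidgets"
    for known in known_domains:
        k_label = known.split(".")[0]
        if s_label == k_label:  # same label under another TLD, e.g. acmewidgets.co
            return ("tld-variant", known)
        if k_label in re.split(r"[-_]", s_label):
            return ("combosquat", known)  # acmewidgets-secure
        if skeleton(s_label) == k_label:
            non_latin = s_label.startswith("xn--") or not s_label.isascii()
            return ("homoglyph" if non_latin else "typosquat", known)  # Cyrillic a / rn for m
        if osa_distance(s_label, k_label) <= 1:
            return ("typosquat", known)  # acmewldgets, acmewdigets
    return None
```

The known-domain set is where a mailbox's history of real correspondents would be fed in; the same comparison works for your own organization's domain.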

How attackers use lookalike domains for payment fraud

The attacker does not need to compromise anyone's mailbox. They register the lookalike domain, set up email infrastructure, and send messages directly to the target. The typical scenario unfolds like this:

  1. Reconnaissance. The attacker identifies a business relationship that involves regular payments: vendor invoices, contractor fees, real estate closings, or subscription renewals. This information is often available from public sources, job postings, or previous data breaches.
  2. Domain registration. The attacker registers a lookalike domain matching the vendor or the buyer, depending on which side they intend to impersonate. Cost: under ten dollars at a registrar that accepts cryptocurrency.
  3. The redirect email. Using the lookalike domain, the attacker sends a convincing email to the person responsible for payments. The message references a real invoice or transaction and requests a change in banking details. Because the domain looks correct and the details are accurate, the recipient complies.
  4. Funds transfer. The payment goes to the attacker's account. By the time anyone notices, the money has been moved through multiple hops and is unrecoverable.

Detection: finding lookalike domains before they are used

Proactive detection is far more effective than reactive investigation. The strongest defenses combine multiple approaches.

Domain monitoring services:

  • Register for certificate transparency log monitoring. Every time someone obtains an SSL certificate for a domain similar to yours, you receive an alert. This often catches lookalike domains within hours of registration.
  • Use domain monitoring tools that watch new registrations in relevant TLDs (.com, .net, .org, and country-code variants of your domain).
  • Register common typosquatting variants of your own domain preemptively. This is inexpensive insurance compared to the cost of a successful BEC attack.

Email header inspection:

  • Train your team to check the full sender address, not just the display name. The display name can be set to anything. The actual sending domain is what matters.
  • Look at the Return-Path and Authentication-Results headers. A legitimate sender's email will show SPF and DKIM alignment with their real domain, not a lookalike.
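The header checks above, as an added example that is not part of the original post: it parses a constructed message with Python's standard email module, pulls the domains that SPF and DKIM actually authenticated out of Authentication-Results, and reports a From domain that is not a known contact, a display name that borrows a known contact's name, and any authenticated or Return-Path domain that does not align with the visible From. The sample headers, domains and invoice number are constructed for the example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Pull each mechanism's result and the domain it authenticated, e.g.
# "spf=pass smtp.mailfrom=acmewldgets.com; dkim=pass header.d=acmewldgets.com".
AUTH_RE = re.compile(r"\b(spf|dkim)=(\w+)[^;]*?(?:smtp\.mailfrom|header\.d)=([^\s;]+)", re.I)

# Constructed sample: a payment-redirect email from a typosquatted vendor domain.
# SPF and DKIM both pass, because the attacker controls the lookalike domain.
SAMPLE = """\
Return-Path: <accounts@acmewldgets.com>
Authentication-Results: mx.bigsupplier.net; spf=pass smtp.mailfrom=acmewldgets.com;
 dkim=pass header.d=acmewldgets.com
From: "Acme Widgets Accounts" <accounts@acmewldgets.com>
To: ap@bigsupplier.net
Subject: Updated banking details for invoice 4471

Please update our remittance details before the next payment run.
"""
KNOWN = {"acmewidgets.com"}  # domains learned from prior correspondence


def inspect_headers(raw_message, known_domains):
    """Return (code, detail) findings: unknown sender, display-name spoofing,
    or SPF/DKIM/Return-Path domains that do not align with the visible From."""
    msg = message_from_string(raw_message)
    display_name, from_addr = parseaddr(msg.get("From", ""))
    from_domain = from_addr.rpartition("@")[2].lower()
    return_path = parseaddr(msg.get("Return-Path", ""))[1].rpartition("@")[2].lower()
    findings = []
    if from_domain not in known_domains:
        findings.append(("unknown-sender", from_domain))
    # A known contact's name on an unknown domain is the classic BEC pattern.
    compact_name = display_name.lower().replace(" ", "")
    if from_domain not in known_domains and any(k.split(".")[0] in compact_name for k in known_domains):
        findings.append(("display-name-spoof", display_name))
    for mech, result, dom in AUTH_RE.findall(msg.get("Authentication-Results", "")):
        dom = dom.rpartition("@")[2].lower().rstrip(".")  # tolerate user@domain forms
        if result.lower() == "pass" and dom != from_domain:
            findings.append(("misaligned-" + mech.lower(), dom))
    if return_path and return_path != from_domain:
        findings.append(("return-path-mismatch", return_path))
    return findings
```

Note that the sample produces no alignment finding at all: SPF and DKIM are perfectly aligned with acmewldgets.com, which is exactly why the known-contact comparison, not authentication results, is what exposes a lookalike.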

Legal response: cease and desist, UDRP, IC3

Discovering a lookalike domain is not just a security concern. It is also a legal matter with established remedies.

  • Cease and desist. A formal cease and desist letter to the domain registrant (identifiable through WHOIS or the registrar's abuse contact) is the fastest first step. Many registrars will suspend domains used for fraud upon receiving documented evidence.
  • UDRP filing. The Uniform Domain-Name Dispute-Resolution Policy administered by ICANN provides a formal arbitration process. If you hold a trademark on your domain name, a UDRP filing can force transfer or cancellation of the infringing domain. The process typically takes 45 to 60 days and costs between $1,500 and $5,000.
  • IC3 report. If the lookalike domain has been used in fraud (or you have evidence it is being staged for fraud), file a report with the FBI's Internet Crime Complaint Center at ic3.gov. IC3 reports feed into federal investigations and can result in domain seizure.

Automated detection with InboxWatch

InboxWatch detects typosquatting, combosquatting, and homoglyph domains in inbound email headers automatically. When an email arrives from a domain that is visually similar to one of your known contacts or your own organization's domain, InboxWatch flags it immediately.

This detection runs on every scan, against every message header, without requiring any manual configuration. You do not need to maintain a list of domains to watch. InboxWatch builds that list automatically from your email history and compares every new sender against it using Levenshtein distance, keyboard proximity analysis, and Unicode homoglyph matching.

Check your accounts for free

InboxWatch scans for lookalike domains, hidden forwarding rules, rogue OAuth apps, and suspicious sign-in activity. Free. 60 seconds. Metadata only.


Written by Nicholas Papadam, founder of InboxWatch. Senior Analyst with 6+ years in enterprise security operations.