How to Investigate Typosquats

Posted: 27th October 2021

What To Do When You Encounter A Suspicious Look-alike Domain

Typosquats and other forms of domain-based impersonation are a significant problem for organizations both big and small. Adversaries use lookalike domains to target your customers and employees, resulting in credential theft, reputational damage, and potentially millions of dollars of damage along the way.

But not all suspicious-looking domains are equal, and only certain types can be taken down. This step by step guide will help you understand how to investigate a potential typosquat domain so that you can act quickly before any potential damage is done:


Step 1 You identify what appears to be a typosquat or fraudulent domain. Proceed to the next step.

Step 2

Check to see if the domain is owned by your company:

  • Perform a WHOIS lookup (e.g., DomainTools)
  • Check your internal company records

YES, the domain is owned by your company → Dismiss the alert. NO, the domain is now owned by your company → Proceed to the next step

Step 3

Find out if the domain is being used maliciously:

  • Review references to the domain
  • Research the certificate (e.g., Censys)
  • Check for website brand abuse (e.g., using URLScan)

NO, the domain is not being used maliciously →

  • Dismiss the alert and continue monitoring the domain for future abuse. YES, the domain is being used maliciously → Proceed to Step 4.

Step 4

Take action:

  • Have your legal team work with the domain registrar to take the fraudulent domain down
  • Report as phish or malicious via Google, Symantec, Phishtank
  • Block the domain in your email gateway
  • Record metrics of value

Typosquat Discovery and Takedown is Easy with Brand Intelligence

One of the most difficult parts in managing typosquats is that most organizations don’t have visibility into when adversaries are registering new domains. Brand Intelligence from Recorded Future automatically detects typosquats and other forms of domain abuse in real-time, allowing you to instantly know when a new malicious website is registered and when it is being weaponized

Alerts are automatically packed with valuable context including DNS records, WhoIS data, and certificate data—allowing you to dramatically decrease the amount of time needed to investigate and take action on a typosquat. Additionally, bundled takedown services make it simple to get malicious websites taken down, with minimal effort from your own team.

Request a demo if you’d like to see Brand Intelligence in action for yourself.