
© 2026 DFIR Lab. All rights reserved.


Typosquatting

Registering domain names that are deliberate misspellings or minor variations of legitimate domains to deceive users navigating to trusted sites.

Definition

Typosquatting, also called URL hijacking, is the practice of registering domain names that closely resemble legitimate, high-traffic domains by exploiting common typing errors. Examples include transposed characters (gooogle.com), missing letters (microsft.com), substituted characters (rn for m: payrnl.com), or added characters (paypal-secure.com). When users mistype a URL or click a link pointing to the lookalike domain, they land on an attacker-controlled page.

Why It Matters

Typosquatting domains are used as infrastructure for phishing campaigns, malware distribution, and credential harvesting. They are effective because the domain appears plausible at a glance, especially in email clients that truncate long URLs or in contexts where users are moving quickly. High-value targets include financial institutions, cloud identity providers (Microsoft, Google), and widely used SaaS platforms.

How It Works

Attackers identify high-value target domains and systematically register variants covering common keyboard adjacency errors, character transpositions, missing or doubled letters, and TLD substitutions (.com vs .co). The registered domain is then configured with a cloned version of the legitimate site. In phishing emails, these domains appear in hyperlinks where the display text shows the legitimate domain while the href points to the typosquatted one — a link-display mismatch. In BEC attacks, lookalike domains are used in the From or Reply-To header to intercept communications.

DFIR Platform

BEC Investigation API

The DFIR Lab Phishing Email Checker applies Damerau-Levenshtein distance calculations against a curated list of high-value target domains — including major banks, cloud providers, and social media platforms — to flag typosquatting domains present in email headers and body links. The BEC Investigation API's lookalike domain detection also surfaces typosquatting domains used to impersonate legitimate counterparties.
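The two checks described above (edit distance against a watchlist, and link-display mismatch) can be sketched as follows. This is an added example, not DFIR Lab's implementation; the watchlist, the distance threshold of 2, and all function names are assumptions chosen for illustration.

```python
from urllib.parse import urlparse

# Assumed watchlist for illustration; a real deployment curates its own.
WATCHLIST = ["google.com", "microsoft.com", "paypal.com"]

def dl_distance(a: str, b: str) -> int:
    """Damerau-Levenshtein distance (optimal string alignment variant)."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = int(a[i - 1] != b[j - 1])
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # adjacent transposition
    return d[len(a)][len(b)]

def lookalike_of(domain: str, max_dist: int = 2):
    """Return the watchlist domain this one imitates, or None if exact or unrelated."""
    domain = domain.lower().rstrip(".")
    if domain in WATCHLIST or any(domain.endswith("." + w) for w in WATCHLIST):
        return None  # the legitimate domain itself or one of its subdomains
    best = min(WATCHLIST, key=lambda w: dl_distance(domain, w))
    return best if dl_distance(domain, best) <= max_dist else None

def host_of(text: str) -> str:
    """Extract a hostname from a URL or a bare domain string."""
    text = text.strip()
    return (urlparse(text if "://" in text else "//" + text).hostname or "").lower()

def check_link(display_text: str, href: str) -> dict:
    """Flag link-display mismatch and typosquatting for one hyperlink."""
    shown, target = host_of(display_text), host_of(href)
    return {
        "target": target,
        # Only treat display text as a domain if it looks like one.
        "mismatch": "." in shown and shown != target,
        "imitates": lookalike_of(target),
    }

if __name__ == "__main__":
    # Constructed sample: display text shows the real domain, href points elsewhere.
    print(check_link("microsoft.com", "https://microsft.com/signin"))
```

Keyword-appended names such as paypal-secure.com sit far outside a small edit-distance threshold, so they need a separate check (for example, a brand-substring match) alongside this one.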


Related Concepts

Homoglyph Domains, Phishing Analysis, Business Email Compromise (BEC), Email Spoofing
