TLDR
Typosquatting is when scammers register domains that are one character different from popular websites (e.g., gogle.com instead of google.com). When you mistype a URL, you land on a malicious site instead of the real one. ScamVerify™ tracks 69,088 malicious domains through URLhaus - many are typosquats targeting popular brands, banks, and government sites.
How Typosquatting Works
The Most Common Techniques
| Technique | Example | Targets |
|---|---|---|
| Missing letter | gogle.com | google.com |
| Extra letter | googgle.com | google.com |
| Adjacent key | goofle.com (f is next to g) | google.com |
| Letter swap | gogole.com | google.com |
| Number substitution | g00gle.com | google.com |
| TLD swap | google.co | google.com |
| Hyphen addition | google-login.com | google.com |
| Homograph attack | googlе.com (Cyrillic "е") | google.com |
The homograph attack is particularly dangerous because the fake domain uses Unicode characters that look identical to standard letters. The Cyrillic "е" (U+0435) is visually indistinguishable from the Latin "e" (U+0065) in most fonts.
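Each technique in the table can be recognised mechanically, for example when comparing domains seen in DNS or proxy logs against a brand you protect. The Python below is an added example, not ScamVerify's code; the keyboard rows, digit look-alikes and Cyrillic look-alike map are small constructed assumptions, and `classify` and `to_unicode` are hypothetical names.

```python
# Added example: constructed lookup tables; extend them for real use.
QWERTY_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm"]
DIGIT_LOOKALIKES = {"0": "o", "1": "l", "3": "e", "5": "s"}
# Small constructed subset of Cyrillic look-alikes (U+0435 is the one from the text).
CONFUSABLES = {"\u0435": "e", "\u043e": "o", "\u0430": "a", "\u0440": "p", "\u0441": "c"}

def to_unicode(domain):
    """Decode punycode (xn--) labels so look-alike characters become visible."""
    try:
        return domain.encode("ascii").decode("idna")
    except UnicodeError:
        return domain  # already Unicode, or not valid IDNA

def adjacent(a, b):
    """True if a and b are neighbours on the same QWERTY row."""
    return any(abs(r.index(a) - r.index(b)) == 1
               for r in QWERTY_ROWS if a in r and b in r)

def classify(candidate, legit):
    """Name the technique from the table that turns `legit` into `candidate`."""
    cand, _, cand_tld = to_unicode(candidate.lower()).rpartition(".")
    real, _, real_tld = legit.lower().rpartition(".")
    if (cand, cand_tld) == (real, real_tld):
        return None
    if cand == real:
        return "TLD swap"
    if "".join(CONFUSABLES.get(ch, ch) for ch in cand) == real:
        return "homograph"
    if "".join(DIGIT_LOOKALIKES.get(ch, ch) for ch in cand) == real:
        return "number substitution"
    if "-" in cand and real in cand.split("-"):
        return "hyphen addition"
    if len(cand) == len(real) - 1 and any(
            real[:i] + real[i + 1:] == cand for i in range(len(real))):
        return "missing letter"
    if len(cand) == len(real) + 1 and any(
            cand[:i] + cand[i + 1:] == real for i in range(len(cand))):
        return "extra letter"
    if len(cand) == len(real):
        diff = [i for i in range(len(real)) if cand[i] != real[i]]
        if len(diff) == 1 and adjacent(cand[diff[0]], real[diff[0]]):
            return "adjacent key"
        if (len(diff) == 2 and diff[1] == diff[0] + 1
                and cand[diff[0]] == real[diff[1]] and cand[diff[1]] == real[diff[0]]):
            return "letter swap"
    return None

# The eight rows of the table, checked against the brand they imitate.
TABLE = ["gogle.com", "googgle.com", "goofle.com", "gogole.com",
         "g00gle.com", "google.co", "google-login.com", "googl\u0435.com"]
RESULTS = {d: classify(d, "google.com") for d in TABLE}
```

Logs usually record the homograph row in its punycode (`xn--`) form, which is why `classify` decodes the candidate before comparing.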
What Happens When You Land on a Typosquat
Scenario 1: Phishing page. The site displays a fake login page identical to the real service. You enter your credentials thinking you are on the legitimate site.
Scenario 2: Malware download. The site attempts to install malware through drive-by downloads or fake "update" prompts.
Scenario 3: Ad redirect. The domain redirects through affiliate links, earning the typosquatter advertising revenue from your visit.
Scenario 4: Competitor redirect. In some cases, competitors register typosquats of rival brands to redirect traffic to their own sites.
The Scale of the Problem
Our URLhaus database tracks 69,088 malicious domains. The distribution shows why typosquatting is effective:
| TLD | Malicious Domains | Typosquatting Risk |
|---|---|---|
| .com | 59,876 (86.7%) | Highest - most brands use .com |
| .net | 4,000 (5.8%) | Common TLD swap target |
| .org | 3,996 (5.8%) | Government/nonprofit typosquats |
| .co | (in "other") | Common .com typo |
The .co TLD is particularly dangerous for typosquatting because it is a single missing letter away from .com. Typing amazon.co instead of amazon.com takes you to a completely different domain, one registered under .co, Colombia's country code TLD.
High-Value Typosquatting Targets
Scammers focus on domains where a mistype leads to credential theft:
| Category | Why It Is Targeted |
|---|---|
| Banking sites | Login credentials = direct financial access |
| Email providers | Email access = gateway to all other accounts |
| Social media | Account credentials + personal data |
| Government sites | SSN, tax information, benefits access |
| E-commerce | Payment information |
| Cryptocurrency exchanges | Wallet access = irreversible theft |
How to Protect Yourself
1. Use Bookmarks
Save frequently visited sites (bank, email, social media) as bookmarks. Click the bookmark instead of typing the URL. This eliminates typos entirely.
2. Use a Password Manager
Password managers auto-fill credentials only on exact domain matches. If you are on arnazon.com instead of amazon.com, the password manager will not fill in your Amazon credentials - alerting you to the mismatch.
3. Let Search Engines Auto-Correct
Instead of typing full URLs, type the site name into your browser's address bar. Modern browsers use search engine suggestions that auto-correct common misspellings.
4. Check the URL After the Page Loads
Before entering any information, verify the URL in your browser's address bar matches exactly what you expected.
5. Use ScamVerify
Check any suspicious URL at scamverify.ai/website-checker before interacting with it.
How Browsers Help
Modern browsers include some typosquatting protection:
- Google Chrome: Suggests correct URLs and warns about deceptive sites
- Firefox: Built-in phishing protection via Google Safe Browsing
- Safari: Fraudulent website warning
- Edge: SmartScreen Filter
However, these protections are reactive - they only catch typosquats that have already been identified and reported. New typosquats may not be in the database yet.
FAQ
How many typosquat domains exist?
Research estimates that major brands each have hundreds to thousands of typosquat domains registered against them. Amazon alone has had over 2,000 typosquat domains identified. Our URLhaus database of 69,088 malicious domains includes a significant portion that are typosquats.
Is typosquatting illegal?
In the US, the Anticybersquatting Consumer Protection Act (ACPA) makes it illegal to register a domain in bad faith that is identical or confusingly similar to a trademark. However, enforcement is primarily through lawsuits by the trademark holder, and many typosquatters operate from jurisdictions where enforcement is difficult.
Can I register typosquats of my own brand to protect it?
Yes, and many large companies do exactly this. It is called "defensive registration." Companies register common misspellings of their domain and redirect them to their real website. This is a standard brand protection strategy.