Book a free consultation
Layer 6 · Threat & Impersonation

Brand impersonation and lookalike domains

Lookalike domains are domains that closely resemble yours — one character swapped, a hyphen added, a different TLD. Attackers register them to send phishing mail that appears to come from your company. Your DMARC record cannot protect you from them. You need to find and monitor them.

How lookalike attacks work

A spoofing attack uses your actual domain. A lookalike attack uses a different domain that resembles yours enough to fool recipients. Common techniques include:

  • Typosquatting — registering your domain with a common typo (yourcmopany.com, yourcompnay.com)
  • Homoglyph substitution — replacing letters with visually similar characters (y0urcompany.com — zero instead of O)
  • Added words — appending common words (yourcompany-support.com, yourcompany-help.com, yourcompanyinc.com)
  • Different TLD — registering your brand on a different extension (yourcompany.net when you own yourcompany.com)
  • Subdomain abuse — using a legitimate-looking subdomain of a different domain (yourcompany.attacker.com)

Attackers who use lookalike domains can set up their own SPF, DKIM, and DMARC records on those domains — so the authentication passes for the lookalike domain even though the mail is fraudulent. Your DMARC record protects your domain, not theirs.

Who they target

Lookalike domain attacks typically target your customers, partners, or suppliers. Common scenarios:

  • Phishing emails that look like your password reset or invoice emails, asking recipients to enter credentials on a fake site
  • Business email compromise (BEC) attacks that impersonate your executives to request wire transfers or gift cards
  • Vendor fraud where attackers intercept supplier relationships by posing as you or your suppliers

How to find lookalike domains

You cannot catch all lookalike domains after they have been deployed — the goal is early detection, before the attack reaches your customers.

Domain monitoring services

Services like DomainTools, Bolster, or similar threat intelligence platforms continuously scan newly registered domains for similarity to yours and alert you when potential lookalikes appear. Some DMARC reporting services include basic lookalike monitoring.

Manual checks

Tools like dnstwist generate permutations of your domain and check which ones are registered. Running this periodically gives you visibility without ongoing subscription costs.

Customer reports

Establish a clear channel for customers and partners to report suspicious emails. Many lookalike attacks are discovered by recipients who notice something is slightly off.

What to do when you find a lookalike

Depending on your risk tolerance and resources:

  1. Register the most obvious variants defensively — if you haven't already registered common typos and alternative TLDs for your domain, consider doing so. This is the simplest prevention.
  2. Report to the registrar — if the domain appears to be actively used for phishing, file an abuse report with the domain registrar. Many registrars will suspend domains used for phishing.
  3. Report to Google Safe Browsing and Microsoft — if there is a phishing site associated with the domain, report it to the major blocklist providers.
  4. Warn your customers — if an active attack is underway, communicate proactively through your known channels about what genuine communications from you look like.
Prevention is cheaper than response. Registering the 10-20 most likely lookalike domains for your brand costs less than responding to one successful phishing incident.
Free 30-minute consultation

Still stuck? Talk to a specialist.

If the guides aren't enough, book a free 30-minute call. We'll look at your setup, name the layer that's failing, and give you the fix order. No pitch, no obligation.

Book a free consultation