
Typosquatting: When One Wrong Letter Hands Over Your Credentials

Figure: Comparison of a legitimate URL and a typosquatted URL, showing how replacing the letter m with rn creates a convincing lookalike domain.

Type “gogle.com” into your browser. You misspelled it. Twenty years ago, that typo would have landed you on a page stuffed with ads. Today, it might land you on a pixel-perfect replica of Google’s login page, one that captures your username and password before redirecting you to the real thing. You would never know.

This is typosquatting, and it has been around since domain names became valuable. What changed is the sophistication. Modern typosquatting campaigns do not just buy obvious misspellings. They register domains using character substitutions that are nearly invisible to the human eye, pair them with valid HTTPS certificates, and deploy them as part of targeted credential-harvesting operations against specific companies.

Palo Alto Networks’ Unit 42 found that roughly 13,857 squatting domains were registered per month in 2023, with typosquatting and combosquatting accounting for the majority. These are not opportunistic parked pages. Many are active phishing sites with a shelf life measured in hours, just long enough to harvest a batch of credentials before being reported and taken down.

Typosquatting is the practice of registering domain names that are very close to legitimate ones, targeting users who make typing mistakes, misread a URL, or click a lookalike link without inspecting it closely. The attacker controls the destination, which can be anything from a credential-harvesting page to a malware distribution site to a fake corporate portal.

The attack succeeds because humans are bad at reading URLs character by character. We recognize domain names the way we recognize faces: by overall shape and context, not by examining each pixel. A domain like “rnicrosoft.com” (with “rn” instead of “m”) looks correct at a glance. So does “arnazon.com” or “linkedln.com” (with an “l” instead of an “I”). Attackers know this and choose substitutions specifically to exploit how our eyes process text.

How do attackers create typosquat domains?


The techniques fall into several categories, each targeting a different failure mode in human perception.

Keyboard typos. The simplest approach: register domains where one character is replaced with an adjacent key on a QWERTY keyboard. “Gogle.com” (missing an ‘o’), “Gmial.com” (swapped ‘a’ and ‘i’), “Anazon.com” (missing an ‘m’). These target people who type URLs from memory and make a single keystroke error.

Character substitution. Replace one character with a visually similar one. “rn” for “m” is the classic. “l” (lowercase L) for “I” (uppercase i). “1” (one) for “l” (lowercase L). “0” (zero) for “O.” In many fonts, these are indistinguishable at body text sizes. An email that says “Please log in at rnicrosoft.com” looks correct in most inbox rendering engines.

Homoglyph attacks. This is character substitution taken further, using Unicode characters from non-Latin scripts that look identical to Latin letters. The Cyrillic “а” (U+0430) is visually identical to the Latin “a” (U+0061) in most fonts. An attacker can register a domain using Cyrillic characters that appears byte-for-byte different from the legitimate domain but renders identically on screen.

Modern browsers defend against this with Internationalized Domain Name (IDN) display policies. Chrome and Firefox show the Punycode representation (xn--…) for domains that mix scripts. But not all applications render URLs through a browser. Email clients, messaging apps, and mobile notification banners may display the Unicode version directly.

Combosquatting. Instead of misspelling the domain, the attacker adds a plausible word. “microsoft-login.com,” “google-security.com,” “amazon-delivery-status.com.” These are technically not misspellings, so they do not trip the same cognitive alarm. They feel like subdomains or microsite URLs that a large company might actually use.

Researchers from Georgia Tech found in a 2017 study that combosquatting domains were 100 times more prevalent than traditional typosquatting and were used in significantly more active attack campaigns. The trend has only accelerated since then.

TLD swapping. Register the same domain under a different top-level domain. “company.co” instead of “company.com.” “company.org” instead of “company.com.” “company.cam” instead of “company.com.” The proliferation of new TLDs (.app, .dev, .cloud, .team) has expanded this attack surface considerably, because many organizations do not defensively register their name across all available TLDs.
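Every technique above can be enumerated mechanically, and that is how the defensive side builds its list: the variants of your own domain worth registering, watching in new-registration feeds, or blocking at the resolver. The generator below is an added example written for this article, not code from the article’s author; the QWERTY neighbour map, the ASCII confusable table, the combo-word list and the TLD list are my own assumed choices, and the brand domains in the usage are constructed input.

```python
"""Enumerate lookalike variants of a domain you own, grouped by technique.

Added example for this article, not code from its author. Intended for
defenders: the output is the candidate list to register defensively, to
watch in new-registration feeds, or to block at the DNS resolver. The
keyboard map, confusable table, combo words and TLD list are assumptions.
"""
from typing import Dict, Set

# Neighbouring keys on a US QWERTY layout (letters only).
QWERTY_ADJACENT = {
    "q": "wa", "w": "qeas", "e": "wrds", "r": "etfd", "t": "ryg", "y": "tuh",
    "u": "yij", "i": "uok", "o": "ipl", "p": "ol", "a": "qwsz", "s": "awedxz",
    "d": "serfcx", "f": "drtgvc", "g": "ftyhbv", "h": "gyujnb", "j": "huikmn",
    "k": "jiolm", "l": "kop", "z": "asx", "x": "zsdc", "c": "xdfv",
    "v": "cfgb", "b": "vghn", "n": "bhjm", "m": "njk",
}
# ASCII-only visual confusables from the article: rn/m, l/1/i, 0/o.
HOMOGLYPHS = {"m": ["rn"], "l": ["1", "i"], "i": ["l", "1"], "o": ["0"]}
COMBO_WORDS = ["login", "security", "support", "account", "verify"]
ALT_TLDS = ["co", "cam", "org", "net", "app", "dev", "cloud"]


def split_domain(domain: str):
    """'example.com' -> ('example', 'com'); only the label is mutated."""
    label, _, tld = domain.lower().rpartition(".")
    return label, tld


def typosquat_candidates(domain: str) -> Dict[str, Set[str]]:
    """Return {technique: set(of lookalike domains)} for one brand domain."""
    label, tld = split_domain(domain)
    out: Dict[str, Set[str]] = {
        k: set() for k in ("omission", "transposition", "adjacent_key",
                           "homoglyph", "combosquat", "tld_swap")
    }
    for i, ch in enumerate(label):
        head, tail = label[:i], label[i + 1:]
        # Dropped character: google -> gogle
        out["omission"].add(f"{head}{tail}.{tld}")
        # Swapped neighbours: gmail -> gmial
        if i + 1 < len(label):
            out["transposition"].add(f"{head}{label[i + 1]}{ch}{label[i + 2:]}.{tld}")
        # Fat-finger substitution: amazon -> anazon (n sits next to m)
        for nb in QWERTY_ADJACENT.get(ch, ""):
            out["adjacent_key"].add(f"{head}{nb}{tail}.{tld}")
        # Visual substitution: microsoft -> rnicrosoft, linkedin -> linkedln
        for sub in HOMOGLYPHS.get(ch, []):
            out["homoglyph"].add(f"{head}{sub}{tail}.{tld}")
    # Brand plus a plausible word: google -> google-security
    for word in COMBO_WORDS:
        out["combosquat"].update({f"{label}-{word}.{tld}", f"{word}-{label}.{tld}"})
    # Same label under another TLD: company.com -> company.co
    out["tld_swap"].update(f"{label}.{alt}" for alt in ALT_TLDS if alt != tld)
    # Swapping two identical letters reproduces the real domain; drop it.
    for variants in out.values():
        variants.discard(domain.lower())
    return out


def total_candidates(domain: str) -> int:
    """Distinct variants across all techniques (a rough defensive-registration cost)."""
    return len(set().union(*typosquat_candidates(domain).values()))


if __name__ == "__main__":
    # Constructed input: replace with the domains your organisation owns.
    for technique, variants in typosquat_candidates("google.com").items():
        print(f"{technique:14s} {len(variants):3d}  e.g. {sorted(variants)[:3]}")
    print("distinct total:", total_candidates("google.com"))
```

The per-technique grouping matters in practice: the omission, transposition and TLD-swap sets are small enough to register outright, while the adjacent-key and combosquat sets grow quickly and are better fed to DNS filtering and certificate-transparency monitoring than bought.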

People assume typosquatting only catches users who manually type URLs. That used to be true. Now it is just one of several attack surfaces.

Phishing emails. An email from “support@arnazon.com” linking to a fake order confirmation page. The domain passes a quick visual check because the substitution is subtle. This overlaps directly with standard email phishing, but the domain similarity adds an extra layer of credibility.

Search engine ads. Attackers bid on brand keywords in Google Ads and link to typosquat domains. A user searching for “Dropbox login” sees an ad at the top of the results that links to “dr0pbox.com” or “dropbox-login.com.” Google has policies against this, but enforcement is reactive. The ad runs for hours before being flagged.

Link manipulation in documents. A shared document, wiki page, or Slack message contains a hyperlink with display text that reads “company.com” but actually points to “cornpany.com.” The user sees the display text, trusts it, and clicks. This is why safe browsing habits need to extend beyond the browser and into every tool where clickable links appear.

QR codes. A QR code phishing attack that encodes a typosquat URL. The domain looks close enough on the brief URL preview that most users tap through without noticing the difference.

Dependency confusion and package typosquatting. In software development, attackers publish packages to npm, PyPI, or other registries using names that are one character off from popular libraries. Developers who mistype a package name in their dependency file pull in the malicious version. This is typosquatting applied to the software supply chain, and it has caused real incidents. The 2021 ua-parser-js incident and the 2022 colors/faker.js attacks demonstrated how fragile the supply chain trust model is.

Typosquatting is not a theoretical risk. It operates at industrial scale.

In 2023, Akamai identified over 30,000 domains targeting the top 100 retail brands during the holiday shopping season alone. Many were active for fewer than 48 hours. They harvested credentials, collected payment card numbers, or distributed malware disguised as promotional apps.

The IRS warned U.S. taxpayers in 2024 about typosquat domains impersonating the official IRS.gov website during tax season. The fake sites collected Social Security numbers and banking information under the pretense of “processing refunds.”

Financial institutions face particularly aggressive campaigns. A 2022 study by Infoblox found that the average Fortune 500 bank had over 200 active typosquat domains registered against it at any given time. Some were credential phishing. Others were fake customer support portals designed for social engineering attacks conducted over the phone.

There is no single defense that eliminates the risk. Protection requires layering technical controls with employee awareness.

Defensive domain registration. Register common misspellings, adjacent-key typos, and TLD variants of your primary domain. This is expensive at scale, but it prevents the most obvious attacks. Redirect all defensive registrations to your real site.

DNS-level filtering. Configure corporate DNS resolvers to block known typosquat domains. Services like Cisco Umbrella, Cloudflare Gateway, and Zscaler maintain threat intelligence feeds that include recently registered lookalike domains.

Browser security policies. Use a managed browser or browser extension that warns users when they navigate to a domain that closely resembles a known corporate resource. Some endpoint protection platforms include this functionality.

Email authentication enforcement. DMARC, DKIM, and SPF will not prevent an attacker from sending email from a typosquat domain, but they make it harder for that email to pass authentication checks. Strict DMARC policies on your own domain also protect your brand by preventing spoofing of your exact domain.

Certificate transparency monitoring. Monitor certificate transparency logs for TLS certificates issued to domains similar to yours. If someone registers “yourcompany-login.com” and gets a certificate for it, that is an early warning signal.
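Both the IDN paragraph earlier (mixed-script labels that browsers fall back to Punycode for) and the certificate transparency monitoring point above come down to the same job: take a stream of domain names and decide which ones resemble a brand you protect. The scanner below is an added example for this article, not code from its author or from any monitoring vendor. The feed entries are constructed sample data standing in for names pulled from CT logs, the confusable table is a small hand-picked subset of the Unicode confusables (an assumption), and PROTECTED is a placeholder brand list.

```python
"""Flag lookalike domains in a feed against the brands you protect.

Added example for this article, not code from its author. CT_LOG_SAMPLE is
constructed data standing in for CT-log or newly-registered-domain names;
CONFUSABLES is a small assumed subset of the Unicode confusables table.
"""
import unicodedata
from typing import List, Optional, Tuple

PROTECTED = ["google.com", "microsoft.com", "yourcompany.com"]  # placeholder list

# Characters that render like Latin letters: a few Cyrillic/Greek lookalikes
# plus the digit tricks from the article (1 for l, 0 for o).
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u03bf": "o", "1": "l", "0": "o",
}


def scripts_in(label: str) -> set:
    """Scripts used in a label, read off the Unicode character names."""
    return {unicodedata.name(ch, "?").split(" ")[0]
            for ch in label if ch not in "-."}


def is_mixed_script(domain: str) -> bool:
    """True if any label mixes scripts, the case browsers show as Punycode."""
    return any(len(scripts_in(lbl) - {"DIGIT"}) > 1 for lbl in domain.split("."))


def to_punycode(domain: str) -> str:
    """The xn-- form a browser's address bar falls back to for such a domain."""
    return domain.encode("idna").decode("ascii")


def fold(label: str) -> str:
    """Collapse confusables to the Latin text the label is meant to resemble."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in label).replace("rn", "m")


def edit_distance(a: str, b: str) -> int:
    """Damerau-Levenshtein (optimal string alignment): a swap of two adjacent
    letters costs one edit, so 'gmial' is distance 1 from 'gmail'."""
    prev2, prev1 = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i] + [0] * len(b)
        for j, cb in enumerate(b, 1):
            cur[j] = min(prev1[j] + 1, cur[j - 1] + 1, prev1[j - 1] + (ca != cb))
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                cur[j] = min(cur[j], prev2[j - 2] + 1)
        prev2, prev1 = prev1, cur
    return prev1[-1]


def classify(candidate: str, protected: List[str] = PROTECTED) -> Optional[Tuple[str, str]]:
    """(brand, technique) if the candidate resembles a protected domain, else None."""
    cand = candidate.lower().rstrip(".")
    if cand in protected:
        return None
    c_label, _, c_tld = cand.rpartition(".")
    folded, mixed = fold(c_label), is_mixed_script(cand)
    for brand in protected:
        b_label, _, b_tld = brand.rpartition(".")
        if cand.startswith(brand + "."):           # google.com.attacker.example
            return brand, "subdomain abuse"
        if c_label == b_label and c_tld != b_tld:  # yourcompany.co
            return brand, "tld swap"
        if folded == b_label:                      # rnicrosoft.com, gооgle.com
            return brand, "homoglyph (mixed script)" if mixed else "homoglyph"
        if edit_distance(folded, b_label) == 1:    # gogle.com
            return brand, "typo"
        if b_label in folded.split("-"):           # google-security.com
            return brand, "combosquat"
    return None


def scan(feed: List[str], protected: List[str] = PROTECTED) -> List[Tuple[str, str, str]]:
    """Run classify() over a feed; returns (domain, brand, technique) per hit."""
    return [(d, *hit) for d in feed if (hit := classify(d, protected))]


# Constructed feed entries, not real CT-log data.
CT_LOG_SAMPLE = [
    "google.com", "gogle.com", "rnicrosoft.com", "g\u043e\u043egle.com",
    "google-security.com", "yourcompany.co", "google.com.attacker.example",
    "learn.com",  # contains "rn" but is not a lookalike of any brand above
]

if __name__ == "__main__":
    for domain, brand, technique in scan(CT_LOG_SAMPLE):
        shown = to_punycode(domain) if is_mixed_script(domain) else domain
        print(f"{shown:32s} -> {brand:16s} {technique}")
```

The folding step is the part worth understanding: the Cyrillic version of google.com and the rn-for-m version of microsoft.com are both reduced to the brand string before comparison, so the same rule catches them, and the mixed-script flag is what tells you the name would have been shown as xn-- in a browser but possibly not in a mail client. The rn-to-m fold is a heuristic; learn.com is kept in the sample feed to show that folding alone does not produce a hit without a brand match.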

Technical controls catch many typosquat domains, but they cannot catch all of them. Employees need to recognize the attack pattern themselves.

Teach URL reading as a skill. Most employees have never been taught to actually read a URL character by character. They glance at it and make a snap judgment. Training should include exercises where employees compare legitimate and typosquat URLs side by side, because the difference is often a single character. Our typosquatting awareness exercise puts employees through exactly this kind of comparison in realistic scenarios.

Reinforce direct navigation. The safest habit is typing known URLs directly or using bookmarks, never following links in emails or messages to log into sensitive services. This advice applies equally to credential protection and password security.

Explain the bookmark habit. For services employees use daily (email, cloud storage, internal tools), they should bookmark the login page and use only that bookmark. This eliminates the mistyped URL vector entirely.

Cover the mobile angle. Mobile browsers show less of the URL, and mobile keyboards increase typo rates. Employees who access corporate services on phones are more vulnerable to both typosquatting and smishing attacks that link to lookalike domains.

Typosquatting vs other domain-based attacks


Typosquatting is one of several techniques that exploit domain trust. Understanding how they differ helps you build the right defenses.

| Technique | Method | Example | Primary defense |
|---|---|---|---|
| Typosquatting | Misspelled domain | gogle.com | Defensive registration, DNS filtering |
| Combosquatting | Real name + added word | google-security.com | DNS filtering, user awareness |
| Homoglyph attack | Unicode lookalike chars | gооgle.com (Cyrillic о) | Browser IDN policies |
| Domain spoofing | Forged From: header | Displays “google.com” | DMARC/DKIM/SPF |
| Subdomain abuse | Trusted domain prefix | google.com.malicious.site | User awareness, URL reading |

The common thread is that all five techniques target the same human weakness: we trust URLs based on pattern recognition rather than character-by-character verification. Training needs to address this underlying habit, not just the specific technique.

Typosquatting awareness requires a different training approach than standard phishing training. The attack does not depend on urgency, fear, or social pressure. It depends on inattention. A tiny visual difference that the brain glosses over.

Use visual comparison exercises. Show employees pairs of URLs and ask them to identify the fake. Start easy (“faceboook.com” vs “facebook.com”) and progressively increase difficulty (“rn” vs “m,” “l” vs “I,” Cyrillic homoglyphs). This builds the habit of actually reading URLs instead of pattern-matching them.

Demonstrate real examples. Show employees actual typosquat domains that have been registered against your organization. If you can, show them the phishing pages those domains served. Seeing that attackers specifically target your company makes the threat concrete.

Connect it to browser habits. Typosquatting training fits naturally alongside browser security training. Teach employees to check the full URL after a page loads, not just before clicking. Some typosquat sites redirect through multiple domains, so the URL in the email may differ from the URL that ultimately loads.

Make it part of the simulation program. Include typosquat domains in your phishing simulation emails. An email from “hr@yourcompnay.com” (transposed letters) with a link to a lookalike portal tests whether employees catch the domain discrepancy. Our typosquatting awareness exercise and safe browsing exercise cover these scenarios specifically.

Train your team to catch the URLs that are one letter off. Try our free typosquatting awareness exercise and see how many lookalike domains your employees can spot. You can also explore exercises on browser security, HTTPS and website verification, and the full security awareness training catalogue.