Typosquatting & Lookalike Domains: How to Detect Them — and Whether They Actually Reach Users
On this page
Every brand-protection team has a spreadsheet of lookalike domains, and almost every one of those spreadsheets measures the wrong thing. It counts registrations — how many typosquatting and lookalike domains someone has registered that resemble yours. That number is easy to generate, alarming to look at, and only loosely connected to the question that actually matters: how many of these can a real customer reach?
Typosquatting — also called URL hijacking — is the practice of registering domains that closely imitate a legitimate brand’s domain to siphon its traffic, users, or trust; it is a form of cybersquatting that banks on the typos people make when typing a web address into the browser. The threat is real. But a registered domain that’s parked, dark, or invisible to search is a very different risk from one that ranks on page one when your customers search your name. This post does two things. First, it defines the full class of lookalike domains — typos, combosquats, homoglyphs, TLD-swaps — and who’s behind them. Then it shares an original cloro study that measures the part almost no one publishes: not how many typosquatting domains exist, but how many actually reach users through search.
One scope note up front, because this post is deliberate about it. Detecting typosquatting domains is a registry-layer job, and cloro does not do that layer — we say so plainly below. What cloro contributes is the visibility layer on top: given a list of suspect domains, which ones are actually findable and reaching people. Keep that division in mind; it’s the honest frame for everything that follows.
What typosquatting and lookalike domains actually are
“Typosquatting” in casual use means “a domain that looks like mine.” Precisely, it’s a family of techniques, and defending against it means recognizing all of them — because they share attackers, monetization, and takedown paths but evade different detection rules.
Typo domains. The original typosquatting form: a domain that exploits a predictable keystroke or spelling error. A dropped character (yourbrnd.com), a doubled one (yourbrandd.com), transposed letters (youbrand.com), or an adjacent-key substitution (yourbramd.com, where n becomes m). These bank on the small percentage of users who fat-finger a URL in the address bar rather than clicking a link.
Combosquatting. No misspelling at all — the exact brand name plus a plausible extra token: yourbrand-login.com, yourbrand-support.com, yourbrand-secure.com, yourbrandhelp.com. Combosquats are especially effective for phishing because the added word (login, verify, billing) matches exactly what a user expects to see on a legitimate account page. They also evade naive typosquatting detection, which looks for edit-distance-1 mutations of the bare domain and misses appended words entirely. And they are unusually durable: a longitudinal study of combosquatting abuse presented at ACM CCS 2017 found that almost 60% of abusive combosquatting domains stay live for more than 1,000 days, far outlasting the throwaway typo domains stood up for a single campaign.
Homoglyph and IDN attacks. These swap a character for one that’s visually identical or near-identical. A lowercase l rendered where users read a capital I; the digit 0 for the letter o; or — the harder case — internationalized domain names (IDNs) that substitute a Unicode character from another script for a Latin one that looks the same (a Cyrillic а for a Latin a). Rendered in a browser, yоurbrand.com (with one Cyrillic vowel) can be indistinguishable from the real thing. This homoglyph strain of typosquatting is a catalogued class of attack, not a theoretical one: the Unicode Consortium maintains a formal registry of ‘confusable’ characters in Unicode Technical Standard #39 precisely because strings like paypal and pаypаl are visually identical across scripts. Internationalized domain names are stored in ASCII as Punycode — the xn-- prefix you sometimes see in a URL — and browsers such as Firefox and Safari defend users by displaying suspicious IDNs in that raw Punycode form. That defense is uneven, though: it doesn’t fire in every context, and email clients, chat apps, and PDFs are weaker.
TLD-swaps. Keep the exact, correctly-spelled brand name and change only the extension: yourbrand.co (a single dropped m from .com), yourbrand.net, yourbrand.io, or one of the hundreds of cheap new gTLDs. A user who types your name perfectly can still be diverted if they guess the wrong ending — or if an attacker seeds links to the swapped TLD.
All four are lookalike domains — the umbrella term for any string engineered to be mistaken for your legitimate domain. Typosquatting is one species; the defensive posture has to cover the whole genus, because a customer who gets phished doesn’t care which technique fooled them.
Who registers them, and why
Typosquatting isn’t a single threat — it’s a monetization market with several distinct buyers, and lookalike domains get registered for each of them:
- Phishing and credential harvesting. The most dangerous use. A combosquat like
yourbrand-login.comhosts a pixel-perfect clone of your sign-in page and captures credentials, payment details, or MFA codes. The volume behind this is not shrinking: the Anti-Phishing Working Group recorded 1,003,924 phishing attacks in the first quarter of 2025, its highest quarterly count since late 2023. These pages are often short-lived — stood up, blasted out in an email campaign, and abandoned within days — which is exactly why detection has to be continuous, not quarterly. - Ad arbitrage and traffic monetization. Many squats are simply parked: they resolve to a pay-per-click landing page stuffed with ads, some of which point to your actual competitors. The squatter earns on every misdirected click. Low-effort, low-harm individually, but a persistent tax on your brand’s type-in traffic.
- Traffic resale and affiliate hijacking. Some lookalikes redirect through affiliate links so the squatter collects a commission on sales that would have been yours anyway, or resell the accumulated traffic to third parties.
- Defensive and speculative holding. Not every registration is hostile. Some are held by domainers hoping you’ll buy them, some by well-meaning fans or resellers, and some by you — brands routinely register their own high-risk permutations. This is why raw registration counts mislead: a chunk of any permutation set is inert or benign.
That last point is the crux. If a meaningful share of “squats” are parked, defensive, or dark, then a registration count dramatically overstates the reachable threat. To size the real risk you have to measure reach — which brings us to monitoring.
Domain monitoring: the registry layer (which cloro does not do)
Ongoing defense against typosquatting is a monitoring problem, not a one-time audit, because the permutation space is continuously re-registered as old squats expire and new campaigns spin up. A healthy program watches on a schedule and layers two very different kinds of signal. Being honest about which layer cloro operates is the whole reason this section exists.
The registry layer is the core — and it isn’t cloro
The foundational layer of typosquatting detection lives at the domain registry and DNS level, and it works like this:
- Enumerate the permutation space. Tools like dnstwist and urlcrazy take your domain and generate the full universe of plausible lookalikes — typos, homoglyphs, combos, TLD-swaps, bit-flips — often hundreds to thousands of candidates per brand.
- Check registration and resolution. For each candidate: is it registered? Does it resolve to a live host? What’s the A record, the registrar, the creation date?
- Look for weaponization signals. MX records (the domain can send/receive email — a phishing precursor), a TLS certificate issued for it, or an A record pointing at known-malicious infrastructure.
- Alert on change. Registrar-feed and DNS-monitoring services (and dedicated brand-protection platforms) watch newly-registered domains matching your patterns and notify you within hours of a new lookalike appearing.
This registry layer is the core of typosquatting detection, and cloro does not do it. cloro is a SERP and AI-answer scraping API. It does not scan the domain registry, it does not enumerate permutations, and it does not watch DNS or registrar feeds. If you need that layer — and you do — it comes from dnstwist/urlcrazy in-house, from registrar alert feeds, or from a dedicated brand-protection vendor. We’re stating this plainly because the easy marketing move would be to blur it, and blurring it would leave a real gap in your defenses.
The visibility layer is what cloro adds
Here’s the problem the registry layer leaves open: it tells you a domain exists and resolves. It does not tell you whether a customer will ever encounter it. A parked homoglyph that Google never indexed and that ranks nowhere for your brand terms is a footnote; a combosquat sitting at position 3 for “yourbrand login” is an active incident. The difference between those two is exactly the typosquatting risk a visibility layer surfaces — registration is not reach.
cloro operates the visibility layer on top of whatever domain list your registry monitoring produces. Because cloro scrapes Google SERPs, paid ads, and AI-answer citations, it can answer the reachability questions the registry layer can’t:
- Do the permutations rank in Google for your brand terms? Feed cloro your brand queries and see whether any lookalike domain appears in the organic results a real user sees.
- Are they running ads against you? cloro captures the paid layer of the SERP, surfacing squats bidding on your brand name.
- Are they indexed at all? A
site:-scoped check per suspect domain tells you whether Google has the squat in its index — the difference between “registered” and “findable.” - Do AI answers cite them? If an assistant starts sourcing a lookalike domain as if it were you, that’s a new and growing exposure surface. (We measured how AI engines pick their sources in the LLM citations study.)
The two layers are complementary, not competing. Registry monitoring finds the typosquatting candidates; the visibility layer ranks them by real-world reach so you can triage. The study below is what happens when you actually run the second layer against the first.
Data study: how much typosquatting reaches users
Almost all typosquatting coverage stops at a registration count — “we found 800 lookalikes for your brand.” That number answers how many exist. It says nothing about how many reach people. In July 2026 we ran the measurement that closes that gap.
Method (aggregate and sanitized). We generated 400 dnstwist-style typosquatting permutations across 15 brands — a mix of large, mid-sized, and small brands, plus our own domain as a control. For each permutation we measured resolution (does it point to a live site?), and for the resolving squats we sampled up to 8 per brand and checked whether Google had indexed them — the concrete test of whether a searching user can actually reach the domain. Everything here is reported in aggregate; we never name an individual resolved or indexed domain, by design.
Headline finding. Across all 400 typosquatting permutations, 66% resolved to a live site. Of the resolving squats we checked, 53% were Google-indexed — meaning a user who searches can land on them, not merely that the domain is registered. Roughly half of live squats are also findable; the other half resolve but don’t surface in search. That split is the entire argument for measuring reach instead of registrations.
Broken out by brand size:
| Brand tier | Permutations resolving | Of checked resolving squats, Google-indexed |
|---|---|---|
| Large | 81.5% | 45% |
| Mid | 47.8% | 57.5% |
| Small | 78.2% | 50% |
| Aggregate | 66% | 53% |

A few things stand out. Large brands have the highest resolution rate (81.5%) — their names are valuable enough that nearly every plausible typosquatting permutation is worth registering to someone — but a lower share of those live squats are indexed (45%), consistent with a large fraction being parked or defensively held rather than actively promoted. Mid-sized brands show the inverse shape: fewer permutations resolve (47.8%), but a higher share of the live ones are indexed (57.5%) — a leaner, more opportunistic squat footprint where what does exist is more likely to be working for search traffic. Small brands land in between on both axes.
The headline no one else publishes is the second column. Registration counts and even resolution rates are widely quoted; the indexed share — the fraction that actually reaches users through search — is the number that should drive triage, and it’s routinely missing from typosquatting reports. A brand looking only at the 66% resolution figure would over-invest in inert typosquatting domains; a brand looking at the ~53% indexed figure knows which half to chase first.
Two honest caveats. This is one measurement from one corpus with a small brand panel (15 brands, 400 permutations) and an 8-per-brand indexing sample cap — treat the tier percentages as directional signals, not universal constants. And “indexed” is a floor for reachability, not a ceiling: a squat can reach users through email, ads, or direct links without ranking in organic search at all, so the true reachable share is somewhat higher than the indexed share alone. The point isn’t the exact number. It’s that reach and registration are different quantities, and only one of them tells you where the risk is.
Domain takedown: the response playbook
Detection and reachability ranking tell you what to act on. Taking a typosquatting or lookalike domain down is a separate discipline with four escalating paths — and, like monitoring, it is not something cloro does. cloro measures reach; removal is the job of the registrar, the host, ICANN’s dispute process, and your counsel or a takedown vendor.
1. UDRP / URS — the ICANN dispute route. The Uniform Domain-Name Dispute-Resolution Policy lets a trademark holder file to have a bad-faith, confusingly-similar domain transferred or cancelled.
Under the UDRP — administered by WIPO, the global leader in domain-name dispute resolution — a complainant must prove all three elements: that the domain is identical or confusingly similar to a trademark they hold, that the registrant has no rights or legitimate interest in it, and that it was registered and is being used in bad faith. The lighter-weight Uniform Rapid Suspension (URS) complements the UDRP with a lower-cost, faster path to relief for the most clear-cut cases of infringement, suspending the domain rather than transferring it. Powerful and durable — it removes the domain from the attacker’s control — but slower (weeks) and with filing fees, so it’s the tool for persistent or high-value squats, not one-off phishing pages.
2. Registrar abuse reports. Every registrar has an abuse contact and a terms-of-service that prohibits phishing and fraud. Reporting a lookalike domain with evidence (screenshots, the phishing URL, timestamps) asks the registrar to suspend it directly. Faster than UDRP for obvious abuse, though registrar responsiveness varies widely.
3. Hosting and CDN takedowns. Often the fastest route to killing an active phishing page: report the malicious content to the hosting provider or CDN serving it. You don’t recover the domain, but you pull the live page — which stops the immediate credential harvest while a slower UDRP proceeds in parallel. For a live phishing campaign, this is usually the first call.
4. Defensive registration. The cheapest long-term control is to not let the domain exist in hostile hands in the first place. Register your highest-risk typosquatting permutations yourself — the common typos, the .co/.net TLD-swaps, the obvious -login/-support combos — and point them at your real site. Your reachability data tells you which permutations are worth the ~annual registration fee: the ones attackers are actually indexing and ranking.
DIY vs. a brand-protection service, honestly
For a handful of clear-cut cases — a couple of obvious typos, one live phishing clone — the DIY path is entirely reasonable: file a registrar abuse report, send a hosting takedown, register the two or three permutations you can’t afford to lose. The tooling (dnstwist, a registrar account, a WHOIS lookup) is free or cheap.
The calculus flips toward a dedicated brand-protection / takedown service (the Corsearch / Red Points / MarkMonitor / BrandShield tier) once any of three things is true: the volume of typosquatting domains exceeds what a person can manually chase; the legal complexity rises (contested UDRP filings, international registrars, repeat offenders); or you need evidence-grade documentation and enforcement at scale for legal or compliance reasons. Those platforms industrialize detection, evidence collection, and takedown execution across thousands of domains — the part that doesn’t scale by hand.
Where does cloro sit in that picture? Neither as the registry monitor nor the takedown service, but as the visibility layer that prioritizes both: it tells you which of the flagged domains are actually reaching your customers through search, ads, and AI answers, so your takedown effort — DIY or vendor — goes to the domains that matter first.
Where cloro fits — and where it doesn’t
To be exact about scope, because this whole post has been:
- cloro does not enumerate typosquatting permutations, scan the registry, watch DNS/registrar feeds, or file takedowns. Use dnstwist/urlcrazy and a brand-protection vendor for that.
- cloro does measure the visibility layer: given a list of suspect lookalike domains, it uses SERP and AI-answer scraping to tell you which ones actually reach users — whether they rank for your brand terms, run ads against you, are indexed by Google, or get cited by AI assistants.
That’s the reachability signal the study above is built on, and it’s the piece a registration count can’t give you. Point cloro’s brand protection monitoring at your brand terms and suspect-domain list and it surfaces the squats a customer can actually encounter — the ones worth taking down first. It pairs naturally with the broader defensive posture in the brand protection guide, its content-layer sibling, content theft and piracy, and the attack surface management view of which parts of your own footprint are search-indexed — all facets of the same open-web threat hunting practice.
Get started with 500 free credits — enough to run your brand terms and a first pass of suspect typosquatting and lookalike domains through the visibility layer and see which ones are reaching your users. Bring the registry list; we’ll tell you which of them matter.
Frequently asked questions
What is typosquatting?+
Typosquatting is the registration of domains that closely resemble a legitimate brand's domain in order to capture traffic, users, or trust that belongs to the brand. The classic form is a single-character typo of the real domain (a dropped letter, a doubled letter, adjacent-key substitutions), but the category is broader: combosquatting appends a plausible word ('-login', '-support', '-secure'), homoglyph and IDN attacks swap visually identical characters (a Latin letter for a Cyrillic one, a lowercase 'l' for a capital 'I'), and TLD-swaps keep the exact brand name but change the extension (.com to .co, .net, or a cheap new gTLD). All of them are lookalike domains: strings engineered to be mistaken for you.
Are typosquatting and lookalike domains the same thing?+
Lookalike domains is the umbrella term; typosquatting is one species within it. A typosquat specifically exploits keyboard and spelling mistakes. Lookalike domains also include combosquats, homoglyph/IDN spoofs, and TLD-swaps that involve no typo at all — a user who types your name perfectly can still land on 'yourbrand.co' or 'yourbrand-support.com'. When defending a brand, treat the whole lookalike class as one problem: they share attackers, monetization models, and takedown paths.
How do I detect typosquatting domains?+
Detection starts at the registry layer: generate the permutation space of your domain (tools like dnstwist and urlcrazy enumerate typos, homoglyphs, combos, and TLD-swaps), then check which permutations are registered, which resolve to a live host, and which have MX records suggesting email/phishing use. Registrar and DNS-based brand-monitoring services do this continuously and alert on new registrations. That registry layer is the core of typosquat detection. cloro does not operate it. What cloro adds is the visibility layer on top: of the domains the registry layer flags, which ones actually reach users — do they rank in Google for your brand terms, run ads against you, or get cited by AI answers?
Does a registered typosquat domain actually reach real users?+
Not necessarily — and that gap is the whole point. Registration counts overstate real-world risk because many squats are parked, dark, or never indexed. In cloro's July 2026 study, 66% of 400 domain permutations resolved to a live site, but reachability through search is a separate question: of the resolving squats we checked, 53% were indexed by Google, meaning a user who searches can actually land on them. The other ~47% resolved but weren't findable via search. Prioritizing takedowns by reachability — indexed, ranking, advertising, or AI-cited — focuses effort on the squats a customer can realistically encounter.
How do I take down a typosquatting or lookalike domain?+
There are four escalating paths. (1) A UDRP or URS complaint through ICANN's dispute process transfers or suspends a domain registered in bad faith that's confusingly similar to your mark — powerful but slower and with filing fees. (2) A registrar abuse report asks the registrar to act on terms-of-service violations like phishing. (3) A hosting/CDN abuse report targets the provider serving the malicious content, which is often the fastest route to pulling a live phishing page. (4) Defensive registration pre-empts the highest-risk permutations so no one else can grab them. DIY works for a handful of clear-cut cases; brand-protection services are worth it once the volume, legal complexity, or need for evidence-grade documentation grows.
Does cloro do domain monitoring or takedowns?+
No — and we say so plainly. cloro does not scan the domain registry, enumerate permutations, or file takedowns. Those are the job of dnstwist/urlcrazy-style tooling, registrar alert feeds, and dedicated brand-protection/takedown platforms. cloro operates the visibility layer only: it measures whether a lookalike domain reaches users through the surfaces cloro scrapes — Google SERPs for your brand terms, paid ads, and AI-answer citations. Use cloro to prioritize which flagged domains are actually reaching customers; use registry monitoring and takedown services to find and remove them.
Related reading

Brand Protection in 2026: Monitoring Search — and Now the AI Answer Layer
Across 40 major brands × 60 prompts × 6 AI engines, 31%–72% of triggered answers cited only third-party domains — never the brand's own site. On Perplexity, the brand's own domain is cited in ~0% of answers. Trustpilot, BBB, ConsumerAffairs, and Reddit narrate your brand when you're absent.

Content Theft and Anti-Piracy: How to Find Who's Copying Your Work (and Get It Taken Down)
We ran the exact-phrase pipeline on 18 of cloro's own articles: 27.8% had a detected non-cloro copy, a copy outranked the original 22.2% of the time, and 39 distinct republisher domains showed up. Here's the build recipe — plus how to get copies taken down.

Attack Surface Management: The Search-Indexed Layer Most EASM Tools Underuse
In an own-scope study of cloro.dev, Certificate Transparency surfaced 15 hostnames but only 3 were search-indexed — while a defensive site: sweep found ~20 exposed URL paths host enumeration never sees. The two layers are complementary, not redundant.