Frequently Asked Questions

Spoof Checker is a brand protection and domain impersonation monitoring platform that continuously scans the public internet for look-alike domains, phishing domains, and typosquats targeting your brand, partners, or vendors. When we detect a suspicious registration, we notify you so you can act before criminals launch a phishing campaign or defraud your customers.

A typosquat checker is an automated tool that scans domain registries for misspelled or look-alike versions of your brand’s domain. Instead of manually searching for variations like “gooogle.com” or “amaz0n.com,” a typosquat checker continuously monitors hundreds of permutations — including character swaps, missing or extra letters, homoglyphs, and TLD variations — and alerts you when a new one is registered. Spoof Checker is a dedicated typosquat checker that runs 24/7 so your security team doesn’t have to.

Absolutely. We offer a Demo plan that lets you explore the dashboard with an example domain — no payment information required. If you’re ready to monitor your own brand, the Standard plan comes with the first month free.

Monthly:
• Standard – First month free, then $20 / month (single domain)
• Premium – $50 / month (up to five domains, abuse-report assistance, site-change monitoring)

Yearly:
• Standard – $200 / year (2 months free)
• Premium – $500 / year (2 months free)

Need to cover more than five domains or add domain-parking services? Contact us for a custom quote.

We combine fuzzy-matching algorithms, newly registered domain (NRD) feeds, DNS zone monitoring, SSL certificate transparency logs, and passive DNS sources to spot permutations of your domain across hundreds of TLDs — including typos, homoglyphs, combo-squats, and character substitutions. Our engine monitors 24/7 so phishing domains and brand-impersonation registrations are caught as soon as they appear.

Newly registered look-alike domains will be alerted on within 24 hours.

You can choose daily, weekly, or monthly reporting. You can switch frequencies any time from the report preferences page.

Spoof Checker’s typosquat reports provide screenshots, whether the domain has an email server, and if the domain can receive emails. These are good clues to determine if a domain can act maliciously. This is why we monitor for changes — with our Premium package we track changes made to the site itself to detect if a site may suddenly be impersonating yours.

Yes. Newly registered domains (NRDs) are one of the highest-risk signals in threat intelligence — attackers typically register a look-alike domain and begin using it for phishing within days of acquisition. Spoof Checker continuously ingests NRD feeds and will alert you within 24 hours of a look-alike domain being registered.

Yes. Spoof Checker monitors across hundreds of top-level domains, including legacy TLDs (.com, .net, .org), country-code TLDs, and newer TLDs that are frequently abused (.ai, .io, .co, .zip, .mov). If you have specific TLDs or subdomain patterns you want watched, contact us to discuss custom coverage.

Typosquatting is a form of cybersquatting where a person registers a domain name that is a close misspelling of a legitimate website’s domain name, often with the intent to redirect users who make typing errors to a fake or malicious site. The purpose is usually to send phishing campaigns, commit fraud, or set up websites tricking your customers.

Yes, you can block a domain by adding it to your organization’s email filtering policies and firewall/proxy blocklists to prevent both inbound email and web traffic to the malicious site. Spoof Checker also offers a service to register look-alike domains on your behalf to prevent them from being registered by bad actors.

A homoglyph attack (also called an IDN homograph attack) replaces characters in a legitimate domain with visually identical or near-identical characters from other scripts. For example, the Latin “a” can be swapped for a Cyrillic “а,” or “rn” can mimic “m.” The resulting domain looks identical to the real one in most fonts, making it exceptionally effective for phishing. Spoof Checker detects homoglyph domains by scanning Unicode character substitutions across all monitored domains.

Combo-squatting is a domain impersonation technique where an attacker appends or prepends a common word to a legitimate brand name — for example, yourbank-secure.com, paypal-login.net, or amazon-support.co. These domains appear trustworthy because they contain the real brand name, and are frequently used in phishing emails, fake customer-support scams, and credential-harvesting sites. Spoof Checker detects combo-squatted domains by monitoring for your brand name appearing as a substring in newly registered domains.

Domain spoofing involves registering a look-alike domain (e.g., paypa1.com) to host phishing sites or send fraudulent email from an entirely separate domain. Email spoofing involves forging the “From” header of an email to make it appear to come from your legitimate domain — without registering anything new. Email spoofing is typically addressed by DMARC, SPF, and DKIM policies on your own domain.

These attacks are often combined: an attacker registers a look-alike domain and then spoofs it in emails. DMARC protects your domain from being forged; Spoof Checker protects against look-alike domains that DMARC cannot see.

Brand impersonation is when a bad actor uses your company’s name, logo, or identity — typically via a look-alike domain — to deceive your customers, partners, or employees. Common harms include:

• Customer trust damage when users land on fraudulent pages impersonating your site
• Financial losses from wire-transfer fraud (BEC attacks often use look-alike domains to impersonate executives or vendors)
• Credential theft targeting users who enter passwords on phishing pages
• Legal and regulatory exposure if customers are defrauded using your brand identity

Early detection through domain impersonation monitoring dramatically reduces your window of exposure.

Financial services (banks, fintech, crypto exchanges), healthcare organizations, e-commerce retailers, SaaS companies, and government agencies face the highest rates of brand impersonation. Attackers target brands that handle financial transactions or sensitive credentials because the payoff is higher. That said, any brand with recognizable online presence is a target — including mid-market companies whose security teams may be less resourced than enterprise counterparts.

A domain impersonation monitoring service continuously scans public data sources — including newly registered domain (NRD) feeds, WHOIS records, DNS zone files, and certificate transparency logs — for domains that resemble your brand. When a match is found, the service evaluates it for active threats (live web content, functioning mail servers, phishing indicators) and sends an alert. Spoof Checker automates this entire workflow: detection, risk enrichment, alerting, and abuse report submission.

You should add it to your organization’s email filtering policies and firewall/proxy blocklists to prevent both inbound email and web traffic to the malicious site. You can reach out to our team for assistance with the takedown process.

We draft and submit registrar abuse reports for you, but the final takedown decision rests with the registrar or hosting provider. We will also need evidence that the fraudulent domain is acting in a malicious manner that warrants takedown. While we can’t guarantee removal, our evidence-rich submissions maximize success and save your team time.

Spoof Checker delivers alerts by email on your chosen cadence (daily, weekly, or monthly). For teams that need webhook delivery or direct integration with a SIEM, Slack workspace, or ticketing system, contact us to discuss API access and integration options.

Several widely-used frameworks now call for blocking or monitoring malicious or spoofed domains. ISO/IEC 27001 (Annex A 8.23) and CIS Critical Security Controls v8 (Safeguard 9.2) both require DNS or web filtering to stop users from reaching fraudulent sites. NIST SP 800-53 Rev. 5 (SC-20/SC-21) and NIST CSF 2.0 (PR.PT-4) emphasize secure, validated DNS services to detect spoofed look-ups. PCI DSS 4.0 (Req. 1.3.2) mandates restricting outbound traffic to approved domains, while SOC 2’s CC6.7/CC7.2 expects evidence that unauthorized external connections — including to rogue domains — are prevented or detected.