By the numbers

The FBI’s 2024 Internet Crime Report recorded $2.77 billion in Business Email Compromise losses across more than 21,000 complaints. Most BEC attacks begin with a lookalike domain the target brand never knew existed. A typosquat checker is the fastest way to see what your brand looks like from an attacker’s perspective.

What Is a Typosquat Checker and Why Every Brand Needs One

Your domain is one character swap away from being used against your customers. Attackers do not need to hack your servers. They register yourcompany-login.com, build a convincing clone, and wait for someone to mistype or click a phishing link. The APWG tracked over 1.1 million unique phishing attacks in 2024, and most of them ran through lookalike domains the targeted brand had never scanned for.

A typosquat checker (also called a typosquatting checker or lookalike domain scanner) closes that blind spot. It generates every plausible misspelling and variant of your domain, checks each one against live DNS and WHOIS data, and surfaces the ones that are already registered and potentially staged for a campaign. This guide covers how that process works under the hood, what signals separate a real threat from a harmless coincidence, and what to do when you find something.


What Is Typosquatting?

Typosquatting is the practice of registering domain names that closely resemble a legitimate brand’s domain, with the intent to intercept traffic, run phishing campaigns, or profit from consumer confusion. Unlike most cyberattacks, it requires no technical skill. A $10 domain registration fee is the only barrier to entry.

Attackers rely on a small set of well-documented mutation techniques:

  • Character transposition: two adjacent letters swapped (payapl.com instead of paypal.com). Transposition is the most common keyboard typo humans make.
  • Character omission: a single letter dropped and easy to miss, like paypl.com or amazn.com.
  • Homoglyph substitution (IDN homograph attacks): Latin characters replaced with visually identical Unicode or Cyrillic equivalents. The “a” in pаypal.com may look identical in a browser address bar but resolves to a completely different domain.
  • TLD swapping: the same name registered under a different top-level domain such as .net, .co, .org, .io, or any of the hundreds of newer gTLDs.
  • Combosquatting: a high-trust word appended or prepended to the brand name, like paypal-secure.com or login-amazon.com. The Interisle Cybercrime Supply Chain report found combosquatting accounts for roughly 60% of brand-abusive domain registrations.
  • Subdomain abuse: registering a generic domain and placing the brand name in a subdomain, such as paypal.account-verify.com, which exploits users who check the subdomain rather than the registrable part.
  • Separator insertion: adding hyphens (pay-pal.com) or removing them from hyphenated brand names.
  • Double-character insertion: repeating a letter as in payypal.com or googgle.com.

Proofpoint’s 2025 State of the Phish report found over 94% of organizations experienced at least one phishing attack in 2024. Lookalike domains are the delivery mechanism behind the majority of those incidents.

How a Typosquat Checker Works: The Technical Breakdown

A modern typosquat checker is not a simple dictionary lookup. It runs a systematic pipeline of checks designed to surface genuine threats while filtering out noise. Here is what happens at each stage.

1. Permutation Generation

The engine applies a library of character-level mutation algorithms to the input domain. For a 12-character domain like yourcompany.com, this typically produces 500 to 2,000+ unique candidate domains depending on permutation depth. The mutations cover transpositions, insertions, omissions, substitutions, keyboard-adjacency swaps (keys that sit next to each other on a QWERTY layout), homoglyph replacements, TLD variants, combosquatting patterns, and dot-notation variants.

2. DNS Resolution

Each generated variant is queried for A and AAAA records. A resolved IP address means a live web server exists. This is the first hard signal that a domain has been activated. Unresolved domains are not discarded entirely, since an attacker may not yet have pointed DNS, but resolved ones are prioritized for deeper analysis.

3. MX Record Enumeration

Mail exchange records reveal whether a domain has email infrastructure configured. A live MX record on a lookalike domain is one of the most dangerous signals a typosquat checker can detect. It means the domain owner can already send and receive mail that appears to come from your brand. Research from PhishLabs indicates more than 15% of lookalike domains that resolve in DNS carry active MX records. That is not a passive squatter waiting to flip the domain. That is an inbox ready to launch a campaign.

4. WHOIS Enrichment

For each resolved domain, the scanner fetches publicly available registration metadata: creation date, registrar, registrant country, and privacy proxy status. Domains registered within the last 30 days receive a high-risk flag. Attackers typically register campaign-specific lookalikes immediately before a phishing launch, so finding a fresh registration before the campaign fires is the best possible outcome of a scan.

5. Risk Scoring

Individual signals are weighted and combined into a composite risk score. The table below shows how those signals stack up. When active DNS, a live MX record, and a registration age under 30 days align on the same domain, that combination reliably identifies a domain that is operationally ready for a phishing campaign regardless of whether abuse has been reported yet.

Signal                                     | Why It Matters                                | Risk Weight
Live DNS (A record resolves)               | Domain is active and hosted                   | Medium
MX record present                          | Can send phishing email right now             | High
Registered under 30 days ago               | Freshly registered, likely pre-campaign       | High
SSL certificate issued                     | Padlock makes phishing page convincing        | Medium
Redirect to the real domain                | Traffic hijacking or ad arbitrage             | Medium
Known-risk registrar or registrant country | Correlates with abuse patterns in threat data | Low-Med
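Stages 2 to 5 (DNS resolution, MX enumeration, WHOIS enrichment and risk scoring) fit together as shown in the following added example, which is illustrative code for this article and not SpoofChecker's pipeline. It takes already-generated candidates, asks a resolver for A/AAAA, MX and WHOIS data, and combines the signals using the table above. Two things are assumptions: the numeric mapping of the table's qualitative weights (High=3, Medium=2, Low-Med=1) and the tier thresholds. The resolver is an in-memory stub filled with constructed answers so the code runs offline; a real scanner would back lookup() with live DNS and WHOIS queries.

```python
"""Stages 2-5 of the scan pipeline: DNS, MX, WHOIS enrichment and risk scoring.

Added example, not SpoofChecker's code. Weights, thresholds and the stub
resolver's answers are assumptions constructed for this illustration.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta

FRESH_DAYS = 30  # registrations younger than this get the high-risk flag


@dataclass
class Record:
    """What the lookups returned for one candidate domain."""
    a: list[str] = field(default_factory=list)   # A/AAAA answers (empty = unresolved)
    mx: list[str] = field(default_factory=list)  # MX answers (empty = no mail setup)
    created: date | None = None                  # WHOIS creation date (None = not registered)
    tls_cert: bool = False                       # a certificate has been issued for the name
    redirects_to: str | None = None              # HTTP redirect target, if any
    risky_registrar: bool = False                # registrar/country flagged in threat data


class StubResolver:
    """Offline stand-in for DNS and WHOIS lookups (answers are constructed)."""

    def __init__(self, table: dict[str, Record]):
        self.table = table

    def lookup(self, domain: str) -> Record:
        return self.table.get(domain, Record())  # unknown name: nothing registered


# Assumed numeric mapping of the table's qualitative weights
WEIGHTS = {
    "live_dns": 2,            # Medium
    "mx_present": 3,          # High
    "fresh_registration": 3,  # High
    "tls_cert": 2,            # Medium
    "redirect_to_brand": 2,   # Medium
    "risky_registrar": 1,     # Low-Med
}


def signals_for(rec: Record, brand: str, today: date) -> dict[str, bool]:
    """Turn raw lookup data into the boolean signals the table scores."""
    fresh = rec.created is not None and (today - rec.created).days < FRESH_DAYS
    return {
        "live_dns": bool(rec.a),
        "mx_present": bool(rec.mx),
        "fresh_registration": fresh,
        "tls_cert": rec.tls_cert,
        "redirect_to_brand": rec.redirects_to == brand,
        "risky_registrar": rec.risky_registrar,
    }


def score(signals: dict[str, bool]) -> int:
    return sum(WEIGHTS[name] for name, hit in signals.items() if hit)


def tier(points: int) -> str:
    """Assumed thresholds: live DNS + MX + fresh registration (8) is campaign-ready."""
    if points >= 8:
        return "critical"
    if points >= 5:
        return "high"
    if points >= 2:
        return "medium"
    return "low"


def scan(brand: str, candidates: list[str], resolver: StubResolver, today: date) -> list[dict]:
    """Enrich and score each candidate; unregistered names are dropped, the rest sorted by risk."""
    report = []
    for name in candidates:
        rec = resolver.lookup(name)
        if not rec.a and rec.created is None:
            continue  # neither DNS nor WHOIS knows it: not registered
        sig = signals_for(rec, brand, today)
        pts = score(sig)
        report.append({
            "domain": name,
            "score": pts,
            "tier": tier(pts),
            "signals": [k for k, hit in sig.items() if hit],
        })
    report.sort(key=lambda r: (-r["score"], r["domain"]))
    return report


# Constructed sample answers for a handful of candidates
TODAY = date(2025, 3, 1)
SAMPLE = {
    "paypal-secure.com": Record(a=["203.0.113.10"], mx=["mail.paypal-secure.com"],
                                created=TODAY - timedelta(days=5), tls_cert=True),
    "paypl.com": Record(a=["198.51.100.7"], created=date(2019, 6, 1),
                        redirects_to="paypal.com"),
    "payypal.com": Record(created=TODAY - timedelta(days=3)),  # WHOIS only, DNS not pointed yet
    "paypal.net": Record(a=["192.0.2.44"], created=date(2015, 1, 1)),
}
CANDIDATES = ["payapl.com", "paypal-secure.com", "paypl.com", "payypal.com", "paypal.net"]

if __name__ == "__main__":
    for row in scan("paypal.com", CANDIDATES, StubResolver(SAMPLE), TODAY):
        print(f"{row['tier']:8s} {row['score']:2d}  {row['domain']:20s} {', '.join(row['signals'])}")
```

Note that a WHOIS-only registration (payypal.com in the sample) still reaches the report with the fresh-registration flag set, which is the "unresolved domains are not discarded entirely" behaviour from stage 2; the completely unknown candidate (payapl.com) is dropped.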

The Typosquatting Threat Landscape by the Numbers

Typosquatting is not a theoretical risk. It is one of the most cost-effective attack vectors available to criminals, and the data makes that clear.

$2.77B: BEC losses reported to FBI IC3 in 2024
1.1M+: Unique phishing attacks tracked across 2024 (APWG)
1.1M: Phishing domains identified in one year (Interisle 2022)
94%+: Organizations experienced phishing attacks in 2024 (Proofpoint 2025)
#1: Phishing ranked top initial access vector in breaches for 3rd straight year (Verizon DBIR 2024)
15%+: Of resolved lookalike domains carry live MX records (PhishLabs)

The economics strongly favor the attacker. A domain registration costs under $15. A successful BEC attack nets an average of $125,000 per incident according to FBI IC3 data. Digital risk protection research consistently finds that every major global brand has 15 to 50 or more registered lookalike domains at any given time. A typosquat checker makes the attack surface visible so defenders can respond before a campaign launches.

What Makes a Lookalike Domain High-Risk?

Not every registered lookalike is a threat. Some are defensive registrations by the brand itself; others are genuinely coincidental overlaps with unrelated businesses. These are the signals that separate actionable threats from background noise.

Active DNS Resolution

A domain that resolves to an IP address is being hosted somewhere. This is the minimum threshold for active use. Parked domains with a registrar’s placeholder page are less immediately dangerous than domains pointing to a real server, but the registrar parking page itself can contain pay-per-click ads that monetize misdirected traffic.

Live MX Records

This is the most dangerous signal a typosquatting checker can surface. MX records are not needed for a website. They exist to route email. A lookalike domain with an MX record is configured to send or receive messages, which means an attacker is one spoofed invoice away from a successful BEC attack. When a scan surfaces a newly registered lookalike with an active MX record, it should be treated as an immediate priority.

Recent WHOIS Registration

Domains registered within the past 30 days deserve immediate attention. Attackers do not register campaign infrastructure months in advance. They spin up fresh domains as close to the campaign launch as possible to stay ahead of blocklists. Finding a recently registered lookalike during a scan is the closest a defender gets to catching an attack in its preparation phase.

SSL Certificate Presence

Free SSL certificates are available to anyone within minutes of domain registration. A lookalike with HTTPS enabled shows a padlock in the address bar, and a significant percentage of users still treat that padlock as a trust signal. Certificate Transparency logs also allow retrospective detection. Even if a domain’s DNS is later cleaned up, its SSL issuance history persists in publicly accessible logs.

Redirect Behavior

A lookalike domain that 301-redirects to the legitimate site may be engaged in traffic arbitrage, intercepting users who mistyped and monetizing that traffic through affiliate links or ad networks before passing them through. While less obviously malicious than a phishing clone, this still diverts revenue and exposes visitors to intermediary tracking.

Free vs. Paid Typosquat Checkers

Both have a place in a brand protection strategy, but they serve different needs.

Feature                           | Free Typosquat Checker | Paid / Continuous Monitoring
Permutation scan                  | On demand              | Continuous
Live DNS + MX detection           |                        |
WHOIS enrichment                  | Limited                | Full history
Real-time new-registration alerts |                        |
Historical change tracking        |                        |
Takedown support                  |                        |
Multiple domains                  | One at a time          | Portfolio-wide

For a founder running a one-time audit before a product launch, a free typosquatting checker is the right starting point. For any brand running paid advertising, processing transactions, or operating in a regulated industry, continuous monitoring is not optional. The threat landscape changes daily, and a lookalike domain found 48 hours after a campaign launch has often already reached thousands of inboxes.


Frequently Asked Questions About Typosquat Checkers

What is a typosquat checker?

A typosquat checker is a security tool that automatically generates hundreds of lookalike variants of your domain name, including misspellings, character swaps, homoglyph substitutions, and TLD variations, then checks each one to see whether it is registered and active. Variants that resolve in DNS, carry live email infrastructure, or were registered very recently are flagged as potential threats, giving brand owners a prioritized list of domains to investigate or escalate.

How do I know if someone is typosquatting my domain?

The most reliable method is running a typosquatting checker. Manual warning signs include unexpected spikes in support tickets from customers who visited “your site” but saw something unfamiliar, reports from partners of emails sent from slightly-off addresses, or mentions in threat intelligence feeds. Most typosquatting goes unreported until it is too late. Pay particular attention to domains combining your brand name with words like secure, login, support, or account, and any recently registered domain carrying an active MX record.

Is typosquatting illegal?

In most jurisdictions, typosquatting is illegal when the registrant’s intent is to profit from brand confusion, intercept traffic, or deceive consumers. In the United States, the Anticybersquatting Consumer Protection Act (ACPA) allows trademark holders to sue for statutory damages between $1,000 and $100,000 per domain and to obtain domain transfers through federal court orders. The UDRP (Uniform Domain-Name Dispute-Resolution Policy), administered by ICANN-accredited providers like WIPO and NAF, offers a faster arbitration path that typically resolves in 45 to 60 days. Defensive registrations, parody sites, and criticism domains occupy a legal grey area evaluated on a case-by-case basis.

How many lookalike domains does the average brand have?

More than most brands expect. Analysis of Fortune 500 domains by digital risk protection researchers consistently finds 15 to 50 or more registered lookalikes per major brand at any given time. Mid-market brands typically have fewer ambient lookalikes, but targeted phishing campaigns can produce dozens of new registrations within a single 24-hour window, particularly around product launches, earnings announcements, or high-profile media coverage. Running a typosquat checker at regular intervals (monthly at minimum, weekly for high-value brands) is the only reliable way to track what exists.

Can a free typosquat checker protect my business?

A free typosquatting checker gives you an accurate snapshot of the lookalike landscape as it stands today. But protection requires continuous monitoring. Attackers register new campaign domains constantly, and the window between registration and campaign launch can be as short as a few hours. Real-time monitoring with email alerts means your team learns about a new threat as soon as it appears in DNS, not days later when customers start reporting it. Use the free checker to understand your current exposure and ongoing monitoring to stay ahead of it.

Conclusion: Do Not Wait for a Customer to Report It

Every day your domain goes unmonitored is a day an attacker could register yourbrand-secure.com, configure an inbox, and start targeting your customers. The tools to prevent that are not expensive, and the first scan takes under a minute.

A typosquat checker turns an invisible threat into a visible, prioritized list of domains you can act on. Whether that means filing a UDRP complaint, reporting a phishing domain to its registrar, or simply knowing which MX-equipped lookalike to watch most closely, the data above makes clear this is not a hypothetical category. It is the most common delivery mechanism behind the most financially damaging type of cybercrime operating right now.

See What Lookalike Domains Are Targeting Your Brand

Live DNS checks, MX record detection, WHOIS registration age, and risk scoring. No account required.

Free Typosquat Checker

Scan your domain for typosquatting and lookalike domains — enter your work email and we’ll check for registered lookalike domains and send you the results, free.


Typo Permutations

Generates hundreds of lookalike domain variations using character swaps, insertions, deletions, homoglyph substitutions, and TLD variations — covering every technique attackers use to impersonate your domain.

DNS Registration Check

Queries live DNS records to identify which lookalike domains are actively registered. Only real, reachable domains are flagged — no false positives from unregistered variants.

Mail Server Detection

Checks whether registered lookalike domains have MX records configured, identifying active phishing infrastructure that can send email impersonating your brand.

About Typosquat Checking

What is a typosquat checker?

A typosquat checker (also called a lookalike domain scanner) scans the internet for domains that are slight misspellings or visual variations of your domain — for example, g00gle.com or gooogle.com targeting google.com. These typosquatting domains are registered by attackers to intercept email, impersonate your brand, or run phishing campaigns against your employees and customers.

What is typosquatting?

Typosquatting is a cyber attack where an adversary registers domain names that closely resemble a target’s legitimate domain. Common techniques include letter transposition (e.g. acme vs amce), character insertion or deletion, homoglyph substitution (replacing letters with visually similar characters), and TLD variations (e.g. .net instead of .com). Typosquatted domains are frequently used for business email compromise (BEC), phishing, and brand impersonation.

How does this free typosquat checker work?

Enter your work email address and SpoofChecker extracts your domain, generates hundreds of typo permutations — character swaps, insertions, deletions, homoglyphs, and TLD variations — then checks DNS records in real time to find which ones are actively registered. Results appear in seconds and are emailed to you for free.

What’s the difference between the free scan and a full scan?

The free scan checks DNS-registered lookalike domains in real time. The full scan also detects WHOIS-only registrations (domains registered but not yet live in DNS), identifies mail servers on lookalike domains indicating active phishing infrastructure, provides registrar and threat intelligence data, and monitors for new typosquatting registrations 24/7 with automated alerts.

Need continuous monitoring and real-time alerts? View monitoring plans