Your corporate domain portfolio is part of your security perimeter.
Your primary domain hosts your public website. It supports your email identity. It powers your customer portal and login flows. It may support application authentication or customer support channels. If your brand appears in an ad or social post, the primary domain may even support those links.
A similar domain can undermine that trust without accessing or disrupting your company’s actual infrastructure. All the attacker needs is a convincing typographical variant, a mail server to accept webmail traffic, and a basic phishing landing page.
Defensive domain registration is the process of registering variants that resemble or relate to a corporate brand. Companies typically don’t develop websites on every defensive domain. Instead, they prevent abusive registrations from phishers, cybersquatters, trademark trolls, and other parties who want to impersonate the brand.
Defensive registration has become more valuable over time. There are now many more top-level-domains than when Marks & Spencer, Nissan, and Samsung began their defensive portfolios.
Trademark owners used to focus on exact equivalents across dozens of extensions. Now brands register defensively across hundreds of extensions. And every newly delegated top-level-domain creates new naming opportunities for legitimate businesses — as well as new space for a recognizable brand to be abused.
Reminder: There are over 1300 top-level-domains represented in the IANA Root Zone Database. Not every one is available for registration, but that’s still a lot of namespace to protect.
Organizations cannot register every permutation of their brands. There are many TLDs, thousands of keyboard languages, and countless errors that humans can make while typing a URL. Defensive registrations are about risk mitigation, not volume.
Prioritize registration of expected combinations and misspellings. Identify domains you want to monitor via Registry Watch services. Automate when possible, tag all registrations internally, and create a response plan for when abusive domains are discovered.
Defensive registrations are part of risk management.
Focus on impact rather than quantity. Your defensive domain portfolio should not be measured by how many names you own. It should be measured by how effective your domains are at reducing risk.
Tip: Defensive registrations protect your brand when attacked directly. Threat intelligence monitoring addresses the domains that matter most — when you don’t own them.
A defensive portfolio is just one layer in your insurance strategy.
Companies register defensive domains before someone else buys them. Some brands redirect suspicious registrations to the corporate website. Others leave registrations parked with restrictive DNS settings.
There are three ways this can protect your brand:
Misspellings are taken offline before a phishing campaign starts.
Customers encountering a confusingly similar domain may fail to find your website. Those who locate your real site might question whether they’ve been hacked.
An attacker can send deceptive emails from a domain that looks similar to your primary domain.
Customers see lookexampl.e replacement on a phishing page may not notice subtle differences if the fake website looks authentic. Similar domains can also send emails that impersonate your brand.
Establish and maintain controls where they’re available.
Tip: Domain portfolios protect infrastructure. Protect your domains like they protect your business. Multifactor authentication is only available for domain owners at a handful of registrars. Prevent attacks before they happen by deploying phishing-resistant MFA where it’s available.
These domains don’t develop websites. They stop others from doing it first.
Periodically assess the risk each defensive domain mitigates.
Lookalike domains pose an elevated risk when connected to monetization tactics, user access controls, regulated industries, or sensitive customer journeys. Payment portals, login screens, recovery pages, transfer applications, brokerage services, and email encryption keys all qualify.
It’s reasonable to monitor other brands defensively. Abusive registrations that target someone else’s trademark usually don’t affect your security posture directly.
Redundancy creates opportunity for these mistakes to proliferate:
Inconsistent locking can cause dangerous gaps in coverage. When brands try to lock every defensive domain individually, it’s easy to miss a rarely-used foreign suffix or unintentionally reverse a lock on an important country-code domain.
Purchase decisions can be difficult to audit retrospectively. Did you really mean to register exampletech.ai for offensive purposes? Lacking clear requirements or better documentation, teams will struggle to justify aggressive registrations or articulate why they chose not to register a defensive variant.
Centralized portfolio visibility is difficult with numerous legacy accounts. Incomplete registrations create gaps in coverage. Disparate accounts hinder both registration and monitoring efforts.
Monitoring plus automation equals consistency.
Use a tiered approach to prioritize defenses across multiple TLDs.
When your company sits close to someone’s payment page or customer journey, that overlap justifies defensive registrations across multiple TLDs. If your organization doesn’t operate in nearly every country or industry category then registering thousands of blind variants is probably unnecessary.
Coverage gaps are dangerous, not registering every possibility is fine.
Large sets of defensive registrations should be prioritized in layers.
Tier 1: Domains you cannot afford to lose
Tier 2: Extensions customers might expect your company to register.
Tier 3: Typographical variants.
Tier 4: Everything else
Monitor continuously and investigate new registrations that match your predefined criteria.
Recovery is difficult when abusive registrations are discovered.
Domain recovery services are expensive. UDRP filings don’t guarantee your brand recoveries faster than abusive registrants generate new scams. (Example)
Even when you win your case, the attacker keeps their domain name.
Risk cannot always be mitigated after registration.
A typo typo typo is about to sell you poison
Buying typographical variations and using them to redirect traffic to the official website is a common defensive tactic. “Typosquatting” is catching mistakes before they reach your customers.
Each misspelling corrected manually increases the chance of a typo making it through to a customer.
Why reinvent the keyboard when phishing attacks follow predictable patterns?
If hackers and cybercriminals are inspired to mutate every character on a brand’s main website, they could register more than a trillion variations of amazon.com alone.
Instead of listing every misspelled combination that would redirect to amazon.com, companies focus on the most common variations that actual customers are likely to encounter.
These hurt the most common typos fueled nearly half of all traffic routed to this typo-redirect portfolio.
Customers literally cannot see these threats. The characters are swapped, missing, or duplicated without adding additional words that might cause suspicion. Low probability typos are not fun.
Time to take action: prioritize common misspellings for registration. Monitoring unless Amazon is your company name.
Approaches to typosquatting mitigation
Safe navigation can’t account for every human mistake. This post outlines one methodology for identifying risks worth registering in advance.
Additional reading: HEIMVERK published their extensive research on typo registration years ago. Alibis captured more than 100 million typographical errors using less sophisticated analysis.
Addition (e.g., example.com .amazon)
Deletion (e.mple.com .amzon)
Transposition (exmaple.com .amzdon)
Replacement (exampke.com .amxzon)
Reversed (elpmaxe.com .zonam)
Even DNS cannot correct these errors automatically.
If step 1 left you with too many names to
register, sort your list by probability. Focus on registering common
typographical variations that are “high risk” according to your policy.
Evaluate risky misspellings manually and determine whether each deserves
registration or monitoring.
Human error is predictable enough to quantify. There’s a formula for generating input errors called the Damerau–Levenshtein distance. To simplify that equation, several security firms analyzed billions of URLs and identified patterns consistently exploited by scammers.
These attacks rely on someone entering an incorrect URL. Nothing in this article will keep people from mistyping sensitive login pages or payment forms.
Strong security requires getting the typo you didn’t register.
Your typo redirection services won’t correct every user error. Imagine a customer notices something isn’t “right” but can’t identify the mistake.
Malicious registrants exploit brands when users miss-see…
1. Characters that sound the same (pharma@
legitmail.pharm).
2. Addresses that look identical (support@mybanking.com vs
support@mybanking.org).
3. Legitimate websites that contain typographical errors (burgerking.com).
In each of these cases, a prospective customer notices an issue but may not know where or how to report their concerns.
Drive attachments to your official domains wherever possible. Be sure to reserve exact equivalents (competebrand .com) when registering defensively. Use Registry Watch services to track abusive registrations you don’t own.
Domain squatting is baiting, whether you plan to sell the name or not.
Search typo squatting created the tips above. It’s embarrassing to admit that I copied an analysis published elsewhere, but running these searches again can help others find more ambiguous abuse cases.
If cybercriminals squat example.com account manipulation pages to distribute malware, they’re likely squatting on other brands too.
The tables below outline campaigns I discovered while researching typo redirection services. Neither of these brands sold typographical variations to prevent impersonation. The typo-redirect service buying every typographical combination wouldn’t have prevented abuse either.
Domain squatting 101: don’t legitimise test environments, invoice scams, and typosquatting.
Many smilar but phishing-resistant brands don’t redirect typos.
2. Misspellings purchased defensively by these brands landed in cybersquatting portfolios last year.
Brand X Typos Y Scams Redirected?
YES NO YES
A fake webpage that resembles your company branding usually doesn’t require exact matches across every letter. Big brands might register typographiccorrections.com defensively without seeing any benefits.
Note: This same principle applies to (almost) any keyword you consider registering defensively.
Parking typos is one thing. Squatting.
Do luxury watch brands have typo redirection services?
At least one typo redirect service was parked and not accepting user traffic at the time of this post.
Google indexed over 55 million result pages for one misspelled brand. Hackers might squall multiple typos of brand names that offer legitimate services.
If error trapping redirected to official domains, wouldn’t search engines surface actual scams more effectively?
Yes and no. The typo redirection services in this example protected users better than exact equivalents registered defensively.
Exact matches matter when intentional typos target sensitive journeys.
The typo redirection service didn’t protect branded keywords appearing in spoofed invoice scams or fake support pages asking customers to validate their login credentials. At least 50 customers submitted complaints after interacting with these phishing sites.
Was this parked typo squatting?. Possibly.
Had companies redirected these exact combinations typo customers would have landed on legit sites. Clean typosquatting except everyone loses….
Parking tells cybercriminals your business is active. Let’s say a threat actor registers amazon01.com and amazon999.com.
Buy defensively or lose your customers to scammers.
The registrar lists over 22 typo combinations defensively registered by this brand in October 2023. Monitoring subscriptions are sometimes less expensive than manual registrations.
Domain squatting lesson 2: register functional monetization pages defensively if your budget allows it.
Parking says you’re online. Throw up offensive pages and charge enough to cover your registrar’s price.
Time to panic: someone is squatting on all my favorite brands.
Google “find typo squatting domains” and wait for page 2 results to embarrass you.
I recommend BRAND / domain:parked intitle:@ example.com intitle:admin ssl
Squared vs rounded brackets creates dozens of examples I can’t legally link to.
Note the subdomain intext: ”Remote Desktop” lang:en which is parked and set to capture Remote Desktop users.
Consider reviewing your defensive posture before preemptively registering every TYPO_SQUATTED™ opportunity MarkMonitor offers.
Protect your corporate domain portfolio.
Phishing-resistant multi-factor authentication
Role-based access controls
Monitoring and prioritization
Don’t forget to document and audit your defenses.
If you haven’t already guessed, DNS reflects more than directory services.
Your domains facilitate communication, but every controlled typo is also another data point collected by scrapers.
Don’t assume your direct competitors monitor defensive registrations either. Malware authors re-used expired WordPress blogs across hundreds of typos recently.
Prioritize risk. Secure the domains that matter most. Brand defensively if your security budget allows.