SOMEONE REGISTERED A DOMAIN THAT LOOKS LIKE MINE - now what?

By Ṣọ Email Security | 5 min read

Discovered a lookalike domain impersonating your business? Learn how to assess the threat, take action, and protect your brand from domain spoofing attacks.

Tags: Domain Security, Typosquatting, Brand Impersonation, Email Security, Phishing, Business Email Compromise, Domain Protection

2025-12-18

You search for your company name and find something disturbing: someone has registered a domain that's nearly identical to yours. Maybe it's yourcompany.co instead of yourcompany.com. Maybe it's your-company.com with a hyphen. Maybe it's yourconpany.com with a subtle typo.

Your stomach drops. Is someone planning to impersonate you? Are they already sending emails to your clients? What can you actually do about this?

Let's work through it.


First: assess the situation

Not every lookalike domain is malicious. Before you panic, consider the possibilities:

It could be a different business. "BlueSky" might be your marketing agency in Denver and also a roofing company in Tampa. Both have legitimate claims to similar domains.

It could be a domain squatter. Some people register domains speculatively, hoping to sell them later. Annoying, but not immediately dangerous.

It could be defensive registration. A company might register typos of their own domain to prevent misuse.

It could be malicious. Someone might be planning or already conducting phishing attacks, invoice fraud, or impersonation schemes using your brand.

The appropriate response depends on which scenario you're facing.


Investigate before acting

Start with basic reconnaissance:

Check what's on the domain

Visit the lookalike domain to see what it serves, but not from your everyday workstation: use an isolated browser profile or a throwaway VM, or submit the URL to a scanning service such as VirusTotal or urlscan.io and read its screenshot instead. Private browsing mode only stops your browser saving history; it does nothing to protect you from malicious content. What do you see?

  • A parked page with ads? Likely a squatter.
  • An unrelated legitimate business? Different company, same naming idea.
  • A copy or imitation of your website? Red flag.
  • An error or blank page? Could be newly registered, purpose unclear.

Look up registration information

Use a WHOIS or RDAP lookup (RDAP is the structured JSON successor to WHOIS and is what most registries serve today) to see when the domain was registered and by whom. Registrant details are usually redacted now, but you can still see:

  • Registration date (a lookalike registered days or weeks ago is far more suspicious than one that has existed for years)
  • Registrar used (you will need this for an abuse report)
  • Name servers (a parking service suggests a squatter; a commodity hosting or DNS provider suggests something is being built; name servers shared with other reported phishing domains are a strong signal)
  • Status codes (clientHold or serverHold means the registrar or registry has already pulled the domain out of DNS)
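As an added example (not code from the article or from Ṣọ Email Security), here is a small Python script that pulls those facts out of an RDAP response. The live lookup goes through the rdap.org redirector; the demo runs on a constructed response for the hypothetical lookalike yourconpany.com so it works offline, and the registrar, dates and name servers in it are invented. The 90-day "recent" threshold is an assumption to tune.

```python
"""Summarise an RDAP (JSON WHOIS) response for a suspected lookalike domain.

Added example, not part of the original article. Standard library only; the
live fetch needs network access, the constructed demo does not.
"""
from __future__ import annotations

import json
from datetime import datetime, timezone
from typing import Optional

RECENT_DAYS = 90  # assumption: registrations younger than this deserve extra scrutiny


def fetch_rdap(domain: str) -> dict:
    """Live lookup through the rdap.org bootstrap redirector (network required)."""
    from urllib.request import Request, urlopen

    req = Request(f"https://rdap.org/domain/{domain}",
                  headers={"Accept": "application/rdap+json"})
    with urlopen(req, timeout=15) as resp:
        return json.load(resp)


def vcard_field(entity: dict, name: str) -> Optional[str]:
    """Read one property (e.g. 'fn') from an entity's jCard array."""
    vcard = entity.get("vcardArray") or ["vcard", []]
    for prop in vcard[1]:
        if prop[0] == name:
            return prop[3]
    return None


def summarise_rdap(doc: dict, now: Optional[datetime] = None) -> dict:
    """Extract registration date, registrar, name servers, status and privacy use."""
    now = now or datetime.now(timezone.utc)
    events = {e["eventAction"]: e["eventDate"] for e in doc.get("events", [])}
    registered = events.get("registration")
    age_days = None
    if registered:
        reg_dt = datetime.fromisoformat(registered.replace("Z", "+00:00"))
        age_days = (now - reg_dt).days

    registrar = registrant = None
    for ent in doc.get("entities", []):
        roles = ent.get("roles", [])
        if "registrar" in roles and registrar is None:
            registrar = vcard_field(ent, "fn")
        if "registrant" in roles and registrant is None:
            registrant = vcard_field(ent, "fn")
    privacy = registrant is None or any(
        k in registrant.lower() for k in ("redacted", "privacy", "proxy"))

    summary = {
        "domain": doc.get("ldhName", "").lower(),
        "registered": registered,
        "age_days": age_days,
        "registrar": registrar,
        "registrant": registrant,
        "privacy_protected": privacy,
        "nameservers": sorted(ns["ldhName"].lower() for ns in doc.get("nameservers", [])),
        "status": doc.get("status", []),
        "findings": [],
    }
    if age_days is not None and age_days < RECENT_DAYS:
        summary["findings"].append(f"registered {age_days} days ago: recent lookalike registration")
    if any(s in ("client hold", "server hold") for s in summary["status"]):
        summary["findings"].append("on hold: the registrar or registry has already suspended it")
    return summary


# Constructed RDAP document for the hypothetical lookalike yourconpany.com;
# registrar, dates and name servers are invented for the demo.
CONSTRUCTED_RDAP = {
    "objectClassName": "domain",
    "ldhName": "YOURCONPANY.COM",
    "status": ["client transfer prohibited"],
    "events": [
        {"eventAction": "registration", "eventDate": "2025-12-01T10:00:00Z"},
        {"eventAction": "expiration", "eventDate": "2026-12-01T10:00:00Z"},
    ],
    "nameservers": [{"ldhName": "NS2.PARKING.EXAMPLE.NET"}, {"ldhName": "NS1.PARKING.EXAMPLE.NET"}],
    "entities": [
        {"roles": ["registrar"],
         "vcardArray": ["vcard", [["version", {}, "text", "4.0"], ["fn", {}, "text", "Example Registrar, Inc."]]]},
        {"roles": ["registrant"],
         "vcardArray": ["vcard", [["version", {}, "text", "4.0"], ["fn", {}, "text", "REDACTED FOR PRIVACY"]]]},
    ],
}

if __name__ == "__main__":
    import sys
    doc = fetch_rdap(sys.argv[1]) if len(sys.argv) > 1 else CONSTRUCTED_RDAP
    print(json.dumps(summarise_rdap(doc), indent=2))
```

Run it with a domain argument for a live lookup, or without one for the constructed demo. The registrar name is what you will search for when looking up an abuse contact, and the name servers tell you at a glance whether the domain is parked or pointed at real infrastructure.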

Check if it's sending email

This is the critical question. A parked domain is annoying. A domain actively sending emails as you is an emergency.

Look up the domain's DNS records with an email-authentication checker or dig. MX records mean it can receive mail (replies to a fake invoice, for instance); an SPF record means someone has configured outbound sending so it passes authentication checks; a DMARC record at _dmarc.<domain> shows the operator cares about deliverability. DKIM cannot be enumerated without knowing the selector, so its absence from a lookup tells you nothing. Treat any of these records on a typosquatted domain as a strong sign that mail is being sent or prepared, but do not read their absence as proof of safety: mail can be sent without them, it just fails more filters.

If you receive DMARC aggregate reports, review them. They only cover messages that claim to be from your own domain, so they won't show mail from the lookalike, but a spike in unauthenticated messages using your exact domain from the same sending infrastructure can indicate the same actor is working both angles.
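The check above, as an added example rather than code from the article or from Ṣọ Email Security: it reads a domain's MX, SPF and DMARC records and turns them into findings. The live lookup uses the dnspython library (imported lazily, so nothing breaks if it is missing); the demo runs on constructed records for two hypothetical lookalikes, and the mail hosts and SPF includes in them are invented.

```python
"""Check whether a lookalike domain has mail infrastructure in DNS.

Added example, not part of the original article. The live lookup uses
dnspython (pip install dnspython), imported lazily so the module and the
offline demo work without it.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import Optional

SPF_RE = re.compile(r"^v=spf1(\s|$)", re.IGNORECASE)
DMARC_RE = re.compile(r"^v=DMARC1\b", re.IGNORECASE)


@dataclass
class MailPosture:
    domain: str
    mx: list[str]
    spf: Optional[str]
    dmarc_policy: Optional[str]              # "none", "quarantine", "reject" or None
    spf_includes: list[str] = field(default_factory=list)
    findings: list[str] = field(default_factory=list)

    @property
    def mail_capable(self) -> bool:
        """True if DNS shows any mail setup at all."""
        return bool(self.mx or self.spf or self.dmarc_policy)


def parse_dmarc_tags(record: str) -> dict[str, str]:
    """'v=DMARC1; p=none; rua=mailto:x' -> {'v': 'DMARC1', 'p': 'none', 'rua': 'mailto:x'}"""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_mail_posture(domain: str, mx: list[str], txt: list[str], dmarc_txt: list[str]) -> MailPosture:
    """Classify a domain from its MX records, apex TXT records and _dmarc TXT records."""
    spf = next((r for r in txt if SPF_RE.match(r)), None)
    dmarc = next((r for r in dmarc_txt if DMARC_RE.match(r)), None)
    policy = parse_dmarc_tags(dmarc).get("p", "").lower() if dmarc else ""
    includes = re.findall(r"include:(\S+)", spf, re.IGNORECASE) if spf else []
    posture = MailPosture(domain, list(mx), spf, policy or None, includes)
    notes = posture.findings
    if mx:
        notes.append(f"MX present ({', '.join(mx)}): can receive replies, e.g. to a fake invoice")
    if spf:
        via = f" via {', '.join(includes)}" if includes else ""
        notes.append(f"SPF published{via}: outbound mail has been set up to pass authentication")
    if policy:
        notes.append(f"DMARC published with p={policy}: the operator is investing in deliverability")
    if not posture.mail_capable:
        notes.append("no mail records: not proof of inactivity, mail can still be sent, it just fails more filters")
    return posture


def resolve_mail_records(domain: str) -> tuple[list[str], list[str], list[str]]:
    """Live DNS lookup; returns (MX hosts, apex TXT records, _dmarc TXT records)."""
    import dns.exception
    import dns.resolver

    def query(name: str, rtype: str) -> list:
        try:
            return list(dns.resolver.resolve(name, rtype))
        except dns.exception.DNSException:
            return []

    def txt_strings(name: str) -> list[str]:
        return [b"".join(r.strings).decode("utf-8", "replace") for r in query(name, "TXT")]

    mx = [str(r.exchange).rstrip(".") for r in query(domain, "MX")]
    return mx, txt_strings(domain), txt_strings(f"_dmarc.{domain}")


# Constructed records for two hypothetical lookalikes; not real DNS data.
CONSTRUCTED = {
    "yourconpany.com": (
        ["mx1.mail.example.net"],
        ["v=spf1 include:_spf.example.net -all"],
        ["v=DMARC1; p=none; rua=mailto:reports@yourconpany.com"],
    ),
    "your-company.com": ([], ["some-site-verification=abc123"], []),
}

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:                      # live: python check_mail.py yourconpany.com
        records = {sys.argv[1]: resolve_mail_records(sys.argv[1])}
    else:
        records = CONSTRUCTED
    for name, (mx, txt, dmarc_txt) in records.items():
        posture = assess_mail_posture(name, mx, txt, dmarc_txt)
        print(f"{name}: {'MAIL INFRASTRUCTURE PRESENT' if posture.mail_capable else 'no mail records'}")
        for line in posture.findings:
            print("  -", line)
```

The SPF includes are worth reading: they name the provider actually relaying the mail, which is the abuse contact most likely to act quickly.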

Search for the domain online

Search the web for the lookalike domain and check it against reputation services (VirusTotal, PhishTank, spam blocklists). Has it appeared in phishing reports or security forums? Someone else may have already flagged it as malicious.


If the domain appears malicious

When evidence suggests the domain is being used to impersonate your business or target your contacts:

Document everything

Screenshot the lookalike website. Save WHOIS records. Document any emails you've received or heard about from the domain. This evidence matters for takedown requests and potential legal action.

Report to the registrar

Every domain registrar has an abuse policy. Domains used for phishing or fraud typically violate terms of service. Find the registrar through WHOIS, locate their abuse reporting process, and submit a detailed complaint with your documentation.

Success rates vary. Some registrars act quickly; others move slowly or require substantial evidence.

Report to hosting providers

If the domain hosts a website, identify the hosting provider (tools like VirusTotal can help) and report the fraudulent content. Hosting companies generally respond faster than registrars to clear-cut impersonation.

Report to email providers

If the domain is sending email, report it to major email providers:

  • Google: Report phishing through Gmail or at safebrowsing.google.com
  • Microsoft: Report through Outlook or via microsoft.com/reportphishing
  • The domain's email provider (if identifiable): Direct abuse report

Alert your contacts

If there's evidence the lookalike domain is targeting your clients or partners, warn them directly. A brief, factual email:

"We've become aware of a fraudulent domain [lookalike.com] that may be used to impersonate our company. Please note that all legitimate communication from us comes from @yourcompany.com. If you receive any emails from [lookalike.com], do not click links or respond; forward them to us immediately."

Consider legal action

For serious, ongoing impersonation:

  • UDRP (Uniform Domain-Name Dispute-Resolution Policy): ICANN's arbitration process for trademark-related domain disputes. Costs roughly $1,500-5,000 in filing fees, plus any attorney time, and takes 2-3 months.
  • Cease and desist letter: If you can identify the registrant, an attorney's letter sometimes prompts voluntary transfer.
  • Trademark claims: If you have a registered trademark, you have stronger legal footing for domain disputes.

Legal action is expensive and slow. Reserve it for cases where the financial or reputational damage justifies the investment.


If it's a squatter (not actively malicious)

Squatters register domains hoping you'll buy them at a premium. Your options:

Ignore it

If the domain sits parked with no active use, the risk may be low. Squatters sometimes let domains expire when they fail to find buyers.

Negotiate purchase

Squatters often have inflated expectations but may accept reasonable offers. Domain brokers can handle negotiations anonymously (preventing the squatter from knowing it's you, which would inflate their price).

Typical typo-squat domains sell for $200-2,000. Exact-match desirable domains can cost much more.

Wait for expiration

Domains require annual renewal. Set a reminder to check if the domain expires and becomes available. Services can alert you when specific domains are about to drop.

Use UDRP if you have trademark rights

If the lookalike incorporates your trademark and the squatter has no legitimate interest in it, UDRP can force a transfer even when the domain is merely parked, since passive holding can itself count as bad faith. You must be able to prove trademark rights, though: a registration is the clearest evidence, and common words or generic terms usually don't qualify.


Defensive measures going forward

Prevention is cheaper than response:

Register obvious variations

Consider registering common typos, alternative TLDs (.co, .net, .io), and hyphenated versions of your domain. The annual cost is minimal compared to the potential damage of impersonation.

Prioritize:

  • Common typos (doubled letters, adjacent key substitutions)
  • Missing or added letters
  • Popular alternative TLDs
  • Hyphenated versions

Monitor for new registrations

Services exist that alert you when domains similar to yours are registered. This early warning lets you investigate and respond before damage occurs.

Some tools compare new registrations against your domain daily and flag potential typo-squats using algorithms that detect visual similarity, keyboard proximity, and other patterns.
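Both halves of this advice, registering the obvious variations and watching for new ones, rest on the same list of transformations. The script below is an added example (not code from the article or from Ṣọ Email Security's product): the first half generates the candidates the "Prioritize" list describes (doubled letters, adjacent keys, omissions, transpositions, hyphenation, homoglyphs, alternative TLDs), and the second half is the matching side, scoring a domain from a registration feed or a sender address against your protected name. The QWERTY adjacency table, the small homoglyph table and the edit-distance threshold are assumptions to tune; the registration feed at the bottom is constructed.

```python
"""Generate typo-squat candidates for your own domain and score new domains against it.

Added example, not part of the original article. Standard library only.
"""
from __future__ import annotations

# Assumption: a US QWERTY layout; adjust for the keyboards your users actually type on.
QWERTY_NEIGHBOURS = {
    "q": "wa", "w": "qeas", "e": "wrsd", "r": "etdf", "t": "ryfg", "y": "tugh",
    "u": "yihj", "i": "uojk", "o": "ipkl", "p": "ol",
    "a": "qwsz", "s": "awedxz", "d": "serfcx", "f": "drtgvc", "g": "ftyhbv",
    "h": "gyujnb", "j": "huikmn", "k": "jiolm", "l": "kop",
    "z": "asx", "x": "zsdc", "c": "xdfv", "v": "cfgb", "b": "vghn", "n": "bhjm", "m": "njk",
}
# Small, deliberately conservative table of sequences that look alike in common fonts.
CONFUSABLE_FOR = {"m": "rn", "w": "vv", "o": "0", "l": "1"}
CANONICAL_FOR = {v: k for k, v in CONFUSABLE_FOR.items()}


def typo_variants(label: str) -> dict[str, set[str]]:
    """Typo-squat candidates for one domain label (the part before the TLD), grouped by technique."""
    label = label.lower()
    out = {k: set() for k in ("doubled", "adjacent", "omission", "transposition", "hyphenated", "homoglyph")}
    for i, ch in enumerate(label):
        out["doubled"].add(label[:i] + ch + label[i:])
        out["omission"].add(label[:i] + label[i + 1:])
        for near in QWERTY_NEIGHBOURS.get(ch, ""):
            out["adjacent"].add(label[:i] + near + label[i + 1:])
        if i + 1 < len(label) and ch != label[i + 1]:
            out["transposition"].add(label[:i] + label[i + 1] + ch + label[i + 2:])
        if i > 0:
            out["hyphenated"].add(label[:i] + "-" + label[i:])
        if ch in CONFUSABLE_FOR:
            out["homoglyph"].add(label[:i] + CONFUSABLE_FOR[ch] + label[i + 1:])
    out["omission"].discard("")
    return out


def candidate_domains(domain: str, extra_tlds=("co", "net", "org", "io")) -> set[str]:
    """Every typo variant on the real TLD, plus the real name on the popular alternative TLDs."""
    label, _, suffix = domain.lower().partition(".")
    variants = {v for group in typo_variants(label).values() for v in group}
    domains = {f"{v}.{suffix}" for v in variants}
    domains |= {f"{label}.{t}" for t in extra_tlds if t != suffix}
    return domains


def normalise(label: str) -> str:
    """Strip hyphens and fold confusables so 'your-cornpany' compares equal to 'yourcompany'."""
    s = label.lower().replace("-", "")
    for confusable, canonical in CANONICAL_FOR.items():
        s = s.replace(confusable, canonical)
    return s


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, standard dynamic-programming version."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(candidate: str, protected: str, max_distance: int = 2) -> tuple[bool, str]:
    """Decide whether a newly seen domain is close enough to the protected one to investigate."""
    c_label, _, c_suffix = candidate.lower().partition(".")
    p_label, _, p_suffix = protected.lower().partition(".")
    if (c_label, c_suffix) == (p_label, p_suffix):
        return False, "exact match (your own domain)"
    if c_label == p_label:
        return True, f"same name on another TLD (.{c_suffix} vs .{p_suffix})"
    nc, np_ = normalise(c_label), normalise(p_label)
    if nc == np_:
        return True, "identical after homoglyph and hyphen normalisation"
    if np_ in nc:
        return True, "contains your name (typical of invoice/support impersonation)"
    d = edit_distance(nc, np_)
    if d <= max_distance:
        return True, f"edit distance {d} from {p_label}"
    return False, f"edit distance {d}"


# Constructed feed of newly registered domains; none of these are real observations.
NEW_REGISTRATIONS = ["yourconpany.com", "yourcompany.co", "your-company.com",
                     "yourcornpany.com", "yourcompany-invoices.com", "bluesky-roofing.com"]

if __name__ == "__main__":
    protected = "yourcompany.com"
    for technique, names in typo_variants(protected.partition(".")[0]).items():
        print(f"{technique:<14}{len(names):>4}  e.g. {sorted(names)[0]}")
    print(f"{len(candidate_domains(protected))} candidates to consider registering or watching\n")
    for name in NEW_REGISTRATIONS:
        flag, why = is_lookalike(name, protected)
        print(f"{'ALERT ' if flag else 'ok    '}{name:<28}{why}")
```

Two caveats a practitioner will hit immediately: short brand names make the edit-distance and "contains your name" checks noisy (the BlueSky problem from earlier), so tune max_distance per name and add an allow-list of known legitimate neighbours; and the generator is only as good as its tables, so extend the homoglyph table with Unicode confusables (IDN homographs such as Cyrillic letters) if your TLD permits them.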

Strengthen your email authentication

A DMARC record with a reject policy (p=reject) won't stop mail from a lookalike domain, because the lookalike authenticates as itself: it can publish its own valid SPF and DKIM records and pass every check. Move to p=reject in stages (p=none, then p=quarantine) and only once your aggregate reports show every legitimate sender aligning, or you will start rejecting your own mail. What p=reject will do is:

  • Protect your actual domain from being spoofed directly
  • Make your legitimate emails more trustworthy by comparison
  • Provide visibility through reports about your email ecosystem

Educate your team and contacts

People who know to expect emails only from yourcompany.com are less likely to fall for messages from yourconpany.com. Regular security awareness, especially for finance teams and anyone who handles payments, significantly reduces BEC success rates.


When to involve professionals

Some situations warrant expert help:

  • Active phishing campaign against your clients: Incident response specialists can help with rapid takedown and damage control.
  • Significant financial fraud: Law enforcement and forensic specialists may be appropriate.
  • Trademark disputes: Intellectual property attorneys for UDRP or litigation.
  • Ongoing harassment: If someone is persistently registering domains to target your business, legal counsel can advise on options.

The bigger picture

A lookalike domain is a symptom of a broader challenge: your business identity exists in a space where impersonation is technically easy. Neither domain registration nor SMTP was designed with identity verification in mind, and criminals exploit that.

Your response to a discovered lookalike should be part of a larger security posture:

  1. Protect your actual domain with proper email authentication (SPF, DKIM, DMARC)
  2. Monitor for impersonation attempts through DMARC reports and domain monitoring
  3. Train your people to verify unusual requests regardless of apparent source
  4. Establish verification procedures for sensitive actions like payment changes
  5. Build relationships with clients and vendors that include out-of-band verification

The existence of a lookalike domain is concerning. But it's also a reminder to shore up defences across your entire email security posture.


Worried about lookalike domains targeting your business? Ṣọ Email Security detects typosquatting and domain impersonation attempts in real-time. Our BEC protection analyses sender domains against known patterns of impersonation, alerting you before fraudulent emails reach your team or clients.