Does Your Domain Have an Evil Twin?
The Lookalike Domain Threat Hiding in Plain Sight
Estimated reading time: 9 minutes | Last Updated: 4/26/2026
The Domain You Don't Control
The email looked legitimate. It came from a trusted vendor requesting updated payment information. The domain matched. The signature looked right. The accounting team had worked with this supplier for years.
They updated the banking details. Processed the next invoice. Sent $47,000 to what they thought was their vendor's new account.
It wasn't.
The real vendor never changed their banking information. The email didn't come from vendor-company.com. It came from vendor-company-inc.com. One word added. Easy to miss. Completely different owner.
An attacker had registered a lookalike domain, impersonated the vendor, and walked away with $47,000. No hacking required. No sophisticated malware. Just a domain that looked close enough.
This is domain squatting. And it's happening to your company right now - whether you know it or not.
How Domain Squatting Works
Domain squatting, also called typosquatting or brandjacking, is the practice of registering domain names that are intentionally similar to legitimate business domains.
Attackers don't hack your domain. They don't spoof your email address. They simply register a new domain that looks close enough to yours that people won't notice the difference in a quick glance.
Common Variations Attackers Use
Let's say your business is Acme Industries, operating at acmeindustries.com.
An attacker might register:
• Hyphenated versions: acme-industries.com (added hyphen)
• Common suffixes: acmeindustries-portal.com, acmeindustries-secure.com, acmeindustries-services.com
• Additional words: acmeindustriesgroup.com, acmeindustriesinc.com, acmeindustriesltd.com
• Different TLDs: acmeindustries.co, acmeindustries.net, acmeindustries.org, acmeindustries.io
• Misspellings: acmeindustires.com (missing 'r'), acmeindustrries.com (double 'r')
• Character substitution: acme1ndustries.com (number '1' instead of letter 'i')
Each of these domains is legitimate. The attacker owns them. They can send email from them. They can build websites on them. They can impersonate your business using infrastructure they completely control.
Why It's Effective
People don't carefully examine domain names. They glance at an email sender, see something that looks familiar, and move on.
acme-industries.com looks like acmeindustries.com at first glance. The hyphen is easy to miss. The brain autocompletes to the familiar pattern.
Attackers exploit this cognitive shortcut. They're not trying to fool security systems. They're trying to fool humans. And it works.
Real-World Attack Scenarios
Domain squatting enables several types of impersonation attacks:
Fake Payment Portal Emails to Your Clients
An attacker registers acmeindustries-portal.com and sends emails to your client base:
"We've updated our payment portal for enhanced security. Please use this link to submit your next invoice."
The link goes to a fake portal that steals credentials or payment information. Your clients think they're dealing with you. You don't know it's happening until clients start calling about unauthorized charges or missing payments.
Vendor Impersonation to Your Company
An attacker registers a lookalike domain for one of your trusted vendors and emails your finance team:
"Our banking details have changed. Please update your records for future payments."
Your team updates the vendor information in the accounting system. Every subsequent payment goes to the attacker instead of the real vendor. The real vendor eventually contacts you about non-payment. By then, multiple transactions have been redirected.
Employee Credential Phishing
An attacker uses a lookalike domain to send phishing emails that appear to come from your IT department:
"Security Notice: Your password expires in 24 hours. Click here to update your credentials."
Employees see an email from what looks like the company domain and follow the link. They enter their username and password on a fake login page. The attacker now has access to internal systems.
Brand Damage from Phishing Campaigns
An attacker uses a lookalike domain to send mass phishing emails claiming to be from your company.
Recipients receive scam emails, malware, or fraudulent offers that appear to come from you. They report the phishing to anti-spam services. Your brand gets associated with fraud. Your legitimate emails start landing in spam folders because the lookalike domain has damaged your reputation.
You're not sending the emails. But your brand is taking the reputational hit.
Why This Bypasses Traditional Security
Domain squatting is particularly insidious because it circumvents most email security controls:
DMARC Can't Protect You
DMARC (Domain-based Message Authentication, Reporting, and Conformance) is designed to prevent spoofing of your domain. It verifies that emails claiming to come from acmeindustries.com actually originate from authorized mail servers.
But DMARC only protects your exact domain. It has no authority over acme-industries.com. That's a completely different domain, legitimately registered, with its own email infrastructure.
The attacker isn't spoofing your domain. They're using their own lookalike domain. DMARC doesn't apply.
Email Filters Can't Block Legitimate Domains
Email security systems are designed to block malicious content, detect phishing patterns, and identify spoofed addresses.
But acme-industries.com is a legitimate domain. It has valid DNS records. It has properly configured email servers. It passes SPF checks. There's nothing technically suspicious about it.
Email filters can't block it without also potentially blocking other legitimate domains. The domain itself isn't malicious. It's the intent behind it.
User Training Doesn't Catch Subtle Differences
Security awareness training teaches employees to look for red flags: poor grammar, suspicious requests, urgent language, mismatched URLs.
But these emails often don't have those red flags. They're well-written. They reference real projects, real people, real business relationships. The only tell is a single hyphen or an added word in the domain name.
Even security-conscious employees miss it. The difference is subtle enough that careful inspection is required, and most people don't inspect every email domain character by character.
How to Find Your Domain's Evil Twins
The first step in defending against domain squatting is understanding what's already out there. You need to know which lookalike domains exist before you can do anything about them.
Tools to Use
Several free and paid tools can help you discover lookalike domains:
• DNSTwister (dnstwister.report) - Free tool that generates permutations of your domain and checks which ones are registered
• DomainTools - Domain search and monitoring with free and paid tiers
• URLCrazy - Command-line tool for typosquatting detection
• VirusTotal - Can show related domains and historical data
What to Search For
When auditing lookalike domains, look for:
• Your domain with hyphens added or removed
• Common business suffixes: -portal, -secure, -services, -group, -inc, -llc, -online
• Popular alternate TLDs: .co, .net, .org, .io, .tech, .online
• Common misspellings of your company name
• Character substitutions (1 for i, 0 for o)
What You Might Find
Don't be surprised if you discover:
• Multiple variations already registered, some years old
• Domains registered immediately after your company got press coverage
• Parked domains (registered but not actively used yet)
• Active websites impersonating your business
• Email servers configured and sending messages
Many businesses discover 10-20 lookalike domains in their first audit. Some find more.
What to Do About It (Priority Order)
Once you understand the scope of the problem, here's how to address it effectively:
1. Register Defensive Domains First
The most effective defense is prevention. Register the obvious variations before attackers do.
Focus on:
• The hyphenated version of your domain
• Common suffixes that would sound legitimate (-portal, -secure, -services)
• Popular TLDs (.co, .net, .org)
• Obvious misspellings
Yes, this costs money upfront. But registering a handful of defensive domains is cheaper than dealing with the aftermath of impersonation.
Once registered, you can redirect these domains to your main site, park them, or simply hold them to prevent misuse.
2. Monitor for New Registrations
You can't register every possible variation. But you can know immediately when someone else does.
Brand monitoring services (free and paid) will alert you when:
• A new domain matching your company name is registered
• An existing lookalike domain changes ownership
• DNS records are configured (indicating the domain is being set up for use)
• Websites or email servers go live
Early detection gives you time to respond before the domain is weaponized.
3. Report Active Impersonation
If you find lookalike domains being actively used for impersonation, you have options:
• Contact the domain registrar: Report the domain as being used for fraud or trademark infringement. Many registrars will suspend or transfer domains used for malicious purposes.
• Contact the hosting provider: If the domain hosts a phishing site, report it to the web hosting company for takedown.
• Report to email providers: If the domain is sending phishing emails, report it to major email providers so they can block messages from that domain.
• File a UDRP complaint: If you have a registered trademark, you can file a Uniform Domain-Name Dispute-Resolution Policy complaint to have the domain transferred to you.
These processes take time (days to weeks), and you're already playing catch-up. But they can shut down active threats and prevent further damage.
4. Communicate Your Official Domain to Stakeholders
Make it clear what your official domain is:
• Add "Official emails only from @acmeindustries.com" to all email signatures
• Include your official domain on invoices, contracts, and business cards
• Post it prominently on your website
• Tell clients and vendors during onboarding: "We will never email you from any other domain"
• Train internal staff to verify any request from a domain variation through a phone call
This is the weakest layer of defense because it relies on human vigilance. People forget. People don't read disclaimers. People still click suspicious links.
But combined with the other defenses, it adds a layer of awareness that can catch some attacks.
The Cost of Doing Nothing
Ignoring domain squatting doesn't make it go away. It just means you won't know it's happening until the damage is done.
Reputational Damage
When your clients, vendors, or partners receive phishing emails that appear to come from your company, they question your security practices and your trustworthiness.
Even after you explain that the emails came from a lookalike domain, the association sticks. Your brand becomes linked with fraud in their minds.
Reputational damage takes years to rebuild. Some client relationships never recover.
Lost Client Trust
If a client gets scammed by a lookalike domain impersonating you, they'll hold you partially responsible - even though you didn't send the email.
They'll question whether they can trust future communications from you. They'll implement additional verification steps that slow down business. Some will quietly move to competitors who haven't had these issues.
Financial Fraud
Wire transfer fraud through lookalike domains can result in losses ranging from thousands to millions of dollars.
Some of these losses are recoverable if caught quickly. Many are not. And the disruption to business operations while investigating and attempting recovery is significant.
Legal Liability
If client data is compromised through a lookalike domain phishing attack, you may face:
• Regulatory fines for inadequate security measures
• Lawsuits from affected parties
• Breach notification requirements and associated costs
• Increased cyber insurance premiums
Even if you argue that a lookalike domain isn't technically your responsibility, regulators and courts may still hold you accountable for not taking reasonable steps to protect your brand and your stakeholders.
Conclusion: Check Your Domain Today
Domain squatting is not a theoretical threat. It's happening right now. Attackers are registering lookalike domains, building infrastructure, and impersonating businesses every day.
Your domain might already have an evil twin. You might not know it exists until it's used to scam your clients, defraud your vendors, or phish your employees.
The good news is that you don't have to wait for that to happen.
Start today:
• Use free tools like DNSTwister to audit what lookalike domains already exist
• Register the most obvious defensive variations of your domain
• Set up monitoring to be alerted when new similar domains are registered
• Communicate your official domain clearly to clients, vendors, and employees
Domain squatting thrives in the shadows. The longer you wait to shine a light on it, the more time attackers have to build infrastructure, establish credibility, and launch campaigns.
Don't wait until you're explaining to a client how they got scammed by an email that looked like it came from you.
Check your domain today.
Need help monitoring your domain for lookalike threats?
THINKFLEX provides brand monitoring, domain protection guidance, and comprehensive email security services to help businesses reduce impersonation risk. Contact us to learn more.