What is Domain Typosquatting and Why Should Your MSP Care?

What is Typosquatting?

Typosquatting, also known as URL hijacking, is an attack technique where bad actors register domain names that closely resemble legitimate businesses. The goal is simple: trick employees, customers, or partners into believing they are interacting with a trusted organization when they are actually on a malicious site or responding to a fraudulent email.

An attacker targeting a company that owns acmecorp.com might register acrnecorp.com, acmecorp.co, or acmec0rp.com. To an employee scanning their inbox at 8 AM on a Monday, these domains look close enough to the real thing. One click, one credential entry, one wire transfer approval — and the damage is done.

Common Typosquatting Techniques

Attackers use a range of techniques to generate convincing lookalike domains. The most common include:

Character substitution (typos). Swapping, inserting, or removing a single character. googel.com instead of google.com, or amazom.com instead of amazon.com. These exploit the kinds of mistakes people make when typing quickly.

Homoglyph attacks. Replacing characters with visually identical ones from different alphabets. The Cyrillic letter "a" (U+0430) looks identical to the Latin "a" (U+0061) in most fonts. A domain using Cyrillic characters can be visually indistinguishable from the real domain in an email client or browser bar.

TLD swaps. Registering the same name under a different top-level domain. If your client owns clientbrand.com, an attacker registers clientbrand.co, clientbrand.net, or clientbrand.io. Many of these TLDs are cheap and have minimal registration verification.

Hyphen insertion. Adding hyphens to break up a domain name: acme-corp.com or my-clientbrand.com. These are often used in phishing emails where the full URL is not visible.

Subdomain tricks. Creating domains like login.acmecorp.phishingsite.com where the legitimate brand name appears as a subdomain of an attacker-controlled domain.

Bitsquatting. Registering domains that differ by a single bit from the target domain's binary representation. While rare, this exploits hardware memory errors that can cause a computer to resolve a slightly different domain name without any user mistake.

Real-World Impact

Typosquatting is not a theoretical risk. It is actively used in business email compromise (BEC) attacks, which accounted for over $2.9 billion in reported losses in the United States in 2023 according to the FBI's Internet Crime Complaint Center. Attackers register lookalike domains, set up mail servers, and send emails that appear to come from a trusted vendor, executive, or partner. The requests are simple and urgent: update payment details, approve a wire transfer, or share login credentials.

For small and mid-size businesses — the exact clients most MSPs serve — these attacks can be devastating. A single successful BEC attack can result in six-figure losses, and the funds are rarely recoverable.

Why MSPs Should Care

As a Managed Service Provider, you are responsible for your clients' security posture. You have likely already deployed endpoint protection, email filtering, and DMARC/SPF/DKIM configuration. But none of those controls protect against an attacker who registers a brand-new domain that looks like your client's domain and sends emails from it. That is a completely separate domain with its own valid DNS records, its own mail server, and potentially its own SSL certificate.

Domain typosquatting sits in a gap that traditional security tools do not cover. Your clients do not know to look for it. Their employees cannot tell the difference between a real domain and a well-crafted lookalike. And by the time anyone notices, the damage is usually done.

Closing the Gap with Domain Monitoring

The defense against typosquatting starts with visibility. You cannot take action against a malicious lookalike domain if you do not know it exists. Continuous domain monitoring scans for newly registered permutations of your clients' domains, scores them by threat level based on DNS records, MX configuration, and web content, and alerts you when something needs attention.

For MSPs, this translates into a proactive security service that catches threats before they reach your clients' inboxes. It is also a clear, demonstrable value-add that can be presented at every QBR with concrete data: domains discovered, threats assessed, and incidents prevented.