What Are Lookalike Domains and How to Detect Them
Can you quickly spot the difference between these two domains: whoisxmlapi[.]com and whoisxrnlapi[.]com? Took you a few seconds, didn’t it? Your eyes can deceive you, and that’s exactly what threat actors hope for when they use lookalike domains.
Lookalike domains are one of the most effective tools cybercriminals use in modern cyberattacks, tricking people into thinking that they are visiting a legit website or receiving an official business email.
In this post, we explore what lookalike domains are, how dangerous they can be, and how organizations can detect and protect against them.
What Are Lookalike Domains?
Lookalike domains, often called typosquatting domains (strictly, typosquatting is the subset that relies on misspellings users actually make), are deceptive web domains intentionally created to closely resemble a legitimate company's domain. These variations exploit human error and the way users quickly scan web addresses and email addresses, tricking them into believing they are visiting a trusted site or reading mail from a trusted sender.
Think about how quickly you scan a URL. Attackers rely on subtle, hard-to-spot variations and register lookalike domains to set up fake websites or mail servers for their malicious campaigns. For example, a lookalike domain for microsoft[.]com is rnicrosoft[.]com. As you can see, the lowercase "r" and "n" placed side by side are specifically chosen to mimic the letter "m," making the deception nearly invisible at a glance.
The Dangers of Lookalike Domains
Lookalike domains are used in phishing attacks and social engineering, malware distribution, and counterfeiting. What makes these domains dangerous is that they make the attacks more believable.
Phishing Campaigns
The typosquatting domain rnicrosoft[.]com, mentioned above, for example, was used in an actual phishing email where users received notifications about a password reset request. If someone clicks a link within that email, they will be redirected to a fraudulent website designed to steal their credentials.

Malware Distribution
Lookalike domains can also be used to trick users into unknowingly downloading malicious software. In a campaign by a threat group called “UNC6032” described by Mandiant, variations of the official domains of AI content generation tools were used to distribute information-stealing malware. The table below compares the official websites of the imitated tools against the indicators of compromise (IoCs) for the campaign.
| AI Tool | Official Website | Malware Distribution IoCs |
|---|---|---|
| Adobe Express | https://www.adobe[.]com/express/ | adobe-express[.]com |
| Canva Dream Lab | https://www.canva[.]com/ai | canva-dreamlab[.]com, canvadreamlab[.]com, canvaproai[.]com, canvadream-lab[.]com, canvadreamlab[.]ai |
| Capcut AI Video Maker | https://www.capcut[.]com/ai-creator/ | capcutproai[.]com |
| Kling AI | https://klingai[.]com/ | aikling[.]ai, ai-kling[.]com, klings-ai[.]com, klingxai[.]com |
| Luma AI | https://lumalabs[.]ai/ | lumaailabs[.]com, lumalabsai[.]in, luma-aidream[.]com, lumaai-lab[.]com, lumaai-labs[.]com |
Counterfeiting
Other lookalike domains are used to impersonate legitimate brands in selling counterfeit items. Global luxury brands are among the favorite targets. Take a look at the screenshot of the current web content of the lookalike domain gucccii[.]com taken by our Website Screenshot API. It’s clear that the typosquatting domain was previously used to sell counterfeit Gucci products until the luxury brand took it down.

However, there are still more Gucci-lookalike domains that continue to sell products, such as guccix1[.]shop. Their website content, as of the time of writing, is shown below.

How To Check If A Domain Is Real or a Lookalike
The quickest way for your security team to check a suspicious domain is by performing a WHOIS lookup. Here are a couple of side-by-side comparisons of the WHOIS details of legitimate and lookalike domains.
The data points to keep an eye on are:
- Creation date: Official domains of legitimate brands are usually created many years before the lookalike domains (e.g., Microsoft’s domain was registered in 1991, while the typosquatting domain was only created 21 years later). For newer AI tools’ domains, the difference may not be as stark.
- Registrant details: Even with WHOIS data redaction, the registrant fields of legitimate domains usually differ noticeably from those of their lookalikes. Brands typically do not hide behind full privacy protection and make sure their organization name appears in the record, whereas lookalikes are commonly registered behind a privacy or proxy service with every contact field redacted.
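As an added example (not from the original post, and not the WHOIS API's own code), the following Python script applies the two checks above to WHOIS records in the common "Field: value" layout. Both records, the brand name "Example Bank", and the reference date are constructed for the illustration; they are not real registry output for any domain named in this post.

```python
import re
from datetime import datetime, timezone

# Constructed WHOIS excerpts for a hypothetical brand (not real registry data).
LEGIT_WHOIS = """\
Domain Name: examplebank.com
Creation Date: 1996-03-14T05:00:00Z
Registrar: Example Registrar, LLC
Registrant Organization: Example Bank, N.A.
Registrant Country: US
"""

LOOKALIKE_WHOIS = """\
Domain Name: exarnplebank.com
Creation Date: 2025-10-02T11:42:09Z
Registrar: Bargain Domains Inc.
Registrant Name: REDACTED FOR PRIVACY
Registrant Organization: REDACTED FOR PRIVACY
Registrant Country: REDACTED FOR PRIVACY
"""

# Fixed reference time so the example is reproducible (an assumption of the example).
NOW = datetime(2025, 11, 15, 12, 0, tzinfo=timezone.utc)

# Strings registrars put in contact fields when the data is hidden.
REDACTION_MARKERS = ("redacted", "privacy", "proxy", "not disclosed")


def whois_field(record, name):
    """Value of the first 'Name: value' line (case-insensitive), or None if absent."""
    match = re.search(rf"^{re.escape(name)}:[ \t]*(.+?)[ \t]*$", record, re.M | re.I)
    return match.group(1) if match else None


def triage(record, brand, now):
    """Apply the creation-date and registrant checks to one WHOIS record.

    Returns the parsed facts plus a list of findings; an empty list is what a
    long-established, brand-owned domain should produce.
    """
    findings = []

    created = whois_field(record, "Creation Date")
    age_days = None
    if created:
        created_at = datetime.fromisoformat(created.replace("Z", "+00:00"))
        if created_at.tzinfo is None:           # some registrars omit the zone
            created_at = created_at.replace(tzinfo=timezone.utc)
        age_days = (now - created_at).days
        if age_days < 365:
            findings.append(f"registered only {age_days} days ago")
    else:
        findings.append("creation date missing")

    org = whois_field(record, "Registrant Organization") or ""
    if not org or any(marker in org.lower() for marker in REDACTION_MARKERS):
        findings.append("registrant organization redacted or absent")
    elif brand.lower() not in org.lower():
        findings.append(f"registrant organization '{org}' does not name the brand")

    return {
        "domain": whois_field(record, "Domain Name"),
        "age_days": age_days,
        "registrant_org": org,
        "findings": findings,
        "suspicious": bool(findings),
    }


if __name__ == "__main__":
    for record in (LEGIT_WHOIS, LOOKALIKE_WHOIS):
        print(triage(record, "Example Bank", NOW))
```

A redacted organization field is a finding, not proof of abuse: plenty of small but legitimate registrants use privacy services, so treat the output as triage input for the comparison screenshots below rather than as a verdict.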
How Lookalike Domains Are Created
Threat actors use various deception tactics to create believable lookalikes. All the lookalike domain examples from the table below are known to be malicious and are present either in our Threat Intelligence Data Feeds or on Virustotal.com.
| Tactic | Examples |
|---|---|
| Typo variations: registering a slight misspelling that users commonly make. | gogle[.]com, watsapp[.]com |
| Similar-looking letters: exploiting letters that resemble each other, such as an uppercase "I" for a lowercase "l", or "r" next to "n" to mimic the letter "m". | rnicrosoft[.]com, Iinkedin[.]com |
| Letters replaced with numbers: substituting visually similar digits, most commonly "0" for "o" and "1" for "l" or "i". | faceb00k[.]com, 1nstagram[.]com |
| Homoglyphs: using non-ASCII characters that look like Latin letters, whether from another script (e.g., Cyrillic) or accented Latin letters, in an internationalized domain name (IDN). This is a homograph attack; the domain is registered in its punycode (xn--) form and rendered by the browser as the lookalike. | paypaɩ[.]com, applé[.]com |
| URL manipulation: prepending strings commonly found in a URL, or replacing the top-level domain (TLD) with a different one. | httpss-whatsapp[.]com, irsgov[.]top |
| Pseudo-subdomain spoofing: registering a domain that resembles a legitimate subdomain by replacing the dot separator with a hyphen, so the string reads like a hostname under the brand's domain. | account-apple-id[.]com, billing-update-netflix-managment[.]com |
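The tactics in the table can be turned into code from both sides: generating the variants a monitoring program should watch for, and recognizing a candidate as a lookalike of a protected domain. The Python below is an added example, not code from the original post or from any product it mentions. Its confusable table is a small hand-built subset (a production system would load the Unicode confusables data from UTS #39), the brand domains and candidates are the ones from the tables above, and it compares only the last two labels, so a real deployment would split on the public suffix list instead.

```python
import unicodedata

# What an attacker writes, mapped to the Latin letter a hurried eye reads.
# Hand-built subset for this example; load UTS #39 confusables in production.
CONFUSABLES = {
    "rn": "m", "vv": "w",                     # letter pairs that fuse visually
    "0": "o", "1": "l", "3": "e", "5": "s",   # digits standing in for letters
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",   # Cyrillic
    "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u0456": "i",
    "\u0269": "l",                            # Latin iota, as in paypaɩ
}
LATIN_TO_CYRILLIC = {"a": "\u0430", "e": "\u0435", "o": "\u043e", "p": "\u0440", "c": "\u0441"}


def canonical(label):
    """Reduce a label to what it looks like: lowercase, strip accents and
    hyphens, undo confusable substitutions (rnicrosoft -> microsoft)."""
    label = unicodedata.normalize("NFKD", label.lower())
    label = "".join(c for c in label if not unicodedata.combining(c))  # applé -> apple
    for src, dst in CONFUSABLES.items():
        label = label.replace(src, dst)
    return label.replace("-", "")


def osa_distance(a, b):
    """Optimal string alignment distance: Levenshtein plus adjacent
    transposition, so the swapped pair in gogole costs 1 like any other typo."""
    d = [[max(i, j) if i == 0 or j == 0 else 0 for j in range(len(b) + 1)]
         for i in range(len(a) + 1)]
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = a[i - 1] != b[j - 1]
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def split_domain(domain):
    """('label', 'tld') of the last two labels, lowercased, with punycode
    decoded so homoglyph domains are compared as the browser renders them."""
    host = domain.lower().rstrip(".")
    try:
        host = host.encode("ascii").decode("idna")
    except UnicodeError:
        pass  # already Unicode, or malformed punycode: compare as given
    label, _, tld = host.rpartition(".")
    return (label, tld) if label else (tld, "")


def classify(candidate, brand_domain):
    """(verdict, reason) for a candidate domain against a protected one."""
    brand_label, brand_tld = split_domain(brand_domain)
    label, tld = split_domain(candidate)
    if (label, tld) == (brand_label, brand_tld):
        return "legitimate", "exact match"
    brand_canon, canon = canonical(brand_label), canonical(label)
    if canon == brand_canon:
        return "lookalike", ("confusable substitution" if tld == brand_tld
                             else "brand label under another TLD")
    if len(brand_canon) >= 4 and brand_canon in canon:   # short brands are too noisy
        return "lookalike", "brand name embedded in label"
    dist = osa_distance(canon, brand_canon)              # uppercase I for l lands here
    if dist <= (1 if len(brand_canon) <= 6 else 2):
        return "lookalike", f"edit distance {dist}"
    return "no match", f"edit distance {dist}"


def generate_lookalikes(domain):
    """Candidates per tactic for a brand domain; IDN ones are emitted as
    punycode, the form that actually appears in registration data."""
    label, tld = split_domain(domain)
    found = set()
    for i in range(len(label)):                         # typo: dropped letter
        found.add(("typo", f"{label[:i]}{label[i + 1:]}.{tld}"))
    for i in range(len(label) - 1):                     # typo: swapped neighbours
        found.add(("typo", f"{label[:i]}{label[i + 1]}{label[i]}{label[i + 2:]}.{tld}"))
    for src, dst in (("m", "rn"), ("w", "vv"), ("o", "0"), ("l", "1"), ("e", "3"), ("s", "5")):
        if src in label:                                # similar letters and digits
            found.add(("glyph", f"{label.replace(src, dst)}.{tld}"))
    for lat, cyr in LATIN_TO_CYRILLIC.items():          # IDN homoglyph, one letter swapped
        if lat in label:
            idn = label.replace(lat, cyr, 1).encode("idna").decode("ascii")
            found.add(("homoglyph", f"{idn}.{tld}"))
    for alt in ("net", "co", "top", "shop"):            # TLD swap
        if alt != tld:
            found.add(("tld", f"{label}.{alt}"))
    for prefix in ("www-", "login-", "secure-"):        # pseudo subdomain
        found.add(("pseudo-subdomain", f"{prefix}{label}.{tld}"))
    return sorted(found)


if __name__ == "__main__":
    for tactic, cand in generate_lookalikes("paypal.com"):
        print(f"{tactic:17} {cand:24} {classify(cand, 'paypal.com')}")
```

Two limits are worth knowing before wiring this into a feed. Short brand labels such as "irs" are excluded from the embedded-name rule on purpose, so irsgov[.]top is not caught by this logic and needs an explicit keyword list, which is what a search term in Brand Monitor provides. And the classifier deliberately flags brand-owned variants like paypal[.]net, so maintain an allowlist of the domains you actually own.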
Mitigating Lookalike Domains
Defensive Registration
The most aggressive measure against lookalike domains is for the organization to preemptively register as many likely variants as possible, from common misspellings to different TLDs. Bank of America, for example, has registered hundreds of lookalike domains to date. Defensive registration can never be exhaustive, though: the number of plausible permutations across hundreds of TLDs is effectively unbounded, so it complements monitoring and takedowns rather than replacing them.

Request Takedown
If a lookalike domain attack targeting your organization occurs, where the domain becomes involved in a malicious activity, you can request a takedown from the domain registrar or hosting provider.
For example, Namecheap, like most registrars, has an official process for filing abuse complaints, particularly for phishing or trademark complaints. You need to submit an email to abuse@namecheap.com, containing evidence and other relevant information, such as screenshots and proof of your brand’s trademark.
Similarly, GoDaddy has an Abuse Report Form for reporting various types of internet abuse, including phishing, malware, spam, and trademark or copyright infringement.
User Education
Lookalike domains exploit human error, so training is one of the most effective preventive measures. Train employees to spot telltale signs that a domain is a lookalike (e.g., different TLDs) and how to check if a domain is legit or a lookalike. Aside from that, education should also focus on the risk that these types of domains pose, particularly the financial and reputational damage they can inflict on both the user and the organization.
Awareness should also extend beyond employees, to end users. Most financial institutions include a warning in their communications that says, "We will never ask you for your password, PIN, or other confidential information via email or text message. Always log in directly to our website by typing the address yourself." They also issue regular alerts via email or within their app, such as the one below.

Technical Security Measures
Organizations can implement security measures that enhance user and employee protection against lookalike domains. These measures include:
- Enforcing multi-factor authentication (MFA): If a user is tricked into entering credentials on a fake landing page, a second factor raises the bar for the attacker. One caveat matters here: one-time codes from an authenticator app or SMS, and push approvals, can still be relayed in real time by an adversary-in-the-middle phishing kit hosted on the lookalike domain. For high-value accounts, prefer phishing-resistant MFA (FIDO2/WebAuthn security keys or passkeys), which binds the credential to the genuine origin and will not complete a login on a lookalike.
- Email filtering: Email security systems and filtering tools can detect and block fraudulent messages that exhibit characteristics of impersonation or spoofing, such as a reply-to mismatch or a sending domain registered only days ago. They can also enforce email authentication (SPF, DKIM, and DMARC) for mail claiming to come from your domains. Keep in mind that authentication protects only your exact domain: a lookalike domain can publish perfectly valid SPF and DKIM records of its own and pass every check, so an authentication pass says nothing about whether the sender is who it appears to be.
- Domain monitoring: Implementing a domain monitoring service to constantly track newly registered domains that are similar to your owned domains allows your security team to be proactive and request takedowns immediately.
Tools for Lookalike Domains Detection
A strong defense against typosquatting requires organizations to implement technical security measures alongside the mitigation tactics described above. You also need to know which lookalike domains already exist and which are newly registered. Below are some solutions you can use to find lookalike domains.
Brand Monitor
Brand Monitor is a tool within the Domain Research Suite that allows you to keep track of domain registrations that contain your brand or trademarked name, including their typo variants.

The tool scans domain registrations daily and notifies you when domains containing the search term are registered, updated, or dropped on a specific day.

Reverse WHOIS Search
For identifying lookalike domains registered within a specific period, Reverse WHOIS Search can help. You can narrow down the list of results by specifying the creation date, update date, or expiration date range. You can also add or exclude other search terms (i.e., WHOIS data points). For example, you can configure a search for all domains registered from January 1 to October 31, 2025, that contain “PayPal” but are not registered by PayPal Inc. The filters would look like this:

Those search parameters on Reverse WHOIS Search returned 1,799 PayPal-lookalike domains.

If you know the email address or other registrant details of a malicious lookalike domain, you can input them on Reverse WHOIS Search to uncover an entire network of fraudulent websites.
First Watch Malicious Domains Data Feed
To protect employees from lookalike domains that impersonate other organizations, such as vendors or business partners, you can integrate First Watch Malicious Domains Data Feed into email filtering tools and other security systems. First Watch flags domains predicted to be malicious (including lookalike domains), often within hours of registration, which helps neutralize threats before a brand impersonation attack against your employees or business partners can succeed.
Conclusion
Lookalike domain attacks are common and effective because they exploit how people read rather than any software flaw, and a successful phishing campaign built on one can pave the way for malware distribution or sensitive data theft. Organizations must adopt a proactive strategy that combines predictive threat intelligence and aggressive domain monitoring with email filtering, phishing-resistant multi-factor authentication, email authentication (SPF, DKIM, and DMARC) to prevent spoofing of their own domains, and regular user awareness training to ensure effective brand protection.
![WHOIS details of legitimate microsoft[.]com.](https://publishing-platform-legacy.whoisxmlapi.com/wordpress/wp-content/uploads/2025/11/4-whois-microsoft.png)
![WHOIS details of lookalike rnicrosoft[.]com.](https://publishing-platform-legacy.whoisxmlapi.com/wordpress/wp-content/uploads/2025/11/5-whois-rnicrosoft.png)
![WHOIS details of legitimate gucci[.]com.](https://publishing-platform-legacy.whoisxmlapi.com/wordpress/wp-content/uploads/2025/11/6-whois-gucci.png)
![WHOIS details of lookalike guccix1[.]shop.](https://publishing-platform-legacy.whoisxmlapi.com/wordpress/wp-content/uploads/2025/11/7-whois-gucci-lookalike.png)