What Is Typosquatting? Security Definition
On This Page
Quick Definition
Typosquatting is a trick where someone buys a web address that looks like a real website but has a small typo, like 'gooogle.com' instead of 'google.com'. When you make that typing error, you land on their fake site. Their goal is to steal your information or show you unwanted ads.
Commonly Confused With
DNS cache poisoning corrupts the DNS resolver's cache so that a legitimate domain name resolves to a malicious IP address. The user does not make a typo. In typosquatting, the user types a wrong domain, and the DNS resolution is correct for that wrong domain. The attack vector is different: one exploits DNS infrastructure, the other exploits user error.
If you type 'google.com' correctly but you are taken to a fake site because the DNS cache was poisoned, that is DNS poisoning. If you type 'gooogle.com' and land on a fake site, that is typosquatting.
Phishing is a broader category of social engineering attacks that use deceptive messages (email, SMS, phone) to trick users into revealing information. Typosquatting is a specific technique that can be used in phishing campaigns. Not all phishing involves typosquatting, and not all typosquatting is delivered via phishing emails. Typosquatting relies on the user voluntarily typing a wrong URL, while phishing often uses a direct link in a message.
A phishing email might contain a link that says 'Click here to reset your password' and the link goes to a typosquatting domain. The phishing is the email, the typosquatting is the fake domain.
Domain hijacking is when an attacker gains unauthorized access to a domain registrar account and transfers the legitimate domain to themselves. The legitimate owner loses control. In typosquatting, the attacker registers a new domain that is similar; they do not steal the existing domain. Domain hijacking is much harder to carry out, while typosquatting is easy because anyone can register a similar domain.
If an attacker changes the registration of 'company.com' to their own account, that is domain hijacking. If they register 'c0mpany.com' (with a zero), that is typosquatting.
Must Know for Exams
Typosquatting appears in a range of general IT certification exams, including CompTIA Security+, CompTIA Network+, CompTIA A+, and the Certified Information Systems Security Professional (CISSP). In CompTIA Security+, typosquatting is categorized under social engineering and phishing attacks, specifically as a type of 'phishing' or 'spear phishing'. The exam objective 1.1 on social engineering techniques includes typosquatting as a method attackers use to trick users. You may encounter a scenario where a user reports a strange website that looks like a corporate login page but has a different URL. The question will ask you to identify the attack type and recommend mitigation.
In CompTIA Network+, typosquatting appears in the context of DNS threats and network security. Objective 2.3 covers common network attacks, including DNS poisoning and domain hijacking. While typosquatting is not DNS poisoning, it exploits the DNS system in a different way. Exam questions might present a network log showing traffic to a suspicious domain that is a typo of a known site. You need to recognize that this is a typosquatting attempt and suggest blocking the domain at the network firewall or DNS filter.
For CompTIA A+, typosquatting appears in the security section of the 220-1102 exam. It is part of the broader category of social engineering and phishing. A+ questions are often more basic, asking you to define the term or identify it in a list of attack types. You might see a question like: 'A user types amazn.com instead of amazon.com and is prompted for their login credentials. What type of attack is this?' The correct answer is typosquatting.
In CISSP, typosquatting falls under the domain of Security and Risk Management (Domain 1) and Communication and Network Security (Domain 4). The exam expects you to understand the attack, its impact, and appropriate controls. You may need to evaluate a scenario where an organization has experienced credential theft due to a typosquatting domain. Questions will test your ability to recommend preventive measures such as user awareness training, domain monitoring, and defensive domain registration.
Other certifications, such as CEH (Certified Ethical Hacker) and SSCP, also cover typosquatting as a reconnaissance or social engineering technique. Regardless of the exam, the core concepts remain the same: recognize the attack pattern, understand how DNS is abused, and know the best defenses. Expect scenario-based questions where you must identify the attack or choose the most effective response.
Simple Meaning
Imagine you want to visit a well-known store downtown. You know the address is 123 Main Street. But there is a similar-looking building at 132 Main Street, one digit reversed. You type the address slightly wrong, and you end up at a fake store that looks almost identical to the real one. Inside, the fake store might try to sell you cheap knock-offs, or they might ask for your credit card and then disappear. That is exactly what typosquatting does in the online world.
Attackers register domain names that are very close to popular websites. They assume that a certain number of internet users will make a typing error when entering the web address. For example, if you type 'amazn.com' instead of 'amazon.com', the typosquatter owns that misspelled domain. Their site might look identical to the real Amazon page, but it is a trap. If you try to log in, the fake site captures your username and password. If you enter payment information, the attackers steal it.
Typosquatting is not new. It has been around since the early days of the web. The term itself combines 'typo' (a typing mistake) and 'squatting' (occupying a space without permission). It is a form of cybersquatting, which is the broader practice of registering domains that belong to someone else. Typosquatting specifically targets common typing errors. The attackers do not need any special hacking skills to pull it off. All they need is a few dollars to register the domain and some basic web design skills to copy the original site. It is a low-effort, high-reward scam for attackers, and a serious risk for users who are not careful.
From a user's perspective, typosquatting is dangerous because it is so easy to fall for. Even experienced IT professionals can make a typing mistake when they are in a hurry. The fake site can look perfectly legitimate. It might have the same logo, the same colors, and the same layout. Only the URL in the address bar reveals the trick, but most people do not check the URL carefully. That is why typosquatting remains a common threat in cybersecurity awareness training.
Full Technical Definition
Typosquatting is a form of domain name fraud that relies on registering domain names that are typographical variations of legitimate, high-traffic domains. The attacker takes advantage of the Domain Name System (DNS) infrastructure to resolve a misspelled domain to a server they control. Once the user enters the wrong URL into their browser, a DNS lookup returns the IP address of the attacker's server, and the user is served a webpage that may mimic the legitimate site.
Attackers use several patterns when selecting typosquatting domains. The most common include: omitting a character (e.g., googl.com instead of google.com), transposing two characters (e.g., goolge.com), repeating a character (e.g., gooogle.com), substituting a common typo based on keyboard layout (e.g., gogle.com if the 'o' key is missed), or adding an extra character (e.g., googlee.com). They also exploit homoglyphs, using characters from different scripts that look identical, such as replacing the Latin letter 'a' with the Cyrillic 'а'. This is known as IDN homograph attack and can bypass many visual inspections of the URL.
From a technical perspective, a typosquatting attack involves several components. First, the attacker registers the misspelled domain through a domain registrar. They must configure DNS records, typically A records or CNAME records, to point the domain to their web server. The attacker then builds a phishing page that mirrors the login, payment, or data-entry interface of the target website. This is often done using automated tools that scrape the original site and repackage its HTML, CSS, and JavaScript. The fake page may also include malicious scripts that capture keystrokes, form submissions, or session cookies.
Typosquatting can be monetized in multiple ways. Some attackers display pay-per-click advertisements on the fake site, earning revenue from every click. Others redirect users to competitor sites or affiliate links. The most dangerous form involves credential harvesting, where the attacker collects usernames, passwords, and other sensitive information. In some cases, the fake site acts as a man-in-the-middle proxy, forwarding legitimate traffic to the real site while intercepting all data exchanged between the user and the real server.
Defenses against typosquatting include domain monitoring services that alert companies when similar domains are registered, use of extended validation SSL/TLS certificates that provide stronger visual assurance, and browser-based protections that warn users when they navigate to a known phishing site. Organizations can also register common typo-variations of their own domains (called defensive registrations) to prevent attackers from using them. Security awareness training for users is a critical layer of defense, teaching employees to verify URLs before entering credentials.
Real-Life Example
Think about how you type a web address on your phone or computer. You are probably not looking at the keyboard. Your fingers know the pattern. If you want to go to Facebook, your fingers might type 'facebok.com' instead of 'facebook.com' because you forget the second 'o'. That tiny slip is exactly what typosquatters count on.
Imagine you are sitting in a coffee shop, trying to log into your favorite online store. You are in a hurry and your mind is on your shopping list. You type the address from memory. But the real address has two 'o's in the middle, and you only type one. Your browser loads a page that looks exactly like the store you intended to visit. The logo is the same. The colors match. The layout feels right. You enter your username and password without thinking. Then the site asks you to confirm your payment details. You do that too. Only later, when you notice a strange charge on your credit card, do you realize something is wrong.
This is not a hypothetical scenario. It happens to thousands of people every day. In 2019, researchers discovered over 200,000 typosquatting domains targeting the top 100 websites. Some of these fake sites were almost perfect copies, complete with SSL certificates that showed a padlock icon in the address bar. The padlock only means the connection is encrypted, not that the site is legitimate. Many users misinterpret that padlock as a sign of safety.
The most effective way to avoid this trap is to use bookmarks or typed shortcuts instead of manually typing URLs. If you must type the address, double-check it before hitting Enter. Also, pay attention to the browser's address bar after the page loads. If the URL looks slightly off, leave the site immediately. For IT professionals, automated domain monitoring and browser extensions that detect typosquatting domains can provide additional protection.
Why This Term Matters
Typosquatting matters because it is a low-cost, high-impact attack that targets the most fundamental human behavior on the internet: typing a web address. It bypasses many traditional security controls because it does not require exploiting a technical vulnerability. Instead, it exploits human error, which is the hardest weakness to patch. For IT professionals, understanding typosquatting is essential for designing effective security awareness programs and implementing technical defenses.
In a corporate environment, one employee falling for a typosquatting site can lead to a data breach. Attackers can use stolen credentials to access internal systems, send phishing emails from a trusted account, or exfiltrate sensitive data. The cost of a single breach often far exceeds the cost of implementing preventive measures. Organizations that ignore typosquatting are leaving a gap in their security posture that attackers will exploit.
From a compliance perspective, regulations like GDPR, HIPAA, and PCI DSS require organizations to protect user data. A typosquatting attack that leads to a data breach can result in fines, legal liability, and reputational damage. Companies that register defensive domains and monitor for typosquatting demonstrate due diligence in protecting their users. Many cybersecurity frameworks, such as NIST and ISO 27001, include controls related to domain name security.
Typosquatting also has implications for brand protection. When a typosquatter registers a domain similar to your company's name, they can damage your reputation. If customers have a bad experience on the fake site, they may blame your company. Worse, the fake site might distribute malware that infects visitors, and the malicious activity is attributed to your brand. Therefore, typosquatting is not just a security issue but also a brand management concern.
How It Appears in Exam Questions
In IT certification exams, typosquatting questions usually appear as part of a broader security scenario. A typical question might describe an employee who received a warning from the IT department about visiting a suspicious website. The employee states they typed the company's web address but forgot to include a character. The question asks: 'What type of attack has occurred?' The answer choices could include typosquatting, phishing, vishing, DNS poisoning, or man-in-the-middle. The correct answer is typosquatting, because the attack relies on a misspelled URL.
Another common question format is a troubleshooting scenario. For example: 'Several users report that when they type 'drive.goole.com', they see a login page that looks different from the usual Google Workspace page. The URL in the address bar is correct except for a missing 'g'. Which of the following is the most likely cause?' Options: DNS cache poisoning, typosquatting, ARP poisoning, or a misconfigured proxy server. The correct answer is typosquatting. The clue is the misspelling in the URL.
Some questions focus on mitigation. A scenario might describe a company that has experienced several credential theft incidents traced back to typosquatting domains. The question asks: 'Which of the following would be the most effective preventive control?' Options: Enable multi-factor authentication, implement a web content filter, register common misspellings of the company domain, or deploy an IDS. The best answer is registering common misspellings (defensive registration), because it directly prevents the attacker from using those domains. However, multi-factor authentication can mitigate the impact if credentials are stolen.
There are also questions that test your understanding of why typosquatting works. For instance: 'An attacker registers a domain that is a common misspelling of a popular banking website. Users who visit the fake domain are prompted to enter their online banking credentials. Why does this attack succeed?' Answer options: The fake site uses a valid SSL certificate, the users are not paying attention to the URL, the attacker has compromised the DNS server, or the attacker has performed a social engineering call. The correct reasoning is that users are not paying attention to the URL. Understanding the human factor is key.
Finally, some questions differentiate typosquatting from similar attacks. You might see: 'What is the difference between typosquatting and DNS spoofing?' The answer: typosquatting uses a misspelled domain that the user types, while DNS spoofing corrupts the DNS cache to redirect the user to a malicious IP address without a typo. Being able to compare and contrast these attacks is essential for passing security exams.
Practise Typosquatting Questions
Test your understanding with exam-style practice questions.
Example Scenario
You work as a junior IT support technician for a mid-sized company. One morning, you get a ticket from a user named Sarah. Sarah says she cannot log into the company's webmail system. She is entering her username and password, but the page just refreshes and asks her to log in again. She is frustrated because she knows her password is correct.
You remotely connect to her workstation and ask her to show you exactly what she is doing. She opens a browser, clicks the address bar, and types 'webmail.company.co' and presses Enter. The page loads and looks identical to the company's login page. She enters her credentials and clicks 'Sign In'. The page refreshes and shows the same empty login form. She tries again with the same result.
You look carefully at the address bar. The URL reads 'webmail.company.co' but your company's actual webmail domain is 'webmail.company.com'. The difference is the top-level domain: .co instead of .com. Sarah did not notice that. She typed the wrong address. Someone has registered 'webmail.company.co' and set up a fake login page. Every time Sarah enters her credentials, the fake page captures them and simply reloads to avoid suspicion.
You immediately tell Sarah to close the browser and change her password. You report the typosquatting domain to your supervisor and recommend adding it to the company's web filtering blocklist. You also suggest that the IT department register common variations of the company domain to prevent future attacks. Sarah learns a valuable lesson: always double-check the full URL before entering credentials.
This scenario illustrates how simple a typosquatting attack can be. Sarah did nothing wrong except make a small typing error. The attacker did not need to hack the company's server or crack any passwords. The attack succeeded because of a moment of inattention. For IT professionals, this highlights the importance of both technical controls and user awareness training.
Common Mistakes
Thinking typosquatting only targets major companies like Google or Amazon.
While typosquatting on big brands is common, attackers also target smaller companies, educational institutions, government agencies, and even personal blogs. Any domain with user logins or traffic can be a target.
Assume any domain you manage could be typosquatted. Register defensive variations for your own domains, regardless of your organization's size.
Believing that an SSL/TLS certificate (padlock icon) means the site is safe.
Attackers can easily obtain free SSL certificates from services like Let's Encrypt for their typosquatting domains. The padlock only indicates that the connection is encrypted, not that the site is legitimate.
Train users to check the actual domain name in the URL, not just the padlock icon. Use browser extensions that flag suspicious domains.
Confusing typosquatting with DNS cache poisoning.
DNS cache poisoning corrupts the DNS resolver so that even correctly typed domains resolve to malicious IPs. In typosquatting, the user types the wrong domain, and the DNS resolution works correctly for that wrong domain.
Remember that typosquatting relies on user typing error, while DNS poisoning works without any user mistake. They are different attack vectors.
Assuming that registering one defensive domain is enough.
There are many possible typographical variations of a domain. A single defensive registration cannot cover all omitting, transposing, and substituting patterns. Attackers can still find other misspellings.
Use automated domain monitoring services that alert you to new registrations similar to your domains. Register the most common variations and monitor for others.
Exam Trap — Don't Get Fooled
{"trap":"A question describes a scenario where a user types a correct URL but is redirected to a fake site. The answer choices include both typosquatting and DNS poisoning. The learner might choose typosquatting because it sounds similar to the scenario, but the correct answer is DNS poisoning because there was no typo."
,"why_learners_choose_it":"Learners often associate any attack involving fake websites with typosquatting. They overlook the key detail that the user typed the correct URL. Without a typo, it cannot be typosquatting."
,"how_to_avoid_it":"Read the scenario carefully. If the question states the user typed the correct domain, cross out typosquatting immediately. Look for clues about DNS poisoning, ARP spoofing, or man-in-the-middle attacks that can redirect traffic without a typo."
Step-by-Step Breakdown
Identify a target domain
The attacker chooses a popular website with high traffic, such as a bank, social media platform, or email provider. The goal is to maximize the number of users who might mistype the domain. The target must have a login or data-entry function to make the attack profitable.
Generate typo variations
The attacker brainstorms or uses automated tools to generate common misspellings of the target domain. Patterns include omitting a character, transposing two characters, repeating a character, substituting a visually similar character (e.g., 'rn' for 'm'), or using a different top-level domain like .net instead of .com. The attacker selects the most plausible typos.
Register the typosquatting domain
The attacker purchases the misspelled domain through a domain registrar. This typically costs around $10 to $15 per year. The registrar requires the attacker to provide contact information, but many use privacy protection services to hide their identity. The registration is the only technical barrier, and it is very low.
Configure DNS and hosting
The attacker sets up DNS records (usually an A record) pointing the typosquatting domain to a web server they control. They may use cheap or compromised hosting. The page must load quickly to avoid alerting the user that something is wrong. The attacker also obtains an SSL certificate to show a padlock icon, increasing trust.
Create the fake webpage
The attacker copies the look and feel of the legitimate website. They may use browser extensions to download the HTML, CSS, and JavaScript of the real site. The fake page includes forms to capture usernames, passwords, and other sensitive data. The attacker also adds a script that logs the submitted data and sends it to their server.
Wait for victims and collect data
The attacker does nothing actively; they rely on internet users making typing mistakes. When a victim accesses the typosquatting domain, the fake page is served. If the victim enters credentials, the attacker's server logs them. The attacker can then use the stolen credentials to log into the real site, access accounts, and potentially launch further attacks.
Practical Mini-Lesson
Typosquatting is a practical threat that every IT professional should know how to defend against. The first line of defense is user awareness. Teach users to always examine the URL in the address bar before entering any information. They should look for misspellings, extra characters, or unusual top-level domains. Encourage the use of bookmarks for frequently visited sites. When a user must type a URL, they should type slowly and verify after pressing Enter.
On the technical side, organizations should implement a web content filter that can block known typosquatting domains. Many security vendors maintain threat intelligence feeds that include recently registered typosquatting domains. DNS filtering services like OpenDNS or Cisco Umbrella can automatically block access to domains that are similar to known legitimate sites. These tools use algorithms to detect typo-squatted domains based on edit distance (Levenshtein distance) and character substitution patterns.
Another effective control is defensive domain registration. The company should register common misspellings of their own primary domain and redirect them to the real website. This prevents attackers from registering those domains. For example, if your company domain is 'mybank.com', you should register 'mybannk.com', 'mybnak.com', 'mybankk.com', and so on. While you cannot cover every possible variation, registering the most obvious ones significantly reduces risk.
Organizations should also monitor for new domain registrations that are similar to their brand. This can be done through automated services like DomainTools or PhishLabs. When a suspicious domain is found, the organization can issue a takedown request to the registrar if the domain is being used for phishing. Some companies also use legal action under the Anti-Cybersquatting Consumer Protection Act (ACPA) to recover domains.
What can go wrong? Without defenses, a typosquatting attack can lead to credential theft, financial fraud, data breaches, and reputational damage. Attackers can also use typosquatting domains to distribute malware by hosting drive-by download exploits on the fake site. A visitor who merely browses the fake site could have malware installed on their computer. This is why a layered defense is critical. Typosquatting may seem like a simple trick, but its consequences can be severe. IT professionals should treat it with the same seriousness as other cyber threats.
Memory Tip
Type 'typo' + 'squat' = attacker sits on a typo domain waiting for you to stumble in.
Covered in These Exams
Current Exam Context
Current exam versions that test this topic — use these objectives when studying.
SY0-701CompTIA Security+ →CS0-003CompTIA CySA+ →Related Glossary Terms
Two-factor authentication (2FA) is a security method that requires two different types of proof before granting access to an account or system.
AAA (Authentication, Authorization, and Accounting) is a security framework that controls who can access a network, what they are allowed to do, and tracks what they did.
An A record is a type of DNS resource record that maps a domain name to an IPv4 address.
An AAAA record is a DNS record that maps a domain name to an IPv6 address, allowing devices to find each other over the internet using the newer IP addressing system.
802.1Q is the networking standard that allows multiple virtual LANs (VLANs) to share a single physical network link by tagging Ethernet frames with VLAN identification information.
802.1X is a network access control standard that authenticates devices before they are allowed to connect to a wired or wireless network.
Frequently Asked Questions
Is typosquatting illegal?
Typosquatting can be illegal under laws like the Anti-Cybersquatting Consumer Protection Act (ACPA) in the US, especially if the domain is registered in bad faith with intent to profit from a trademark. However, enforcement can be challenging, and many typosquatting domains remain active until a complaint is filed.
Can typosquatting be used for good purposes?
Yes, some organizations register typo domains to redirect users to the correct site. This is called defensive registration and is considered a legitimate security practice. It prevents attackers from using those domains.
Does using HTTPS protect against typosquatting?
No. Attackers can obtain SSL certificates for their typosquatting domains, so the padlock icon appears. HTTPS encrypts the connection but does not verify the legitimacy of the site owner.
How common is typosquatting?
Very common. Studies have found hundreds of thousands of typosquatting domains targeting the most popular websites. The low cost of domain registration makes it a persistent threat.
Can a firewall block typosquatting?
A firewall can block specific domains if configured with a blocklist. However, new typosquatting domains are registered daily, so a static blocklist is insufficient. DNS filtering services that use dynamic threat intelligence are more effective.
What is the difference between typosquatting and cybersquatting?
Cybersquatting is registering a domain that is identical or confusingly similar to a trademark with the intent to sell it at a profit. Typosquatting is a subtype of cybersquatting that specifically targets misspellings of those domains.
Summary
Typosquatting is a deceptive attack that preys on the simple human habit of typing web addresses from memory. Attackers register misspelled versions of popular domains, creating fake websites that look identical to the real ones. When a user makes a typing mistake, they land on the fake site and may unknowingly reveal sensitive information. This attack is low-cost for attackers, easy to execute, and can cause significant harm to individuals and organizations.
Defending against typosquatting requires a combination of user education, technical controls, and proactive domain management. Users should be trained to double-check URLs and use bookmarks. Organizations should implement web content filters, DNS filtering, and defensive domain registration. Monitoring for new typosquatting domains and taking down those used for malicious purposes is also important.
For IT certification exams, typosquatting appears in security sections of CompTIA A+, Network+, Security+, and higher-level certifications like CISSP. Exam questions typically test your ability to identify the attack in a scenario, differentiate it from DNS poisoning or phishing, and recommend appropriate mitigations. Understanding the distinction between typosquatting and other DNS-based attacks is critical for exam success. Remember: if there is a typo in the URL, it is typosquatting; if the URL is correct but the resolver is tampered with, it is DNS poisoning. Keep this simple rule in mind, and you will be able to answer typosquatting questions with confidence.