DOMAINS · 9 MIN READ · JUNE 9, 2026

Lookalike domains and typosquatting — how scammers hijack your checkout with one character off the URL.

The URL bar is the most underused safety check on the web. Most people glance at it, see something that looks roughly like a brand they know, and move on. Scammers have built an entire industry around that one glance. This post walks through the six URL tricks behind nearly every lookalike domain — letter swaps, omissions, dash insertions, TLD switches, subdomain spoofs and Cyrillic homograph attacks — with real examples and the WHOIS checks that catch them.

01 · WHY

Why lookalike domains exist

Three reasons scammers love them, in order of impact:

  • They're cheap: registering twenty variants of a brand costs less than $40/year. Even a 1% success rate pays back many times over.
  • They survive ad review: Google, Meta and X run automated checks on landing-page domains. A lookalike that's "close enough" can pass review long enough to catch its targets.
  • They're forgivable to the eye: your brain auto-corrects URLs the way it auto-corrects sentences with letters in the wrong order. Scammers exploit this without you noticing.

02 · THE SIX TRICKS

Six URL tricks that cover almost every lookalike

Once you can name them, you can spot them:

  • 1. Letter swap: replace a character with a visually similar one — flipkart → fiipkart (an i standing in for the lowercase L), paypal → paypa1 (digit one instead of L). Catches anyone reading at speed.
  • 2. Letter omission: drop a single letter, betting on typos — amazn.com, gogle.com, microsft.com. The original typosquats; they still work because these are what users actually mistype.
  • 3. Letter addition or doubling: googlle.com, youutube.com, netfllix.com. Fat-finger typos that scammers monetize in reverse.
  • 4. Dash insertion: amazon-india.shop, flipkart-deals.store, icici-bank.online. Shows up in paid ads constantly. Real brands almost never use a dash in their main domain.
  • 5. TLD switch: keep the brand, change the extension. amazon.shop, nike.online, sbi.top. Cheap, loose TLDs are scammer-favorite real estate.
  • 6. Subdomain spoofing: the brand appears as a subdomain of a scam domain — paypal.secure-login.com. People see "paypal" on the left and stop reading. The actual domain is secure-login.com. Read the hostname from the right: the extension (.com/.in/.org) plus the label immediately before it is the real domain, and everything further left belongs to whoever registered that domain.

03 · HOMOGRAPH ATTACKS
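The six tricks above can be turned into a mechanical check, which is also what the brand-monitoring feed filter in section 06 needs. The following is an added example written for this post, not a tool from the post or any vendor. It assumes a brand's second-level name and the extensions it legitimately uses; the tiny MULTI_LABEL_SUFFIXES set is a stand-in for the full Public Suffix List, and the SAMPLE_FEED entries are constructed, not real registrations.

```python
"""Classify a hostname against a brand name using the six lookalike tricks:
letter swap, letter omission, letter addition/doubling, dash insertion,
TLD switch and subdomain spoofing.  Added example, not the post's own code."""

from typing import List

# Assumption: a small stand-in for the Public Suffix List, so that
# "amazon.co.in" is read as brand "amazon" under suffix "co.in".
# Production code should load the real list (e.g. the publicsuffix2 package).
MULTI_LABEL_SUFFIXES = {"co.in", "co.uk", "com.au", "net.in"}


def split_host(host: str):
    """Return (subdomain_labels, second_level_label, public_suffix)."""
    labels = host.lower().strip(".").split(".")
    if len(labels) < 2:
        return [], labels[0], ""
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return labels[:-3], labels[-3], ".".join(labels[-2:])
    return labels[:-2], labels[-2], labels[-1]


def edit_kind(brand: str, label: str) -> str:
    """Name the single-character edit turning `brand` into `label` ('' if none)."""
    if label == brand:
        return "exact"
    if len(label) == len(brand):
        diffs = [i for i, (a, b) in enumerate(zip(brand, label)) if a != b]
        if len(diffs) == 1:
            return "letter swap"          # fiipkart, paypa1, amaz0n
    if len(label) == len(brand) - 1:
        if any(brand[:i] + brand[i + 1:] == label for i in range(len(brand))):
            return "letter omission"      # amazn, gogle
    if len(label) == len(brand) + 1:
        if any(label[:i] + label[i + 1:] == brand for i in range(len(label))):
            return "letter addition"      # googlle, youutube
    return ""


def classify(brand: str, legit_suffixes: set, host: str) -> List[str]:
    """List the tricks `host` uses against `brand`; [] for the brand's own
    domains and for unrelated hosts."""
    subs, sld, suffix = split_host(host)
    whole = edit_kind(brand, sld)
    tricks: List[str] = []

    # 6. Subdomain spoofing: brand (or near-miss) sits LEFT of a registrable
    #    domain that is something else entirely.  Nothing left of that domain
    #    tells you who owns it, so stop here.
    if whole == "" and any(edit_kind(brand, s) for s in subs):
        return ["subdomain spoofing"]

    # 4. Dash insertion: brand glued to filler words (amazon-india, hdfc-netbanking).
    #    A dashed part may itself carry a swap (amaz0n-deals), so report both.
    parts = sld.split("-")
    if len(parts) > 1:
        hits = [k for k in (edit_kind(brand, p) for p in parts) if k]
        if hits:
            tricks.append("dash insertion")
            tricks += [k for k in hits if k != "exact"]
    # 1-3. Single-character edits on the registrable name itself.
    elif whole and whole != "exact":
        tricks.append(whole)

    # 5. TLD switch: brand name intact under an extension the brand does not use.
    if whole == "exact" and suffix not in legit_suffixes:
        tricks.append("TLD switch")
    return tricks


def scan_feed(brand: str, legit_suffixes: set, hosts: List[str]) -> dict:
    """Filter a newly-registered-domain feed down to hosts that use a trick."""
    flagged = {}
    for host in hosts:
        tricks = classify(brand, legit_suffixes, host)
        if tricks:
            flagged[host] = tricks
    return flagged


# Constructed sample feed for demonstration; these are not real registrations.
SAMPLE_FEED = [
    "amazn.com", "amazon-india.shop", "amazon.shop", "amazon.secure-login.com",
    "www.amazon.com", "example.com", "amaz0n-deals.xyz",
]

if __name__ == "__main__":
    for host, tricks in scan_feed("amazon", {"com", "in", "co.in"}, SAMPLE_FEED).items():
        print(f"{host:28} {', '.join(tricks)}")
```

The subdomain case returns early on purpose: once the registrable domain is not the brand, the labels to its left are just text the registrant chose, so classifying them further would only add noise.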

Homograph and punycode attacks — the trick that fools the careful

Internationalized Domain Names (IDNs) allow non-Latin characters. The catch: some non-Latin characters look identical to Latin ones.

  • The visual collision: Cyrillic а (U+0430) is visually indistinguishable from Latin a (U+0061). A scammer registers аpple.com (Cyrillic а) and your browser renders it identically to apple.com.
  • Punycode defense: browsers display the encoded form (punycode) when scripts are mixed: аpple.com → xn--pple-43d.com, pаypal.com → xn--pypal-4ve.com.
  • Defense is patchy: modern browsers handle this by switching to punycode display on script mixing. The defense is uneven across browsers and platforms — a determined scammer finds character combinations that slip through.
  • Reliable defense: look up the domain rather than trust the visual. WHOIS, registration date and registrar are not faked by character substitution.

04 · IN THE WILD

Real lookalikes seen in the last twelve months

Sanitized so they don't function as a hosts list — patterns, not actionable targets:

  • Banking impersonation: hdfc-netbanking.online, sbiyono.in, icicibank-secure.top — landing pages match the real portal pixel-for-pixel.
  • E-commerce clones: flipkart-bigsale.shop, amaz0n-deals.xyz, myntra-clearance.online — paid Instagram ads pushing branded products at 80% off.
  • Logistics scams: indi4post.com, dhI-tracking.top (capital I instead of lowercase l), fedex-redelivery.shop — SMS-driven phishing for the ₹25 redelivery fee.
  • Crypto exchanges: binаnce.com (Cyrillic а), wazirx-pro.online, coinswitch-india.shop — homograph attacks on global exchanges, lookalike subdomains on Indian ones.

05 · DETECT IN 30 SECONDS

Two checks, under a minute total

  • Look up the WHOIS record: a real bank domain has been registered for 10+ years via a corporate registrar (CSC, MarkMonitor, GoDaddy Corporate). A lookalike is days or weeks old, registered through a discount registrar, with redacted contact details.
  • Compare against the brand's known domain: open the brand's verified social media or a trusted search result. The legitimate URL should match exactly — character for character, TLD included.

06 · FOR BRANDS

Proactive defense for brand owners

If you run a brand with any meaningful customer base, lookalike domains are coming for you. Three-step defensive posture:

  • Defensive registration: buy obvious variants — common typos, dashed versions, cheap TLDs (.xyz, .shop, .top). Total cost ~$60/year. Worth it.
  • Monitoring: subscribe to newly-registered-domain feeds filtered for your brand and common typos. When a lookalike appears, you usually have 24–72 hours to act before it goes live.
  • Fast takedown: pre-align legal and security on the takedown playbook — registrar abuse contact, Google Safe Browsing report, the major social platforms' ad-policy teams. Speed kills these scams.

07 · FAQ

Frequently asked questions

  • What is typosquatting? Registering domain names that are common misspellings of popular sites to catch users who mistype the real URL. A tactic since the 1990s, still one of the most reliable ways to acquire phishing traffic.
  • What is a homograph attack? Phishing using non-Latin characters (Cyrillic, Greek, etc.) that look identical to English letters, creating a domain that visually matches a real one but is technically different. Modern browsers warn via punycode display, but defense isn't perfect.
  • Is buying typo domains of my brand worth it? For any consumer-facing brand with payment flows, yes. Annual cost is trivial vs the cost of a successful phishing campaign against your customers and reputational damage of being the brand impersonated.
  • How do I tell if a URL has hidden Cyrillic characters? Copy the URL into a plain text editor or punycode converter. If the rendered form doesn't match what's in the address bar, it's a homograph. Most browsers auto-display punycode (xn--) when mixed scripts are detected.
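The punycode conversion and mixed-script test described in section 03, and the "copy it into a converter" advice in the last FAQ answer, done explicitly in code. This is an added example, not code from the post. It uses only Python's standard library: the built-in 'idna' codec (IDNA 2003) produces the xn-- form, and unicodedata supplies the script of each letter. The CONFUSABLE_TO_LATIN table is a small hand-picked subset of the Unicode TR39 confusables, an assumption that covers the Cyrillic examples on the page, not the full table.

```python
"""Homograph / punycode check for a hostname.  Added example, not the post's
own code; standard library only."""

import unicodedata

# Assumption: a tiny subset of Unicode TR39 confusables (Cyrillic and Greek
# letters that render like Latin ones).  A real check loads confusables.txt.
CONFUSABLE_TO_LATIN = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u0458": "j", "\u04bb": "h",
    "\u03bf": "o", "\u03b1": "a",
}


def to_punycode(host: str) -> str:
    """ASCII (xn--) form of `host`, label by label; ASCII hosts are unchanged.
    This is the form the DNS actually resolves and what browsers fall back to
    when they detect script mixing."""
    return host.encode("idna").decode("ascii")


def scripts_in(label: str) -> set:
    """Scripts used by the letters of one label, taken from the first word of
    each character's Unicode name ('LATIN', 'CYRILLIC', 'GREEK', ...).
    Digits and hyphens carry no script and are skipped."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}


def is_mixed_script(host: str) -> bool:
    """True if any single label mixes scripts, e.g. Cyrillic а inside 'pple'."""
    return any(len(scripts_in(label)) > 1 for label in host.split("."))


def skeleton(host: str) -> str:
    """Fold confusable characters to their Latin look-alikes."""
    return "".join(CONFUSABLE_TO_LATIN.get(ch, ch) for ch in host.lower())


def impersonates(host: str, brand_host: str) -> bool:
    """True when `host` is not the brand's domain but looks identical to it
    once confusables are folded, i.e. a homograph of `brand_host`."""
    return host != brand_host and skeleton(host) == brand_host


def homograph_report(host: str) -> dict:
    """Everything a 'paste it into a punycode converter' check reveals."""
    ascii_form = to_punycode(host)
    return {
        "host": host,
        "punycode": ascii_form,
        "is_idn": ascii_form != host,
        "mixed_script": is_mixed_script(host),
        "non_ascii": [f"U+{ord(ch):04X} {unicodedata.name(ch, '?')}"
                      for ch in host if ord(ch) > 127],
    }


if __name__ == "__main__":
    # Constructed samples: the page's two examples plus a plain ASCII control.
    for sample in ("\u0430pple.com", "p\u0430ypal.com", "apple.com"):
        print(homograph_report(sample))
```

The report lists every non-ASCII code point by name, which is the quickest way to see that an "a" was really U+0430 CYRILLIC SMALL LETTER A; the mixed_script flag mirrors the heuristic browsers use to decide when to show the xn-- form, and skeleton folding catches a whole-label Cyrillic spelling that a mixed-script test alone would miss.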