How to detect typosquatting of your brand domain
// published 2026-04-17
Typosquatting is when somebody registers a domain that looks like yours — g00gle.com, microsft.com, paypa1.com — and uses it to phish your users or your staff. The cost of finding out the hard way is a credential leak. The cost of checking proactively is one browser tab.
The three families of cousin domains
- Typo-squats: one-character keyboard swaps (goolge.com), dropped letters (gogle.com), doubled letters (googgle.com), adjacent-key replacements (foofle.com).
- Homoglyphs: Latin characters that look like other characters — 0/o, 1/l/i, rn/m, vv/w. Users will skim right past them.
- TLD swaps: same SLD, different TLD. yourbrand.co, yourbrand.cc, yourbrand.xyz. Cheap to register, trivial to stand up.
The signal that actually matters
Registering a typosquat costs someone $10 and usually means nothing. Serving DNS for it, by pointing it at a real IP or accepting mail at it, is where intent shows up. Look for:
- A record present — the cousin resolves to a real IP. Something is hosted there.
- MX records present — this is the strongest signal. Whoever set this up is prepared to receive email. That's a phishing front waiting to launch (or already active).
- Valid TLS cert in CT logs — they've gone to the trouble of issuing HTTPS. Takes active setup, not just a DNS panel.
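A sketch of the variant generation and signal ranking described above, added here as an example and not the Typosquat Watcher's code. It makes one edit per variant and treats only same-row QWERTY neighbours as adjacent; the signal weights and the `lookup` callback are assumptions, and the probe results are constructed.

```python
# Added example, not the Watcher tool's code. WEIGHTS and lookup() are assumptions.
ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm")
GLYPHS = [("o", "0"), ("0", "o"), ("l", "1"), ("l", "i"), ("i", "1"), ("i", "l"),
          ("1", "l"), ("m", "rn"), ("rn", "m"), ("w", "vv"), ("vv", "w")]
TLDS = ("co", "cc", "xyz")                    # the cousin TLDs named above
WEIGHTS = {"mx": 4, "ct": 2, "a": 1}          # assumed: MX alone outranks A + CT

def cousins(domain):
    """Return {variant: family}, one edit per variant, for the three families."""
    domain = domain.lower()
    sld, tld = domain.split(".", 1)
    out = {}
    def add(label, family, suffix=tld):
        name = f"{label}.{suffix}"
        if label and name != domain:          # skip empty labels and the brand itself
            out.setdefault(name, family)

    for i, ch in enumerate(sld):
        add(sld[:i] + sld[i + 1:], "typo")                  # dropped letter
        add(sld[:i] + ch + sld[i:], "typo")                 # doubled letter
        if i + 1 < len(sld):                                # swapped neighbours
            add(sld[:i] + sld[i + 1] + ch + sld[i + 2:], "typo")
        for row in ROWS:                                    # adjacent key, same row
            k = row.find(ch)
            if k >= 0:
                for near in row[max(k - 1, 0):k] + row[k + 1:k + 2]:
                    add(sld[:i] + near + sld[i + 1:], "typo")
        for src, dst in GLYPHS:                             # look-alike substitution
            if sld.startswith(src, i):
                add(sld[:i] + dst + sld[i + len(src):], "homoglyph")
    for t in TLDS:
        add(sld, "tld-swap", t)
    return out

def triage(variants, lookup):
    """lookup(name) -> {"a": bool, "mx": bool, "ct": bool} from your DNS/CT client."""
    live = []
    for name, family in variants.items():
        found = lookup(name)
        score = sum(w for sig, w in WEIGHTS.items() if found.get(sig))
        if score:                             # registered-only cousins are dropped
            live.append((score, name, family))
    return sorted(live, reverse=True)

# Constructed probe results for illustration; not real DNS data.
SAMPLE = {"y0urbrand.com": {"a": True, "mx": True},
          "yourbrand.co": {"a": True, "ct": True},
          "yourbrnd.com": {"a": True}}
RANKED = triage(cousins("yourbrand.com"), lambda name: SAMPLE.get(name, {}))
```

Back `lookup` with whatever DNS and certificate-transparency client you already use; the ranking logic does not change.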
How to find them in bulk
You could check each variant by hand (dig, nslookup, one at a time), or you can paste your domain into the Impersonation / Typosquat Watcher. It generates 120+ cousin variants, fires parallel DNS + MX probes, and shows you only the ones that are live.
The tool runs in ~5 seconds for the basic check. The deep scan (which also queries crt.sh for TLS certs on every variant) takes ~30 seconds and catches more.
What to do when you find live cousins
- Document. Screenshot the audit page. Note the registered_on date (WHOIS) and who's hosting them.
- Defensive registration for the most dangerous 2-3 variants. Yes, it's annoying. Yes, it's cheaper than a breach. Focus on keyboard-adjacent typos of your brand and the top 3 cousin TLDs.
- UDRP / URS filing if somebody's actively squatting with bad faith. ICANN has the procedure — slow, but works.
- Brand-monitoring subscription (MarkMonitor, BrandShield) for ongoing coverage if you're a named target. The Typosquat Watcher is a great free tool; if the risk is existential, you want paid continuous monitoring too.
Run the check now: /tools/impersonation-watcher. Paste your brand, see what's out there.