Typosquatting monitoring
Typosquatting monitoring for authorized domains.
Splorix detects registered lookalike domains around root domains you own or are authorized to assess, so your team can triage brand impersonation before it reaches customers.
- Configurable TLD extensions. Choose up to 30 extensions per authorized root domain. Defaults: com, org, net.
- Permutation-based detection. Splorix generates lookalike candidates with dnstwist and surfaces how each registered domain was fuzzed.
- Similarity and IP context. Review similarity scores when available plus resolved A/AAAA addresses to prioritize suspicious registrations.
- Built into your scan pipeline. Typosquatting runs alongside external attack surface monitoring after subdomain discovery.
What is typosquatting?
Lookalike domains that abuse trust in your brand.
Typosquatting is when attackers register domains that look like a trusted brand through misspellings, separator tricks, homoglyphs, wrong TLDs, or subtle character swaps. Victims may land on phishing pages, malware downloads, or fake login flows without noticing the difference.
Why it matters
Adjacent risk that shows up outside your owned perimeter.
Typosquatting is not a vulnerability inside your app stack, but it can become customer-facing fraud, phishing, and incident work just as fast.
Phishing and credential theft
Lookalike domains are a common path to fake sign-in pages, payment flows, and support portals that harvest customer data.
Brand and customer trust
Impersonation erodes confidence fast. Teams often learn about abuse from customers, partners, or fraud teams, not from proactive monitoring.
Fraud and business impact
Typosquatting can support invoice fraud, fake promotions, and malicious redirects that target employees and end users alike.
Costly incident response
Takedowns, legal escalation, and communication work are far more expensive than catching risky registrations early.
How Splorix works
From extension config to registered lookalike review.
Typosquatting monitoring is part of the same workspace workflow as subdomain discovery, vulnerability scanning, and security issue tracking.
Configure extensions for each root domain
Pick the TLD extensions that matter to your brand, up to 30 per authorized root domain. Changes apply on the next scan.
Run inside the attack surface pipeline
After subdomain discovery, Splorix queues typosquatting scans for the root domain and discovered targets in your authorized scope.
Generate and check permutations
A dedicated scanner uses dnstwist fuzzers to propose lookalike candidates, then keeps only domains that are actually registered.
Review registered lookalikes
Inspect domain, permutation type, similarity score when available, and A/AAAA IP addresses. Filter by permutation and switch between root or subdomain scope.
Iterate on the next scan
Update your extension list as your brand footprint changes. The workspace keeps results tied to the latest completed scan for each target.
Permutation types
Understand how a lookalike was generated.
Splorix labels each registered result with the fuzzer that produced it so analysts can prioritize the patterns that match your brand risk.
Omission
A letter is dropped from the brand name, creating a domain that still looks plausible at a glance.
Insertion
Extra characters are added inside the hostname to mimic common typing mistakes.
Homoglyph
Visually similar Unicode characters stand in for Latin letters, making the domain harder to spot.
Hyphenation
Separators or support-style words split the brand into a domain that reads like an official portal.
TLD swap
The same label is registered on an unexpected extension such as .net, .co, or a regional TLD.
Bitsquatting
Single bit flips in the hostname can produce valid-looking domains that differ by one character.
Transposition
Adjacent letters are swapped, matching how users mistype familiar brand names.
Replacement
Characters are substituted with visually similar alternatives such as zero for the letter o.
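One way to reproduce this labelling when triaging results by hand, as an added example (not Splorix or dnstwist code): a small Python classifier that compares an observed domain with a protected one and names the permutation type. The function names, the `other` and `identical` labels and the sample domains are assumptions made for illustration; inputs are taken to be registrable domains in Unicode form, and only the separator form of hyphenation is recognised.

```python
# Added example: label an observed lookalike with the permutation type
# (names from the list above) that relates it to a protected domain.
# Assumes registrable domains in Unicode form ("label.suffix", no subdomains).

def split_domain(domain):
    """'example.co.uk' -> ('example', 'co.uk'); the first label is the brand."""
    label, _, suffix = domain.lower().partition(".")
    return label, suffix

def drop_one(s):
    """All strings obtained by deleting exactly one character from s."""
    return {s[:i] + s[i + 1:] for i in range(len(s))}

def classify(brand, candidate):
    b, b_tld = split_domain(brand)
    c, c_tld = split_domain(candidate)
    if c == b:
        return "tld-swap" if c_tld != b_tld else "identical"
    if not c.isascii():
        return "homoglyph"        # heuristic: any non-ASCII character in the label
    if c.replace("-", "") == b.replace("-", ""):
        return "hyphenation"      # only separators differ
    if len(c) == len(b) - 1 and c in drop_one(b):
        return "omission"
    if len(c) == len(b) + 1 and b in drop_one(c):
        return "insertion"
    if len(c) == len(b):
        diff = [i for i in range(len(b)) if b[i] != c[i]]
        if (len(diff) == 2 and diff[1] == diff[0] + 1
                and b[diff[0]] == c[diff[1]] and b[diff[1]] == c[diff[0]]):
            return "transposition"
        if len(diff) == 1:
            x = ord(b[diff[0]]) ^ ord(c[diff[0]])
            # exactly one differing bit -> bitsquatting, otherwise replacement
            return "bitsquatting" if x & (x - 1) == 0 else "replacement"
    return "other"

# Constructed sample inputs around the reserved name example.com.
SAMPLES = ["exmple.com", "exaample.com", "exmaple.com", "exalple.com",
           "examp1e.com", "ex-ample.com", "example.net", "ex\u0430mple.com"]

def label_all(brand, candidates):
    """Map each candidate domain to its permutation label."""
    return {d: classify(brand, d) for d in candidates}

if __name__ == "__main__":
    for domain, kind in label_all("example.com", SAMPLES).items():
        print(f"{kind:14} {domain}")
```

The bitsquatting branch shows why that label overlaps with replacement: `m` and `l` differ in a single bit, while `l` and `1` differ in several, so the second is reported as a replacement.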
Improve domain security
Actions and playbooks beyond the scan results.
Monitoring is the starting point. These steps help security, IT, and brand teams reduce typosquatting impact on domains you protect.
Monitor registered lookalikes continuously
Use recurring Splorix scans to catch new registrations around authorized root domains and subdomains before they reach customers.
Prioritize the TLDs your brand actually uses
Configure the extensions where impersonation would hurt most, up to 30 per domain, and revisit the list when you launch in new markets.
Triage and escalate high-risk domains
Combine permutation type, similarity, and IP context to decide which lookalikes need registrar abuse reports, takedown, or legal review.
Train users to spot lookalike links
Reinforce checks for subtle typos, support domains with separators, and unexpected TLDs, especially in email and mobile browsers.
Harden official domain controls
Strengthen SPF, DKIM, and DMARC on domains you own, monitor certificate transparency, and register defensive variants where practical.
Document an impersonation response playbook
Define who owns triage, customer communication, evidence collection, and takedown steps when a lookalike goes live.
Get started
Add typosquatting monitoring to your authorized domains.
$1 for a 3-day trial on your first eligible root domain, then $99/month per root domain slot. Cancel anytime during the trial.