Typosquatting is a cyberattack technique based on registering internet domains that closely resemble the addresses of popular sites — differing by one letter, transposition of characters, or substitution of homoglyphs. Although the method has been known for years, in 2026 it remains one of the most effective and cheapest phishing attack vectors, responsible for a significant portion of credential theft in Polish and European organizations.
What Is Typosquatting
The name "typosquatting" combines "typo" (a typographical error) and "squatting" (occupying without right). Attackers register domains that users might accidentally type, counting on part of the traffic intended for a legitimate service reaching their page instead. The technique is as old as the internet — the first documented cases were described in the 1990s — but its effectiveness has not diminished, and in fact increases in the era of remote work and mobile devices.
Examples of typosquatting domains illustrate the scale of the problem: gacebook.com (instead of facebook.com), micros0ft.com (zero instead of the letter "o"), paypa1.com (digit 1 instead of the letter "l"), gooogle.com (extra "o"). Each of these domains can serve as a front for a fake login page or a malware distribution site. In Poland, campaigns impersonating banks, shopping portals, and tax systems are particularly active and consistently reported by CERT Polska as a leading phishing vector.
The effectiveness of typosquatting stems from the limitations of human visual perception. The human brain during reading processes words holistically rather than character by character. Research in cognitive psychology shows that a one-character difference in a URL escapes the attention of the average user in more than 80% of cases, particularly when under time pressure or acting routinely — exactly the conditions of daily workplace activity.
How a Typosquatting Attack Works
A typical attack unfolds in several stages. First, the attacker registers a domain — the cost of registering a .com domain is just a few dollars per year, making this method exceptionally low-cost even for mass registration of dozens of variants. They then create a cloned login page, visually identical to the original: the same layout, logo, colors, and content.
Once the page is live, the attacker waits for organic traffic from typos or actively directs victims to the fake domain through email campaigns, search engine advertisements, or social media links. When a user enters their login credentials, they go directly to the attacker, and the user is often redirected to the real site, unaware that they have just fallen victim to an attack.
Variants of this technique include phishing emails sent from typosquatted domains (e.g., @micros0ft.com instead of @microsoft.com), malware distribution pages (where instead of a login form a fake software update notification appears), and advertising fraud where typosquatted domains generate ad revenue at the expense of legitimate brand owners. Real-time phishing proxies can even intercept MFA codes, making SMS-based two-factor authentication insufficient as a sole protection measure.
Threats to Organizations
Credential theft is the direct and most serious consequence of a successful typosquatting attack. An employee who logs into a fake page impersonating a Microsoft 365 panel, Entra ID, VPN system, or corporate banking platform hands their login credentials directly to the attacker. Even if the organization has implemented MFA, some MFA mechanisms (e.g., SMS OTP) can be vulnerable to real-time phishing proxy attacks that intercept the one-time code.
It is worth emphasizing that DMARC, DKIM, and SPF — mechanisms protecting against impersonation of an organization's domains — do not protect against typosquatting. DMARC verifies whether an email comes from an authorized server for the domain @mycompany.com. If an attacker uses the domain @myc0mpany.com (zero instead of "o"), DMARC cannot prevent it, because that is a separate, legitimately registered domain with its own email infrastructure.
The consequences for organizations can be far-reaching: compromise of AD or M365 accounts leads to further lateral movement and privilege escalation, customer data leaks generate GDPR liability and loss of trust, and ransomware infection from a fake malware distribution page can paralyze an entire company's operations. Reputational damage is difficult to repair, especially when customers fall victim to attacks on fake pages impersonating the organization's brand.
How to Protect Your Organization
Protection against typosquatting operates on several levels simultaneously.
Proactive Domain Registration
The most effective method is registering the most common typosquatting variants of your own domain before attackers do. For "example.com" it is worth considering: exmaple.com, exampl.com, exxample.com, common homoglyph substitutions, and relevant country-code TLD variants. The registration costs are incomparably smaller than incident response costs.
Domain Monitoring and DNS Filtering
Tools such as DomainTools, WhoisFreaks, or dnstwist enable continuous monitoring of domain registrations similar to your brand. DNS filters (Cisco Umbrella, Cloudflare Gateway, NextDNS) block access to known malicious domains at the name resolution level, before the browser establishes a connection to the server. This is an effective protection layer particularly for remote employee devices operating outside the corporate network perimeter.
ExColo Recommendation: NextDNS
For maximum protection against typosquatting at the network level, ExColo recommends using NextDNS. It is a modern DNS Firewall that blocks malicious domains in real-time.
Get a special offerIdentity Security
Implementing strong multi-factor authentication and Conditional Access means that a stolen password alone is not sufficient to take over an account. Phishing-resistant MFA methods (FIDO2/passkeys, certificates) cannot be intercepted by fake pages, because the cryptographic key is bound to a specific domain origin. This is a fundamental change from passwords and SMS OTP, which remain vulnerable to real-time phishing proxies.
Employee Education
Regular training should teach URL verification before entering login credentials, using bookmarks for critical systems, reporting suspicious links to the IT department, and recognizing common typosquatting techniques. Phishing simulations help measure and raise the level of awareness in the organization, providing concrete metrics to track improvement over time.
How ExColo Can Help
ExColo offers comprehensive support in protecting against domain-based attacks. In the area of identity security, we help implement phishing-resistant MFA, configure Conditional Access, and harden Active Directory to limit the impact of credential theft when it does occur.
We conduct domain exposure audits, identifying registered typosquatting domains targeting your organization. We help develop a monitoring and response process for new registrations, including notification workflows and takedown procedures. We train employees and IT departments in recognizing and responding to typosquatting attacks through scenario-based workshops.
Do not wait for an incident — take the first step: contact ExColo.
