Most explanations of domain phishing describe it from the outside: here are the attack types, here is how they look, here is how to avoid them. This guide takes a different approach. To defend against domain phishing effectively, you need to understand how an attacker thinks through the operation: what decisions they make, what tools they use, how cheap and fast it is, and what constraints they are working within. That understanding changes how you defend.
The economics are the starting point. In 2025, WIPO handled 6,200 domain name disputes, the highest number on record and a 68 percent increase since 2020. A single study of top websites found more than 28,000 fake lookalike domains actively registered. Automated tools generate thousands of domain permutations for any target in seconds. Registration costs under fifteen dollars each. An attacker can secure hundreds of convincing lookalike domains for the cost of a laptop accessory, obtain HTTPS certificates for all of them in minutes using free automated CAs, and have an operational phishing infrastructure running before a victim’s security team has been notified.
This guide walks through the attacker’s operational playbook in four phases, identifies the defender’s intervention point at each phase, covers the attack techniques that have evolved beyond simple typosquatting, and provides actionable protection measures for both organizations and individuals.
Phase 1: Target Selection and Domain Intelligence
An attacker running a domain phishing campaign does not randomly pick targets. The selection is driven by return on investment: which targets yield the highest value credentials or redirect victims toward the most profitable actions?
Research from Zscaler covering February to July 2024 found that Google was targeted in 28.8 percent of typosquatting attempts, Microsoft in 23.6 percent, and Amazon in 22.3 percent. These three alone account for nearly 75 percent of all typosquatting activity. The concentration makes sense: Google, Microsoft, and Amazon credentials provide access to cloud infrastructure, corporate email, and payment systems. A single set of credentials from any of these services has higher downstream value than credentials from a smaller target.
Attackers also focus on industry-specific targets based on campaign objectives. A campaign targeting financial fraud focuses on bank and payment processor domains. A campaign targeting corporate network access focuses on VPN portals and identity provider login pages. A supply chain attack targets software vendors and developer tools where a convincing domain can deliver malicious packages.
What attackers research before registering
- The target domain’s WHOIS information to understand registration patterns and identify the registrar
- Certificate Transparency logs showing what domains and subdomains the target has issued certificates for, revealing the full scope of their legitimate infrastructure
- DNS records showing mail servers, CDN configurations, and subdomains that can be mimicked
- The target’s login page design, password reset flows, and email communication style for building convincing clones
- Whether the target monitors their brand through CT log alerts or WHOIS monitoring, which affects how long the attack can operate before detection
Certificate Transparency logs are a dual-use tool. Attackers use them to map a target’s legitimate certificate infrastructure, identifying every subdomain the target uses for services, portals, and systems. Defenders use the same logs to monitor for certificates being issued for look-alike domains, which reveals attacker infrastructure before it is operationally active. Both sides have access to the same public data; the advantage goes to whoever responds faster.
Phase 2: Domain Generation, Technique Selection, and Registration
Once a target is selected, the attacker chooses which domain impersonation techniques to deploy. Several distinct techniques exist, each with different evasion properties and detection difficulty.
Typosquatting: exploiting input errors
Typosquatting registers domains that are common misspellings of the target. Single-character edits produce the most common variants: gooogle.com (doubled letter), googel.com (transposition), gogle.com (missing letter), googlee.com (added letter), along with substitutions of keys that sit next to each other on the keyboard. These domains capture traffic from users who mistype the URL directly into the browser address bar. They are the lowest-sophistication technique and the easiest to detect because the variations follow predictable patterns.
Tools like dnstwist automate this completely: given any input domain, they generate hundreds of typo permutations, check which are registered, and return the results. Attackers use the same tools to enumerate profitable unregistered variations. Defenders use them to proactively monitor or pre-register high-risk variants before attackers reach them.
Combosquatting: keyword injection
Combosquatting appends or prepends keywords to a legitimate brand name. amazon-deals.com, secure-paypal.com, microsoft-support.net, netflix-login.com. These domains do not depend on the victim mistyping; they are served as links in phishing emails, text messages, or social media posts where the full URL is displayed and the brand name appears prominently. Victims see a URL containing a trusted brand name and click without examining the full domain.
Combosquatting is more scalable than typosquatting because the keyword space is large (security, account, login, verify, update, billing, support) and the combinations are not bounded by keyboard adjacency. Research finds it is the more common technique in phishing campaigns delivered via email because the deception works when the victim sees the link, not just when they mistype.
TLD squatting: alternative extensions
Registering the target brand across different top-level domains exploits the assumption that the only legitimate domain for a brand is the .com variant. paypal.net, amazon.io, microsoft.ai, google.co each looks plausible to users who see only the brand name and a recognizable extension. The explosion of new TLDs (.ai, .io, .app, .dev, .shop, .online) has expanded the attack surface: there are now hundreds of TLD variants for any target domain.
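The three registration techniques above (typosquatting, combosquatting, TLD squatting) are mechanical enough that a defender can enumerate them for their own brand before an attacker does. The following Python is an added example written for this guide, not dnstwist's code or any tool the article describes; it builds a lookalike inventory for one domain so the output can be checked against registrations or fed to a monitoring service. The keyword list, TLD list and keyboard-adjacency table are constructed for the demo and would be tuned to the brand in practice.

```python
import string

# Constructed lists for the demo; a real inventory would use the brand's own
# product keywords and the TLDs its registrar actually offers.
COMBO_KEYWORDS = ["login", "secure", "support", "account", "verify", "billing"]
ALT_TLDS = ["net", "org", "io", "ai", "app", "co"]

# Constructed subset of QWERTY key adjacency used for fat-finger substitutions.
ADJACENT = {
    "a": "qwsz", "e": "wrsd", "g": "fhty", "l": "kop", "o": "ipkl",
    "p": "ol", "y": "tugh", "m": "njk", "i": "uojk", "n": "bhjm",
}


def split_domain(domain):
    """Split 'label.tld' into (label, tld); only single-label brand names are handled."""
    label, _, tld = domain.lower().partition(".")
    return label, tld


def typosquat_variants(label):
    """Single-edit permutations: omission, doubling, transposition, insertion
    and adjacent-key substitution. The original label is excluded."""
    out = set()
    n = len(label)
    for i in range(n):
        out.add(label[:i] + label[i + 1:])                           # missing letter
        out.add(label[:i] + label[i] + label[i:])                    # doubled letter
        if i < n - 1:
            out.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])  # transposition
        for ch in ADJACENT.get(label[i], ""):
            out.add(label[:i] + ch + label[i + 1:])                  # adjacent key
    for i in range(n + 1):
        for ch in string.ascii_lowercase:
            out.add(label[:i] + ch + label[i:])                      # added letter
    out.discard(label)
    return out


def combosquat_variants(label):
    """Brand label with a keyword appended or prepended, with and without a hyphen."""
    out = set()
    for kw in COMBO_KEYWORDS:
        out.update({f"{label}-{kw}", f"{kw}-{label}", f"{label}{kw}", f"{kw}{label}"})
    return out


def tld_variants(label, tld):
    """Same label under other top-level domains."""
    return {f"{label}.{t}" for t in ALT_TLDS if t != tld}


def lookalike_inventory(domain):
    """Return {technique: sorted candidate domains} for one brand domain."""
    label, tld = split_domain(domain)
    return {
        "typosquatting": sorted(f"{v}.{tld}" for v in typosquat_variants(label)),
        "combosquatting": sorted(f"{v}.{tld}" for v in combosquat_variants(label)),
        "tld_squatting": sorted(tld_variants(label, tld)),
    }


if __name__ == "__main__":
    inventory = lookalike_inventory("google.com")
    for technique, names in inventory.items():
        print(f"{technique}: {len(names)} candidates, e.g. {names[:4]}")
```

The inventory is deliberately over-inclusive: the point is to have a complete candidate list to diff against WHOIS or CT data, not to guess which variants an attacker would prefer.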
Homograph attacks: the invisible threat
Homograph attacks (also called IDN homoglyph attacks) replace Latin characters in a domain with visually identical characters from other Unicode scripts, particularly Cyrillic, Greek, and Armenian. The lowercase Cyrillic ‘a’ (U+0430) is visually indistinguishable from the Latin ‘a’ (U+0061). The domain pаypal.com with a Cyrillic ‘a’ looks identical to paypal.com with a Latin ‘a’. Browsers display the Punycode equivalent (xn--pypal-4ve.com) in some cases, but not consistently across all contexts.
In July 2025, Unit 42 documented a campaign where attackers substituted Cyrillic and Greek characters across multiple fields: display names, subject lines, and body content all contained character substitutions. The email subject ‘Finаnꮯiаl Տtаtеmеnt’ (with multiple substitutions) appeared visually identical to ‘Financial Statement’ to every recipient who examined it. No amount of visual inspection reveals the substitution because the characters look identical.
This is where typosquatting and homograph attacks differ fundamentally. Typosquatting depends on victim error: the victim types the wrong URL. Homograph attacks work even when victims click carefully on a correctly displayed link, because the substitution is invisible. User training cannot address homograph attacks: there is nothing visible to train against.
Homograph attacks exploiting Punycode are the most dangerous domain impersonation technique because they defeat visual inspection entirely. The only reliable defenses are browser-level homograph detection (which modern Chrome and Firefox implement for common substitutions but not all), organizational controls that block navigation to known punycode domains, and email filtering that normalizes Unicode and checks for homoglyph substitutions before delivering messages. Neither user awareness nor URL inspection provides protection against a well-constructed homograph attack.
| Technique | How victim encounters it | Detectable by visual inspection? | Scale of automation | Primary defense layer |
| --- | --- | --- | --- | --- |
| Typosquatting | Mistypes URL directly into browser | Yes, if URL is visible | Fully automated; hundreds of variants per target | Pre-register variants; browser warnings; URL training |
| Combosquatting | Clicks link in phishing email/message | Partially: brand name visible, attacker suffix may be missed | Fully automated; keyword space is large | Email filtering; link hover checking; user awareness |
| TLD squatting | Clicks link; sees brand name with unfamiliar TLD | Partially: known brands with .net/.io may mislead | Fully automated | Brand monitoring; register key TLD variants |
| Homograph attack | Clicks link that appears correct visually | No: characters are visually identical to legitimate domain | Partially automated; character tables encoded in tools | Browser homoglyph detection; Unicode normalization in email filtering; punycode display in security tools |
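The Certificate Transparency monitoring described in Phase 1 and the homograph detection described in this section come together in the same piece of tooling: a CT feed delivers names in their xn-- form, and the defender has to decode them, map confusable characters back to Latin, and decide whether the result imitates the brand. The Python below is an added example written for this guide, not the article's own tooling and not the code of crt.sh or any monitoring product. It triages constructed records shaped like crt.sh JSON output against an assumed protected domain; the confusables table is a small hand-picked subset of the Unicode TR39 data, and BRAND and CT_RECORDS are demo values.

```python
import unicodedata

BRAND = "paypal.com"  # protected domain (assumed for the demo)

# Constructed subset of the Unicode TR39 confusables data: look-alike -> Latin.
CONFUSABLES = {
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0443": "y",  # CYRILLIC SMALL LETTER U
    "\u03bf": "o",  # GREEK SMALL LETTER OMICRON
    "\u03c1": "p",  # GREEK SMALL LETTER RHO
}

# Constructed records shaped like crt.sh JSON output; SANs are newline-packed there.
CT_RECORDS = [
    {"name_value": "paypal.com\nwww.paypal.com", "issuer_name": "O=Example CA", "not_before": "2025-07-01T10:00:00"},
    {"name_value": "xn--pypal-4ve.com", "issuer_name": "O=Example CA", "not_before": "2025-07-02T08:15:00"},
    {"name_value": "secure-paypal.com", "issuer_name": "O=Example CA", "not_before": "2025-07-02T09:40:00"},
    {"name_value": "paypa1.com", "issuer_name": "O=Example CA", "not_before": "2025-07-03T11:05:00"},
    {"name_value": "paypal.io", "issuer_name": "O=Example CA", "not_before": "2025-07-03T12:30:00"},
    {"name_value": "example.org", "issuer_name": "O=Example CA", "not_before": "2025-07-04T07:00:00"},
]


def to_punycode(domain):
    """Unicode domain -> ASCII-compatible xn-- form, which is what CT logs and DNS carry."""
    return domain.encode("idna").decode("ascii")


def to_unicode(domain):
    """xn-- form -> Unicode so confusable characters can be examined; plain ASCII passes through."""
    return domain.encode("ascii").decode("idna") if "xn--" in domain else domain


def skeleton(domain):
    """Replace each confusable with its Latin look-alike (a TR39-style skeleton)."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in unicodedata.normalize("NFKC", domain))


def scripts(domain):
    """Unicode scripts present in the name, taken from the first word of each character name."""
    return sorted({unicodedata.name(ch, "UNKNOWN").split()[0] for ch in domain if ch.isalpha()})


def edit_distance(a, b):
    """Levenshtein distance, used to catch single-edit typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(ct_name, brand=BRAND):
    """Classify one certificate subject name relative to the protected brand domain."""
    name = to_unicode(ct_name.lower().lstrip("*."))  # wildcard certs appear as *.example
    brand_label = brand.split(".")[0]
    if name == brand or name.endswith("." + brand):
        return "legitimate"
    sk = skeleton(name)
    if sk != name and (sk == brand or brand_label in sk):
        return "homograph"  # resembles the brand only after confusable mapping
    label = name.split(".")[0]
    if edit_distance(label, brand_label) == 1:
        return "typosquat"
    if label == brand_label:
        return "tld_squat"
    if brand_label in label:
        return "combosquat"
    return "unrelated"


def triage(records, brand=BRAND):
    """Alerts for every certificate name that is neither the brand's own nor unrelated."""
    alerts = []
    for rec in records:
        for name in rec["name_value"].split("\n"):
            verdict = classify(name, brand)
            if verdict not in ("legitimate", "unrelated"):
                uni = to_unicode(name)
                alerts.append({"name": name, "unicode": uni, "verdict": verdict,
                               "scripts": scripts(uni), "not_before": rec["not_before"]})
    return alerts


if __name__ == "__main__":
    for alert in triage(CT_RECORDS):
        print(alert)
```

The `scripts` field is what a browser's mixed-script heuristic keys on; the `skeleton` comparison is what catches a whole-label substitution that a mixed-script check alone would not flag. Both are needed, and the full TR39 confusables table is considerably larger than the subset shown here.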
Phase 3: Infrastructure Setup and Legitimacy Signals
Once domains are registered, attackers configure the infrastructure. The goal is maximum visual and technical legitimacy, which means replicating every trust signal the real site presents.
HTTPS certificates: the padlock is not a trust signal
Over 90 percent of phishing sites in 2025 have valid HTTPS certificates and display the padlock. Free automated CAs issue DV certificates to any domain that passes an automated domain control check. The check confirms control of the domain, not legitimacy of the site. A phisher registers pаypal-security.com (with or without homograph substitution), runs the ACME challenge, and has a certificate with a padlock in under five minutes.
The padlock has not indicated a safe site for years. It indicates the connection is encrypted. An encrypted connection to a phishing site is still a phishing site. This is one of the most consequential user misconceptions in web security, and it is actively exploited at scale in domain phishing infrastructure.
Visual cloning of the legitimate site
Attackers clone the legitimate site’s visual design: same layout, same logo, same color scheme, same login form structure. Tools that automate website cloning can replicate the visual appearance of any public-facing site in minutes. The clone looks identical to the legitimate site to users who are not checking the URL carefully.
The clone does not need to be fully functional. It needs only to capture the specific data the attacker wants: username and password for credential harvesting, payment card details for financial fraud, or the click on a malicious download link. Everything else can be a static replica.
Email infrastructure for delivery
Effective phishing campaigns require delivery infrastructure that can bypass spam filters. Attackers configure SPF, DKIM, and DMARC for the lookalike domain, making the email appear technically legitimate from the sending domain’s perspective. The domain passes all email authentication checks because it is a legitimately registered and configured domain. The authentication confirms the email came from the attacker’s authorized sending infrastructure; it cannot confirm the email is not phishing.
Fast-flux DNS techniques rotate the IP addresses associated with phishing domains rapidly, making blocklist-based defenses ineffective: the IP is already rotated before the blocklist can be updated. CISA issued a formal advisory in April 2025 identifying fast-flux as a national security threat for exactly this reason.
Phase 4: Victim Delivery and Exploitation
Domain phishing infrastructure is operationally worthless without victims. Attackers use several delivery mechanisms, each suited to different targets and campaign types.
Email phishing with lookalike links
Email is the most common delivery mechanism. Emails contain links to the lookalike domain, often with the legitimate brand name visible in the link text or in the display URL, while the actual href points to the phishing domain. Email security filters analyze the href, not the display text, so the real domain is what must be evaluated.
Spear phishing targets specific individuals with personalized content derived from OSINT research. The attacker knows the target’s role, their relationships, their email communication patterns, and the specific system they are being directed to. A spear phishing email to a finance director referencing a real colleague’s name and a plausible business scenario is significantly more effective than a mass phishing email. Domain phishing infrastructure provides the landing page that makes the spear phishing email convincing.
Organic search misnavigation
Attackers optimize lookalike domains for search engine visibility on queries that users make when trying to find the legitimate site. A user who searches for ‘paypal login’ or ‘amazon account sign in’ may click an attacker-controlled result that ranks for these queries. The user has not received a phishing email and is not following a suspicious link; they used a search engine and clicked what appeared to be a relevant result.
Social media and messaging
Shortened URLs and inline links in social media posts and messaging applications obscure the real destination. A link shared in a WhatsApp group, a Discord server, or a Twitter thread that shortens to a recognizable brand name phrase can route to a phishing domain. The trust context of the platform (a message from someone in a trusted group) lowers the recipient’s vigilance toward the link destination.
The Defender’s Playbook: Interrupting Each Phase
Each phase of the attacker’s operation has a corresponding defensive intervention. The most cost-effective defenses address early phases, when the attack infrastructure is being assembled, rather than late phases, when victims are already being targeted.
| Attack Phase | Attacker Action | Defender Interruption | Tools and Methods |
| --- | --- | --- | --- |
| Target selection | Research brand’s domain footprint via CT logs and DNS | Monitor CT logs for certificates issued for your brand name or lookalike domains | crt.sh, Cert Spotter, commercial CT monitoring; alert on new certificates containing your brand string |
| Domain registration | Register lookalike and typosquatting variants | Monitor domain registrations for brand-containing strings; pre-register high-risk variants | WHOIS monitoring services; dnstwist for variant inventory; proactive registration of .net/.org/.io variants |
| Infrastructure setup | Obtain HTTPS certificate; clone site; configure email | Flag newly registered domains with fresh DV certificates hosting login-page clones | Secure DNS (filtering that blocks newly registered domains); certificate transparency monitoring |
| Victim delivery | Send phishing emails; run malicious ads; post links | Email gateway filtering with URL analysis; user training on URL inspection; browser isolation | Anti-phishing email gateways; DMARC monitoring; browser-level homoglyph detection; DNS filtering |
| Credential capture | Harvest submitted credentials from clone site | Detect when credentials are submitted to non-sanctioned domains; monitor dark web for credential exposure | CASB; credential monitoring services; dark web monitoring for organizational domain credentials |
Personal Protection: What Individuals Can Do
Organizational controls address the infrastructure and delivery layers. Individual behavior determines whether those controls are sufficient when a phishing attempt reaches a person.
Inspect the full URL, not just the display text
The display text in a link can say anything. The href attribute is what the browser follows. Before clicking any link in an email, hover over it and read the full URL displayed in the browser status bar. The actual destination domain is what matters. Check that the domain name is exactly the legitimate domain, not a variant with an extra character, a different TLD, or a keyword appended.
Use bookmarks for high-value destinations
Banking sites, payment portals, corporate VPN login pages, and any site where you regularly enter sensitive credentials should be bookmarked. Navigate to these sites only through the bookmark. This eliminates both the typo risk from manual URL entry and the risk of clicking a link in an email that routes to a lookalike domain. The padlock and HTTPS are irrelevant; you reached the site through a bookmarked URL and can verify the domain against the bookmark.
Enable multi-factor authentication with phishing-resistant methods
OTP-based MFA (TOTP, SMS codes) does not protect against real-time adversary-in-the-middle phishing. An attacker running a lookalike login page can forward credentials and OTP codes to the real site in real time, capturing a valid session. FIDO2 hardware keys and passkeys are phishing-resistant: the credential is cryptographically bound to the legitimate domain’s origin, and the authentication computation will fail for any domain other than the one the credential was registered for. A FIDO2 credential registered for paypal.com cannot be used to authenticate to pаypal.com, even if the Cyrillic substitution makes the domains visually identical.
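The origin binding that makes FIDO2 phishing-resistant is enforced in two places: the browser fills in the origin the user is actually on and refuses an rpId that does not belong to that origin, and the relying party checks the origin and the rpIdHash before it even looks at the signature. The Python below is an added example written for this guide, not the article's code and not a WebAuthn library; it models both sides for the assumed relying party paypal.com and shows why an assertion produced on the Cyrillic look-alike (xn--pypal-4ve.com) can never satisfy the legitimate server. Signature generation and verification are omitted so the domain checks stand out; RP_ID and ALLOWED_ORIGINS are demo values.

```python
import base64
import hashlib
import hmac
import json
import os

RP_ID = "paypal.com"  # assumed relying party ID the credential was registered for
ALLOWED_ORIGINS = {"https://paypal.com", "https://www.paypal.com"}  # assumed


def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def new_challenge():
    """Server-generated, single-use challenge tied to one login session."""
    return b64url(os.urandom(32))


def simulate_browser(origin, challenge, requested_rp_id):
    """Model of the browser side of navigator.credentials.get().

    The browser, not the page, records the origin the user is really on, and it
    refuses an rpId that is not the page's host or a parent domain of it. A page
    on a look-alike domain therefore cannot even ask for the real RP ID. The
    authenticator signature over these bytes is omitted in this model."""
    host = origin.split("://", 1)[1].split("/", 1)[0]
    if not (host == requested_rp_id or host.endswith("." + requested_rp_id)):
        raise ValueError(f"rpId {requested_rp_id!r} is not valid for origin {origin}")
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge, "origin": origin})
    rp_id_hash = hashlib.sha256(requested_rp_id.encode("ascii")).digest()
    return {"clientDataJSON": b64url(client_data.encode("utf-8")), "rpIdHash": b64url(rp_id_hash)}


def verify_assertion(response, expected_challenge, rp_id=RP_ID, allowed_origins=ALLOWED_ORIGINS):
    """Relying-party checks that bind the credential to the legitimate domain.

    Returns (ok, reason). In a full implementation the signature over
    authenticatorData || SHA-256(clientDataJSON) is verified after these checks."""
    client_data = json.loads(b64url_decode(response["clientDataJSON"]))
    if client_data.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if not hmac.compare_digest(client_data.get("challenge", ""), expected_challenge):
        return False, "challenge mismatch"
    origin = client_data.get("origin")
    if origin not in allowed_origins:
        return False, f"origin {origin} is not the relying party"
    expected_hash = hashlib.sha256(rp_id.encode("ascii")).digest()
    if not hmac.compare_digest(b64url_decode(response["rpIdHash"]), expected_hash):
        return False, "rpIdHash does not match the registered RP ID"
    return True, "ok"


if __name__ == "__main__":
    challenge = new_challenge()
    genuine = simulate_browser("https://www.paypal.com", challenge, RP_ID)
    print(verify_assertion(genuine, challenge))
    # Look-alike origin: paypal.com with a Cyrillic a, shown in its xn-- form.
    lookalike = simulate_browser("https://xn--pypal-4ve.com", challenge, "xn--pypal-4ve.com")
    print(verify_assertion(lookalike, challenge))
```

In a real deployment the look-alike page would fail even earlier: the authenticator scopes each credential to the RP ID it was registered under, so the browser on xn--pypal-4ve.com would find no paypal.com credential to use. The server-side checks shown here are the second line, and they reject the assertion regardless of what the user saw in the address bar.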
Do not trust the padlock as a safety indicator
A padlock means the connection is encrypted. It says nothing about whether the site is legitimate. Over 90 percent of phishing sites have valid HTTPS certificates. An encrypted connection to a credential-harvesting site is not safer than an unencrypted one; it just means the attacker receives your credentials over an encrypted channel. The only meaningful indicator is the domain name itself.
Frequently Asked Questions
What is domain phishing?
Domain phishing is the practice of registering domain names that impersonate legitimate websites or brands to deceive users into submitting credentials, payment information, or other sensitive data. The attacker hosts a site that looks identical to the real one on a lookalike domain and directs victims to it through phishing emails, social media links, or search engine results. The key deception is at the domain level: the site looks legitimate, the HTTPS padlock is present, and the design is identical, but the domain is under the attacker’s control.
What is the difference between typosquatting and a homograph attack?
Typosquatting registers domains that are common misspellings of a legitimate domain, capitalizing on user input errors when someone manually types a URL. The fake domain is detectably different from the legitimate one if the user reads it carefully. A homograph attack substitutes visually identical characters from other Unicode scripts (Cyrillic, Greek, Armenian) for Latin characters in a domain. The resulting domain is indistinguishable by visual inspection from the legitimate domain, even by careful, security-aware users. A user who clicks a homograph phishing link sees a domain that appears correct; the substitution is invisible without specialized tooling that reveals the Unicode character codes.
Why does a phishing site have a padlock if it is malicious?
HTTPS certificates are available free to any domain owner through automated CAs. The certificate issuance process for DV (domain validated) certificates confirms only that the applicant controls the domain, not that the site is legitimate. A phisher registers a lookalike domain, completes an automated HTTP challenge, and has a valid certificate with a padlock in under five minutes. The padlock means the connection is encrypted. It does not mean the site is safe, legitimate, or operated by who you think. Over 90 percent of phishing sites now have HTTPS. The padlock is not a trust signal for site legitimacy.
How do organizations monitor for lookalike domain registrations?
Several mechanisms exist. Certificate Transparency logs record every certificate issued for any domain by publicly trusted CAs. Organizations can monitor CT logs for certificates containing their brand name or variations using tools like crt.sh or commercial CT monitoring services. An alert fires when a new certificate is issued for a domain like yourcompany-login.com or yourcompаny.com (with homoglyph substitution). WHOIS monitoring services track newly registered domains that match patterns related to a brand. Domain monitoring platforms combine both approaches and can alert within hours of a suspicious registration, providing time to take action before the domain becomes operational.
Can DMARC protect against domain phishing?
DMARC protects against unauthorized use of your domain in email: it prevents attackers from sending email that appears to come from yourdomain.com using unauthorized mail servers. It does not protect against lookalike domain phishing, where the attacker registers a different domain (yourdomаin.com or your-domain-support.com) and configures that domain with its own valid SPF, DKIM, and DMARC records. The attacker’s email passes all authentication checks because it comes from the attacker’s authorized domain; DMARC has no visibility into whether the domain itself is a brand impersonation. DMARC and lookalike domain monitoring address different threat vectors and both are needed.
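The distinction drawn in this answer and in the "Email infrastructure for delivery" section under Phase 3 is easiest to see by running the DMARC alignment rule over a few messages. The Python below is an added example written for this guide, not the article's code and not a real DMARC implementation; it takes constructed messages for which the receiving MTA has already established the SPF pass domain and the DKIM signing domain, applies relaxed or strict alignment against the From: domain, and then applies a separate lookalike check that DMARC itself never performs. PROTECTED and MESSAGES are demo values, and the organizational-domain rule is simplified (no Public Suffix List).

```python
PROTECTED = "yourdomain.com"  # assumed organizational domain being defended

# Constructed messages: the From: domain plus what authentication already established.
# spf_pass is the domain SPF passed for (Return-Path), dkim_pass is the DKIM d= domain.
MESSAGES = [
    {"id": "spoof", "from": "yourdomain.com",
     "spf_pass": "attacker-mailer.net", "dkim_pass": None},
    {"id": "lookalike", "from": "yourdomain-support.com",
     "spf_pass": "yourdomain-support.com", "dkim_pass": "yourdomain-support.com"},
    {"id": "legit", "from": "mail.yourdomain.com",
     "spf_pass": "bounce.yourdomain.com", "dkim_pass": "yourdomain.com"},
]


def org_domain(domain):
    """Organizational domain by the naive last-two-labels rule. Real receivers use
    the Public Suffix List (co.uk and similar), which this demo does not model."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    """DMARC identifier alignment: strict ('s') requires an exact match,
    relaxed ('r') requires the same organizational domain."""
    if auth_domain is None:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_pass(msg, adkim="r", aspf="r"):
    """DMARC passes when SPF or DKIM passed AND that identifier aligns with From:."""
    return (aligned(msg["from"], msg["spf_pass"], aspf)
            or aligned(msg["from"], msg["dkim_pass"], adkim))


def is_lookalike(from_domain, protected=PROTECTED):
    """Cheap lookalike check: a different registrable domain whose label embeds the
    protected label, or an IDN (xn--) label. This is outside DMARC's scope."""
    org = org_domain(from_domain)
    if org == protected:
        return False
    label = org.split(".")[0]
    return protected.split(".")[0] in label or label.startswith("xn--")


def evaluate(msg, protected=PROTECTED):
    """Combine the two independent verdicts a gateway needs for each message."""
    return {"id": msg["id"], "dmarc_pass": dmarc_pass(msg),
            "lookalike": is_lookalike(msg["from"], protected)}


if __name__ == "__main__":
    for m in MESSAGES:
        print(evaluate(m))
```

The spoofed message fails DMARC and is the case DMARC exists for. The lookalike message passes DMARC cleanly because the attacker published SPF and DKIM for the domain they registered; only the separate lookalike check flags it, which is the reason the two controls have to be deployed side by side.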
