Skip to main content
Brand Protection

Lookalike Domain Monitoring
and Typosquat Detection

Catch lookalike domains before your customers do.

Continuous monitoring across hundreds of typosquat, homoglyph, hyphen, and TLD-swap variants per domain. Multi-signal risk scoring on DNS, SSL, MX, and live HTTP content. Takedown workflows with RDAP-harvested abuse contacts.

From $0 free on 1 domain · paid from $49/mo

Tiers up to 100 domains. See the four-tier breakdown below.

Sold separately from Email Security

Free on 1 domain. Paid tiers up to 100 domains. No base plan required. Sold separately from Email Security.

Choose your tier

Four tiers, sized to your domain footprint

Free for 1 domain, paid tiers for 5 / 20 / 100. Cancel anytime.

Free

Try it on one domain. No credit card.

$0 /mo

1 domain

  • Monitoring & detection
  • Monitor 1 domain
  • Lookalike, typosquat & homoglyph detection
  • Risk scoring across registrar, DNS, content & visual signals
  • Daily scans (every 24 hours)
  • Alerts
  • 5 visible alerts per domain
  • Email alerts
  • Response & takedown
  • Basic abuse-report tools
  • Access
  • Access to guides
  • Google sign-in

Starter

Hourly scans, more domains, REST API.

$49 /mo

5 domains

  • Monitoring & detection
  • Monitor up to 5 domains
  • Lookalike, typosquat & homoglyph detection
  • Hourly scans
  • Certificate Transparency (CT) log monitoring
  • Threat-intelligence feeds
  • Risk scoring across registrar, DNS, content & visual signals
  • Alerts
  • Unlimited alerts
  • Email, Slack & webhook alerts
  • Response & takedown
  • Full abuse-report & phishing takedown tools
  • Access
  • REST API access

Pro

Recommended

Site screenshots, visual change detection.

$99 /mo

20 domains

  • Monitoring & detection
  • Monitor up to 20 domains
  • Lookalike, typosquat & homoglyph detection
  • Hourly scans
  • CT log monitoring
  • Threat-intelligence feeds
  • CDN detection
  • Domain availability & pricing checks
  • Visual evidence
  • Site screenshots (headless Chromium)
  • Screenshot history (up to 30 per alert)
  • Daily visual change detection
  • Tracked pages: 5 per domain (login/checkout/account)
  • Alerts
  • Unlimited alerts
  • Email, Slack & webhook alerts
  • Response & takedown
  • Full abuse-report & phishing takedown tools
  • Access & support
  • REST API access
  • Priority support

Business

Team access, audit log, compliance-ready.

$499 /mo

100 domains

  • Monitoring & detection
  • Monitor up to 100 domains
  • Lookalike, typosquat & homoglyph detection
  • Hourly scans
  • CT log monitoring
  • Threat-intelligence feeds
  • CDN detection
  • Domain availability & pricing checks
  • Visual evidence
  • Site screenshots (headless Chromium)
  • Screenshot history (up to 30 per alert)
  • Daily visual change detection
  • Tracked pages: 20 per domain
  • Alerts
  • Unlimited alerts
  • Email, Slack & webhook alerts
  • Response & takedown
  • Full abuse-report & phishing takedown tools
  • Access, team & compliance
  • REST API access
  • Team access (up to 10 members)
  • Audit log export
  • Compliance-ready: NIS 2, DORA, HIPAA, PCI DSS 4.0
  • Priority support

Sold separatelyBrand Protection is sold separately from Email Security. Both products ship a Free tier on 1 domain so you can try either before paying.

Everything you need

From detection to takedown, in one workflow

Find lookalike domains the moment they appear, see what makes each one dangerous, and submit takedowns without leaving the app.

Every variation, automatically

PhishFence checks every way an attacker could twist your domain name: typos, homoglyphs, hyphen insertions, TLD swaps. Hundreds of variants per domain on every scan. The squat that other tools miss is usually the one that hits your customers.

Early Warning via CT logsStarter+

PhishFence taps Certificate Transparency feeds so you see new lookalike registrations within minutes of an attacker requesting a TLS certificate, often before the phishing campaign even goes live.

Signal-based risk scoring

Every lookalike is scored by active signals: DNS resolution, SSL certificates, live web content, MX records (mail capability), and matches against threat-intel feeds (URLhaus, Google Safe Browsing, PhishTank, VirusTotal). You see exactly what each domain is doing and which to triage first.

Visual proof of cloningPro

Screenshots of every lookalike are captured automatically and tracked over time so you can spot when a dormant domain turns into an active phishing site. PhishFence also auto-baselines your high-value pages (login, checkout, account) so a cloned /login scores against the real /login. Pro tracks 5 pages per domain, Business tracks 20.

Takedown reports in minutes

Stop hunting registrar abuse contacts by hand. PhishFence does the RDAP lookup, pre-fills the report, and links directly to the registrar's abuse form. What used to take days takes minutes.

Report to blocklists

One-click submission to Netcraft, plus deep links and pre-filled reports for Google Safe Browsing, Microsoft SmartScreen, PhishTank, and Cloudflare. Track which services you have reported to per alert so nothing gets double-filed or forgotten.

Use cases

Built for these specific threats

Need DMARC, SPF, DKIM, MTA-STS, and TLS-RPT monitoring too? See Email Security →

Frequently asked

What is brand protection in the context of domain monitoring?
Brand protection here means continuously scanning the global DNS and Certificate Transparency log corpus for domains that impersonate your brand: typosquats (acmme.com), TLD swaps (acme.io), homoglyphs (Cyrillic-a in аcme.com), prefix/suffix spoofs (acme-login.com), and combosquats (acme-secure-pay.com). Each detection is risk-scored on DNS resolution, SSL cert issuance, MX records, live HTTP content, and threat-intel feeds so you triage real threats first.
How is PhishFence Brand Protection different from DNSTwist or other free tools?
DNSTwist and dnstwister.it are excellent one-shot scanners but ship no continuous monitoring, no alerting, no risk scoring beyond domain similarity, and no takedown workflow. PhishFence runs hourly scans on paid tiers, scores each variant on DNS + SSL + MX + HTTP signals plus threat-intel feeds, captures screenshots on Pro+, surfaces alerts in email + Slack + Discord + Teams + webhooks, and includes pre-filled abuse reports with the registrar's contact RDAP-harvested. Free on 1 domain so you can compare directly.
How many variants do you check per domain?
Typically 200-500 per scan depending on the brand-name length. The variant generator covers nine attack patterns: TLD swaps, prefix/suffix spoofs, keyboard typos, character omission, transposition, repetition, hyphen insertion, homoglyph substitution, and IDN. The highest-signal variants emit first so the scan's priority slice always covers the most dangerous patterns.
Does Brand Protection include Email Security?
No. Brand Protection (lookalike + typosquat monitoring) and Email Security (DMARC, SPF, DKIM, MTA-STS, TLS-RPT) are separate product lines, sold separately at every tier. Buy either on its own or both together. Email Security has its own free tier on 1 domain plus paid tiers at $20/$69/$399 per month. See /email-security for the full Email Security breakdown.
What can I do when PhishFence finds a real phishing site?
Each alert opens a takedown workflow: PhishFence does the RDAP lookup to find the registrar's abuse contact and pre-fills the abuse-report email body using a template that survives most registrar triage filters. One-click submission to Netcraft, plus pre-filled reports and deep links for Google Safe Browsing, Microsoft SmartScreen, PhishTank, and Cloudflare's abuse forms. The phishing-takedown use-case page walks through the full flow.

Catch the next phishing campaign before it goes live.

Most domain-monitoring tools flag registrations and stop there. PhishFence scores by active infrastructure, captures evidence, and takes you straight to takedown.

Free on 1 domain. Paid tiers from $49/mo (5 domains) up to $499/mo (100 domains). Sold separately from Email Security. Cancel anytime.