Use case: Brand owners · IT · marketing security

Typosquatting protection

If you're a brand owner, you have lookalike domains pointed at your customers right now. PhishFence finds them, scores them, and tells you which ones matter before the phishing page goes live.

The attacker pattern

An attacker registers a variant of your real domain: a missing letter, a doubled character, a different TLD, a homoglyph from another script. They point it at a server that hosts a fake login page or a re-skinned support flow, then drive traffic via phishing email, paid ads, or SMS. Misdirected visitors land on the attacker's page believing it's yours.

Generic email security tools miss this because the message claiming to be from your brand is sent from a domain the attacker actually owns. SPF, DKIM, and DMARC all pass for the lookalike. The visible difference between example.com and example1.com is one character; the technical difference is zero. Defense has to start at registration discovery, not at message filtering.
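Why authentication passes for the lookalike, as an added example (not PhishFence code): a simplified DMARC alignment check in the spirit of RFC 7489, run over two constructed messages. The naive organizational-domain rule, the single strict flag, and the attacker.test names are assumptions of this sketch.

```python
def org_domain(domain):
    # Assumption: "last two labels" stands in for a Public Suffix List lookup.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain, auth_domain, strict=False):
    """Relaxed alignment compares organizational domains; strict needs an exact match."""
    if strict:
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_pass(msg, strict=False):
    """DMARC passes when SPF or DKIM passes AND that identifier aligns with header From.

    Real policies set strictness per mechanism (aspf/adkim); one flag is used here.
    """
    spf_ok = msg["spf_pass"] and aligned(msg["from"], msg["mail_from"], strict)
    dkim_ok = msg["dkim_pass"] and aligned(msg["from"], msg["dkim_d"], strict)
    return spf_ok or dkim_ok


# Constructed sample: direct spoof of the real domain from unrelated infrastructure.
SPOOF = {"from": "example.com", "mail_from": "mailer.attacker.test",
         "spf_pass": True, "dkim_d": "attacker.test", "dkim_pass": True}
# Constructed sample: mail from a registered lookalike with its own SPF and DKIM.
LOOKALIKE = {"from": "example1.com", "mail_from": "bounce.example1.com",
             "spf_pass": True, "dkim_d": "example1.com", "dkim_pass": True}

if __name__ == "__main__":
    print("spoof of example.com passes DMARC:", dmarc_pass(SPOOF))
    print("lookalike example1.com passes DMARC:", dmarc_pass(LOOKALIKE))
    print("lookalike under strict alignment:", dmarc_pass(LOOKALIKE, strict=True))
```

The spoof fails because nothing it authenticates aligns with example.com; the lookalike passes even under strict alignment because every identifier is consistently example1.com.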

Anatomy of a typosquat
example.com (your real domain) → example1.com (attacker registers a variant that is visually identical) → user mistypes the URL or clicks a phishing link → lands on the attacker's fake login page · credentials harvested

How PhishFence detects it

  1. Variant generation across 9 attack patterns

    Levenshtein distance 1 to 2, character substitution, TLD swap, homoglyph (Cyrillic, Greek), addition, omission, doubling, keyboard adjacency, prefix/suffix (login-, secure-, -app). A scan typically generates 500 to 1,500 candidates per monitored domain.

  2. Live DNS resolution for every candidate

    Checks per candidate: whether an A record resolves, whether MX is present, the NS pattern, and TLS certificate validity. The goal: separate the >90% of variants that are unregistered/parked from the small subset with real infrastructure behind them.

  3. Risk scoring across multiple signals

    Registration recency (newer = higher risk), MX present (email phishing capability), A record + valid TLS (active site capability), registrar reputation (some registrars host substantially more abuse than others), DMARC posture, visual similarity score against your brand, and content classifier output. Risk levels are critical, high, medium, or low.

  4. Alerts on threshold, digests for the long tail

    High & critical fire immediately via email, Slack, or webhook. Medium & low roll up into a weekly digest so you don't drown in registered-but-parked noise.

  5. Evidence capture for takedown

    Each alert detail page collects WHOIS, hosting IP, registrar abuse contact, screenshot, and DNS records, everything you need to file a registrar abuse report without a second tab.
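A sketch of the variant-generation step for a domain you monitor, as an added example (not PhishFence's generator): it covers single-edit candidates only, and the keyboard, substitution, homoglyph and TLD tables are small illustrative assumptions. Each candidate is stored in its punycode (xn--) form, because that is how an IDN lookalike appears in DNS and registration data.

```python
import string

# Illustrative, partial tables (assumptions, not PhishFence's data).
KEYBOARD = {"a": "qsz", "e": "wrd", "l": "kop", "m": "nk", "p": "ol", "x": "zsc"}
SUBSTITUTE = {"l": "1i", "o": "0", "i": "1l"}
HOMOGLYPH = {"a": "\u0430", "e": "\u0435", "p": "\u0440", "x": "\u0445"}  # Cyrillic
TLDS = ("net", "org", "co")
AFFIXES = (("login-", ""), ("secure-", ""), ("", "-app"))  # affixes named in step 1


def to_ascii(domain):
    """Return the punycode form of a domain (ASCII names come back unchanged)."""
    return domain.encode("idna").decode("ascii")


def variants(domain):
    """Map each single-edit candidate for `domain` to the pattern that produced it."""
    name, tld = domain.split(".", 1)
    found = {}

    def add(kind, label, new_tld=tld):
        candidate = f"{label}.{new_tld}"
        if label and candidate != domain:
            found.setdefault(to_ascii(candidate), kind)

    for i, ch in enumerate(name):
        head, tail = name[:i], name[i + 1:]
        add("omission", head + tail)
        add("doubling", head + ch + ch + tail)
        for kind, table in (("keyboard", KEYBOARD), ("substitution", SUBSTITUTE),
                            ("homoglyph", HOMOGLYPH)):
            for repl in table.get(ch, ""):
                add(kind, head + repl + tail)
    for ch in string.ascii_lowercase + string.digits:
        add("addition", name + ch)
    for new_tld in TLDS:
        add("tld-swap", name, new_tld)
    for prefix, suffix in AFFIXES:
        add("affix", prefix + name + suffix)
    return found


candidates = variants("example.com")  # watch list to feed into DNS resolution

if __name__ == "__main__":
    for ascii_name, kind in sorted(candidates.items()):
        print(f"{kind:13} {ascii_name}")
```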

What it looks like in PhishFence

| Signals | Variant Domain | Indicators | Detected | Review | Actions |
|---|---|---|---|---|---|
| 4 signals | examp1e.com | DNS, SSL, MX, HTTP, Topic 53% | May 17, 09:42 | New | |
| 3 signals | example-login.com | DNS, SSL, HTTP, CF | May 16, 22:17 | Watching | |
| 1 signal | examp1e.co | MX | May 16, 22:17 | Watching | |

DNS: IP address (registered and active)
SSL: has a valid certificate, appears legitimate to browsers
MX: configured to receive email, can be used for phishing
HTTP: serving content to visitors
CF: behind Cloudflare, requires separate abuse report

The alerts table ranks every detected variant by signal count. Indicator pills (DNS, SSL, MX, HTTP, Topic match, CF) show at a glance what makes each variant dangerous. The Review dropdown lets you mark New / Watching / Resolved / Whitelisted; the Actions column generates abuse reports and submits to browser blocklists.

Signal Breakdown

DNS Resolution ACTIVE

This domain resolves to an IP address. It has been registered and pointed to a server.

SSL Certificate ACTIVE

A valid SSL certificate was detected during a TLS handshake. The site is live and visitors see the padlock icon, making it appear trustworthy.

MX Records ACTIVE

Mail server configured. This domain can receive email, which enables phishing and spoofing campaigns targeting your customers.

Live HTTP ACTIVE

Actively serving web content. This could be a phishing page, a parked page, or a redirect.

Domain Intelligence

IP Address: 198.51.100.42
Registrar: Namecheap
Registered: May 17, 2026 (2 days ago)
SSL Certificate Issuer: Let's Encrypt
Certificate Issued: May 17, 2026

Threat Intelligence

1 match
URLhaus: Listed
Google Safe Browsing: Clean
PhishTank: Clean
VirusTotal: Clean

Every alert in PhishFence stacks the same cards in the same order: Signal Breakdown (which infrastructure signals are active), Domain Intelligence (registrar, IP, certificate facts), and Threat Intelligence (cross-reference against four blocklists). One scroll, all the evidence a registrar abuse team will ask for.
PhishFence weekly digest · example.com
to security@example.com · Monday 9:00 AM

Here is what happened across your monitored domains in the last 7 days.

New alerts: 12
Critical / high: 3
Awaiting triage: 5

Top threats this week
examp1e.com Critical
example-billing.com Critical
examp1e-login.com High
exampie.com Medium
+ 8 more in the dashboard
Once a week PhishFence rolls up the past 7 days into a single summary email: counts, the top 5 worst threats, and a link into the dashboard. Critical and high-risk alerts still fire their own immediate alert via email / Slack / webhook the moment they are detected. The digest is the weekly recap.

Common pitfalls to avoid

  • Treating every registered variant as a threat. Most typosquats are registered for resale, not active phishing. Risk scoring exists to separate the dangerous ~5% from the noisy 95%. Disable alerts that fire on registration-only signals.

  • Forgetting IDN homoglyphs. Cyrillic, Greek, and Armenian scripts contain characters visually identical to common Latin letters. A scanner that only generates ASCII variants misses an entire attack family.

  • Only monitoring the apex. Each high-value subdomain (login.example.com, support.example.com) needs its own typosquat scan, which means adding it as a separately monitored domain (one slot from your tier’s quota). PhishFence’s subdomain-takeover detection (Pro+) is a different feature for a different threat: it enumerates each apex’s existing subdomains for dangling CNAMEs, not lookalike variants.

  • Scanning weekly instead of hourly. Phishing campaigns frequently register, send, and decommission within 24 to 48 hours. A weekly scan misses the entire kill chain.

Which PhishFence tier?

For a single-brand domain, Starter at $49/month (5 monitored domains) covers typosquatting protection comfortably. If you also monitor product subdomains, sub-brands, or international TLD variants separately, step up to Pro at $99/month (20 domains). Both tiers include hourly scans, risk scoring, alert routing, and the alert detail page with evidence capture.