Typosquatting takes advantage of an inclination among internet users known as “fat fingers” — a tendency to hit the wrong keys and enter misspelled trademarks or brands. Like phishing, typosquatting is a type of social engineering that tricks people into visiting websites they didn’t intend to visit. These schemes can harm both consumers and the businesses whose names are abused.

Connection to cybersquatting

Typosquatting is connected to cybersquatting, where someone registers a site’s domain name that includes a trademark and then tries to profit by selling that name to the trademark owner. With typosquatting, fraudsters register URLs that are common misspellings of company and brand names. For example, a bad actor might register landswnd.com and lnadsend.com. Then, when users try to visit the site of retailer Lands’ End but mistype the name, they may end up on a fake site that looks like the real one. Other human errors, such as typing the wrong URL extension (.com instead of .org) or omitting punctuation marks such as hyphens, can also work to typosquatters’ advantage.

According to Palo Alto Networks’ Unit 42 research, the most commonly targeted sites include Netflix, Microsoft, Facebook and PayPal. But any business can be vulnerable to this type of fraud.

Valuable information 

The goal often is to divert users away from competitors or draw traffic to their own sites (often pornography or dating sites). The greatest risk for users is that they’ll be diverted to a site where they’re induced to enter login information or download malware. Resulting identity theft can make big money for fraud perpetrators.

Typosquatting can also be used for corporate espionage. In one case, a law firm sued a programmer who had obtained a domain name similar to its own, except for a minor typo. The law firm alleged that the defendant had used his doppelgänger domain name to create fake email accounts and intercept email sent to the firm.

Protect online assets

To protect your business from typosquatting schemes, routinely check mistyped versions of your URL. If you find a questionable site, try to contact the domain name owner. The owner may have an innocent explanation. But if you believe the owner has malicious intent, you may want to file a complaint using the Uniform Domain-Name Dispute-Resolution Policy (UDRP) or pursue litigation.

(This is Blog Post #1121)