Lookalike Domains and Brand Impersonation
Your customers are getting emails from yourcompany-support.com. It's not you.
Last updated: March 20, 2026
A Houston auto repair chain started getting calls from customers asking why they needed to "verify their account" via a link in an email. The email looked official—it had the chain's logo, used their business name, and the sender showed "support@houstonautorepair.com" (the actual domain was just "autorepair.com").
Except it wasn't from houstonautorepair.com. It was from h0ustonautorepair.com (with a zero). The attackers registered the lookalike domain, set up convincing webmail, and sent phishing emails to the chain's customer list (probably purchased or harvested from a prior breach).
Forty-three customers clicked the link. Twelve entered their credentials. The attackers used those credentials to access the customers' accounts on the real website, where they had stored credit card information.
This is a lookalike domain attack combined with brand impersonation. It works because human brains are pattern-matching machines, and most people don't examine URLs character by character.
How lookalike domains actually work
Typosquatting: Registering a common misspelling of a brand name. Paypa1.com (P-A-Y-P-A-1), G00gle.com (G-zero-zero), Micros0ft.com.
Homograph attacks: Using characters that look identical in different scripts. This is harder to pull off with Latin characters but works with Cyrillic letters that look like Latin ones.
Subdomain abuse: Setting up a subdomain that looks like a brand. yourbank.com-secure.com. To someone skimming, it looks like yourbank.com is the domain.
Expired domain acquisition: Waiting for a business to let a domain expire, then registering it. Former customers still have old emails and might visit the site expecting the real company.
Brand impersonation without domain spoofing: Just using a brand's name, logo, and messaging in emails or websites without any domain similarity at all. The email might come from gmail.com, but it's clearly impersonating Microsoft.
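The variants above are the same ones a defender needs to register or monitor for their own domain. The following script is an added example, not part of the original article: it takes your own domain and produces the candidate list the article recommends covering (alternate TLDs, single/double letters, swapped letters, the non-hyphenated form, digit-for-letter substitutions, and the "-support"/"-helpdesk" style suffixes), so you can hand it to your registrar or monitoring service. The suffix list and the sample domains are assumptions.

```python
import string

# Added example (not from the original article). Generates lookalike
# candidates for YOUR OWN domain so they can be registered or monitored.
SUFFIXES = ("support", "secure", "helpdesk")  # assumed list, extend as needed


def split_domain(domain):
    """'houstonautorepair.com' -> ('houstonautorepair', 'com')."""
    name, _, tld = domain.lower().rpartition(".")
    return name, tld


def lookalike_candidates(domain, extra_tlds=("net", "org")):
    """Return a sorted list of domains to register or watch for `domain`."""
    name, tld = split_domain(domain)
    out = set()
    # alternate TLDs (.net / .org if you are .com)
    for t in extra_tlds:
        if t != tld:
            out.add(f"{name}.{t}")
    # non-hyphenated version of a hyphenated name
    if "-" in name:
        out.add(f"{name.replace('-', '')}.{tld}")
    # single vs double letters
    for i, ch in enumerate(name):
        if ch in string.ascii_lowercase:
            out.add(f"{name[:i]}{ch}{name[i:]}.{tld}")       # letter doubled
        if i > 0 and name[i - 1] == ch:
            out.add(f"{name[:i]}{name[i + 1:]}.{tld}")        # double -> single
    # swapped adjacent letters
    for i in range(len(name) - 1):
        if name[i] != name[i + 1]:
            swapped = name[:i] + name[i + 1] + name[i] + name[i + 2:]
            out.add(f"{swapped}.{tld}")
    # digit-for-letter substitutions (h0uston, paypa1)
    for src, dst in (("o", "0"), ("l", "1")):
        for i, ch in enumerate(name):
            if ch == src:
                out.add(f"{name[:i]}{dst}{name[i + 1:]}.{tld}")
    # "yourdomain-support.com" style vendor impersonation names
    for word in SUFFIXES:
        out.add(f"{name}-{word}.{tld}")
    out.discard(domain.lower())
    return sorted(out)


if __name__ == "__main__":
    for candidate in lookalike_candidates("houstonautorepair.com"):  # sample
        print(candidate)
```

Feed the output to your registrar's bulk availability check; anything already registered by someone else is a monitoring and takedown candidate.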
What can go wrong
Customer phishing: Your customers get emails from attackers using your brand, click links to fake sites, and enter credentials or payment info. They blame you.
Vendor impersonation: Attackers register yourdomain-support.com and start reaching out to your customers pretending to be your support team.
BEC using lookalike domains: An attacker registers yourvendor-helpdesk.com and starts sending "support" emails to your accounts payable department.
Your own domain reputation damage: If someone impersonates your brand from a lookalike domain, recipients might mark those emails as spam—hurting your deliverability when you send real emails.
SEO and brand search manipulation: Fake sites using your brand can appear in search results, competing with you or tricking customers.
What it costs
- Incident response: $2,000 to $15,000 to investigate impersonation, notify customers, and remediate
- Customer notification: If customers were phished through impersonation, notification costs and credit monitoring offers
- Brand reputation damage: Harder to quantify but real—customers who got phished tell others
- Domain registration costs to defend: Registering common misspellings and variations of your domain ($10-20 per domain per year)
- Domain monitoring services: $50-500 per month to monitor for lookalike domains and get alerts
Vendor questions (copy/paste)
"How do I find out if someone is impersonating our brand or using our company name in lookalike domains?"
"What domains should we register to protect our brand? Our main domain is [domain]."
"Our customers got phished through a fake site. What do we tell them and what are our legal obligations?"
"How do we report lookalike domains to registrars and get them taken down?"
"What's the difference between domain protection, brand monitoring, and trademark registration for cybersecurity?"
"Can you set up DMARC for our domain to prevent people from sending email 'from' our domain?"
Minimum viable implementation
- Set up DMARC (Domain-based Message Authentication, Reporting, and Conformance) for your email domain. This tells receiving mail servers whether emails "from" your domain should be accepted and what to do with emails that fail authentication. It won't stop lookalike domains from sending emails, but it protects your domain from being used to send email that appears to come from you. Your email provider or IT person can set this up.
- Register common variations of your domain. At minimum, register:
  - The .net and .org versions if you're .com
  - Common misspellings (single vs double letters, swapped letters)
  - If you use hyphens, the non-hyphenated version
  Cost: $10-15 per domain per year. Do this before someone else does.
- Monitor for lookalike domains. Commercial brand-monitoring services or custom Google Alerts can notify you when new domains using your brand appear. The sooner you know, the sooner you can report them and get them taken down.
- Report impersonation immediately when you find it. Use the registrar's abuse contact to report trademark infringement. Report phishing sites to Google Safe Browsing and Microsoft. Report phishing emails to the receiving provider. Most take action quickly.
- Educate your team and customers about checking URLs before entering credentials. This is increasingly important as lookalike domains become more sophisticated.
- Set up your own domains correctly so attackers can't impersonate you as easily. This means SPF, DKIM, and DMARC properly configured, and using your actual domain in all official communications.
- Consider trademark registration if you're relying on brand reputation. A trademark gives you stronger legal grounds to report impersonation and get domains taken down.
When to hire help
Call someone today if:
- You found a lookalike domain impersonating your business
- Customers contacted you saying they received phishing emails from someone using your brand
- You got an abuse report about your domain being used for phishing
Call someone this week if:
- You want help setting up DMARC properly
- You need to register brand protection domains and don't know which ones
- You want a domain monitoring service set up to alert you to impersonation
You can probably handle it yourself if:
- Your email domain already has SPF/DKIM/DMARC configured
- You've registered the obvious domain variations
- You know how to report phishing to registrars and take-down services
Lookalike domains are cheap to register and effective at fooling people. Defending against them requires some effort upfront, but it's mostly set-it-and-forget-it work that pays off when the impersonation attempt shows up.