Typo-squatting: more than typos
Barnaby Holdsworth-Kirby
April 28, 2025
Summary
Typo-squatting is about much more than spelling mistakes. Attackers register lookalike domains mainly to send phishing emails, not just to trick people who mistype. Domains with MX records, live websites, redirects, and even restricted content responses should all be prioritised for investigation. Adding extra words to domains can make them even more convincing than small typos. Businesses need to monitor both registered and unregistered risks, and using an EASM platform makes this possible at scale.

Many people think they understand typo-squatting. An attacker registers a domain that looks very similar to a legitimate one, hoping someone will mistype it and accidentally land on the wrong website. While that can happen, it is not the main goal for attackers today. Typo-squatting domains are primarily used to send phishing emails, aiming to fool victims into thinking the email is genuine. It is about trust: if an email arrives from a domain that looks almost identical to the real thing, the target is far more likely to fall for the attack.

Businesses often concentrate only on minor spelling mistakes, but typo-squatting covers much more than that. Attackers need a fresh domain to send phishing emails, so they register one. Newly registered domains therefore present a greater risk than older, established ones and should be treated with correspondingly more suspicion.

Another critical indicator is whether a suspicious domain has MX records. An MX (Mail Exchange) record is the DNS entry that tells the internet which mail servers handle email on behalf of a domain, so a domain with MX records has been set up for email. Checking whether a domain has MX records is easy with public lookup tools or a plain DNS query. If you find MX records on a suspicious domain, it jumps up the priority list for investigation. No MX records usually means no email activity, at least not yet.

When evaluating suspicious domains, many people make the mistake of focusing only on whether a website returns a 200 OK response, meaning the site is live and serving content. However, other responses can be just as suspicious. A 302 redirect, for example, could indicate the domain is sending users elsewhere, possibly to a malicious site. A 403 Forbidden response could suggest there is content on the server, but it is restricted from public view. Essentially, any domain that gives back something other than a blank or failed response deserves closer attention.
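The two checks above, MX records and the raw HTTP status, can be scripted. The following is an added example, not code from the original post or from DarkInvader. It sends a minimal MX query over UDP using only the Python standard library (the resolver address 9.9.9.9 and the timeouts are assumptions), and it probes http://domain/ without following redirects, because a client that follows redirects by default reports the final page and hides the 302 the article says to look for. The placeholder domain in the `__main__` block is constructed.

```python
import random
import socket
import struct
import urllib.error
import urllib.request


def encode_name(name):
    """Encode a dotted domain name in DNS wire format (length-prefixed labels)."""
    out = b""
    for label in name.strip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_mx_query(domain, txid):
    """Build a single-question MX query (QTYPE 15, class IN) with recursion desired."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(domain) + struct.pack("!HH", 15, 1)


def read_name(data, offset):
    """Decode a possibly compressed name; return (name, offset just after it)."""
    labels, end, jumped = [], offset, False
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:          # compression pointer to an earlier name
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        if length == 0:
            if not jumped:
                end = offset + 1
            break
        offset += 1
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), end


def parse_mx_response(data):
    """Return (rcode, [(preference, mail host), ...]) from a raw DNS response."""
    _, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", data[:12])
    offset = 12
    for _ in range(qdcount):               # skip the echoed question section
        _, offset = read_name(data, offset)
        offset += 4
    records = []
    for _ in range(ancount):
        _, offset = read_name(data, offset)
        rtype, _, _, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        if rtype == 15:                    # MX: 16-bit preference, then the mail host
            pref = struct.unpack("!H", data[offset:offset + 2])[0]
            host, _ = read_name(data, offset + 2)
            records.append((pref, host))
        offset += rdlen
    return flags & 0x000F, records


def has_mx(domain, resolver="9.9.9.9", timeout=3.0):
    """True if the domain currently has at least one MX record (needs network)."""
    txid = random.randint(0, 0xFFFF)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_mx_query(domain, txid), (resolver, 53))
        data, _ = sock.recvfrom(4096)
    if struct.unpack("!H", data[:2])[0] != txid:
        raise ValueError("DNS transaction id mismatch; discard this answer")
    rcode, records = parse_mx_response(data)
    return rcode == 0 and len(records) > 0


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Make urllib surface a 3xx as an HTTPError instead of silently following it."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def probe_http(domain, timeout=5.0):
    """Return (status, Location header) for http://domain/; (None, None) if no answer."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(f"http://{domain}/", timeout=timeout) as resp:
            return resp.status, None
    except urllib.error.HTTPError as err:          # 3xx, 403 and other non-2xx land here
        return err.code, err.headers.get("Location")
    except (urllib.error.URLError, OSError):
        return None, None


def triage_http(status):
    """Map a raw status code to the investigation note the article's reasoning implies."""
    if status is None:
        return "no response"
    if status == 200:
        return "live content: review for brand impersonation"
    if 300 <= status < 400:
        return "redirect: check where users are being sent"
    if status in (401, 403):
        return "restricted content: something is hosted but hidden"
    return f"responded {status}: review"


if __name__ == "__main__":
    target = "suspicious-domain.example"   # constructed placeholder, not a real case
    print(target, "has MX:", has_mx(target))
    status, location = probe_http(target)
    print(target, status, location, "->", triage_http(status))
```

The transaction-id check in `has_mx` is there so a stray or spoofed UDP answer is not mistaken for the reply to this query; for bulk work you would move the checks to a proper resolver library and rate-limit the HTTP probes.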

If a website is serving content that matches your brand, it could be a strong indication of brand impersonation, a fake site attempting to exploit your brand for financial gain. The content should be carefully reviewed for any text that mirrors your own, or any images and logos that resemble your legitimate branding.

It is not just about obvious typos either. Adding extra words to a domain can be just as, if not more, convincing than small letter changes. Take, for instance, the difference between "paypall.com" (a simple typo) and "paypal-support.com". In the second example, the full correct brand name "paypal" is present, which can be more convincing. Our brains are wired to scan quickly for known patterns and words, so seeing the real brand name inside a longer domain can make it seem even more legitimate.

This is why it is critical for businesses to widen the scope of their typo-squatting defences. Monitoring registered typo-squatting domains is important, but it is also wise to predict what domains could be registered in the future and proactively add them to block lists. Blocking emails from domains that are not yet registered, but could easily be used for impersonation, is a powerful way to get ahead of attackers.
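One way to act on the last two paragraphs in code, as an added example that is not the article's or DarkInvader's tooling: it generates the lookalike domains a defender would want on a watch list or pre-emptive block list (single-character typos plus the extra-word additions the article describes; the keyword and TLD lists are assumptions, not a vetted set), and it flags an inbound sender domain that is within one edit of the brand name or contains it. The brand and domains in the `__main__` block are the article's own PayPal examples used as constructed input. Public-suffix handling is deliberately omitted, so the registrable label is assumed to be the one just before the TLD.

```python
KEYWORDS = ["support", "login", "secure", "help", "billing", "account"]  # assumed list


def typo_variants(brand):
    """Single-character omissions, repetitions and adjacent transpositions."""
    variants = set()
    for i in range(len(brand)):
        variants.add(brand[:i] + brand[i + 1:])                 # drop one character
        variants.add(brand[:i] + brand[i] + brand[i:])          # double one character
        if i < len(brand) - 1:                                  # swap with the next one
            variants.add(brand[:i] + brand[i + 1] + brand[i] + brand[i + 2:])
    variants.discard(brand)
    return variants


def keyword_variants(brand, keywords=KEYWORDS):
    """Brand name combined with an added word, with and without a hyphen."""
    variants = set()
    for word in keywords:
        for sep in ("-", ""):
            variants.add(f"{brand}{sep}{word}")
            variants.add(f"{word}{sep}{brand}")
    return variants


def candidate_domains(brand, tlds, legit_domains=()):
    """Lookalike domains worth watching or pre-emptively blocking, minus your own."""
    labels = typo_variants(brand) | keyword_variants(brand)
    domains = {f"{label}.{tld}" for label in labels for tld in tlds}
    return sorted(domains - set(legit_domains))


def edit_distance(a, b):
    """Levenshtein distance (insert, delete and substitute each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_reason(sender_domain, brand, legit_domains):
    """Why an inbound sender domain resembles the brand, or None if it is clean or unrelated.

    Assumes the registrable label is the one just before the TLD (no public-suffix list).
    """
    domain = sender_domain.lower().strip(".")
    legit = {d.lower() for d in legit_domains}
    if domain in legit or any(domain.endswith("." + d) for d in legit):
        return None                                   # your own domain or a subdomain of it
    parts = domain.split(".")
    label = parts[-2] if len(parts) >= 2 else parts[0]
    if label != brand and edit_distance(label, brand) <= 1:
        return "one edit away from the brand name"
    if brand in label:
        return "contains the brand name"
    return None


if __name__ == "__main__":
    # Constructed input using the article's own PayPal examples; not a real investigation.
    brand, own = "paypal", {"paypal.com"}
    watchlist = candidate_domains(brand, ["com", "net"], own)
    print(len(watchlist), "candidates, e.g.", watchlist[:5])
    for sender in ["paypall.com", "paypal-support.com", "mail.paypal.com", "example.org"]:
        print(f"{sender:22} -> {lookalike_reason(sender, brand, own)}")
```

The watch list is the input to the monitoring the article describes: check each candidate periodically for registration, MX records and a live site, and feed the unregistered ones to the mail gateway's block list. `lookalike_reason` is the inbound half, and is deliberately conservative; anything it flags still needs a human or an allow list before it becomes a hard reject.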

Of course, doing all this manually is not sustainable at scale. That is where External Attack Surface Management (EASM) platforms come in. These tools can continuously monitor domain registrations, check for MX records, detect active websites, and even identify copied logos, layouts, and branding. They take the heavy lifting off security teams and give businesses an ongoing view of potential threats.

Typo-squatting is no longer just about catching a few spelling mistakes. It is a sophisticated, growing threat to businesses of all sizes, and it demands a smarter, broader response.

Barnaby Holdsworth-Kirby

Barnaby Holdsworth-Kirby is an award-nominated open-source investigator at DarkInvader and a proud member of the UK OSINT community. With deep expertise and a passion for uncovering hidden insights, Barnaby is dedicated to advancing the field of open-source intelligence, helping organisations navigate complex security challenges with precision and insight.
