To protect your customers from lookalike domain phishing, you must proactively register high-risk variant domains. Secure common misspellings, different top-level domains (.net, .co), and homoglyph variations of your brand. Furthermore, enforce strict DMARC email policies so global mail servers automatically reject spoofed emails attempting to impersonate your business.
What Is a Homoglyph Attack?
A homoglyph is a character from a different alphabet that renders visually identical, or nearly identical, to a standard English letter.
- Lowercase "l" replaced with uppercase "I": paypaI.com vs paypal.com
- Latin "a" replaced with Cyrillic "а" (U+0430): looks identical, but is a different Unicode character
- Zero "0" swapped for letter "O"
Because international domain names (IDNs) support non-Latin scripts, an attacker can register a domain using Cyrillic, Greek, or other lookalike characters that browsers render as your exact brand name. This is far more dangerous than an obvious typo, since neither the eye nor casual inspection catches the substitution.
Why It Matters: Financial Devastation
Business Email Compromise (BEC) is not a theoretical risk. The FBI's IC3 2025 Internet Crime Report recorded $3.05 billion in BEC losses from 24,768 complaints, the second most financially damaging cybercrime category in the United States. 86% of those losses moved via wire transfer or ACH, meaning once the money leaves, recovery odds drop sharply within hours.
A single successful lookalike domain email, one that convinces a client to wire payment to a fraudulent account, can cost more than years of domain defense spending combined.
The Defense Strategy: Acquisition vs Takedown
| | |
| | |
| Reactive, after attack discovered | $1,500-$5,000+, weeks to resolve |
Defensive registration is dramatically cheaper than reaction. Registering the obvious variants of your brand costs a fraction of a single UDRP filing, and it prevents the domain from ever falling into a bad actor's hands in the first place.
UDRP takedown becomes necessary when a malicious domain is already registered and active. It works, but it is slower and more expensive than prevention, and the damage from active phishing may already be done by the time a takedown completes.
The Email Armor: Why DMARC p=reject Matters
DMARC at an enforcement policy (p=reject), backed by properly configured SPF and DKIM, mathematically proves whether an email genuinely originated from your domain's authorized servers. Receiving mail providers reject anything that fails the check.
Important limitation: DMARC only protects your exact domain from being spoofed. It cannot stop a homoglyph or lookalike domain from sending mail, since that domain is technically a different, independently valid domain with its own DNS records. Both defenses must be deployed together.
Common Mistakes
Only buying the .com and ignoring .co, .net, or .ai: Attackers specifically target the extensions you skipped. A brand that owns only .com leaves every other extension open for exact-match registration by a bad actor.
Never testing your DMARC enforcement level: Many companies set DMARC to p=none (monitoring only) and never advance to enforcement, leaving spoofing of their exact domain fully possible despite believing they're protected.
Assuming employees will catch the homoglyph visually: They won't, reliably. The entire point of a homoglyph attack is that it's visually indistinguishable at a glance.
What This Means for You
Use NameSilo's bulk domain search to sweep for lookalike variants of your brand across multiple extensions in one pass and secure them at wholesale pricing before an attacker does. Pair defensive registration with properly configured NameSilo Email authentication to close both halves of the vulnerability. Frequently Asked Questions
What is a lookalike domain?
A domain designed to visually resemble a legitimate brand's domain.
How do homograph attacks work?
Attackers use visually identical characters from other alphabets to fake a domain.
Can I report a phishing domain?
Yes, to the registrar's abuse team, and to the FBI's IC3 if fraud occurred.
How do I take down a fake website pretending to be me?
File a UDRP complaint or contact the hosting provider's abuse department.
Should I buy every domain extension for my brand?
The highest-risk ones: your primary competitors' TLDs and common misspellings.
What is Business Email Compromise (BEC)?
Fraud where attackers impersonate trusted contacts to redirect wire payments.
How does DMARC stop phishing?
It rejects unauthenticated mail claiming to be from your exact domain.
How do I monitor domains at NameSilo?
Use bulk domain search regularly to check for newly available brand variants.