How to detect domain lookalike attacks and mitigate impersonation risks

Detect and stop domain impersonation with Valimail’s free Domain Lookalike Finder. Spot variants, block phishing, and protect your brand.

Cybercriminals are aware that one of the most effective ways to deceive people is by mimicking trusted brands.

A single convincing lookalike domain can be enough to trick customers into handing over passwords, financial details, or other sensitive information.

For Valimail customers, these threats directly undermine the protections you’ve already put in place with DMARC enforcement and proper email authentication via SPF and DKIM. While these measures work together to prevent direct spoofing of your exact domain, attackers often attempt to bypass these protections by using similar but distinct domains.

For IT and security teams, spotting these variants early means you can:

  • Block them before phishing campaigns launch
  • Register them proactively to prevent abuse
  • Feed them into security controls like security platforms, gateways, and threat intel feeds
  • Support takedowns and legal action with concrete evidence
  • Educate staff and customers on real-world impersonation risks

Valimail’s Domain Lookalike Finder automates the hard part: finding these dangerous variants, often hundreds or thousands at a time, so you can take action before they’re used against you.

This tool is free and easy to use. Here’s how to wield it to find bad actors attempting to register and hold domains that look similar to your own.

1. Enter your domain

Start by entering your legitimate domain name into the tool. This is your baseline. Valimail’s detection engine will generate a list of possible lookalike variants using multiple detection methods, including:

  • Typosquatting detection: misspellings and keyboard-adjacent substitutions.
  • Homograph attack detection: lookalikes using visually similar characters.
  • TLD variations: different top-level domains like .net or .co.
  • Character substitutions and deletions: removing or replacing letters with numbers or symbols.
  • Subdomain variants: rogue subdomains mimicking internal or customer portals.
  • DNS & MX analysis: checking if these domains are set up to send or receive email.
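
To make the detection methods above concrete, here is an added example (not Valimail's engine, and not code from this page) that generates candidate variants of your own domain so they can be checked against DNS or a blocklist. The function name `lookalike_variants` and the small substitution tables are assumptions of this sketch, and it handles only two-label domains such as `example.com`.

```python
# Added example: enumerate lookalike candidates for a domain you own.
# The tables below are partial and illustrative, not a complete confusables set.
KEYBOARD_ADJACENT = {"a": "qsz", "e": "wrd", "l": "kop", "m": "njk", "p": "ol", "x": "zcsd"}
HOMOGLYPHS = {
    "a": ["\u0430"],        # Cyrillic a
    "e": ["3", "\u0435"],   # digit 3, Cyrillic ie
    "l": ["1"],
    "m": ["rn"],
    "o": ["0", "\u043e"],   # digit 0, Cyrillic o
}
ALT_TLDS = ["net", "co", "org"]


def lookalike_variants(domain):
    """Return {variant: technique} for a two-label domain such as example.com."""
    domain = domain.lower()
    label, _, tld = domain.partition(".")
    found = {}

    def add(new_label, new_tld, technique):
        if not new_label:
            return
        # IDNA-encode so Unicode homoglyphs appear in the xn-- form seen in DNS logs.
        candidate = f"{new_label}.{new_tld}".encode("idna").decode("ascii")
        if candidate != domain:
            found.setdefault(candidate, technique)

    for i, ch in enumerate(label):
        head, tail = label[:i], label[i + 1:]
        add(head + tail, tld, "deletion")
        for sub in KEYBOARD_ADJACENT.get(ch, ""):
            add(head + sub + tail, tld, "keyboard-adjacent")
        for sub in HOMOGLYPHS.get(ch, []):
            add(head + sub + tail, tld, "homoglyph")
    for alt in ALT_TLDS:
        if alt != tld:
            add(label, alt, "tld")
    return found


if __name__ == "__main__":
    for variant, technique in sorted(lookalike_variants("example.com").items()):
        print(f"{technique:18} {variant}")
```

Unicode homoglyph variants come out in their `xn--` (punycode) form, which is the string to match in resolver logs, proxy logs, and gateway blocklists.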

2. Review the results

Once the scan is complete, you’ll receive an exportable report containing:

  • Total number of variant domains found
  • Domains most likely to be active threats
  • Identifiably parked domains
  • Domains currently available for registration
  • Errors encountered (such as DNS resolution issues)

You can easily export the results as a CSV to integrate with your security workflow or share with other teams.

3. Take action

Here’s how to operationalize your findings:

  1. Register Available Variants: Purchase high-risk typo or homoglyph variants to prevent abuse. Configure DNS with restrictive DMARC, SPF, and DKIM records to stop spoofing.
  2. Investigate Active Threats: Check hosting, DNS, and WHOIS data to confirm malicious intent. Feed these domains into your security or threat intel platforms.
  3. Block or Filter at the Gateway: Add malicious lookalikes to email gateway and web proxy blocklists to prevent end-user exposure.
  4. Submit Takedowns: Work with registrars, hosting providers, or a takedown service to remove fraudulent sites or challenge domain ownership.
  5. Document for Legal Action: Use the exported results to support UDRP complaints, trademark protection, or court cases.
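
For the first action above, "restrictive" records on a defensively registered domain that should never send mail usually mean an SPF record that authorises no senders, DMARC at `p=reject`, and an empty wildcard DKIM key. The following added example (not from the original page) audits a domain's TXT records against that interpretation; the function names and both sample record sets are constructed for illustration.

```python
# Added example: audit TXT records of a defensively registered, non-sending domain.
# "Restrictive" is this example's interpretation: SPF authorises nobody,
# DMARC is at p=reject, and the wildcard DKIM key is empty (revoked).

def parse_tags(record):
    """Parse the 'k=v; k=v' tag lists used by DMARC and DKIM records."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, _, value = part.partition("=")
            tags[key.strip().lower()] = value.strip()
    return tags


def audit_parked_domain(txt):
    """txt maps owner name -> TXT value. Returns findings; an empty list means OK."""
    findings = []
    spf = txt.get("@", "").lower().split()
    if spf[:1] != ["v=spf1"]:
        findings.append("SPF: no v=spf1 record at the apex")
    elif spf[1:] != ["-all"]:
        findings.append("SPF: expected exactly 'v=spf1 -all'")

    dmarc = parse_tags(txt.get("_dmarc", ""))
    if dmarc.get("v", "") != "DMARC1":
        findings.append("DMARC: no record at _dmarc")
    else:
        if dmarc.get("p", "").lower() != "reject":
            findings.append("DMARC: policy is not p=reject")
        if dmarc.get("sp", "reject").lower() != "reject":
            findings.append("DMARC: sp= weakens the subdomain policy")

    dkim = parse_tags(txt.get("*._domainkey", ""))
    if dkim.get("v") != "DKIM1" or dkim.get("p") != "":
        findings.append("DKIM: wildcard record is not an empty (revoked) key")
    return findings


# Constructed sample inputs: a weak set of records and a hardened one.
WEAK = {"@": "v=spf1 include:_spf.example.net ~all", "_dmarc": "v=DMARC1; p=none"}
HARDENED = {"@": "v=spf1 -all", "_dmarc": "v=DMARC1; p=reject",
            "*._domainkey": "v=DKIM1; p="}

if __name__ == "__main__":
    for name, records in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_parked_domain(records) or "OK")
```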

If the Domain Lookalike Finder identifies a suspicious or infringing domain that is already owned by someone else, your IT/security team may want to work with a takedown service. These providers specialize in removing malicious or trademark-infringing websites and domains, recovering domains via dispute processes, and coordinating with registrars and hosting companies.

If the domain in question infringes on your trademark and was registered in bad faith, the WIPO Uniform Domain Name Dispute Resolution Policy (UDRP) offers a specific, streamlined process to strip domain ownership away from a bad actor.

Complainants must prove that a domain is infringing on a trademark, that the current owner has no legitimate rights to the domain, and that it was registered and/or used in bad faith. Successful cases result in the domain being transferred to the complainant or canceled. 

For security teams, the UDRP is especially valuable when a domain is clearly infringing but not being used for active phishing: situations where a registrar or hosting provider might not take direct takedown action without a legal ruling.

4. Monitor regularly

Domain impersonation is not a one-time risk; it is a persistent threat that requires ongoing attention. Threat actors register new domains daily. Re-run Valimail’s Domain Lookalike Finder periodically to track changes over time.

5. Educate your team

Use examples from your security awareness training results. Show employees how small visual differences in a domain can be a red flag for phishing.

Learn more about typosquatting and homoglyph attacks, and how capturing and locking down these domains with Valimail Enforce can help reduce the risks of phishing and spoofing for your coworkers and customers.

Start protecting your brand today, and run your first scan now.
