How to take down lookalike domains targeting your business

You’ve built a trusted brand, invested years in customer relationships, and worked hard to establish credibility in your market. Then one day, you discover that criminals are using lookalike domains that copy yours to steal customer credentials, sell counterfeit products, or run elaborate phishing schemes.

This is the sad (but real) world of malicious lookalike domain targeting—where your brand’s success makes you a prime target for cybercriminals looking to exploit the trust you’ve worked so hard to build.

For every legitimate brand domain, there are an average of 200 malicious lookalike domains floating around the internet. These aren’t just parked domains sitting harmlessly in cyberspace. Many are actively being used to trick your customers, steal sensitive information, and damage your reputation in the process.

Unfortunately, most businesses don’t even know these fake domains exist until customers start complaining about suspicious emails or fraudulent websites that “look just like yours.” By then, the damage is often already done: lost customers, compromised data, and a brand reputation that takes months or years to rebuild.

You can do something about fake domains and websites, though. You don’t have to sit back and let criminals hijack your brand identity. There are steps you can take to identify, report, and remove malicious domains targeting your business.

What is a lookalike domain?

A lookalike domain is a fraudulent website address that’s designed to closely resemble your legitimate domain name. These domains use subtle tricks to fool people into thinking they’re visiting your real website or receiving emails from your company.

Common lookalike tactics include replacing letters with similar-looking characters (like “0” instead of “o”), adding hyphens or extra letters, using different top-level domains (.net instead of .com), or creating subdomains that appear legitimate at first glance.

For example, if your domain is “trustbank.com,” a lookalike might be “trust-bank.com,” “trustbank.net,” or “trustb4nk.com.” These domains are designed to bypass quick visual inspection. They look legitimate enough that distracted users won’t notice the difference until it’s too late.

Sure, if your customers took the time to scrutinize every site they visited, they’d probably notice the telltale signs…but who has time for that?

Criminals use these domains for phishing attacks, fake e-commerce sites, credential harvesting, and email impersonation campaigns that can seriously damage your brand reputation and put your customers at risk.

Everything you need to know about domain-based brand attacks

Domain-based brand attacks have moved beyond simple typosquatting. Today’s cybercriminals use advanced techniques to create convincing replicas of legitimate brands, exploiting everything from visual similarities to customer trust patterns.

• Typosquatting and misspellings remain popular: domains like “amaz0n.com” or “g00gle.com” that capitalize on common typing mistakes. But attackers have gotten more creative with homograph attacks that use international characters that look identical to Latin letters (making fake domains virtually indistinguishable from real ones).
• Subdomain attacks are when criminals register domains like “security-update.yourcompany.net” or “billing.yourcompany-portal.com” that appear legitimate in email headers or quick glances, especially on mobile devices.
• Credential harvesting through fake login pages, financial fraud via counterfeit e-commerce sites, malware distribution disguised as legitimate software downloads, and email impersonation to fool customers and business partners.

These attacks exploit the trust your brand has built. Customers who’ve learned to trust “yourcompany.com” may not think twice about clicking “yourcompany-secure.com” in an urgent-looking email. The visual similarity, combined with familiar branding, creates a false sense of security that even security-conscious users can fall for.

These aren’t random attacks, either. Criminals are actively targeting your business. Because you’re successful, and they know existing customer trust almost always leads to a higher payoff.

How to take down fake websites and domains

Taking down fake websites is a strategic process that requires the right approach for each specific threat. Here’s how to tackle it systematically.

1. Identify malicious domains targeting your brand

Want to skip all the hassle and nitty-gritty work? Just use Valimail’s free Domain Lookalike Finder—it scans the internet to find any domain that closely resembles your own. It uses the following detection methods to cover your bases:

• Typosquatting detection
• Homograph attacks
• TLD variations
• Character substitutions
• Subdomain variants
• DNS & MX analysis

You could do this with a manual search by using common typosquatting patterns. Replace letters with numbers, add hyphens, try different TLDs, and search for common misspellings of your brand name. Check domain registration databases and search engines for variations of your company name.

Next, monitor customer complaints and support tickets for mentions of suspicious emails or websites that claim to be from your company. Customers often spot fake domains before you do, especially when they’re actively used in phishing campaigns.

Document everything you find. Screenshot fake websites, save email headers from phishing attempts, and record domain registration details. This evidence matters when filing takedown requests.

2. Evaluate the threat level and prioritize

Not all malicious domains pose the same level of risk. The internet is a big ocean of phishers, and you don’t have the time, energy, or resources to take down everything.

Active phishing sites that are currently stealing customer credentials should be your top priority, followed by fake e-commerce sites selling counterfeit products under your brand name.

Parked domains with no active content are of lower priority but still worth monitoring. They could be activated for malicious purposes at any time. Consider factors like how closely the domain resembles yours, whether it’s actively being used, how much traffic it’s getting, and the potential for customer confusion.

Score threats based on business impact: A domain that’s actively phishing your customers’ banking credentials is more urgent than one that’s just parking ads. But a convincing fake e-commerce site during your busy shopping season could cause major revenue loss and brand damage.

3. Choose your takedown strategy

Domain registrar complaints work well for clear trademark violations or obvious abuse. Most registrars have abuse reporting processes and will investigate domains that violate their terms of service. This approach can be slower but often results in permanent domain suspension.

Hosting provider reports are faster for actively malicious content. If the fake website is hosted on a major provider, they’ll usually act quickly to remove phishing sites or malware distribution. This is your best bet for urgent threats that are actively harming customers.

Legal action through cease and desist letters or trademark disputes works when you have clear intellectual property rights and the resources to pursue it. This approach takes longer but can be more comprehensive (especially for repeat offenders).

Platform-specific reporting will help when fake domains are promoted through social media, email campaigns, or app stores. Each platform has its own reporting mechanisms for malicious content.

The domain takedown process (step-by-step)

Once you’ve identified a malicious domain and chosen your strategy, it’s time to make the takedown. The process will vary depending on your approach, but these steps will systematically give you the best chance of success:

1. Gather comprehensive evidence: Screenshot the malicious website, document domain registration details, save phishing email headers, and collect any customer complaints. Include trademark registration numbers and proof of brand ownership to strengthen your case.
2. Identify the right contacts: Find the domain registrar and hosting provider through WHOIS lookups, then locate their official abuse reporting channels. Research any additional services like CDNs or security providers that might also need to be contacted.
3. File formal complaints: Submit detailed abuse reports to both the registrar and hosting provider, including all evidence with clear explanations of trademark violations or customer harm. Reference specific terms of service violations and request immediate action.
4. Follow up persistently: Track complaint reference numbers and send follow-up emails if you don’t hear back within 48-72 hours. Escalate to supervisors or legal departments when initial requests stall or get ignored.
5. Document the outcome: Record successful takedowns, response times, and which providers were most cooperative for future reference. Monitor the domain to guarantee it stays down and doesn’t reappear elsewhere.

Ways to prevent future domain attacks

Yep, you’ve heard it before, but the best offense is a good defense. And that’s stopping attacks before they start. While you can’t prevent criminals from registering lookalike domains, you can make their attacks less effective and catch new threats faster:

• Proactive domain registration means buying up common variations of your domain before attackers do. Register obvious typos, different TLDs (.net, .org, .biz), and hyphenated versions of your brand name. It’s cheaper than dealing with takedowns later.
• Continuous domain monitoring catches new threats as they appear. Tools like Valimail’s Domain Lookalike Finder can automatically scan for new domains that resemble yours, alerting you to potential threats before they’re used in attacks against your customers.
• Email authentication protocols like DMARC, SPF, and DKIM prevent criminals from spoofing your actual domain in phishing emails. Even if they register a lookalike domain, they can’t send emails that appear to come from your real domain. Valimail Monitor gives you complete visibility into who’s sending emails on your behalf and whether they’re properly authenticated.
• Brand monitoring and alerts help you spot misuse across the internet. Set up Google Alerts for your brand name combined with terms like “login,” “security,” or “urgent” to catch phishing campaigns early.
• Customer education makes your audience less susceptible to lookalike domain attacks. Teach customers to verify URLs carefully, bookmark your real login pages, and report suspicious emails claiming to be from your company.

Find your lookalike domains for free

Lookalike domains aren’t just going to go away. They’re getting more sophisticated and harder to spot. But you don’t have to wait until customers start complaining about fake websites or phishing emails to take action.

Start with Valimail’s Domain Lookalike Finder to see what malicious domains are already targeting your brand. Then use Monitor to get complete visibility into your email authentication and sending patterns. The combination gives you both offensive and defensive capabilities: find the fakes, take them down, and prevent spoofing of your real domain.

Your brand reputation is too valuable to leave unprotected. See what threats are already out there—it’s free, and you might be surprised by what you find.