How to spot a lookalike (typosquat) domain
Scammers register web addresses that look almost identical to real brands - paypa1.com, amaz0n-support.net, microsoft.com. Here's how lookalike domains work and how to catch them before you trust a site.
Most scam websites don't trick you with clever code. They trick you with the address bar. A lookalike domain is a web address registered to resemble a real brand closely enough that you read it as genuine at a glance - and that single misread is often all a scam needs.
If you want the broader checklist for vetting a site, see how to check if a website is legit. This guide is about one specific trick: the near-identical domain name, and how to catch it.
What is a lookalike domain?
A lookalike domain - also called a typosquat or a cousin domain - is a web address deliberately registered to imitate a trusted one. The goal is to make not-the-real-site.com look like the-real-site.com for the half-second it takes you to decide whether to type your password.
They turn up in phishing emails, fake delivery texts, social media ads, and search results. The message or page around them usually looks right too - real logos, familiar fonts, the correct tone. The domain is the weak point, and it's the one thing scammers can't fake perfectly, because the genuine brand already owns the real address.
The common tricks, with examples
Once you know the patterns, lookalike domains get much easier to spot.
Character swaps
Replacing a letter with a number or a similar-shaped character:
- paypa1.com - the "l" is a number 1
- amaz0n.com - the "o" is a zero
- g00gle.com - two zeros for the o's
Added words
Bolting a reassuring word onto a real brand name. The brand is real; the domain is not:
- apple-support.com
- netflix-billing.net
- hmrc-tax-refund.co.uk
Real companies serve their support and billing from their main domain (apple.com/support, not apple-support.com). Extra words before or after the brand are a warning sign, not a convenience.
Wrong endings
Taking the exact brand name but changing the bit after the dot:
- amazon.co instead of amazon.co.uk
- royalmail.org instead of royalmail.com
- paypal.secure-login.com - here the real-looking part ("paypal") is just a subdomain, and the actual domain is secure-login.com
That last one is the most important to understand: the real domain is the bit immediately before the first single slash. In paypal.secure-login.com/account, the domain is secure-login.com, not PayPal.
Misspellings and transpositions
A letter dropped, doubled, or swapped - easy to miss when you're skimming:
- microsoft.com
- whatsapp-verify.com
- linkedln.com (an "l" where the "i" should be)
Homoglyphs (the hardest to catch)
Some characters from other alphabets look identical to Latin letters. A domain can use a Cyrillic "а" that's visually indistinguishable from the English "a", producing an address that looks perfect to the human eye but points somewhere entirely different. You cannot reliably catch these by reading - which is exactly why an automated check matters here.
How to check a domain yourself
A few seconds of deliberate reading catches most lookalikes:
- Read the domain right-to-left from the first slash. Find the first single "/" after the address, then read backwards. The real domain is the last two parts before that slash (something.com), or three where the ending itself has two parts (something.co.uk). Everything to the left can be faked.
- Compare it letter by letter to the address you know. Don't trust the overall shape - scammers rely on you pattern-matching. Check each character.
- Be suspicious of any extra words. -support, -secure, -login, -verify, -refund bolted to a brand name are classic.
- Type the address yourself, or use a saved bookmark. Don't click the link in the message. Go to the site the way you normally would.
- When in doubt, don't guess. Homoglyphs and subtle swaps are designed to defeat a careful reader. If something feels off, check it properly.
How SniffTest catches lookalike domains
Reading a domain carefully works for the obvious cases, but it fails exactly where scammers put the most effort - homoglyphs, single-character swaps, and convincing subdomains. This is what an automated check is for.
Paste the address into SniffTest and it compares the domain against a list of well-known brands, flagging when an address is a near-match for a real one - an extra word, a swapped character, a number standing in for a letter, or a non-Latin character impersonating an English one. It normalises the address first so homoglyph tricks can't hide, then runs it alongside its other checks: domain age, known scam blocklists, Google Safe Browsing, and more - 17 in total - before returning a plain-English verdict.
A brand-new domain that's also a one-character match for a major brand is one of the strongest scam signals there is, and it's one a person skimming an email will almost always miss.
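The checks described in the sections above - reading the real domain backwards from the first slash, normalising confusable characters, then looking for added words, wrong endings, misspellings and a brand name hiding in a subdomain - can be put into a small script. The one below is an added illustration written for this article, not SniffTest's code and not how SniffTest is implemented. The brand list, the table of endings each brand normally uses, the two-label endings and the confusables map are all constructed, deliberately tiny subsets; a real checker would use a full public suffix list and a full Unicode confusables table, and would not rely on edit distance alone.

```python
"""Lookalike-domain checker (illustrative example, not SniffTest's code)."""
import unicodedata
from urllib.parse import urlsplit

# Constructed brand list and the endings each brand normally uses. Illustrative
# only: a real checker carries far more brands and far more legitimate endings.
BRAND_ENDINGS = {
    "amazon": {"com", "co.uk"},
    "apple": {"com"},
    "google": {"com"},
    "linkedin": {"com"},
    "microsoft": {"com"},
    "netflix": {"com"},
    "paypal": {"com"},
    "royalmail": {"com"},
    "whatsapp": {"com"},
}

# Endings made of two labels, so amazon.co.uk is read as brand + "co.uk" rather
# than "co" + "uk" (constructed subset of the public suffix list).
TWO_LABEL_ENDINGS = {"co.uk", "org.uk", "ac.uk", "gov.uk", "com.au", "co.nz"}

# Characters that pass for Latin letters at a glance: a few Cyrillic and Greek
# letters plus the usual digit stand-ins. Real confusables tables are far larger.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",  # Cyrillic
    "\u0443": "y", "\u0445": "x", "\u0456": "i",                                   # Cyrillic
    "\u03bf": "o", "\u03b1": "a", "\u03bd": "v",                                   # Greek
    "0": "o", "1": "l", "3": "e", "5": "s",                                         # digits
}


def registrable_domain(url: str) -> tuple[str, str]:
    """Return (host, registrable domain) by reading back from the first slash."""
    if "://" not in url:
        url = "http://" + url                        # bare address pasted from a message
    host = (urlsplit(url).hostname or "").strip(".")
    try:
        host = host.encode("ascii").decode("idna")   # unmask xn-- (punycode) hosts
    except UnicodeError:
        pass                                         # already Unicode, nothing to unmask
    labels = host.split(".")
    take = 3 if ".".join(labels[-2:]) in TWO_LABEL_ENDINGS else 2
    return host, ".".join(labels[-take:])


def normalise(label: str) -> str:
    """Fold compatibility forms, then map confusables onto plain Latin letters."""
    return "".join(CONFUSABLES.get(c, c) for c in unicodedata.normalize("NFKC", label))


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: one dropped, doubled or swapped letter scores 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_url(url: str) -> dict:
    """Classify an address as 'genuine', 'lookalike' or 'unknown', with reasons."""
    host, domain = registrable_domain(url)
    sld, _, ending = domain.partition(".")           # the slot a brand name occupies
    subdomains = host.split(".")[: -len(domain.split("."))]
    findings, brand = [], None

    norm = normalise(sld)
    if norm != sld:                                  # digits or non-Latin letters
        findings.append(f"character swap: '{sld}' reads as '{norm}'")

    parts = norm.split("-")                          # apple-support -> [apple, support]
    for name in BRAND_ENDINGS:
        if name in parts:
            brand = name
            if len(parts) > 1:
                findings.append(f"added words around '{name}': {[p for p in parts if p != name]}")
            break
        if edit_distance(norm, name) == 1:           # linkedln -> linkedin
            brand = name
            findings.append(f"misspelling of '{name}': '{norm}'")
            break

    if brand and ending not in BRAND_ENDINGS[brand]:  # amazon.co, royalmail.org
        findings.append(f"unexpected ending '.{ending}' for '{brand}'")

    for sub in subdomains:                           # paypal.secure-login.com
        hidden = normalise(sub)
        if hidden in BRAND_ENDINGS and hidden != brand:
            findings.append(f"'{hidden}' is only a subdomain; real domain is {domain}")
            brand = brand or hidden

    verdict = "unknown" if brand is None else ("lookalike" if findings else "genuine")
    return {"host": host, "domain": domain, "brand": brand, "verdict": verdict, "findings": findings}


if __name__ == "__main__":
    # Constructed sample addresses covering each trick in the article.
    for sample in ["https://www.amazon.co.uk/dp/x", "paypa1.com", "apple-support.com",
                   "amazon.co", "https://paypal.secure-login.com/account", "linkedln.com",
                   "p\u0430ypal.com", "example.com"]:
        result = check_url(sample)
        print(f"{sample:45} {result['verdict']:10} {result['findings']}")
```

Two points worth noting from the design: the punycode decode step is what stops a homoglyph domain hiding behind its `xn--` form, and the subdomain pass only fires when the brand is not also the registrable domain, so `support.paypal.com` is not flagged while `paypal.secure-login.com` is.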
Check an address on SniffTest →
Warning signs
- The address contains a real brand name plus an extra word (-support, -secure, -verify)
- A letter looks like it's been replaced by a number or a similar character
- The ending after the brand is unusual (.co, .org, .net where you'd expect .com or .co.uk)
- The brand name appears as a subdomain, with a different domain after it
- The link arrived unexpectedly, by email or text, with some urgency attached
Signs you're probably fine
- The domain matches the brand exactly, character for character
- The ending is the one the brand normally uses
- You reached the site by typing the address or using your own bookmark
- The domain has been registered for years (SniffTest shows this)
Frequently asked questions
Q: What is a typosquat domain?
A: A typosquat is a web address registered to look like a real brand's, relying on a small misspelling or character swap - like microsoft.com or paypa1.com - so that people skimming an email or text read it as genuine. It's one of the most common tricks in phishing and fake-shop scams.
Q: How can a domain look identical to a real one but not be?
A: Through homoglyphs - characters from other alphabets that look the same as English letters. A Cyrillic "а", for example, is visually identical to the Latin "a" but is a different character, so the domain points somewhere else entirely. These can't be caught by reading, which is why an automated check that normalises the address is the only reliable defence.
Q: Where's the real domain in a long web address?
A: It's the two parts immediately before the first single slash. In paypal.secure-login.com/account, the real domain is secure-login.com - "paypal" is just a subdomain anyone can create. Always read backwards from the first slash.
Q: How do I check if a domain is a lookalike?
A: Read it character by character against the address you know, watch for extra words and unusual endings, and never click a link from an unexpected message - type the address yourself. For the subtle cases, paste it into SniffTest, which flags near-matches to known brands as part of its 17 checks.
Lookalike domains usually arrive inside a phishing message or a fake delivery text. Once you've spotted one, see what to do after clicking a phishing link if you went further than you meant to.