The Lookalike Domain Problem: Why .co Is Not .com
Lookalike domains are the structural reason most wire fraud and BEC attacks succeed. Here is how the trick works and what defenses actually catch it.
Lookalike domains are the structural mechanism behind most wire fraud and BEC attacks. The trick is simple: register a domain that looks like a legitimate one, send the email from the lookalike, and rely on the recipient’s eye not catching the difference under deadline pressure. The trick works often enough to fund a substantial attack ecosystem.
This post is about how lookalike domains work, why they succeed, and what defenses actually catch them.
Four Types of Lookalike Domains
The lookalike-domain trick has four main forms.
Type one: typosquats. One-character substitutions or transpositions of legitimate domains. Examples:
- paypa1.com (the digit “1” instead of the letter “l”)
- amaz0n.com (zero instead of “o”)
- gooogle.com (extra “o”)
- microsoftt.com (extra “t”)
- chasse.com (extra “s” before chase.com)
Typosquats are the simplest form and are caught by mature filtering more reliably than the others. They still succeed often enough at the human level to be worth registering.
Type two: homoglyphs. Visually identical characters from different alphabets or character sets. Examples:
- micrоsoft.com using Cyrillic “о” (U+043E) instead of Latin “o” (U+006F)
- арplе.com using Cyrillic “а” and “р” and “е”
- nеtflix.com with a Cyrillic “е”
Homoglyph attacks are particularly effective on mobile devices, where character-level inspection is impractical. Modern browsers and email clients are getting better at detecting and warning about these (Chrome, for example, falls back to the punycode xn-- form for a label that mixes scripts such as Latin and Cyrillic), but coverage is uneven.
Type three: TLD swaps. Same domain name, different top-level domain. Examples:
- example.co (instead of example.com)
- example.net (instead of example.com)
- example.support (instead of example.com)
- example.email (instead of example.com)
TLD swaps are extremely common in lookalike-domain attacks because they require no character-level cleverness. The brand name is correct; the TLD is different. Mobile email clients often truncate the sender display before showing the TLD, making this the highest-yield form of lookalike for mobile-targeted attacks.
Type four: compound domains. New domain that includes the brand name plus extra context. Examples:
- acme-payments.com
- acme-secure.com
- acme-inc.com
- amazon-billing.com
- microsoft-support.com
Compound domains are the highest-quality form of lookalike because they look plausible. “Of course Amazon has a billing department; of course they would email from amazon-billing.com.” The user’s pattern recognition does not flag the compound name as suspicious because it looks like a reasonable subdomain or related domain.
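The four patterns above can be checked mechanically against a list of brands you care about. The following classifier is an added example written for this post, not code from any filtering product; it assumes a short hand-built confusables table (a production tool would load the full Unicode confusables list) and assumes the registrable domain is the last two labels (real code would consult the Public Suffix List). It reports which of the four patterns a sender domain matches and, for homoglyph labels, the xn-- form that an email client should be showing:

```python
import unicodedata

# Constructed subset of the Unicode confusables table: non-Latin letters that
# render like Latin ones. Assumption for this example; load the full table in real code.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0458": "j", "\u0455": "s",
    "\u03b1": "a", "\u03bf": "o", "\u03c1": "p",
}
# Digits that pass for letters at a glance (paypa1, amaz0n).
DIGIT_SUBS = {"0": "o", "1": "l", "3": "e", "5": "s"}


def split_domain(domain):
    """Return (second-level label, TLD). Assumes the registrable domain is the
    last two labels; a real implementation would use the Public Suffix List."""
    labels = domain.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return labels[0], ""
    return labels[-2], labels[-1]


def skeleton(label):
    """Collapse a label to the Latin string a reader perceives: map confusable
    letters and digits to their Latin look-alikes and merge rn->m, vv->w."""
    s = "".join(CONFUSABLES.get(ch, ch) for ch in unicodedata.normalize("NFKC", label))
    for digit, letter in DIGIT_SUBS.items():
        s = s.replace(digit, letter)
    return s.replace("rn", "m").replace("vv", "w")


def edit_distance(a, b):
    """Optimal string alignment distance. Insert, delete, substitute, and
    adjacent transposition each cost 1, which is exactly the typosquat space."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def to_punycode(domain):
    """ASCII (xn--) form of an IDN. Pure-ASCII labels come back unchanged."""
    return domain.lower().encode("idna").decode("ascii")


def classify(sender_domain, protected_domains):
    """Return (verdict, matched brand). Verdicts, checked in order per brand:
    legitimate, homoglyph, tld_swap, typosquat, compound; else unrelated."""
    sender_domain = sender_domain.lower().rstrip(".")
    sld, tld = split_domain(sender_domain)
    sk = skeleton(sld)
    for brand in protected_domains:
        brand = brand.lower()
        b_sld, b_tld = split_domain(brand)
        b_sk = skeleton(b_sld)
        if sender_domain == brand:
            return "legitimate", brand
        # Non-ASCII label whose perceived form is the brand: homoglyph.
        if not sld.isascii() and edit_distance(sk, b_sk) <= 1:
            return "homoglyph", brand
        # Same label, different TLD: example.co for example.com.
        if sld == b_sld and tld != b_tld:
            return "tld_swap", brand
        # Digit substitution or one edit away: paypa1, gooogle, chasse.
        if len(b_sk) >= 4 and edit_distance(sk, b_sk) <= 1:
            return "typosquat", brand
        # Brand as a hyphen-separated token: acme-payments, amazon-billing.
        # Plain substring matching would also catch amazonbilling.com but
        # flags purchase.com against chase.com, so token matching is used here.
        tokens = sk.split("-")
        if len(tokens) > 1 and b_sk in tokens:
            return "compound", brand
    return "unrelated", None


if __name__ == "__main__":
    brands = ["paypal.com", "amazon.com", "microsoft.com", "chase.com", "acme.com"]
    for sender in ["paypa1.com", "micr\u043esoft.com", "acme.co", "acme-payments.com"]:
        print(sender, to_punycode(sender), classify(sender, brands))
```

The ordering matters: the TLD-swap rule runs before the edit-distance rule so that example.co is reported as a TLD swap rather than a typosquat, and the compound rule runs last because a hyphenated label is never within one edit of the bare brand.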
Why Lookalike Domains Succeed
Three structural reasons combine.
Mobile truncation. Mobile email clients display sender names in limited horizontal space. The sender display often shows only the display name or the start of the address, with the full sender address hidden behind a tap. A lookalike domain that would be obvious on a desktop monitor is invisible on a phone. Much business email is now read on mobile, and phishing campaigns are built with that in mind. The truncation is a structural weakness.
Human visual processing under pressure. The human eye does not do character-level domain inspection by default. We process domains as gestalt patterns: “amazon.com” is a single visual object, not a sequence of letters. When a phishing email arrives during a busy period (closing day, end-of-quarter, tax season), the user’s pattern recognition is overloaded. The lookalike domain passes because the user did not stop to inspect.
Authentication does not flag lookalikes. SPF, DKIM, and DMARC establish that a message really came from the domain it claims to come from: SPF checks that the sending server is authorized for the envelope-sender domain, DKIM verifies a signature made under the signing domain, and DMARC checks that one of those two domains aligns with the domain in the From header. None of them compares that From domain to anything else. An attacker who registers a lookalike and publishes valid SPF, DKIM, and DMARC records for it passes all three checks, because the lookalike is a technically separate domain with its own records. Sender authentication is orthogonal to lookalike-domain detection. We covered this in what is DMARC, DKIM, and SPF.
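To make the orthogonality concrete, here is a simplified DMARC evaluation, added for this post and not taken from any mail server: it implements the RFC 7489 pass rule (an aligned SPF pass or an aligned DKIM pass) with relaxed and strict alignment. A dict stands in for the DNS lookup of the _dmarc record, and the organizational domain is assumed to be the last two labels. Run against three constructed messages, it rejects a direct spoof of acme.com, passes a lookalike acme-payments.com with its own records, and shows the difference strict alignment makes:

```python
# Constructed stand-in for DNS: DMARC policies that would be published at
# _dmarc.<domain>. acme.com is the protected brand; acme-payments.com is an
# attacker-registered lookalike that publishes its own (valid) records.
POLICIES = {
    "acme.com": {"p": "reject", "aspf": "r", "adkim": "r"},
    "acme-payments.com": {"p": "none", "aspf": "r", "adkim": "r"},
}


def org_domain(domain):
    """Organizational domain. Assumption: the last two labels. RFC 7489 uses the
    Public Suffix List, so co.uk-style suffixes need that list in real code."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain, auth_domain, mode):
    """DMARC identifier alignment: strict ("s") needs an exact match, relaxed
    ("r") needs the same organizational domain."""
    from_domain, auth_domain = from_domain.lower(), auth_domain.lower()
    if mode == "s":
        return from_domain == auth_domain
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_evaluate(from_domain, spf, dkim, policy):
    """spf is (result, envelope MAIL FROM domain); dkim is (result, d= domain)
    or None when no signature is present. Returns (dmarc result, disposition)."""
    spf_result, spf_domain = spf
    spf_ok = spf_result == "pass" and aligned(from_domain, spf_domain, policy.get("aspf", "r"))
    dkim_ok = False
    if dkim is not None:
        dkim_result, dkim_domain = dkim
        dkim_ok = dkim_result == "pass" and aligned(from_domain, dkim_domain, policy.get("adkim", "r"))
    if spf_ok or dkim_ok:
        return "pass", "deliver"
    disposition = {"none": "deliver", "quarantine": "quarantine", "reject": "reject"}
    return "fail", disposition[policy["p"]]


def evaluate_message(from_domain, spf, dkim):
    """Look up the policy for the From domain (falling back to the organizational
    domain, as a receiver does) and evaluate the message against it."""
    policy = POLICIES.get(from_domain.lower()) or POLICIES.get(org_domain(from_domain))
    if policy is None:
        return "none", "deliver"  # no DMARC record published: nothing to enforce
    return dmarc_evaluate(from_domain, spf, dkim, policy)


if __name__ == "__main__":
    # Direct spoof: From acme.com, but SPF only passes for the attacker's own
    # MAIL FROM domain and there is no acme.com DKIM signature.
    print(evaluate_message("acme.com", ("pass", "mailer.attacker.example"), None))
    # Lookalike: everything aligns because the attacker owns acme-payments.com.
    print(evaluate_message("acme-payments.com", ("pass", "acme-payments.com"),
                           ("pass", "acme-payments.com")))
```

The second message passes cleanly; nothing in the evaluation ever looks at acme.com, because acme-payments.com is simply a different From domain with a different policy. Catching it is the job of a lookalike check, not of authentication.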
The combination produces a high-success-rate attack vector that has been profitable for over two decades.
What Mature Filtering Does and Does Not Do
A typical small business has Microsoft 365 or Google Workspace native filtering, possibly with Defender or a third-party gateway product on top. What each layer does for lookalike domains:
Native Gmail and Outlook filtering. Maintains lists of known lookalike domains and flags some mail from them. Coverage is best for high-volume well-known brands (PayPal, Amazon, Microsoft, Google, major banks). Coverage is uneven for less-prominent brands and newly-registered domains.
Microsoft Defender for Office 365 or Workspace advanced phishing protection. Adds impersonation detection that includes lookalike-domain heuristics. Catches more than native filtering. Newly-registered domains still pass during the window before they are catalogued.
Third-party gateways. Add deeper threat intelligence on lookalike domains. Some products specifically track typosquats and homoglyphs against the customer’s protected brands. Detection rate improves but is not 100%.
Browser-level warnings. Chrome, Safari, and Firefox display warnings or punycode for some IDN homograph attacks. Coverage is strongest for high-profile brands and weaker for less-prominent ones.
The honest summary: mature filtering catches most known lookalike domains. Newly-registered lookalikes often pass for the first hours or days they are active. Compound-domain lookalikes (acme-payments.com style) are the hardest to catch because they are technically not impersonating any real domain at the character level.
What Procedural Defenses Catch
The procedural defenses that work against lookalike domains:
Verification of any wire-instruction change by phone. If the email purports to update wire instructions and comes from a domain you have not verified, call the legitimate sender at a number you already have. The lookalike domain cannot intercept a phone call to a number the attacker did not provide. We covered this at vendor impersonation: the quiet phishing vector nobody talks about.
Checking the full domain before acting. On any email that involves money or sensitive information, check the full sender domain. On mobile, this means tapping the sender display to see the full address. The minute spent doing this prevents most lookalike-domain attacks.
Hovering over links before clicking. Lookalike domains often appear in the link target as well as the sender address. Hovering on desktop or long-pressing on mobile reveals the actual destination URL.
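The hover check can also be automated at the mail-filter layer. The snippet below is an added example for this post, not code from any product; it uses only the Python standard library, assumes the message body is HTML, and assumes that a link whose visible text is itself a domain or URL is making a claim about its destination. It reports every anchor whose displayed host differs from the real target host, which is the mismatch a user would see by hovering. The sample email body is constructed for the example:

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample body: one honest link, one lookalike target behind a
# legitimate-looking URL, and one subdomain-prefix trick.
SAMPLE_HTML = """
<p>Your invoice is ready. Sign in at
<a href="https://acme-secure.com/login">https://acme.com/login</a>
or visit the <a href="https://acme.com/help">Help center</a>.
Updated wire details: <a href="http://acme.com.invoice-portal.net/wire">acme.com/wire</a></p>
"""


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lower-cased host of a URL; bare 'acme.com/path' text is treated as http."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def looks_like_url(text):
    """Does the visible anchor text claim a destination (a domain or URL)?"""
    t = text.strip()
    return bool(t) and " " not in t and ("://" in t or "." in t.split("/")[0])


def mismatched_links(html):
    """Return (visible text, real host) for every link whose displayed host is
    not the real host or a parent of it. 'Help center' style text makes no
    claim about the destination and is skipped."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        if not href or not looks_like_url(text):
            continue
        shown, real = host_of(text), host_of(href)
        if shown and real != shown and not real.endswith("." + shown):
            findings.append((text, real))
    return findings


if __name__ == "__main__":
    for text, real in mismatched_links(SAMPLE_HTML):
        print(f"link text shows {text!r} but goes to {real}")
```

The third link in the sample is worth noticing: acme.com.invoice-portal.net begins with the brand, and on a truncated mobile status bar only the acme.com part may be visible. The parent-domain test (real host ends with ".acme.com") is what distinguishes a genuine links.acme.com from this prefix trick.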
Awareness of common patterns. Trained users learn to look for the typical lookalike patterns: TLD swaps, compound domains built around the brand name, and homoglyphs. Training lowers the share of users who act on a simulated lookalike phish from a 25-30% baseline to 5-10% over time. Not perfect but real.
External-sender warnings. Workspace and Microsoft 365 deployments can prepend visual warnings to mail from external domains. Useful for catching display-name impersonation that uses lookalike domains.
What an Inbox-Layer Filter Adds
Rythm sits at the inbox layer on top of Gmail or Outlook. What it does for lookalike-domain attacks:
Mass version becomes uneconomical. When each recipient has a four-cent cover charge, a 1,000-recipient blast from a newly-registered lookalike domain costs $40 to send, so the mass version of the attack does not run. The 5,000 small businesses that would have been hit by the same lookalike-domain wave shrink to whatever subset the attacker is willing to spend $200 to reach.
New domains are unknown. A lookalike domain that has not previously corresponded with the user is not on the user’s guest list. The mail goes to the held-for-review folder or pays the cover charge. Either path adds friction that the mass-volume attack economics cannot sustain.
Targeted attack still possible. A precision attack against a specific high-value target where the attacker is willing to pay the cover charge is not stopped. The email arrives with a PAID label attached, which is itself useful: the legitimate brand the attacker is impersonating (an established vendor, the user’s bank, an internal contact) would already be on the user’s guest list and would not pay a cover charge. A paid email claiming to be from a familiar party is a visible red flag at the inbox layer. Out-of-band verification still handles this case.
The pattern: Rythm collapses the mass version of lookalike-domain attacks. Procedural verification handles the targeted survivors.
A Specific Honest Note
Lookalike domains are one of the structurally hardest attack categories to defend against purely with technical tools. The compound-domain version (acme-payments.com style) is particularly resistant because it is not technically impersonating any real domain.
Rythm reduces the volume of mass-volume lookalike-domain attacks by collapsing the cost economics. The targeted version of the attack still requires procedural defenses, particularly out-of-band verification for any wire-instruction or financial change.
For the related guides, see vendor impersonation: the quiet phishing vector nobody talks about, what is DMARC, DKIM, and SPF, the anatomy of a modern phishing email, and why phishing emails are getting harder to spot in 2026. For the broader frame, see business email compromise survival guide for small businesses and what is BEC. Rythm is $1.65 per month, cancel anytime.