(BBB) – The manager for a large commercial builder recently called her IT support with serious concerns. One of their clients received an email that at first looked like it came from her work email account, asking for payment on completed work, but it didn’t originate from her office.
The email address included her name, and the business domain was only one letter off. The sender asked for a wire transfer of payment for labor and materials on a large project costing almost a million dollars, and the recipient almost paid. This manager’s company has fallen victim to typosquatting, and they’re not alone.
What is Typosquatting?
Cybersquatting is when someone buys a domain name so they can pretend to be another entity or business. Typosquatting is a form of cybersquatting and occurs when someone buys the misspelling of a domain name to get online traffic from those mistakes. It’s also sometimes called URL hijacking.
A domain name is an entity’s web address, what people type in the navigation bar to visit their website. It might look like businessname.com, localcharity.org or localcollege.edu. Email addresses typically follow a formula similar to email@example.com, firstname.lastname@example.org or email@example.com.
Why Bad Actors Bother
When users mistype or “fat finger” in the wrong address, they may be taken to a fraudulent website that looks similar to the one they intended to visit. The website owners can use this deception to steal identity information, sell products, or misinform.
They can also send email from the misspelled domain name to try and trick the recipient into thinking it came from someone inside the company being mimicked. Recipients might think they’re dealing with a trusted source when they’re really interacting with someone whose whole intent is to deceive.
Bad actors use typosquatting for purposes like these:
- Making a quick buck – Sometimes the person who registers the misspelled domain hopes they’ll be able to sell the variation to the original company for more than they paid.
- Selling goods or services – People might check out, thinking they’ll receive merchandise from their favorite brand, and either never receive it or get an inferior knockoff.
- Installing malware – Sometimes when users visit a fake website, they end up downloading malware to their computer.
- Getting clicks or views – Users may type in the wrong URL and find themselves looking at a page full of ads or articles. If they’re lured into clicking on the ads, the domain owner might earn revenue.
- Stealing sensitive information – Users might think they’re logging in to their bank account, social media account or online shopping account when they’re really supplying their username and password to cybercriminals.
- Protecting legitimate website traffic – Some companies buy variations of their domain name to make sure typosquatting can’t hurt them. They redirect traffic from those domain names to the legitimate business website.
- Attempt at making jokes or sullying a reputation – Users end up navigating to a website that makes fun of or contains an attempt at humor related to the intended organization.
Forms of Typosquatting
Cybercriminals try to stick as close as possible to the original domain name with only slight variations so users will overlook the mistake. URL hijackers often register domain names with the most common typos or misspellings. They might also change the domain suffix, hoping the user will choose to visit yourtown.com instead of yourtown.gov when trying to pay a utility bill or traffic ticket.
Another trick is to add an “s” to the domain name. For example, when yourtownplumber.com becomes yourtownplumbers.com, the user might not even notice the difference.
How to Protect Yourself
- Typosquatting takes advantage of people who get in a hurry and don’t pay attention.
- The best way to avoid mistakes is to do the opposite. After typing in a web address and before hitting “Enter,” double-check the spelling. Once the online destination shows upon the screen, look for the padlock symbol and be sure the website address includes https://.
- Business owners – register common alternate spellings for your domain, including variations with plurals and hyphens. If you own all the similar domains, cybercriminals can’t use them against you. It’s also a good idea to monitor website traffic. A sudden drop off might indicate visitors are being diverted to a fake site through typosquatting.
- Report suspicious websites to the Internet Crime Complaint Center. In Canada, see the Canadian Centre for Cyber Security.
Typosquatting and the Law
The Anticybersquatting Consumer Protection Act (ACPA) was enacted in 1999 to make it illegal to register Internet domains that are similar to an existing business or personal name with the intent to misuse them. Cybersquatting and typosquatting are illegal, and ACPA requires URL owners to prove they’re acting in good faith.
If you find someone has registered a variation that could be used to impersonate you, notify partners, customers, employees and anyone else who might be deceived so they can be on the lookout. Consider submitting a petition to the World Intellectual Property Organization to gain ownership of a domain that is “identical or confusingly similar” to yours if you can show the domain registrar is acting in bad faith.