Best Typosquatting Checkers: Tools to Detect Lookalike Domains

Learn how to detect lookalike domains targeting your brand before attackers use them against your employees.

• Typosquatting checkers generate hundreds of domain variations and show you which ones are already registered by potential attackers
• Free tools like CIRCL Typosquatting Finder use 21 different algorithms to catch character swaps, missing letters, and homoglyph attacks
• Point-in-time scans find existing threats but attackers register new domains daily, making continuous monitoring essential
• Combine typosquatting checkers with credential monitoring to catch both the fake domains and the stolen passwords they harvest

Your employees are one typo away from handing their credentials to attackers. It happens every day. Someone types ‘ofice.com’ instead of ‘office.com’ and lands on a perfect replica of the Microsoft login page.

Zscaler ThreatLabz found over 30,000 lookalike domains targeting just 500 major websites in six months. More than 10,000 were confirmed malicious. These aren’t sophisticated attacks. They’re simple typos exploited by attackers who registered domains before you knew they existed.

Typosquatting checkers let you find these fake domains before your employees do. Enter your domain, get a list of variations, and see which ones are already registered and potentially dangerous.

Here’s how these tools work, which ones security teams actually use, and what they can and can’t do for your brand protection strategy.

What Is a Typosquatting Checker?

You can’t defend against domains you don’t know exist. Typosquatting checkers solve that visibility problem.

Typosquatting checkers are tools that generate hundreds or thousands of domain name variations based on common typing errors, then check which variations are already registered. They help security teams identify potentially malicious lookalike domains before attackers use them for phishing or credential theft.

These tools automate what would take hours manually. Instead of guessing which typos of your domain might exist, you get a complete list with registration status, IP addresses, and often similarity scores showing how convincing each fake domain might be.

Security teams use typosquatting checkers for proactive brand protection. Running periodic scans reveals new threats as attackers register them. When you find a suspicious domain, you can investigate further, request takedowns, or add it to your blocklists before employees encounter it.

The problem? Attackers register new domains constantly. Point-in-time scans catch existing threats but miss new registrations the next day. That’s why typosquatting checkers work best as part of a broader monitoring strategy.

How Do Typosquatting Checkers Work?

Every typosquatting checker follows the same basic process. Understanding the algorithms helps you evaluate which tool catches the most threats.

Domain Permutation Algorithms

The core of any typosquatting checker is its permutation engine. Different algorithms generate different types of fake domains:

Character Omission: Removes one letter at a time. ‘google.com’ becomes ‘gogle.com’, ‘goole.com’, ‘googl.com’. Users who type too fast often skip letters.

Character Repetition: Doubles letters. ‘google.com’ becomes ‘googgle.com’, ‘gooogle.com’. Common when users accidentally hold keys too long.

Character Replacement: Swaps letters with adjacent keyboard keys. ‘google.com’ becomes ‘foogle.com’, ‘hoogle.com’. Targets muscle memory errors.

Homoglyph Substitution: Uses visually similar characters from different alphabets. The Cyrillic ‘а’ looks identical to the Latin ‘a’ but creates a different domain. These attacks are nearly impossible to spot visually.

TLD Variations: Changes the domain extension. ‘amazon.com’ becomes ‘amazon.co’, ‘amazon.net’, ‘amazon.org’. Users often default to ‘.com’ even when the real site uses a different TLD.
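
As an added illustration (not code from the article, CIRCL or dnstwist), here is a minimal Python permutation engine covering the five algorithm classes above; the keyboard-adjacency map, homoglyph table and TLD list are small illustrative assumptions, and to_registrable shows the punycode form a homoglyph domain actually takes in DNS and WHOIS.

```python
# Added example (not the article's code, nor CIRCL's or dnstwist's): a small
# permutation engine for the five algorithm classes described above. The
# keyboard map, homoglyph table and TLD list are illustrative assumptions.

# Partial QWERTY adjacency: each letter -> the keys around it (assumption).
QWERTY_NEIGHBOURS = {
    "a": "qwsz", "b": "vghn", "c": "xdfv", "d": "serfcx", "e": "wsdr",
    "f": "drtgvc", "g": "ftyhbv", "h": "gyujnb", "i": "ujko", "j": "huikmn",
    "k": "jiolm", "l": "kop", "m": "njk", "n": "bhjm", "o": "iklp", "p": "ol",
    "q": "wa", "r": "edft", "s": "awedxz", "t": "rfgy", "u": "yhji",
    "v": "cfgb", "w": "qase", "x": "zsdc", "y": "tghu", "z": "asx",
}
# Latin letter -> lookalikes: Cyrillic letters, digits, and 'rn' that renders like 'm'.
HOMOGLYPHS = {
    "a": ["\u0430"], "c": ["\u0441"], "e": ["\u0435"], "o": ["\u043e", "0"],
    "i": ["1", "l"], "l": ["1", "i"], "m": ["rn"],
}
TLDS = ["com", "co", "net", "org"]  # assumption: extensions tried by the TLD step

def permutations(domain):
    """Return {technique: set of candidate domains} for a second-level domain."""
    name, tld = domain.rsplit(".", 1)
    out = {k: set() for k in ("omission", "repetition", "replacement", "homoglyph", "tld")}
    for i, ch in enumerate(name):
        head, tail = name[:i], name[i + 1:]
        out["omission"].add(f"{head}{tail}.{tld}")            # drop one letter
        out["repetition"].add(f"{head}{ch}{ch}{tail}.{tld}")  # double one letter
        for key in QWERTY_NEIGHBOURS.get(ch, ""):             # adjacent-key typo
            out["replacement"].add(f"{head}{key}{tail}.{tld}")
        for sub in HOMOGLYPHS.get(ch, []):                    # lookalike glyph
            out["homoglyph"].add(f"{head}{sub}{tail}.{tld}")
    for alt in TLDS:                                          # wrong extension
        if alt != tld:
            out["tld"].add(f"{name}.{alt}")
    for candidates in out.values():
        candidates.discard(domain)  # never list the legitimate domain itself
    return out

def to_registrable(candidate):
    """The string a registrar or resolver actually sees: a label containing a
    non-ASCII homoglyph becomes punycode ('xn--...'). Look up, block and report
    this form; the Unicode form is only what the user sees in the address bar."""
    return candidate.encode("idna").decode("ascii")
```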

DNS Lookups and Enrichment

After generating variations, the checker performs DNS lookups to see which domains resolve to IP addresses. Registered domains that resolve might already host malicious content.

Better tools add enrichment data:

  • IP address information: Where does the domain point?
  • Mail server records: Can the domain receive email for phishing campaigns?
  • Web content analysis: Does the site look similar to the legitimate one?
  • SSL certificate status: Did attackers get a certificate to display the padlock icon?

Similarity Scoring

Advanced checkers calculate how convincing each fake domain might be. A domain that differs by one visually similar character scores higher than one with obvious differences. This helps security teams prioritize their investigation efforts.

What Are the Best Free Typosquatting Checkers?

Several free tools serve security teams well. Each has different strengths depending on your use case.

CIRCL Typosquatting Finder

The CIRCL Typosquatting Finder from the Computer Incident Response Center Luxembourg offers the most comprehensive free scanning available.

What makes it stand out: 21 different permutation algorithms including omission, repetition, replacement, homoglyph, vowel swap, wrong TLD, and more. Most other free tools use far fewer algorithms.

Features:

  • IP address identification for registered domains
  • Name server and mail server data
  • Web title analysis showing what content the fake site displays
  • Web similarity metrics comparing fake sites to legitimate ones
  • Similarity probability scoring to prioritize threats

Best for: One-time comprehensive scans when you need maximum coverage. The algorithm diversity catches variations other tools miss.

Limitations: Web-based only with no API access. No ongoing monitoring. You’ll need to manually run scans periodically.

DNSTwister

DNSTwister focuses on simplicity and ongoing monitoring capabilities.

What makes it stand out: Offers email alerts for new domain registrations matching your variations. This adds basic continuous monitoring without the cost of enterprise solutions.

Features:

  • Multiple permutation algorithms
  • Email monitoring service for $35/year
  • API access for automation
  • Export results for analysis

Best for: Teams that want basic monitoring without building their own infrastructure. The email alerts catch new threats as they’re registered.

Limitations: Fewer algorithms than CIRCL. Monitoring covers limited variations compared to comprehensive enterprise solutions.

dnstwist CLI Tool

For technical teams, the open-source dnstwist command-line tool provides maximum flexibility.

What makes it stand out: Industry standard tool that powers many commercial solutions. Full control over scanning parameters and output formats.

Features:

  • Run locally without sending data to third parties
  • Integrate into scripts and automation workflows
  • Extensive permutation options
  • WHOIS lookups, banner grabbing, and MX record checks
  • GeoIP location data

Best for: Security teams comfortable with command-line tools who want to build custom scanning workflows. Penetration testers and red teams use dnstwist for reconnaissance.

Limitations: Requires technical expertise. No web interface. You’re responsible for scheduling and managing scans.

Have I Been Squatted

Have I Been Squatted provides a simple web interface with community-driven data.

What makes it stand out: Based on the open source twistrs project with a focus on accessibility. Good option for quick checks without learning complex tools.

Features:

  • Multiple permutation algorithms
  • Community contributions to detection patterns
  • Simple results display
  • Paid monitoring tiers starting at $59/year

Best for: Teams wanting an accessible entry point to typosquatting monitoring without complex setup.

Limitations: Less comprehensive than CIRCL or dnstwist. Limited enrichment data.

How Do These Tools Compare?

Here’s how the main options stack up for security team use cases:

| Tool                       | Algorithms | Monitoring        | API | Best For                     |
|----------------------------|------------|-------------------|-----|------------------------------|
| CIRCL Typosquatting Finder | 21 types   | No                | No  | Comprehensive one-time scans |
| DNSTwister                 | Multiple   | Yes ($35/yr)      | Yes | Basic ongoing monitoring     |
| dnstwist CLI               | Extensive  | Build your own    | N/A | Custom automation workflows  |
| Have I Been Squatted       | Multiple   | Yes (from $59/yr) | No  | Entry-level monitoring       |

For most security teams, start with CIRCL for deep one-time scans, then consider DNSTwister if you need basic monitoring alerts. Technical teams should evaluate dnstwist for integration into existing tooling.

How Should Security Teams Use Typosquatting Checkers?

Running a scan is easy. Getting value from the results takes process.

Building a Scanning Workflow

Initial baseline scan: Run your primary domains through CIRCL to get the most comprehensive view. Document all registered variations you find.

Prioritize by risk: Focus first on domains that resolve to active IP addresses, have mail servers configured, or display web content similar to yours. These indicate active or imminent threats.

Regular rescans: Attackers register new domains constantly. Monthly scans at minimum, weekly for high-risk organizations. DNSTwister’s email alerts can supplement scheduled scans.

Integration with blocklists: Add confirmed malicious domains to your DNS filtering, email gateway, and web proxy blocklists. This prevents employees from reaching the fake sites.
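
An added example, not from the article or any tool it names, that combines the similarity scoring described earlier with the "prioritize by risk" step above: a weighted edit distance in which homoglyph substitutions barely count, and a triage order driven by the resolves, mail-server and content signals. The confusable table, the costs and the tier rules are assumptions, and the scan records are constructed.

```python
# Added example, not code from the article or any tool it names; the confusable
# table, the 0.1 substitution cost and the tier rules are assumptions.
CONFUSABLE = {("a", "\u0430"), ("c", "\u0441"), ("e", "\u0435"), ("o", "\u043e"),
              ("o", "0"), ("i", "1"), ("l", "1"), ("i", "l")}  # lookalike pairs (subset)

def visual_distance(a, b):
    """Weighted Levenshtein: a confusable substitution costs 0.1, anything else 1.
    Two-character tricks such as 'rn' for 'm' need a richer model than this."""
    prev = [float(j) for j in range(len(b) + 1)]
    for i, ca in enumerate(a, 1):
        cur = [float(i)]
        for j, cb in enumerate(b, 1):
            if ca == cb:
                sub = 0.0
            elif (ca, cb) in CONFUSABLE or (cb, ca) in CONFUSABLE:
                sub = 0.1
            else:
                sub = 1.0
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + sub))
        prev = cur
    return prev[-1]

def similarity(legit, candidate):
    """1.0 = indistinguishable; a one-letter typo of a 10-character domain scores 0.9."""
    return 1 - visual_distance(legit, candidate) / max(len(legit), len(candidate))

def triage_tier(rec):
    """3 = resolves and has a mail server or lookalike content, 2 = resolves only,
    1 = registered without an A record (parked), 0 = not registered."""
    if not rec["registered"]:
        return 0
    if not rec["resolves"]:
        return 1
    return 3 if (rec["mx"] or rec["title_similar"]) else 2

def prioritize(legit, records):
    """Review order for analysts: highest tier first, most convincing lookalike first."""
    rows = [(triage_tier(r), similarity(legit, r["domain"]), r["domain"]) for r in records]
    return sorted(rows, key=lambda row: (row[0], row[1]), reverse=True)

# Constructed scan results (not real registrations) to exercise the ranking.
SAMPLE_SCAN = [
    {"domain": "hoogle.com", "registered": False, "resolves": False, "mx": False, "title_similar": False},
    {"domain": "googlee.com", "registered": True, "resolves": True, "mx": False, "title_similar": False},
    {"domain": "g\u043e\u043egle.com", "registered": True, "resolves": True, "mx": True, "title_similar": False},
    {"domain": "foogle.com", "registered": True, "resolves": False, "mx": False, "title_similar": False},
    {"domain": "gogle.com", "registered": True, "resolves": True, "mx": False, "title_similar": True},
]
```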

What to Do When You Find Threats

Finding a suspicious domain is step one. Here’s the response workflow:

  1. Document everything: Screenshot the fake site, record WHOIS data, note the IP address. Evidence supports takedown requests.
  2. Assess the threat level: Is the site actively hosting a phishing page? Does it have email capability for BEC attacks? Or is it parked and not yet weaponized?
  3. Block immediately: Add to all security tool blocklists while you pursue takedowns. Don’t wait for removal to protect your users.
  4. Request takedowns: Contact the domain registrar’s abuse team with evidence. Report to hosting providers. Submit to Google Safe Browsing and Microsoft SmartScreen.
  5. Consider legal action: For trademark infringement, ICANN’s UDRP process or the Anticybersquatting Consumer Protection Act provide remedies.

What Happens When Attacks Succeed

Typosquatting checkers find the fake domains. But what happens when those domains successfully harvest credentials before you catch them?

Credential monitoring complements typosquatting detection by alerting when employee passwords appear in breach databases or dark web marketplaces. If a typosquatting attack succeeds before you detect the fake domain, credential monitoring catches the stolen passwords before attackers exploit them.

The combination matters. Typosquatting checkers help you stop attacks before they happen. Credential monitoring catches the ones that slip through. Together they cover both sides of the problem.

What Are the Limitations of Typosquatting Checkers?

Free tools have real constraints. Understanding them helps set realistic expectations.

Point-in-Time vs. Continuous Monitoring

Most free typosquatting checkers provide snapshots. You run a scan today and see what exists now. Tomorrow, an attacker registers a new variation you won’t know about until your next scan.

Enterprise solutions monitor continuously, alerting on new registrations within hours. Breachsense’s attack surface management API includes typosquatting domain detection as part of broader external threat monitoring. Free tools require you to build that monitoring yourself through scheduled scans and comparison of results over time.
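
An added example (not the article's or any tool's code) of the scan-to-scan comparison this paragraph describes: two constructed snapshots of registered variations are diffed to surface new registrations and domains that have escalated from parked to live. The snapshot field names are an assumption; map your scanner's export onto them.

```python
# Added example (not the article's or any tool's code): diffing two saved scan
# snapshots to recover the alerting that point-in-time tools lack. The record
# format (domain, resolves, mx) is an assumption; both snapshots are constructed.
import json

PREVIOUS_SCAN = json.loads("""[
  {"domain": "gogle.com",  "resolves": true,  "mx": false},
  {"domain": "googel.com", "resolves": false, "mx": false},
  {"domain": "g00gle.com", "resolves": true,  "mx": true}
]""")
CURRENT_SCAN = json.loads("""[
  {"domain": "gogle.com",   "resolves": true, "mx": false},
  {"domain": "googel.com",  "resolves": true, "mx": true},
  {"domain": "gooogle.com", "resolves": true, "mx": false}
]""")

def diff_scans(previous, current):
    """Classify changes between two scans of the same permutation list:
    new       - registered since the last scan (candidate for blocklist/takedown)
    escalated - already known, but now resolves or gained a mail server (parked -> live)
    dropped   - no longer registered (can be retired from the watch list)"""
    prev = {r["domain"]: r for r in previous}
    cur = {r["domain"]: r for r in current}
    new = sorted(set(cur) - set(prev))
    dropped = sorted(set(prev) - set(cur))
    escalated = sorted(
        d for d in set(cur) & set(prev)
        if (cur[d]["resolves"] and not prev[d]["resolves"])
        or (cur[d]["mx"] and not prev[d]["mx"])
    )
    return {"new": new, "escalated": escalated, "dropped": dropped}

def alert_lines(changes):
    """One line per finding, suitable for a ticket or a chat alert."""
    lines = [f"NEW registration: {d}" for d in changes["new"]]
    lines += [f"ESCALATED (now resolves or has MX): {d}" for d in changes["escalated"]]
    lines += [f"DROPPED: {d}" for d in changes["dropped"]]
    return lines

if __name__ == "__main__":
    for line in alert_lines(diff_scans(PREVIOUS_SCAN, CURRENT_SCAN)):
        print(line)
```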

False Positives and Noise

A comprehensive scan generates hundreds of variations. Many registered domains are:

  • Defensive registrations by the legitimate brand
  • Parked domains not actively malicious
  • Legitimate businesses with similar names
  • Domains registered years ago and never used

Filtering signal from noise takes analyst time. Similarity scoring helps, but human review remains necessary for accurate prioritization.

Coverage Gaps

No tool catches everything. Attack techniques evolve:

  • New homoglyph characters appear in IDN registrations
  • Combosquatting with keywords (‘amazon-security.com’) requires different detection
  • Attackers also use subdomains like login.amaz0n.com that root domain scanners miss
  • Some country-code TLDs don’t publish registration data, so checkers can’t verify if domains exist

Multiple tools with different algorithms provide better coverage than any single solution.

Detection vs. Protection

Finding a malicious domain doesn’t stop employees from visiting it. You still need:

  • DNS filtering to block known bad domains
  • Email security to catch phishing links
  • User training on URL verification
  • Browser protections like Google Safe Browsing

Typosquatting checkers show you what’s out there. They don’t block threats on their own.

Conclusion

Typosquatting checkers give security teams visibility into an attack surface they often miss. Free tools like CIRCL Typosquatting Finder and dnstwist provide solid detection capabilities without budget approval.

The key takeaways:

  • Run comprehensive scans with CIRCL’s 21 algorithms to establish your baseline
  • Set up regular rescans because attackers register new domains constantly
  • Block confirmed threats immediately while pursuing takedowns
  • Combine typosquatting detection with credential monitoring to catch stolen credentials when attacks succeed

Point-in-time scans have limits. Attackers don’t wait for your next scheduled scan to register malicious domains. For continuous protection, you need ongoing monitoring of both lookalike domains and the credentials they might harvest.

Want to know if your employees’ credentials have already been stolen? Check your organization’s exposure to see what’s already circulating on criminal marketplaces.

Typosquatting Checker FAQ

A typosquatting domain is a fake website address designed to capture traffic from users who mistype legitimate URLs. Attackers register domains like ‘gogle.com’ or ‘amazn.com’ to steal credentials or distribute malware. These domains exploit predictable human typing errors.

Use a typosquatting checker like CIRCL or DNSTwister to scan for lookalike domains. Enter your legitimate domain and the tool generates hundreds of variations using different algorithms. Results show which variations are registered, their IP addresses, and similarity scores to help you prioritize threats.

Look for character substitutions like ‘rn’ instead of ‘m’, missing or extra letters, wrong TLDs like ‘.co’ instead of ‘.com’, and added words like ‘amazon-security.com’. Phishing domains often have valid SSL certificates, so the padlock icon alone doesn’t guarantee legitimacy.

DMARC checkers help prevent email spoofing but don’t stop typosquatting attacks. DMARC verifies that emails claiming to be from your domain are legitimate. It won’t block attackers who register lookalike domains and send emails from those fake addresses. You need typosquatting detection alongside email authentication.

Domain squatting is registering domain names containing trademarked terms to profit from them. Typosquatting is a specific type that uses misspelled versions of legitimate domains. Both threaten your brand, but typosquatting specifically targets users who make typing mistakes. Dark web monitoring can detect when credentials stolen through either attack appear for sale.

File a complaint through ICANN’s Uniform Domain-Name Dispute-Resolution Policy (UDRP) for trademark infringement. You can also report directly to the domain registrar’s abuse contact and submit the domain to browser safe browsing lists. For US trademark holders, the Anticybersquatting Consumer Protection Act provides additional legal remedies.
