Category: Deception & Impersonation

Typosquatting in the browser

Typosquatting is when attackers register domains that closely resemble a real brand's domain, relying on typos or subtle differences to fool users.

Quick answer

A single wrong character can route employees to credential theft, malware downloads, or fake payment flows—especially when users are moving fast.

For risky links and login flows, isolation keeps the page off the endpoint by running it in a disposable container and streaming only the rendered output to the user.

When you need this

  • You’ve seen indicators of this threat in your environment.
  • Users frequently click unknown links as part of daily work.
  • You need a control that reduces risk without relying on perfect user judgment.

Last updated

2026-01-29

How it usually happens in the browser

  • An employee mistypes a URL, clicks a lookalike link, or follows a search/ad result to a near-identical domain.
  • The attacker hosts a clone of a login page, software download page, or support portal.
  • Victims enter credentials, download “updates,” or submit payment details.
  • The attacker uses stolen access for account takeover or financial fraud.

What traditional defenses miss

  • New typosquat domains often have no reputation history; blocklists are reactive.
  • Ads and SEO spam can push lookalike domains into prominent search positions.
  • Users rarely notice subtle domain differences like swapped letters, extra hyphens, or different TLDs.

How isolation changes the game

  • Isolation limits the blast radius of landing on an untrusted domain by keeping active content away from the endpoint.
  • Policy can route newly registered or unknown domains into isolation automatically.
  • Disposable sessions reduce follow-on persistence from malicious downloads and embedded scripts.

Operational checklist

  • Maintain an allowlist for key business apps and identity portals; promote bookmark usage.
  • Force unknown domains into isolation; add tighter restrictions for new domains and ad-clicks.
  • Block downloads from untrusted domains by default.
  • Monitor for lookalike domains of your brand and critical vendors; set up takedown workflows.
  • Use password managers that verify domain matches before filling credentials.
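
The allowlist, lookalike-monitoring and isolate-unknown items above can be combined into one triage step over proxy or DNS logs. The following is an added example, not code from the original page or from any product: it flags the swapped letters, extra hyphens and different TLDs mentioned earlier. The allowlist, the sample domains (on reserved TLDs), the verdict names and the naive last-dot split are assumptions.

```python
# Constructed sample data on reserved TLDs (.example, .test); not from the page.
ALLOWLIST = {"acmepay.example", "acme-sso.example"}

def osa_distance(a, b):
    """Edit distance counting insert, delete, substitute and adjacent swap as 1."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i] + [0] * len(b)
        for j, cb in enumerate(b, 1):
            cur[j] = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if i > 1 and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                cur[j] = min(cur[j], prev2[j - 2] + 1)  # swapped letters
        prev2, prev = prev, cur
    return prev[-1]

def split_domain(domain):
    """Naive (name, tld) split on the last dot; assumes a registrable domain as input."""
    name, _, tld = domain.lower().rstrip(".").rpartition(".")
    return name, tld

def classify(domain, allowlist=ALLOWLIST):
    """Return (verdict, matched_brand, reason) for one observed domain."""
    domain = domain.lower().rstrip(".")
    if domain in allowlist:
        return ("allow", domain, "exact allowlist match")
    name, tld = split_domain(domain)
    for brand in sorted(allowlist):
        bname, btld = split_domain(brand)
        if name == bname and tld != btld:
            return ("lookalike", brand, "different TLD")
        if name != bname and name.replace("-", "") == bname.replace("-", ""):
            return ("lookalike", brand, "hyphen variation")
        if osa_distance(name, bname) == 1:
            return ("lookalike", brand, "one-character edit or swap")
    # Not allowlisted and not close to any brand: unknown, so isolate by default.
    return ("isolate", None, "unknown domain")

if __name__ == "__main__":
    # Constructed domains standing in for proxy or DNS log entries.
    for d in ["acmepay.example", "acmepya.example", "acmepay.test",
              "acme-pay.example", "acmesso.example", "weather.example"]:
        print(d, classify(d))
```

A "lookalike" verdict is the candidate for both the tighter isolation policy and the takedown workflow; in production, reduce hostnames to registrable domains with a public-suffix list before calling `classify`.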

FAQs

How is typosquatting different from phishing?

Typosquatting is a specific tactic (lookalike domains). It’s often used to deliver phishing, malware, or fraud.

Do browser warnings stop typosquats?

Sometimes, but many typosquats are “clean enough” to avoid immediate warnings—especially early in a campaign.

What’s the simplest mitigation?

Use allowlists/bookmarks for critical apps and isolate unknown domains by default.

Can isolation stop credential entry on a typosquat?

Isolation reduces endpoint exposure and makes risky browsing disposable. Preventing entry also benefits from allowlists and password managers.
