by Ryan Ozawa
Article filed in

What is a lookalike domain?

by Ryan Ozawa

Email phishing attacks, in which scammers attempt to trick recipients into giving up their account login credentials, continue to flood inboxes everywhere.

An email message can be designed to look like it comes from your credit card company, or your local utility, or your favorite store. The more convincing it is, and the more frightening the message, the more likely you’ll be tricked into acting before thinking.

A fake warning from Netflix that your account has been cancelled will probably include a button to update your payment information. But that button isn’t going to take you to the real Netflix.

The email itself is the bait, or the trigger. But the hook, which collects your username and password to access your accounts, is usually a lookalike domain.

What is a lookalike domain?

In order to complete the illusion that a phishing email is real, scammers will often direct victims to lookalike domains. Also known as cousin domains, lookalike domains are website domain names that are similar to real, legitimate domain names.

Lookalike domains are often used in a different type of scam called typosquatting. In typosquatting, malicious actors register a domain name that is a common misspelling or frequently mistyped version of a real domain. For example, instead of, or instead of People looking for a legitimate site end up at a fake one, which may serve up malware or ask for personal information.

Scammers also frequently switch out certain letters and numbers that are difficult to differentiate, like the lowercase letter “L” versus the numeral “1” (one). This makes it hard to see the difference between and And when you add in international characters and diacritical markings, there’s no limit to the number domains that can be faked.

How are lookalike domains evolving?

While we were once taught to look for the “lock” or “secure” SSL or certificate icon in our web browsers, now nearly every domain is secure . . . even the fake ones.

Similarly, most savvy email and web users know to look for suspicious domain names, but that may not be enough.

Many large companies—especially retail companies and others that make their money online—combat typosquatting through copyright or trademark lawsuits, or simply by registering or owning every possible variant of their real domain name.

But in email phishing attacks, a lookalike domain doesn’t need to be especially convincing. It just needs to look like the real domain in an email message.

For example, whether it’s in the “from” (or sender) address field, or shown as the link destination in the message body, email clients frequently shorten or abbreviate long domain names. As a result, a message from might still look like it comes from Microsoft.

How can we avoid lookalike domains?

It can be hard to spot a lookalike domain at first glance, or even after a second look. Fortunately, there are technical tools and strategies we can use to spot likely fakes.

For example, fake domains are usually short-lived. Most lookalike domains are used only once, and last only a day. A brand new domain name is more likely to be used in a phishing email attack, and legitimate domain names are likely to have been around for years.

Paubox developed a tool called DomainAge, which is included in Paubox Email Suite Plus and Premium. Email messages sent from brand-new domain names are automatically quarantined.

Paubox also offers a feature called ExecProtect with that checks the sender information of incoming messages against known executives within a company or organization. If an executive’s name is used, but the sending email address doesn’t match, the message is quarantined.

These measures, powerful enhancements to our HIPAA compliant email solution, can stop phishing attacks in their tracks.

Try Paubox Email Suite Plus for FREE today.