The left monitor displays a logo resembling Microsoft with the text "micrsoft.com" (missing the "o"). A large magnifying glass is held over the right monitor, revealing the text "nicosoft.com" (replacing "mi" with "ni"). The image uses a moody pink and blue color palette to represent a cybercrime setting, specifically illustrating a typosquatting phishing attack.
#WhatFraudstersLike #Typosquatting #DomainSecurity #BrandImpersonation #LetsTalkFraud

Fraudsters Like Typosquats!

You typed "paypa1.com" instead of "paypal.com". Congratulations - you just walked straight into a trap that cost someone $2 to set up.

Typosquatting is the practice of registering domains that look almost identical to real ones, betting that your fingers slip, your eyes skim, or your brain autocompletes. One wrong character. One very convincing fake page. The attacker is already waiting.

Some common techniques include:

🔀 Adjacent-key & transposition errors - "gogle.com", "micorsoft.com", "emiartes.com". One misplaced finger. One fake login page. Classic, cheap, and still devastatingly effective.

🧩 Combosquatting - Appending trust words like "support", "secure", or "login" to real brand names. "paypal-support.com" or "emiratesnbd-alert.com" look disturbingly legitimate - and this variant is now 100 times more prevalent than simple misspellings.

🌐 Wrong-TLD squatting - "amazon.co" instead of "amazon.com". New gTLDs like ".shop" or ".support" cost under $2 to register and account for nearly half of all criminal phishing domains.

📧 BEC via lookalike domains - Registering "blarckrock.com" or "companyname-invoice.com" to issue fraudulent payment instructions that appear to come from a trusted partner or supplier.

🔒 Fake SSL padlocks - Nearly half of malicious lookalike domains carry valid HTTPS certificates (free ones). The padlock no longer means "safe". It only means "encrypted".

πŸ§‘β€πŸ’» Subdomain deception - Placing the real brand name as a subdomain of the attacker's domain: "safety.microsoft.com.evil-domain.com". On mobile, you only see the first part.

📦 Package manager attacks - Developers mistype "reqeusts" instead of "requests" in Python, or grab "typescriptjs" thinking it's TypeScript.

In July 2025, Socket researchers uncovered 10 typosquatted npm packages impersonating popular libraries that auto-executed on install, displayed a fake CAPTCHA, and deployed a cross-platform credential stealer - harvesting browser passwords, SSH keys, and cloud API tokens from nearly 10,000 developer machines[ref]. Not your bank - your developer's laptop.
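Every technique in the list above, and the package-name variant in the paragraph just before this, is something a defender can test for mechanically. The script below is an added example written for this post, not code from the original author: it classifies a URL's hostname against a small allowlist of brand domains (typo, combosquatting, wrong TLD, subdomain deception) and checks a dependency name against the packages a project expects. The allowlist, the toy public-suffix set, the trust-word list and the known-package list are all constructed assumptions; a real deployment would use the Public Suffix List and the organisation's own brand and dependency inventories.

```python
"""Lookalike detector for URLs and package names (added example, not from the post).

Hypothetical inputs, constructed for illustration:
  PROTECTED       - brand domains an organisation wants to defend
  PUBLIC_SUFFIXES - a tiny stand-in for the real Public Suffix List
  TRUST_WORDS     - add-ons typical of combosquatting
  KNOWN_PACKAGES  - the dependency names a project actually expects
"""
from urllib.parse import urlsplit

PROTECTED = ("paypal.com", "microsoft.com", "amazon.com", "emiratesnbd.com", "blackrock.com")
PUBLIC_SUFFIXES = {"com", "co", "net", "org", "ae", "shop", "support", "co.uk"}
TRUST_WORDS = ("support", "secure", "login", "alert", "invoice", "verify")
KNOWN_PACKAGES = ("requests", "typescript", "numpy", "lodash")


def levenshtein(a, b):
    """Edit distance; an adjacent-key slip costs 1, a transposition costs 2 here."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def split_host(host):
    """Return (subdomain, registrable label, public suffix) for a hostname."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return "", labels[0], ""
    for n in (2, 1):  # longest matching suffix first (co.uk before uk)
        if len(labels) > n and ".".join(labels[-n:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[:-n - 1]), labels[-n - 1], ".".join(labels[-n:])
    return ".".join(labels[:-2]), labels[-2], labels[-1]


def lookalike_signals(url):
    """Return sorted signal names for the host in `url`; [] means no lookalike found."""
    host = urlsplit(url if "://" in url else "//" + url).hostname or ""
    sub, label, suffix = split_host(host)
    if f"{label}.{suffix}" in PROTECTED:
        return []  # the registrable domain itself is the real brand
    signals = set()
    for brand in PROTECTED:
        b_label, b_suffix = brand.split(".", 1)
        # "safety.microsoft.com.evil-domain.com": brand sits left of the real registrable domain
        if sub == brand or sub.endswith("." + brand) or b_label in sub.split("."):
            signals.add("subdomain-deception")
        # "paypal-support.com": brand label wrapped in a trust word
        if label != b_label and b_label in label:
            rest = label.replace(b_label, "", 1)
            if any(w in rest for w in TRUST_WORDS):
                signals.add("combosquatting")
        # "amazon.co": right label, wrong TLD
        if label == b_label and suffix != b_suffix:
            signals.add("wrong-tld")
        # "paypa1.com", "micorsoft.com", "blarckrock.com": one or two edits away
        if 0 < levenshtein(label, b_label) <= 2:
            signals.add("typo")
    return sorted(signals)


def package_lookalike(name):
    """Return the known package `name` most resembles, or None if `name` is itself known."""
    n = name.lower().replace("_", "-")
    if n in KNOWN_PACKAGES:
        return None
    best = min(KNOWN_PACKAGES, key=lambda k: levenshtein(n, k))
    # "reqeusts" is two edits from "requests"; "typescriptjs" merely pads the real name
    if levenshtein(n, best) <= 2 or best in n:
        return best
    return None


if __name__ == "__main__":
    for u in ("https://www.paypal.com/signin", "paypa1.com", "paypal-support.com",
              "amazon.co", "safety.microsoft.com.evil-domain.com"):
        print(f"{u:45} {lookalike_signals(u)}")
    for p in ("requests", "reqeusts", "typescriptjs", "flask"):
        print(f"{p:15} -> {package_lookalike(p)}")
```

Two design points matter when this is used for real. First, the checks run only on the registrable domain, not on whatever appears leftmost in the address bar, which is exactly the distinction the subdomain trick exploits. Second, both functions are deliberately noisy: `package_lookalike` will also flag legitimate add-on packages whose name contains a known one, so treat a hit as "stop and look", not as an automatic block.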

Numbers that should ruin your day: Nearly 2 million phishing attacks were recorded globally in the 12 months to April 2025 - a 180% increase since 2021 - with the majority using intentionally registered lookalike domains[ref]. In the UAE, only 1.11% of .ae domains have implemented DMARC, leaving 99% vulnerable to email spoofing from lookalike domains - well below India's 46% and Germany's 4.55%. In 2024, BlackRock filed federal lawsuits against 76 typosquatted domains used to impersonate employees and redirect wire payments. One of those domains: "blarckrock.com". Two transposed letters. Millions at risk[ref].

What you can do:

- A password manager checks the exact domain and will refuse to auto-fill credentials on a lookalike site - this is your single best defense.

- Bookmark your bank and government portals and always navigate from bookmarks, never by typing.

- Never click links in unsolicited emails or messages, even if they look exactly like your bank.

- Report suspicious UAE domains at [ecrime.ae](https://www.ecrime.ae) or call CBUAE on 800 22823.

What organizations can do:

- Register your own common misspellings and TLD variants before attackers do - then redirect them.

- Implement DMARC, DKIM, and SPF on all sending domains. This is non-negotiable, especially in the GCC.

- Monitor certificate transparency logs and lookalike domain registrations continuously.

- For dev and security teams, use dedicated tools to scan package dependencies before they execute.
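The DMARC, DKIM and SPF bullet above is the one most often "done" without actually being enforced: a DMARC record with p=none and an SPF record ending in ~all look like coverage in a DNS query but still let spoofed mail through. The checker below is an added example, not the post's own material; it parses SPF (RFC 7208) and DMARC (RFC 7489) TXT records and reports the gaps. The WEAK_* and STRONG_* records are constructed, and the .invalid and example.com names are placeholders. DKIM is not checked here because a domain's selector names cannot be discovered from the domain alone.

```python
"""Email-authentication posture check (added example, not from the post).

Reads the SPF (RFC 7208) and DMARC (RFC 7489) TXT records a domain publishes and
reports what still lets a lookalike or spoofed sender through. The records below
are constructed for illustration; in practice fetch them with a DNS resolver
(TXT at the domain for SPF, TXT at _dmarc.<domain> for DMARC).
"""

# Constructed records: a common "we set it up" state and the enforcing state.
WEAK_SPF = "v=spf1 include:_spf.mailer.invalid ~all"
WEAK_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"
STRONG_SPF = "v=spf1 mx include:_spf.mailer.invalid -all"
STRONG_DMARC = "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; rua=mailto:dmarc@example.com"

# SPF terms that cost a DNS query (RFC 7208 section 4.6.4 caps these at 10)
DNS_MECHANISMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


def parse_tags(txt):
    """Split 'k=v; k=v' (DMARC syntax) into a dict with lower-cased keys."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    return tags


def assess_dmarc(txt):
    """Return findings for a DMARC record; [] means spoofed mail is rejected."""
    if not txt:
        return ["no DMARC record: receivers are never told to reject spoofed mail"]
    tags = parse_tags(txt)
    findings = []
    if tags.get("v") != "DMARC1":
        findings.append("malformed: record must start with v=DMARC1")
    policy = tags.get("p")
    if policy == "none":
        findings.append("p=none: monitoring only, spoofed mail is still delivered")
    elif policy == "quarantine":
        findings.append("p=quarantine: spoofed mail is junked rather than rejected")
    elif policy != "reject":
        findings.append(f"p={policy!r}: not a valid policy")
    if tags.get("pct", "100") != "100":
        findings.append(f"pct={tags['pct']}: policy applied to only part of the mail flow")
    if tags.get("sp") == "none":
        findings.append("sp=none: subdomains of this domain can still be spoofed")
    if "rua" not in tags:
        findings.append("no rua=: aggregate reports, the evidence of abuse, are not collected")
    return findings


def assess_spf(txt):
    """Return findings for an SPF record; [] means only listed senders pass."""
    if not txt:
        return ["no SPF record: any server may send as this domain"]
    terms = txt.split()
    findings = []
    if terms[0].lower() != "v=spf1":
        findings.append("malformed: record must start with v=spf1")
    last = terms[-1].lower()
    if last in ("+all", "all", "?all"):
        findings.append(f"{last}: every sender passes, SPF provides no protection")
    elif last == "~all":
        findings.append("~all: softfail only; unlisted senders are merely marked, not failed")
    elif last != "-all":
        findings.append("no terminating all mechanism: unlisted senders get a neutral result")
    lookups = sum(
        1 for t in terms[1:]
        if t.lower().lstrip("+-~?").split(":")[0].split("/")[0].split("=")[0] in DNS_MECHANISMS
    )
    if lookups > 10:
        findings.append(f"{lookups} DNS lookups: exceeds the limit of 10, receivers will permerror")
    return findings


def assess_domain(spf_txt, dmarc_txt):
    """Combine both checks; empty lists for both keys mean the domain is enforcing."""
    return {"spf": assess_spf(spf_txt), "dmarc": assess_dmarc(dmarc_txt)}


if __name__ == "__main__":
    for name, spf, dmarc in (("weak", WEAK_SPF, WEAK_DMARC), ("strong", STRONG_SPF, STRONG_DMARC)):
        print(name, assess_domain(spf, dmarc))
```

Run over a list of your own sending domains, the interesting output is not the domains with no record but the ones that report p=none or ~all: those are the ones that show up as "configured" in an inventory while doing nothing against a lookalike sender.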