Hard2bit

We scanned 24 well-known brands for typosquatting: 591 live lookalike domains (with half the radar)

By Adrián González · CEO · Published: 18 June 2026 · Updated: 18 June 2026

We took 24 well-known brands —12 Spanish and 12 international, spread across banking, insurance, energy, telco, retail, logistics, transport, fintech, SaaS and e-commerce— and ran a 100% passive OSINT scan to measure how many live typosquatting domains sit in their shadow right now. We found 591. And that is a floor, not a ceiling.

Typosquatting —registering a domain almost identical to a brand to impersonate it— is the technical foundation of phishing, CEO fraud and digital brand impersonation. This is not academic theory. According to ENISA Threat Landscape 2025, phishing and social engineering account for around 60% of the entry vectors observed in Europe. And according to INCIBE Cybersecurity Balance 2025, Spain handled 122,223 incidents in 2025 (+26% year on year), of which 25,133 were phishing and 45,445 were online fraud (+19% on the prior year). Lookalike domains are the silent infrastructure underneath all that.

What we did: passive scan, public data, zero traffic to brand servers

Before the findings, a word on method. Everything in the report comes from public sources: DNS-over-HTTPS resolution against Cloudflare resolvers, and RDAP queries against each domain registry. No traffic was sent to any brand server and no site was visited. The 24 brands analysed are not named in this report or in any public communication tied to it: data is presented in aggregate and anonymised, as a responsible OSINT exercise should.

For each brand we generated roughly 80 plausible variants —typing errors, double letters, common homoglyphs (zero for O, one for L), TLD swaps (.com to .net, .es), common phishing suffixes (-login, -verify, -secure, -access)— and checked which ones were registered and live. The live ones were then sorted, using the RDAP record together with the DNS answers, into eight buckets: parking, opaque ownership, active infrastructure, defensive registration by the brand itself, pre-existing and unrelated, and so on (the full breakdown is below).

Technical detail for anyone who wants to reproduce the method: DNS-over-HTTPS to a public resolver avoids any filtering or NXDOMAIN rewriting by the local network operator's DNS, so the answers reflect the public zone; RDAP is the modern replacement for WHOIS, returning structured JSON instead of free-text records. Both are read-only queries to third parties (a public resolver and the registry), which is what makes the whole chain passive by design.
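The variant generation and liveness check described above, written out as an added example (this is not the Hard2bit scanner's code). It generates omission, doubled-letter, transposition, homoglyph, suffix and TLD-swap variants for a brand label, then asks Cloudflare's DNS-over-HTTPS JSON endpoint for A and MX records. The brand `examplebank.com`, the homoglyph table beyond 0/O and 1/l, and the answer set in `FIXTURE` are all constructed so the script runs offline; pass `resolve=cloudflare_doh` to run the same scan against real DNS.

```python
"""Passive lookalike enumeration for one brand domain: generate typo, homoglyph,
TLD-swap and suffix variants, then ask Cloudflare's DNS-over-HTTPS JSON API which
ones resolve and which have MX. Added example, not the Hard2bit scanner's code."""
import json
import urllib.parse
import urllib.request
from typing import Callable

# Confusable substitutions. 0/O and 1/l are the pairs the post names; the rest
# are common additions (assumed list, not the post's).
HOMOGLYPHS = {"o": ["0"], "l": ["1", "i"], "i": ["l", "1"], "m": ["rn"],
              "w": ["vv"], "e": ["3"], "a": ["4"], "s": ["5"]}
SUFFIXES = ["-login", "-verify", "-secure", "-access"]
TLDS = ["com", "net", "es", "org"]
DNS_TYPE = {"A": 1, "AAAA": 28, "MX": 15, "NS": 2}   # RR type numbers in DoH JSON

Resolver = Callable[[str, str], list[str]]   # (name, rtype) -> rdata strings


def generate_variants(label: str, tld: str) -> list[str]:
    """Return sorted lookalike domains for label.tld (the original is excluded)."""
    labels: set[str] = set()
    for i, ch in enumerate(label):
        labels.add(label[:i] + label[i + 1:])                    # omission
        labels.add(label[:i] + ch + label[i:])                   # doubled letter
        if i + 1 < len(label):                                   # transposition
            labels.add(label[:i] + label[i + 1] + ch + label[i + 2:])
        for sub in HOMOGLYPHS.get(ch, []):                       # homoglyph
            labels.add(label[:i] + sub + label[i + 1:])
    labels.discard(label)
    labels = {l for l in labels if l}
    domains = {f"{l}.{tld}" for l in labels}
    domains |= {f"{label}{s}.{tld}" for s in SUFFIXES}           # phishing suffixes
    domains |= {f"{label}.{t}" for t in TLDS if t != tld}        # TLD swaps
    return sorted(domains)


def cloudflare_doh(name: str, rtype: str) -> list[str]:
    """Real transport: Cloudflare's DoH JSON endpoint. Only the public resolver
    is contacted; nothing touches the brand's servers."""
    query = urllib.parse.urlencode({"name": name, "type": rtype})
    req = urllib.request.Request(
        f"https://cloudflare-dns.com/dns-query?{query}",
        headers={"accept": "application/dns-json"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        body = json.load(resp)
    if body.get("Status") != 0:                 # 3 = NXDOMAIN, 2 = SERVFAIL, ...
        return []
    # Keep only answers of the requested type (CNAME chains also appear here).
    return [a["data"] for a in body.get("Answer", []) if a.get("type") == DNS_TYPE[rtype]]


def check_variants(domains: list[str], resolve: Resolver) -> dict[str, dict[str, list[str]]]:
    """Keep the variants that resolve (A) or have MX, recording both answer sets."""
    live = {}
    for d in domains:
        a, mx = resolve(d, "A"), resolve(d, "MX")
        if a or mx:
            live[d] = {"A": a, "MX": mx}
    return live


# Constructed fixture standing in for DoH answers (no real domain was measured).
FIXTURE = {
    ("exarnplebank.com", "A"): ["203.0.113.10"],
    ("exarnplebank.com", "MX"): ["10 mail.exarnplebank.com."],
    ("examplebank-login.com", "A"): ["198.51.100.5"],
    ("examplebank.net", "A"): ["203.0.113.20"],
    ("examplebank.net", "MX"): ["10 mx.examplebank.net."],
}


def fixture_resolver(name: str, rtype: str) -> list[str]:
    return FIXTURE.get((name, rtype), [])


def scan(label: str, tld: str, resolve: Resolver = fixture_resolver) -> dict:
    """Generate variants, check them, and return the two headline numbers."""
    variants = generate_variants(label, tld)
    live = check_variants(variants, resolve)
    with_mx = sum(1 for v in live.values() if v["MX"])
    return {"variants": len(variants), "live": live, "with_mx": with_mx}


if __name__ == "__main__":
    summary = scan("examplebank", "com")   # use resolve=cloudflare_doh for real DNS
    print(f"{summary['variants']} variants, {len(summary['live'])} live, "
          f"{summary['with_mx']} with MX")
    for d, r in summary["live"].items():
        print(f"  {d}: A={r['A']} MX={r['MX']}")
```

Keep the real resolver behind the same `Resolver` signature as the fixture so the scan can be unit-tested without network access, and rate-limit it before pointing it at the full variant list for several brands: a public resolver is a third party too.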

What we found

Four numbers tell the story.

  • 591 suspicious domains registered and live. Average of roughly 25 per brand, with large brands well above.
  • 282 domains (48%) have MX records configured. Almost half of the live lookalikes can receive mail at a brand-looking address, which is what a conversational phishing or CEO-fraud thread needs and what basic sender-domain checks at the receiving end look for.
  • 20 domains registered in the last 90 days. The landscape keeps moving: what is not there today is there tomorrow.
  • 12 of the 24 brands have at least one domain with active infrastructure of risk. Half the sample is already under pressure.

Breakdown by classification

Raw split of the 591 live domains across our classification buckets. The labels are our internal exposure taxonomy, derived from the RDAP record and the DNS answers of each domain.

  • Registered / inactive: 131 — registered but no live service yet. Can be activated at any time.
  • Opaque ownership (mostly .es): 108 — the Spanish registry barely exposes useful RDAP; you cannot tell who is behind the lookalike.
  • Pre-existing / probably unrelated: 68 — domains that happen to coincide with the variant, not by intent.
  • Parking / cybersquatting: 66 — registered to resell or monetise mistyped traffic.
  • Defensive (corporate brand registrar): 64 — the brand itself registers the lookalike to keep it out of attackers’ hands. MarkMonitor, CSC and similar.
  • Active infrastructure (risk): 59 — resolves to IP, has MX or published service. The operational risk core.
  • Probable legitimate (same brand, different TLD): 32 — the brand also owns that extension.
  • Unclassified: 63 — long-tail variants that need additional manual review.
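How the buckets above can be derived from an RDAP domain object plus DNS answers, as an added example (our heuristics, not Hard2bit's classifier). The registrar name is read from the RDAP registrar entity's vCard, the registration date from the RDAP `events` list; a corporate brand registrar marks the domain defensive, a `.es` record with no entities is opaque, parking nameservers mark parking, a very old registration is treated as pre-existing, and resolving with MX is active infrastructure. The registrar and nameserver lists, the ten-year pre-existing threshold, the brand `examplebank` and every fixture record are assumptions built for the example.

```python
"""Classify registered lookalikes into the exposure buckets the post describes,
from the RDAP domain object plus the DNS answers for each domain. Added example
with constructed RDAP/DNS fixtures; the heuristics are ours, not Hard2bit's."""
from datetime import datetime, timezone
from typing import Optional

# Corporate brand registrars, matched against the RDAP registrar name (assumed list).
DEFENSIVE_REGISTRARS = ("markmonitor", "csc corporate domains", "com laude", "safenames")
# Nameservers of well-known parking services (assumed, non-exhaustive list).
PARKING_NS = ("sedoparking.com", "parkingcrew.net", "bodis.com", "above.com")
RECENT_DAYS = 90          # the post's "registered in the last 90 days" window
PREEXISTING_YEARS = 10    # assumption: an old registration is probably unrelated


def registrar_name(rdap: dict) -> str:
    """Pull the registrar's vCard 'fn' out of an RDAP domain object."""
    for ent in rdap.get("entities", []):
        if "registrar" in ent.get("roles", []):
            for prop in ent.get("vcardArray", ["vcard", []])[1]:
                if prop[0] == "fn":
                    return prop[3]
    return ""


def event_date(rdap: dict, action: str) -> Optional[datetime]:
    """Return the date of an RDAP event ('registration', 'expiration', ...)."""
    for ev in rdap.get("events", []):
        if ev.get("eventAction") == action:
            return datetime.fromisoformat(ev["eventDate"].replace("Z", "+00:00"))
    return None


def classify(domain: str, brand_label: str, brand_registrar: str,
             rdap: dict, dns: dict, now: datetime) -> dict:
    """Return the bucket plus the two flags the report counts (recent, mx)."""
    label, tld = domain.rsplit(".", 1)
    registrar = registrar_name(rdap).lower()
    registered = event_date(rdap, "registration")
    age_days = (now - registered).days if registered else None
    resolves = bool(dns.get("A"))
    has_mx = bool(dns.get("MX"))
    parked = any(ns.lower().rstrip(".").endswith(PARKING_NS) for ns in dns.get("NS", []))

    if any(k in registrar for k in DEFENSIVE_REGISTRARS):
        bucket = "defensive"
    elif tld == "es" and not rdap.get("entities"):
        bucket = "opaque"                     # .es RDAP exposes no registrant/registrar
    elif label == brand_label and registrar and registrar == brand_registrar.lower():
        bucket = "probable_legitimate"        # same label, brand's own registrar
    elif parked:
        bucket = "parking"
    elif age_days is not None and age_days > PREEXISTING_YEARS * 365:
        bucket = "preexisting"
    elif resolves and has_mx:
        bucket = "active_infrastructure"
    elif not resolves and not has_mx:
        bucket = "registered_inactive"
    else:
        bucket = "unclassified"
    recent = age_days is not None and age_days <= RECENT_DAYS
    return {"bucket": bucket, "recent": recent, "mx": has_mx}


def rdap_obj(registrar: str, registered: str, entities: bool = True) -> dict:
    """Build a minimal RDAP domain object (constructed, not a registry response)."""
    obj = {"objectClassName": "domain",
           "events": [{"eventAction": "registration", "eventDate": registered}]}
    if entities:
        obj["entities"] = [{"roles": ["registrar"],
                            "vcardArray": ["vcard", [["fn", {}, "text", registrar]]]}]
    return obj


NOW = datetime(2026, 6, 18, tzinfo=timezone.utc)
FIXTURE = {   # domain: (rdap, dns); every record here is constructed
    "exarnplebank.com": (rdap_obj("NameCheap, Inc.", "2026-04-20T10:00:00Z"),
                         {"A": ["203.0.113.10"], "MX": ["10 mail.exarnplebank.com."]}),
    "examplebank.es": (rdap_obj("", "2025-01-05T00:00:00Z", entities=False),
                       {"A": ["203.0.113.30"]}),
    "examplebank.net": (rdap_obj("MarkMonitor Inc.", "2012-03-01T00:00:00Z"),
                        {"A": ["203.0.113.20"], "MX": ["10 mx.examplebank.net."]}),
    "exmaplebank.com": (rdap_obj("GoDaddy.com, LLC", "2024-09-12T00:00:00Z"),
                        {"A": ["198.51.100.7"], "NS": ["ns1.sedoparking.com.", "ns2.sedoparking.com."]}),
    "examp1ebank.com": (rdap_obj("Dynadot Inc", "2026-06-01T00:00:00Z"), {}),
    "examplebank.org": (rdap_obj("Tucows Domains Inc.", "2015-07-07T00:00:00Z"),
                        {"A": ["203.0.113.20"]}),
}


def summarise(brand_label: str, brand_registrar: str, fixture: dict, now: datetime) -> dict:
    """Bucket counts plus the 'recent' and 'with MX' totals over a result set."""
    out = {"buckets": {}, "recent": 0, "with_mx": 0, "total": len(fixture)}
    for domain, (rdap, dns) in fixture.items():
        c = classify(domain, brand_label, brand_registrar, rdap, dns, now)
        out["buckets"][c["bucket"]] = out["buckets"].get(c["bucket"], 0) + 1
        out["recent"] += c["recent"]
        out["with_mx"] += c["mx"]
    return out


if __name__ == "__main__":
    print(summarise("examplebank", "Tucows Domains Inc.", FIXTURE, NOW))
```

The order of the `elif` chain is the policy: a MarkMonitor registration with MX is still defensive, not active infrastructure, and a `.es` domain goes to "opaque" before any DNS-based rule because nothing in its RDAP tells you who to attribute it to. Manual review still owns whatever lands in "unclassified".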

The three patterns that struck us

1. Large brands defend themselves; mid-market and SMBs do not

64 of the 591 live domains are registered defensively by the brand itself through a specialist corporate registrar. The brand pays to register the typosquatting variant of its own domain before an attacker does. This is standard practice in large banking and multinationals: the scan surfaces the usual corporate-sector registrars. But this is an insurance policy that costs money and a dedicated team, and the vast majority of mid-sized organisations and SMBs do not even know the practice exists. When they emerge from the scan with zero defensive registrations, it is not because they have no exposure: it is because nobody is in charge.

2. The .es registry is a black box

108 of the 591 live domains sit in .es and, due to the Spanish registry policy, their RDAP does not expose useful ownership data. In practice, a Spanish organisation that wants to know who is behind a lookalike of its brand has to fall back on much slower routes (notary records, legal request, site-content monitoring). International organisations have better visibility over their .com lookalikes than Spanish organisations have over their .es lookalikes. That is an operational asymmetry that weighs more than it looks.

3. Email is the real vector

48% of live domains have mail infrastructure in place (MX records). This does not mean they are already sending phishing —we did not check; that is outside the scope of a passive analysis— but it does mean the infrastructure is already there. The distance between "registered with MX" and "running a CEO fraud campaign against the legitimate brand" is measured in minutes. That is the ammunition an attacker needs.

Limitations of the report

Three things we wanted to publish openly because they change how to read this.

  • 591 is a floor, not a ceiling. During the scan window, crt.sh, the Certificate Transparency search service we use, was down. That means we did not include lookalikes detectable through a TLS certificate logged in CT, which tend to be the more elaborate ones (a certificate is free, but requesting one means the attacker has gone beyond registration and is preparing a site). The real number is higher.
  • "Active infrastructure of risk" means the domain resolves and has email capability. It does NOT confirm phishing content, because no site was visited. It is documented potential exposure, not a confirmed incident.
  • For the 108 .es domains with opaque ownership, the registrant cannot be identified from RDAP. They sit in the "opaque" bucket; their real behaviour can only be inferred through additional monitoring.

What you can do if this has set off an alarm

You cannot stop someone from registering a domain similar to yours. What you can —and should— do is find out the same day it happens. That is the difference between a silent impersonation that runs for weeks (eroding customer trust, eating customer-success bandwidth, forcing communication to banking partners) and an incident that is cut in hours.

Mature practice has three components that live together:

  • Continuous monitoring of the lookalike domain space, with alerts when a new one appears or an existing one changes state (resolves, gets MX, gets a TLS certificate).
  • Documented takedown procedure with registrars, hosting providers and, where applicable, blocking routes in email and browsers.
  • Coordination with the incident response team and with marketing and legal, because half the damage of an impersonation is mitigated through communication channels, not through technical mechanisms.
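The first component, state-change alerting, as an added example (not Hard2bit's monitoring service). It keeps a per-domain snapshot of the three states listed above (resolves, has MX, has a certificate), raises an event only on a transition so a stable lookalike does not re-alert every day, and derives the certificate state from crt.sh-style CT search results, the source the limitations section says was missing from the scan. The watchlist, both snapshots, the CT entry and the severity table are constructed for the example.

```python
"""State-change monitoring for a lookalike watchlist: compare two snapshots and
raise an event only on a transition (first seen, starts resolving, MX appears,
certificate issued), with certificate issuance taken from crt.sh-style CT search
results. Added example with constructed data; not Hard2bit's tooling."""

# Severity per transition (assumed policy): what a SOC pages on versus queues.
SEVERITY = {"NEW_REGISTRATION": "medium", "RESOLVES": "medium",
            "MX_ACTIVE": "high", "TLS_ISSUED": "high", "DROPPED": "info"}


def tls_issued_from_ct(ct_entries: list[dict], watchlist: set[str]) -> dict[str, str]:
    """Map watchlist domains to the earliest not_before of a certificate naming them.
    ct_entries follow crt.sh's JSON output, where name_value holds the SANs
    separated by newlines and may include wildcards."""
    issued: dict[str, str] = {}
    for entry in ct_entries:
        for san in entry["name_value"].split("\n"):
            name = san.strip().lower().lstrip("*.")
            if name in watchlist and (name not in issued or entry["not_before"] < issued[name]):
                issued[name] = entry["not_before"]
    return issued


def build_snapshot(live: dict, ct_entries: list[dict], watchlist: set[str]) -> dict:
    """Combine DNS results ({domain: {"A": [...], "MX": [...]}}) with CT evidence.
    A domain enters the snapshot once it resolves, has MX, or has a certificate."""
    tls = tls_issued_from_ct(ct_entries, watchlist)
    snap = {}
    for domain in sorted(watchlist):            # sorted: deterministic event order
        dns = live.get(domain)
        if dns is None and domain not in tls:
            continue
        snap[domain] = {"resolves": bool(dns and dns["A"]),
                        "mx": bool(dns and dns["MX"]),
                        "tls": domain in tls}
    return snap


def _event(domain: str, kind: str) -> dict:
    return {"domain": domain, "event": kind, "severity": SEVERITY[kind]}


def diff_snapshots(prev: dict, curr: dict) -> list[dict]:
    """Emit one event per state transition between two snapshots; unchanged
    state produces nothing, which is what keeps the alert volume sane."""
    events = []
    for domain, state in curr.items():
        before = prev.get(domain)
        if before is None:
            events.append(_event(domain, "NEW_REGISTRATION"))   # first time seen
            before = {}
        for key, kind in (("resolves", "RESOLVES"), ("mx", "MX_ACTIVE"), ("tls", "TLS_ISSUED")):
            if state.get(key) and not before.get(key):
                events.append(_event(domain, kind))
    for domain in prev:
        if domain not in curr:
            events.append(_event(domain, "DROPPED"))           # lapsed or cleaned up
    return events


# Constructed data: a three-domain watchlist observed on two consecutive days.
WATCHLIST = {"exarnplebank.com", "examplebank-login.com", "examp1ebank.com"}
LIVE_YESTERDAY = {"exarnplebank.com": {"A": ["203.0.113.10"], "MX": []}}
LIVE_TODAY = {"exarnplebank.com": {"A": ["203.0.113.10"], "MX": ["10 mail.exarnplebank.com."]},
              "examplebank-login.com": {"A": ["198.51.100.5"], "MX": []}}
CT_YESTERDAY: list[dict] = []
CT_TODAY = [{"issuer_name": "C=XX, O=Example CA",          # crt.sh-style record, constructed
             "common_name": "examplebank-login.com",
             "name_value": "examplebank-login.com\nwww.examplebank-login.com",
             "not_before": "2026-06-17T08:12:00"}]


def run_demo() -> list[dict]:
    prev = build_snapshot(LIVE_YESTERDAY, CT_YESTERDAY, WATCHLIST)
    curr = build_snapshot(LIVE_TODAY, CT_TODAY, WATCHLIST)
    return diff_snapshots(prev, curr)


if __name__ == "__main__":
    for e in run_demo():
        print(f"[{e['severity']}] {e['domain']}: {e['event']}")
```

Persist the previous snapshot (a JSON file is enough to start) and feed the MX_ACTIVE and TLS_ISSUED events into the takedown procedure, since those are the two transitions that mean an attacker has moved from holding a name to preparing to use it.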

At Hard2bit we publish Hard2bit Scanner, a freemium tool that tells you in under a minute how many lookalike domains of yours are registered and live. It is self-service and requires no sign-up: try it against your own domain. If you need the managed layer —continuous monitoring, alerting, takedown management and coordination with the response team— that sits inside the threat intelligence service. To audit external exposure beyond domains (subdomains, certificates, exposed IPs), attack surface management is the fit.

And if you already have an impersonation incident in flight, the priority is containment and coordinated communication. It helps to have a response line agreed in advance —internal or external— so that the first 24 hours do not vanish into deciding who does what.

Methodology note

Scan executed in June 2026 over 24 brands selected by market recognition (12 Spanish, 12 international) across banking, insurance, energy, telco, retail, logistics, transport, fintech, SaaS and e-commerce. ~80 variants generated per brand combining typosquatting, homoglyphs and phishing suffixes. Verification through DNS-over-HTTPS against Cloudflare resolvers and RDAP queries to each registry. No traffic was sent to any brand server; no site was visited; no content identification was attempted. Data is aggregated, anonymised and not attributable to any specific brand. Acknowledged limitation: crt.sh, the Certificate Transparency search service, was unavailable during the scan window, which reduces coverage on lookalikes detectable through CT-logged TLS certificates.

If the technique interests you, we publish open glossary entries on phishing and supply chain attacks, plus a practical guide to check your domain security covering the checks anyone can run in five minutes.

Frequently asked questions

What exactly is typosquatting and how is it different from cybersquatting?

Typosquatting is the registration of domains that resemble a legitimate brand through plausible typing errors (tu-rnarca.com for tu-marca.com, using rn that looks like m), visual homoglyphs (zero for O), different TLDs (.net instead of .com) or suffixes like -login, -verify, -secure. The usual goal is phishing or impersonation. Cybersquatting is broader: it includes registering domains with the exact brand on other TLDs to resell or monetise misdirected traffic. They overlap in practice and many lookalikes combine both behaviours.

Does having MX configured mean the domain is already sending phishing?

Not automatically. MX (Mail Exchange) records in DNS name the servers that accept inbound mail for the domain. Sending does not strictly require them, but a lookalike with MX can receive replies at a brand-looking address and passes the basic sender-domain checks that many receiving systems apply. There are domains with MX that never end up being used for anything. What it does mean is that the infrastructure is in place and the marginal cost of launching a campaign is very low. That is why we treat it as "active infrastructure of risk" rather than "confirmed phishing": documented potential exposure that deserves monitoring, not an incident that has happened.

Why is the .es registry a black box?

The .es domain registry, managed by Red.es, applies a more restrictive RDAP/WHOIS policy than gTLDs (.com, .net) and than many European ccTLDs. In practice, an RDAP query against a typical .es domain does not return ownership, administrative contact or enough data to identify the registrant. This protects the privacy of the legitimate holder but also protects the typosquatter. Investigating a suspicious .es means slower routes: legal request, site-content monitoring, or registrar coordination.

What do we do if we discover a domain impersonating our brand?

Four steps in this order. First, document evidence with timestamps: screenshots, DNS records, RDAP record, site content if any. Second, open a takedown with the domain registrar (brand registrars like MarkMonitor or CSC have fast procedures; generic registrars require more paperwork). Third, if active phishing exists, request blocking from email providers (Microsoft, Google) and browsers (Google Safe Browsing, Microsoft SmartScreen). Fourth, communicate internally to CS, marketing and legal, and externally to customers if risk justifies it. Without the fourth step, reputational damage outlives the technical takedown.

How much does continuous lookalike monitoring cost?

It depends on scope. A self-service tool for one domain with basic alerting can be free or very low cost (Hard2bit Scanner covers ad-hoc checks at no cost). An enterprise managed layer —continuous monitoring of several primary brands, real-time alerts, human triage, takedown management coordinated with registrars— typically sits between €800 and €3,000 per month for a mid-sized organisation, depending on brand count and service level. It is an order of magnitude below the cost of a single CEO fraud incident.

Why do you say 591 is a floor and not a ceiling?

Because during the scan window crt.sh, the Certificate Transparency search service and one of the two main sources for discovering elaborate lookalikes, was down. That means we did not include lookalikes detectable only through a CT-logged TLS certificate, which tend to be the more advanced ones (a certificate costs nothing, but requesting one means the attacker has moved from registering a name to preparing a site). When crt.sh comes back, a rerun of the same scan would yield a higher number. That is why we publish 591 as a conservative reference.

Is the scan based on real brands or fictional ones?

The 24 brands are real and recognisable in their sectors (12 Spanish and 12 international), but they are not named in this report or in any public communication tied to it. Data is published exclusively in aggregate (sums, percentages, category counts) and no specific domain is published, neither the detected lookalikes nor the domains of the analysed brands. The point of the report is to show the magnitude of sector exposure, not to single out any organisation.

How does a lookalike monitoring engagement start at Hard2bit?

We usually start with a free initial scan through Hard2bit Scanner to see the order of magnitude of your exposure. If numbers justify a managed layer, we work with you on which brands and primary domains to monitor, which alerting thresholds make sense (new registration, MX active, TLS issued) and which takedown procedure fits your internal legal. The managed layer lives inside the threat intelligence service and integrates with your existing SOC or incident response team.