What Is Cybersquatting? Domain Squatting Explained
Cybersquatting, also called domain squatting, is the bad-faith registration and use of an internet domain that is identical or confusingly similar to a trademark, brand, or name someone else owns.
A user gets an email that looks like it came from their bank. The link reads paypaI.com, with a capital I where the lowercase L should be. They click, the page is a pixel-perfect copy of the real login, and they type their password into an attacker's form. No exploit ran. No malware was needed at the door. The whole attack hung on one registered domain that looked close enough to the real thing to pass a glance.
That domain is the artifact of cybersquatting. Cybersquatting, also called domain squatting, is the bad-faith registration and use of an internet domain that is identical or confusingly similar to someone else's trademark, brand, or name. The motive ranges from extortion (register the name, then sell it back to the rightful owner at a markup) to traffic theft, ad revenue, and outright attack infrastructure for phishing and malware delivery. For a defender, the squatted domain is rarely the end goal. It is the staging ground. This guide covers what cybersquatting is, the variants you will actually triage (typosquatting, combosquatting, homograph attacks), how a lookalike domain becomes an attack, and the legal and technical levers that take it down.
What is cybersquatting?
Cybersquatting is registering and using a domain name in bad faith because it resembles a brand, trademark, company, or person that someone else owns. The defining element is intent. Owning example-deals.com is not cybersquatting; registering it to impersonate Example Inc., capture its customers, or sell the name back to the company is.
The practice predates most modern attack tooling. It began in the 1990s when the web was new and trademark holders were slow to register their own domains. Squatters registered the obvious names first, then demanded payment to release them. That extortion model still exists, but the threat has shifted. The squatted domain is now a building block in a larger operation: a believable sender domain for business email compromise, a landing page for a credential-harvesting kit, or a distribution point for a malicious download.
Three things have to be true for a domain to count as cybersquatting rather than legitimate registration:
- The name is identical or confusingly similar to a mark, brand, or name someone else has rights to.
- The registrant has no legitimate rights or interest in that name.
- The name was registered and is being used in bad faith.
Those three are not arbitrary. They are the exact test that domain-dispute panels apply, which is why they matter to anyone trying to get a malicious domain taken down. More on that below.
The types of cybersquatting
"Cybersquatting" is the umbrella. Underneath it are several techniques that differ in how the lookalike name is constructed and what the registrant is after. The ones a SOC analyst sees most are the ones built to be misread.
Typosquatting. Register a domain that is a common misspelling or fat-finger error of a real one, and harvest the traffic from people who mistype the address. wikiepdia.org for wikipedia.org, yuube.com for youtube.com, rnarriott.com (r-n reads as m) for marriott.com. The visitor believes they reached the real site. Typosquatting is the variant most directly weaponized for phishing, because the same trick that catches a typo also survives a quick glance at a link in an email.
Combosquatting. Append or insert a plausible word to the real brand: paypal-security.com, microsoft-update.net, apple-support-billing.com. There is no misspelling to spot. The brand name is spelled correctly, which is exactly why it reads as legitimate, and the added word ("security", "support", "login") supplies a believable pretext for the email that carries it.
Homograph and homoglyph attacks. Substitute a character that looks identical or near-identical to the original, often using Unicode or internationalized domain names. A Cyrillic "а" for a Latin "a", a capital "I" for a lowercase "l", a zero for an "O". paypaI.com and аpple.com (Cyrillic first letter) render as the genuine name in many fonts. These are the hardest for a human to catch and the reason browsers now warn on mixed-script domains.
Domain squatting for resale. The original model. Register a brand name, a product launch name, or a notable person's name before they do, then hold it for ransom or run ads on the parked page. This is the variant the law was written to address.
Gripe sites. A domain like brandnamesucks.com set up to criticize a company or person. These sit at the edge of cybersquatting. Genuine criticism is protected speech in many jurisdictions, so a gripe site is only actionable when the name is used in bad faith for commercial gain rather than commentary.
Cybersquatting vs typosquatting
The two terms get used interchangeably, and that blurs a useful distinction. Cybersquatting is the broad category: any bad-faith registration of a name someone else has rights to. Typosquatting is one specific method inside it, defined by how the lookalike is built (a deliberate misspelling) and by its target (people who mistype or misread the address).
| Dimension | Cybersquatting (broad) | Typosquatting (specific) |
|---|---|---|
| What it is | Bad-faith registration of a name resembling a brand or person | Registration of a misspelled or mistyped version of a real domain |
| How the name is built | Exact name, added words, or lookalike characters | A common typo or visual misread of the real name |
| Primary motive | Resale, traffic, ad revenue, or attack staging | Capture mistyped or misread traffic |
| Typical victim | The brand or person whose name is taken | Users who fat-finger or skim a URL |
| Relationship | The umbrella category | One technique under that umbrella |
The practical point for a defender: typosquatting and combosquatting are the variants that show up in phishing campaigns, because both are built to be misread in a hurry. Resale squatting and gripe sites are mostly a legal and brand problem, not an incident.
How a squatted domain becomes an attack
A lookalike domain on its own does nothing. It becomes dangerous when it is wired into a delivery chain. The same registered name supports several attack types depending on what the operator stands up behind it.
The most common path runs through email. The attacker registers acme-payroll.com, points it at a server, and clones the real Acme login page. They send a phishing email from or linking to that domain. The recipient checks the link, sees the brand name spelled correctly, and submits credentials to the attacker. The squatted domain is what makes the email survive scrutiny. The same domain also lends itself to business email compromise, where the lookalike sender address gives a fraudulent payment request the appearance of coming from a trusted partner.
Other paths reuse the same domain differently. Point it at a drive-by download and it becomes malware distribution. Park it with pay-per-click ads and it monetizes stolen traffic passively. Register dozens of variants around one brand and it becomes durable infrastructure that outlives any single takedown. The registration is cheap, often a few dollars, and one domain can be repurposed across all of these.
This is why squatted domains belong in a cyber threat intelligence program rather than a legal inbox. Newly registered lookalikes are a high-value early indicator: a domain that appeared yesterday and mimics your brand is very often the first observable of a campaign that has not launched yet. Catching it at registration buys time before the phishing email goes out.
How to detect and take down a cybersquatted domain
Detection and response split into two tracks: find the domains, then remove them.
Detection. The signal is new domain registrations that resemble your brand. Practical sources and methods:
- Monitor newly registered domains against your brand and its common misspellings, combinations, and homoglyph variants. Digital risk protection and brand-protection services automate this by scoring new registrations for similarity to your trademarks.
- Watch certificate transparency logs. A lookalike domain provisioning a TLS certificate is preparing to serve a convincing HTTPS page, often the last step before a phishing launch.
- Generate the permutation set yourself. Tools that expand a domain into its typo, combo, and homoglyph variants (and then resolve which ones are registered and live) turn "what could an attacker register?" into a concrete watchlist.
- Feed confirmed lookalikes into your detection stack as indicators: block the domains, alert on traffic to them, and hunt for any inbound mail referencing them.
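The monitoring step above, and the typo, combo, and homoglyph variants described earlier, can be sketched as a classifier that checks each newly observed domain against a brand watchlist. This is an added example, not code from any tool the page refers to. The function names, the partial confusables table, and the brand list are assumptions, and the input is assumed to be the Unicode form of the domain as a user would see it.

```python
import unicodedata

# Partial, constructed confusables table (assumption); production monitoring
# should load the full Unicode confusables data instead.
CONFUSABLES = {"\u0430": "a", "\u0435": "e", "\u043e": "o",  # Cyrillic a, ie, o
               "\u0440": "p", "\u0441": "c",                 # Cyrillic er, es
               "I": "l", "1": "l", "0": "o"}
SEQUENCES = {"rn": "m", "vv": "w"}  # multi-character lookalikes

def skeleton(label):
    """Fold lookalike characters so visually equal labels compare equal."""
    folded = "".join(CONFUSABLES.get(ch, ch) for ch in label).lower()
    for seq, repl in SEQUENCES.items():
        folded = folded.replace(seq, repl)
    return folded

def scripts(label):
    """Unicode scripts of the letters in a label, e.g. {'LATIN', 'CYRILLIC'}."""
    return {unicodedata.name(ch).split()[0] for ch in label if ch.isalpha()}

def osa_distance(a, b):
    """Edit distance that counts an adjacent transposition as one edit."""
    d = [[max(i, j) if 0 in (i, j) else 0 for j in range(len(b) + 1)]
         for i in range(len(a) + 1)]
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = a[i - 1] != b[j - 1]
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]

def classify(domain, brands, max_edits=1):
    """Return (brand, technique) if the domain imitates a watched brand, else None."""
    parts = domain.rstrip(".").split(".")
    # Simplification: second-level label only; a real feed needs the Public Suffix List.
    label = parts[-2] if len(parts) > 1 else parts[0]
    folded = skeleton(label)
    for brand in brands:  # brands are lowercase ASCII labels (assumption)
        target = skeleton(brand)
        if label.lower() == brand:
            continue  # exact brand label: own asset or resale squat, not a lookalike
        if folded == target:
            mixed = len(scripts(label)) > 1
            return brand, ("lookalike (mixed script)" if mixed else "lookalike")
        if target in folded.split("-"):
            return brand, "combosquat"
        if osa_distance(folded, target) <= max_edits:
            return brand, "typo"
    return None
```

A match is a triage candidate, not a verdict: bad-faith intent, not resemblance alone, is what makes a lookalike cybersquatting.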
Takedown. Once a malicious domain is confirmed, two legal mechanisms exist alongside the operational ones.
- The Uniform Domain-Name Dispute-Resolution Policy (UDRP), adopted by ICANN in 1999, is an administrative process built specifically for this. The complainant must prove the three elements named earlier: the domain is identical or confusingly similar to a mark they hold, the registrant has no legitimate interest in it, and it was registered and is being used in bad faith. A successful complaint results in the domain being transferred to the complainant or cancelled, without going to court.
- The Anticybersquatting Consumer Protection Act (ACPA), enacted in the United States in 1999 as an amendment to the Lanham Act, lets a trademark owner sue a bad-faith registrant in federal court and recover statutory damages per domain. It is slower and costlier than the UDRP but can win money and reach registrants the UDRP cannot.
- Operationally, you do not always need either. Reporting the domain to its registrar and hosting provider for abuse, and to the relevant blocklists and browser safe-browsing programs, often gets a phishing site pulled in hours, far faster than any legal route.
The fastest results usually come from running these in parallel: report for abuse to kill the live attack now, and file the UDRP or ACPA action to take ownership of the name so it cannot be reused.
How to prevent cybersquatting against your brand
Prevention is mostly about shrinking the attacker's options before they register anything.
- Register defensively. Own the obvious variants yourself: common misspellings, the major top-level domains (.com, .net, .org, and relevant country codes), and brand-plus-keyword combinations. A name you hold is a name an attacker cannot squat.
- Trademark the brand. A registered trademark is what gives you standing under both the UDRP and the ACPA. Without it, takedown is far harder. The mark is the legal foundation for everything downstream.
- Monitor continuously. Defensive registration cannot cover every permutation, so pair it with ongoing monitoring of new registrations and certificate transparency logs for names that slipped through.
- Pre-stage the response. Keep registrar abuse contacts, your UDRP provider, and your evidence-collection process ready before you need them. The difference between a domain live for two hours and two weeks is usually how fast the first report goes out.
No program prevents every lookalike. The goal is to make the cheap, obvious squats unavailable and to see the rest early enough that the squatted domain is burned before it ever fronts a campaign.
Frequently Asked Questions
What is cybersquatting?
Cybersquatting, also called domain squatting, is registering and using an internet domain name in bad faith because it is identical or confusingly similar to a trademark, brand, company, or person owned by someone else. The intent is what defines it: profiting from the resemblance through resale, traffic theft, ad revenue, or as staging infrastructure for phishing and malware.
What is the difference between cybersquatting and typosquatting?
Cybersquatting is the broad category of bad-faith domain registration that resembles a brand or person. Typosquatting is one specific technique inside it: registering a deliberate misspelling or visual misread of a real domain (like rnarriott.com for marriott.com) to capture traffic from people who mistype or skim the address. All typosquatting is cybersquatting, but not all cybersquatting is typosquatting.
Is cybersquatting illegal?
Yes, when done in bad faith. In the United States the Anticybersquatting Consumer Protection Act of 1999 lets trademark owners sue bad-faith registrants for statutory damages. Internationally, ICANN's Uniform Domain-Name Dispute-Resolution Policy provides an administrative process to transfer or cancel an infringing domain. Legitimate registration of a name you have a real interest in is not illegal.
How do attackers use cybersquatted domains in phishing?
The lookalike domain makes a fraudulent message survive scrutiny. An attacker registers a domain that resembles a trusted brand, clones the real login or payment page, and sends a phishing or business email compromise message linking to it. Because the brand name reads correctly at a glance, recipients submit credentials or approve payments to the attacker.
How do you detect cybersquatting against your organization?
Monitor newly registered domains for names that resemble your brand, including misspellings, added keywords, and lookalike characters. Watch certificate transparency logs for lookalike domains provisioning TLS certificates, and use brand-protection or digital risk protection tools that score new registrations for similarity to your trademarks. Confirmed lookalikes should be fed into your detection stack as indicators.
What is the UDRP and how does it help against cybersquatting?
The Uniform Domain-Name Dispute-Resolution Policy, adopted by ICANN in 1999, is an administrative process for resolving domain disputes without going to court. A complainant must prove the domain is identical or confusingly similar to a mark they hold, that the registrant has no legitimate interest in it, and that it was registered and used in bad faith. A successful complaint transfers or cancels the domain.
The bottom line
Cybersquatting is bad-faith domain registration that trades on a name someone else owns, and its variants (typosquatting, combosquatting, and homograph attacks) are built to be misread. For a defender, the squatted domain is not a legal nuisance to file away; it is attack infrastructure, most often the front for a phishing or business email compromise campaign, and a newly registered lookalike is one of the earliest warnings you get that a campaign is coming.
The response is layered. Register and trademark defensively so the obvious names are off the table. Monitor new registrations and certificate transparency logs so the rest surface early. When a malicious domain appears, report it for abuse to kill the live attack and file a UDRP or ACPA action to take the name out of circulation. The domain is cheap for the attacker to register; the discipline that catches it early is what makes it expensive to use.