
Typosquatting Detection: a beginner's guide

Detect typosquat domains that could impersonate your brand

EdgeDNS Team · 8 min read

Typosquatting: the lookalike domains that quietly steal your traffic

Typosquatting is the practice of registering domain names that look almost identical to a legitimate brand's domain — `goggle.com`, `paypa1.com`, `arnaz0n.com`, `microsft.com` — in order to catch users who make a typo or who don't look closely. Some typosquatters use the lookalike domains for outright fraud (phishing pages, fake login screens, malware distribution). Some use them for affiliate-link redirection. Some just park them and serve ads. A few use them for legitimate purposes like satire or commentary. The thing they all have in common is that they exploit the small visual differences that make `rn` look like `m`, `0` look like `O`, or a Cyrillic `а` look like a Latin `a`.

You should care because typosquatting against your brand is happening whether you check for it or not. The lookalike domains are cheap to register (under $10 a year), they take seconds to set up, and any well-known brand has dozens to hundreds of them already in active use somewhere on the internet. The damage they cause is hard to measure precisely but is real: stolen traffic, brand confusion, phishing victims who blame you, and (in the worst cases) successful credential theft from your customers. The defense is monitoring: knowing what lookalikes exist is the first step toward shutting them down.

The five categories every typosquatting check looks at:

  • Character substitution. Replacing a letter with a visually similar one (`o`→`0`, `l`→`1`, `i`→`l`).

  • Character omission. Dropping a letter (`gogle.com`).

  • Character insertion. Adding a letter (`googgle.com`).

  • Adjacent-key swaps. Swapping two letters that are next to each other on the keyboard (`googel.com`).

  • Homoglyph attacks. Using non-Latin characters that look identical to Latin ones — Cyrillic `а`, Greek `ο`, Latin small caps. These are the hardest to spot with the naked eye.
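
To make the categories concrete, here is an added example (not EdgeDNS code) that takes a domain seen in logs or a report and says which category it falls into relative to your brand. The lookalike tables are a small constructed sample, and "adjacent swap" means two neighbouring letters of the name exchanged, as in `googel.com` above.

```python
# Constructed lookalike tables for illustration; production monitoring would
# use the full Unicode confusables data rather than these few entries.
HOMOGLYPHS = {"\u0430": "a", "\u043e": "o", "\u0435": "e", "\u03bf": "o"}
VISUAL = [("rn", "m"), ("0", "o"), ("1", "l")]  # ASCII pairs that read alike


def skeleton(name: str) -> str:
    """Fold lookalike characters so visually equal names compare equal."""
    name = "".join(HOMOGLYPHS.get(ch, ch) for ch in name.lower())
    for seen, meant in VISUAL:
        name = name.replace(seen, meant)
    return name


def one_deleted(longer: str, shorter: str) -> bool:
    """True if removing exactly one character from `longer` gives `shorter`."""
    return len(longer) == len(shorter) + 1 and any(
        longer[:i] + longer[i + 1:] == shorter for i in range(len(longer)))


def classify(brand: str, seen: str):
    """Return the typosquat category of `seen` relative to `brand`, or None."""
    brand, seen = brand.lower(), seen.lower()
    if seen == brand:
        return None
    if skeleton(seen) == skeleton(brand):
        # Same shape on screen: non-ASCII means a homoglyph, else a visual swap.
        return "substitution" if seen.isascii() else "homoglyph"
    if one_deleted(brand, seen):
        return "omission"
    if one_deleted(seen, brand):
        return "insertion"
    if len(seen) == len(brand):
        diff = [i for i, (a, b) in enumerate(zip(brand, seen)) if a != b]
        if len(diff) == 1:
            return "substitution"
        if (len(diff) == 2 and diff[1] == diff[0] + 1
                and brand[diff[0]] == seen[diff[1]]
                and brand[diff[1]] == seen[diff[0]]):
            return "adjacent swap"
    return None


if __name__ == "__main__":
    for name in ("gogle.com", "googgle.com", "googel.com", "goggle.com"):
        print(name, "->", classify("google.com", name))
```

Internationalized names usually show up in DNS data in their `xn--` form, so decode them to Unicode before classifying.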

Three questions a typosquatting check answers:

  • How many lookalike domains for my brand exist right now, and which ones are actually live?

  • Which of them are running phishing pages or impersonating my brand directly?

  • Are there new typosquats showing up faster than my brand-protection process can take them down?

The cost of ignoring typosquatting is the slow accumulation of fraud and brand damage you never see directly because it happens to your customers, not to you. The fix is automated monitoring of the typosquat space and a takedown process for the most dangerous ones. For high-value brands, this is one of the most cost-effective pieces of brand protection available.

The Typosquatting Detection endpoint, in plain language

In one sentence: detect typosquat domains that could impersonate your brand.

The endpoint generates domain name variations using 12 permutation algorithms and checks which ones resolve to active servers. It identifies potential typosquatting threats including homoglyph attacks, character swaps, TLD (top-level domain) variations, and more.

Don't worry if some of the words above are still unfamiliar — there's a plain-language glossary at the bottom of this page, and most of the terms link to their own beginner guides if you want to learn more.

What is actually happening when you call it

Here's what's actually happening behind the scenes when you call this endpoint:

The endpoint applies 12 typosquatting algorithms (character omission, swap, doubling, insertion, adjacent key substitution, homoglyph substitution, TLD (top-level domain) swap, hyphenation, bitsquatting, vowel swap, subdomain insertion, plural/singular) to generate domain variations, then batch-resolves them via DNS (Domain Name System) to find active threats.

If you're using an AI assistant through MCP, you don't need to understand any of the technical details — the assistant calls the tool and translates the result for you.

Why this specific tool matters

Let's skip the marketing fluff and answer the only question that actually matters: why should you, a real human with a real to-do list, care about the Typosquatting Detection tool? Here's the plain-English version, written the way you'd hear it from a friend who happens to do this for a living.

Typosquatting is a leading vector for phishing, credential theft, and brand abuse. Proactively identifying registered lookalike domains enables takedown requests and employee awareness training.

Picture this in real life. Imagine a brand protection manager who has to run weekly scans against company domains to identify newly registered typosquat domains that could be used for phishing. Without the right tool, that person would be stuck copy-pasting between five browser tabs, reading documentation written for engineers, and crossing their fingers that the answer they cobble together is correct. With the Typosquatting Detection tool, the same person gets a clear answer in seconds: no spreadsheets, no guessing, no waiting for someone on the infrastructure team to free up.

Three questions this tool answers in plain English. If any of these have ever crossed your mind, the Typosquatting Detection tool is built for you:

  • Is this domain or IP address known for fraud, phishing, or abuse?

  • Should my signup form, payment flow, or comment system trust this visitor?

  • Is someone out there registering lookalike domains targeting my brand?

You can either click the tool and get the answer yourself, or ask your AI assistant — connected through MCP (Model Context Protocol) — to ask the question for you and translate the answer into something you can paste into Slack.

Who gets the most out of this. Trust and safety teams, fraud analysts, brand-protection managers, security operations engineers, and product teams running open signup flows. If you see yourself in that list, this is one of the EdgeDNS tools you should bookmark today.

What happens if you skip this entirely. Skip it and you find out a domain or IP was malicious only after it has already cost you money or trust. That's why running this check — even once a month — is one of the cheapest forms of insurance you can give your domain.

Info:

Available on the pro plan. The technical details: `GET /v1/domain/typosquats`.

When would I actually use this?

If you're still on the fence about whether the Typosquatting Detection tool belongs in your toolbox, this section is for you. Below you'll meet three real people — a brand protection manager, a SOC analyst, and an IT manager — facing three real situations where this tool turns a stressful afternoon into a five-minute task. Read whichever story sounds closest to your week.

Story 1: Brand Protection Sweep

Imagine you're a brand protection manager. You run weekly scans against company domains to identify newly registered typosquat domains that could be used for phishing.

Why it matters: Enable proactive takedown via ICANN UDRP dispute resolution or registrar abuse reports before lookalike domains impact customers.

Story 2: Phishing Campaign Analysis

Imagine you're an SOC analyst. When a phishing email is reported, you quickly check all common variations of the spoofed domain to find the full scope of the campaign.

Why it matters: Identify all domains in a phishing campaign, not just the one reported, for comprehensive blocking.

Story 3: Domain Registration Defense

Imagine you're an IT manager. Before launching a new brand, you check which typosquat variations are already registered and defensively register critical ones.

Why it matters: Prevent brand abuse by registering high-risk typosquat domains before attackers do.

Common situations across teams. Beyond the three stories above, here are the everyday workplace moments when people across the company reach for the Typosquatting Detection tool — or one of the tools right next to it in this category. If any of these are on your calendar this month, that's your sign:

  • Inside a signup form, payment flow, or comment system, to score risk in real time.

  • When investigating a customer complaint about a suspicious link or message.

  • On a recurring schedule, to monitor lookalike domains targeting your brand.

  • During incident response, to enrich an alert with reputation context.

If you can see yourself in even one of those bullets, the Typosquatting Detection tool will pay for itself the first time you use it.

Still not sure? Here's the easiest test in the world. Open Claude, ChatGPT, Gemini, or any other AI assistant connected to the EdgeDNS MCP server and ask, in your own words: "Is the Typosquatting Detection tool useful for my job?" The assistant will look at the tool, ask you a couple of follow-up questions about what you're trying to accomplish, and give you a straight answer in plain English. No commitment, no signup forms, no jargon.

The easiest way: just ask your AI assistant

If you've connected the EdgeDNS MCP server to Claude, ChatGPT, Gemini, Cursor, or any other AI assistant, you don't need to write any code. Just ask in plain English:

"Use the Typosquatting Detection tool to check example.com and explain anything that looks wrong in plain language."

The AI will figure out which tool to call, fill in the right parameters, run it, and then explain the result back to you. No copy-pasting between tabs. No reading raw JSON. No memorizing endpoint names.

Tip:

MCP (Model Context Protocol) access is free on every plan, including the free tier. One API key works for both REST and AI — you do not have to choose.

The technical way: call it from code

If you're a developer and want to call the endpoint from a script or your own application, here's the simplest possible example. Replace the placeholder API key with the real one from your dashboard.

```bash
# Replace edns_live_YOUR_KEY with your real API key from the dashboard
curl -H "Authorization: Bearer edns_live_YOUR_KEY" \
  "https://api.edgedns.dev/v1/domain/typosquats?domain=example.com"
```

What you need to provide

You need to provide 2 pieces of information when you call this tool. The table below lays them out side by side, with a real example for each one so you can see exactly what to send.

| Field | Type | Required? | What it means | Example |
| --- | --- | --- | --- | --- |
| `domain` | string | Yes | The domain to check for typosquatting variations | `example.com` |
| `check_dns` | string | Optional | Whether to resolve variations via DNS (Domain Name System) to check registration and activity (default: true). Set to false for fast variation-only results. | `true` |

What you get back

When you call this tool, you'll get back a JSON object with the fields below. If you're talking to it through an AI assistant, the assistant reads these for you and explains them in plain language — you don't need to memorize them.

| Field | Type | What you'll see in it |
| --- | --- | --- |
| `domain` | string | The original domain checked |
| `total_variations` | number | Total variations generated across all algorithms |
| `registered_count` | number | Variations that are registered in DNS (Domain Name System) (may not resolve to an IP (Internet Protocol address)) |
| `resolving_count` | number | Variations resolving to active servers with A records |
| `variations` | array | Each variation with domain, type, registered, resolves, IP, has_mx, and risk level (high/medium/low/none) |
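
For the weekly sweep described earlier, the useful output is what changed since the last scan. The following added example (not EdgeDNS code) compares two saved responses and builds a takedown queue of newly registered lookalikes. The sample data is constructed, and the key names `ip` and `risk` and the `type` strings are assumptions, since the page names those fields only loosely.

```python
# Constructed sample scans shaped like the documented response. The key names
# "ip" and "risk" and the "type" strings are assumptions; the page names these
# fields only as "IP", "risk level" and "type".
def v(domain, kind, registered, resolves, ip, has_mx, risk):
    return {"domain": domain, "type": kind, "registered": registered,
            "resolves": resolves, "ip": ip, "has_mx": has_mx, "risk": risk}


LAST_WEEK = {"domain": "example.com", "variations": [
    v("exampel.com", "swap", True, True, "192.0.2.10", False, "medium"),
    v("examp1e.com", "substitution", False, False, None, False, "none"),
]}
THIS_WEEK = {"domain": "example.com", "variations": [
    v("exampel.com", "swap", True, True, "192.0.2.10", False, "medium"),
    v("examp1e.com", "substitution", True, True, "198.51.100.7", True, "high"),
    v("examples.com", "plural", True, True, "198.51.100.9", False, "medium"),
    v("exmple.com", "omission", True, False, None, False, "low"),
    v("exampl.com", "omission", False, False, None, False, "none"),
]}

RISK_ORDER = {"high": 0, "medium": 1, "low": 2, "none": 3}


def newly_registered(previous, current):
    """Variations registered in `current` that were not registered before."""
    before = {x["domain"] for x in previous["variations"] if x["registered"]}
    return [x for x in current["variations"]
            if x["registered"] and x["domain"] not in before]


def takedown_queue(previous, current):
    """New lookalikes, most urgent first.

    Order: reported risk level, then mail-capable (has_mx) domains, then
    domains that resolve. Registered names that do not resolve stay in the
    queue because they can be activated later.
    """
    fresh = newly_registered(previous, current)
    fresh.sort(key=lambda x: (RISK_ORDER.get(x["risk"], len(RISK_ORDER)),
                              not x["has_mx"], not x["resolves"], x["domain"]))
    return [(x["domain"], x["risk"], "mail" if x["has_mx"] else "no-mail",
             "live" if x["resolves"] else "dormant") for x in fresh]


if __name__ == "__main__":
    for row in takedown_queue(LAST_WEEK, THIS_WEEK):
        print(*row, sep="\t")
```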

Words you might be wondering about

If any words on this page felt like jargon, here's a plain-language version. Click any linked term to read a full beginner-friendly guide.

DNS (Domain Name System) — The internet's address book. When you type a website name, DNS turns it into the actual numeric address computers use to find each other.

TLD (top-level domain) — The ending of a website name like .com, .org, or .dev.
