How to protect your domain from typosquatting

Guest blog: James Norman from Fasthosts shares his best advice for protecting your online brand
29th December 2017

So you’ve registered your ideal domain name and it perfectly sums up what you’re all about. But when you’re establishing your online brand, there are other things to consider.

Did you ever think about what happens when someone accidentally misspells your domain in their browser address bar? Often enough it’s a simple ‘this site can’t be reached’ message, but occasionally it can be something more sinister.

What is typosquatting?

Typosquatting is also known as URL hijacking or ‘brandjacking’. It’s a form of domain squatting, or cybersquatting more generally, where one party registers a domain with the sole intention of denying it from another organisation or individual, who will naturally want it for themselves. The domain squatter snaps up a trademark or name that they know will be in demand, putting them in a position to sell it to the other party at a later date, at a grossly inflated price of course.

“More malicious squatters have been known to use brandjacking to… phish for personal login data”

 

The ‘typo’ in typosquatting refers to those tiny mistakes we all make when hammering away at a keyboard. The squatter will intentionally register domains with slight variations on an existing web address in a bid to pick up the traffic of all those sloppy typists.

For example, maybe you’re so excited to visit favouritewebsite.com you typed favouritewebiste.com instead. If this URL is in the hands of a domain squatter, you’ll be redirected to a completely different site. But for what purpose? The motivation behind typosquatting comes in all shapes and sizes.

Examples of typosquatting

The goals of the squatter can vary from the simple objective of selling the domain at a jacked-up price, to monetising the traffic received using ads or affiliate links, or even redirecting to a competitor. More malicious squatters have been known to use brandjacking to replicate the target site and phish for personal login data. At its most serious, typosquatting can be used to infect the unluckiest bad spellers with malware-riddled webpages.

“Typosquatting has been used to spread so-called ‘fake news'”

 

High-profile victims of typosquatting have included celebrities like Paris Hilton and Jennifer Lopez and big brands have been forced to take it seriously. For example, Google has secured gogle.com and googel.com to ensure slips of the keyboard don’t send users off course.

More recently, typosquatting has been used to spread so-called ‘fake news’, by presenting false news stories in links that appear to be from legitimate news outlets, at first glance at least. On social media, this is often enough to go viral.

How does typosquatting work?

Cybersquatters will go after likely typos, common misspellings and other slight variations on an existing domain name. That might mean adding a hyphen here or repeating a character there, but the end result is a web address that’s close enough to pick up a high volume of web traffic.

Another common tactic is to use alternative domain endings that are dangerously close to the legit URL. For instance, registering the equivalent .co of an existing .com domain. Certain country code domains like .cm (Cameroon) or .om (Oman) are also very popular with scammers, for obvious reasons.

But on a lighter note, the power of sloppy typing can be used for good. The charity site c.uk makes use of wildcard subdomains to pick up a large volume of mistyped .co.uk domains and showcases a wide range of worthwhile causes.

Is typosquatting legal?

Yes and no. Obviously, phishing and malware scams are crimes, but simply registering an available domain isn’t illegal. However, there may be some legal comeback if consumers could potentially be duped or confused by a domain very similar or almost identical to an existing name or trademark. In other words, the law is on your side if the cybersquatting constitutes trademark infringement.

“An SSL certificate is an excellent way to reassure users that you’re definitely who you say you are”

 

Of course, the law depends on your physical location. While the US has specific legislation in the form of the Anticybersquatting Consumer Protection Act (ACPA) of 1999, in the UK domain squatting can be countered via existing trademark and intellectual property law.

Short of the courtroom, there are also services offered by the Internet Corporation for Assigned Names and Numbers (ICANN) and domain registries like Nominet to settle arguments over who has the legitimate claim to a particular domain.

While legal mechanisms and dispute resolution processes are certainly valued, they can also consume a significant chunk of money, time and effort. This may not be an issue for large multinational brands and celebrities, but in general, prevention is better than a cure.

Swatting the squatters: how to prevent typosquatting

From a web user’s point of view, avoiding the squatters is an obvious case of increased awareness. Be careful when typing domains, and rely on search engines and bookmarks where possible (which are often quicker and easier anyway). Watch out for dodgy links in emails and social media posts, install anti-malware software and always make sure your browsers, apps and operating systems are as up to date as possible.

To prevent typosquatting of your own website, you simply need to get there first and secure them as quickly as possible. It might be as simple as typing out your domain as fast as you can, seeing what the most likely mistakes are, and registering them. If someone is told your domain verbally, are there any obvious ways they could mishear it?

To prevent hijacking of the Fasthosts brand, we have fastgosts.co.uk, fasthost.co.uk, fathosts.co.uk and many more domains registered and redirected to fasthosts.co.uk.

An SSL certificate is also an excellent way to reassure users that you’re definitely who you say you are when they arrive on your website – especially in light of recent changes to how HTTPS sites are displayed in web browsers.

So there you have it. Typos in your URL aren’t always a bad thing, providing you’re the one who owns them…