Imagine clicking a link in a genuine-looking Microsoft email, complete with the familiar logo, layout, and URL, only to end up losing your account credentials. Phishing emails are getting smarter: threat actors now exploit a typographical illusion to trick you into surrendering your login details.
This form of attack is called typosquatting, and it's deceptively subtle. At first glance, the sender address looks legitimate. The email design matches what you'd expect from Microsoft. Even the link in the email seems right. But look closer and you'll notice something is off: one letter that isn't the letter it appears to be, and that is enough to get your account hacked.
What typosquatting is and how it works
A visual trick that exploits how we read
In this instance, the threat actors registered a domain like rnicrosoft.com and sent emails from it as if they were official Microsoft support. At a glance, and especially on a phone, your brain reads it as microsoft.com; it is actually "r-n-icrosoft", with the letters r and n standing in for an m. This is classic typosquatting (also called URL hijacking) in action.
Typosquatting means registering domains that look nearly identical to those of popular websites. Attackers use misspellings, swapped characters, look-alike character sequences, different top-level domains (.co instead of .com), or the real brand name buried in a subdomain of a domain they control (microsoft.com.example.net) to catch people off guard.
The goal is to trick you into clicking a link or typing a URL that leads to a lookalike domain. Once there, victims often encounter a cloned website with matching branding and design. You log in, enter payment details, or download files and give attackers what they need.
Typosquatting works because our brains process familiar words as patterns rather than reading each letter individually. When you see "microsoft" hundreds of times, your brain starts recognizing the shape rather than verifying each character. Scammers exploit this by using similar-looking letters like "rn" for "m," "vv" for "w," or "1" for "l."
The problem is worse on mobile devices. Smaller screens, default fonts, and quick scrolling make these subtle differences nearly invisible. You're checking email on your phone during lunch, you see a message from what looks like Microsoft, and you tap through without a second thought.
What makes typosquatting so effective in phishing emails is that it survives email authentication. A scammer registers a typo domain, sets up SPF, DKIM, and DMARC for it correctly, and sends messages that look entirely legitimate. Those checks confirm only that the mail really did come from rnicrosoft.com, which it did; they say nothing about whether rnicrosoft.com has anything to do with Microsoft. The email passes the spam filter, lands in your inbox, and waits for you to click.
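To make the character tricks and the authentication point above concrete, here is a small checker, added as an illustration rather than taken from any vendor's filter, that does what a filter "tuned for lookalike domains" has to do: collapse confusable sequences such as "rn" into a skeleton, measure edit distance for the remaining typo classes, and apply the verdict to the From: domain of a message. It also returns the message's Authentication-Results header so you can see that a passing SPF/DKIM/DMARC result is no help here. The brand list, the confusable table, and the sample message are constructed for the example, and the code assumes a two-label registrable domain instead of consulting the Public Suffix List.

```python
import email
from email.utils import parseaddr
from typing import Optional, Tuple

# Brands to protect, mapped to the domain each legitimately uses.
# Constructed allowlist for the example; a deployment would load its own.
PROTECTED = {"microsoft": "microsoft.com", "google": "google.com", "amazon": "amazon.com"}

# Character sequences that read as another character in common sans-serif fonts.
# Multi-character entries come first so "rn" collapses before any single-character
# rule could touch one of its letters.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("cl", "d"), ("1", "l"), ("0", "o")]


def skeleton(label: str) -> str:
    """Collapse look-alike sequences so visually similar labels compare equal."""
    s = label.lower()
    for seq, canon in CONFUSABLES:
        s = s.replace(seq, canon)
    return s


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: an insertion, deletion, substitution or
    swap of two adjacent characters each costs 1, which covers the usual typos."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def classify_domain(domain: str) -> Tuple[str, Optional[str]]:
    """Return (verdict, brand). Assumption: the registrable domain is the last
    two labels; a real deployment would use the Public Suffix List."""
    labels = domain.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return "unrelated", None
    sld, tld = labels[-2], labels[-1]
    registrable = f"{sld}.{tld}"
    for brand, official in PROTECTED.items():
        if registrable == official:
            return "legitimate", brand           # login.microsoft.com
    for brand in PROTECTED:
        if brand in labels[:-2]:
            return "brand-in-subdomain", brand   # microsoft.com.example.net
        if sld == brand:
            return "tld-swap", brand             # microsoft.co
        if skeleton(sld) == skeleton(brand):
            return "homoglyph", brand            # rnicrosoft.com, g00gle.com
        if osa_distance(sld, brand) == 1:
            return "typo", brand                 # micrsoft.com, mircosoft.com
    return "unrelated", None


def check_sender(raw_message: str) -> dict:
    """Classify the domain in the From: header and return the message's
    Authentication-Results alongside: SPF/DKIM/DMARC can all pass for a
    lookalike domain, because they authenticate the domain, not the brand."""
    msg = email.message_from_string(raw_message)
    _, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2]
    verdict, brand = classify_domain(domain)
    return {"from_domain": domain, "verdict": verdict, "brand": brand,
            "auth_results": msg.get("Authentication-Results", "")}


# Constructed sample message: a lookalike domain with authentication set up correctly.
SAMPLE = """\
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=rnicrosoft.com;
 dkim=pass header.d=rnicrosoft.com; dmarc=pass header.from=rnicrosoft.com
From: Microsoft Account Team <no-reply@rnicrosoft.com>
To: victim@example.net
Subject: Unusual sign-in activity

Review the activity at https://login.rnicrosoft.com/
"""

if __name__ == "__main__":
    print(check_sender(SAMPLE))
```

Skeleton matching is deliberately greedy: it will also flag an innocent name whose letters happen to collapse onto a brand, so in practice a hit is a signal to hold or rewrite the message for review rather than to block outright.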
Why browser and email filters don't always catch these
Legitimate-looking domains slip through automated checks
You might think your email provider or browser would catch obvious fake or misspelled URLs, and often they do. Edge and Chrome even offer typo protection for addresses you type into the address bar. Unfortunately, typosquatting exploits the gaps these automated systems leave.
Typosquatted domains are often properly registered with valid TLS certificates and benign-looking content; a certificate only proves that its holder controls that domain name, not that the name belongs to the brand it imitates. Email gateways focus on spam patterns and known bad senders, but mail from a correctly configured typo domain with proper authentication looks statistically similar to legitimate traffic. Unless the filter specifically checks for brand similarity or uses machine learning tuned for lookalike domains, it won't flag the message as suspicious.
Browser protections have similar limitations. New typo domains appear constantly and may be used only briefly before rotating to new infrastructure. Blocklists and typo protection features can lag behind or miss low-volume, targeted attacks entirely. By the time a domain gets flagged, the damage is often already done.
It's easy to protect against typosquatting, but only if you know how
Simple habits and tools that keep you safe
Major tech companies like Google, Microsoft, and Amazon actively fight typosquatting and routinely register common misspellings of their domains and redirect them to their official sites. Type gooogle.com (with an extra "o"), for example, and you land on google.com. This keeps the most common typos out of scammers' hands, but no company can register every possible variation, so you still need to stay vigilant.
The simplest defense is pausing before you click. Hover over links in emails (or long-press them on a phone) to see the actual URL before following them. Check the address bar carefully, especially on mobile, where small screens make subtle differences harder to spot. If something feels off about a login page, including wrong fonts, missing elements, or anything that doesn't look quite right, close the tab and navigate to the site directly by typing the URL yourself or using a bookmark.
Password managers offer built-in protection here. If your password manager doesn't auto-fill on a login page, that's a strong signal that the domain isn't the one you usually use. Password managers match the saved entry against the site's actual domain name, not its appearance: an entry saved for microsoft.com will fill on login.microsoft.com but never on rnicrosoft.com, because to the software those are simply different strings.
For even stronger protection, consider switching to passkeys instead of passwords. Passkeys are phishing-resistant by design: a passkey is bound to the domain it was created for, and the browser refuses to use it for any other site, so a lookalike domain cannot even ask for it. You can also use a hardware security key for accounts that support them. The browser and the key together check the real domain before anything is signed, which makes typosquatting attacks essentially useless against these logins.
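The two defenses just described rest on the same mechanism: an exact comparison of domain names by software that cannot be fooled by how letters look. The added Python model below (illustrative code, not any password manager's or browser's implementation) shows both halves: the autofill decision a password manager makes, and the origin and RP ID checks that a browser and a relying party apply to a passkey assertion. The HMAC stand-in for the authenticator's signing key, the two-label public-suffix rule, and all domain and challenge values are assumptions made for the example; real WebAuthn uses a public-key signature, but the domain scoping shown is the part that defeats a lookalike site.

```python
import hashlib
import hmac
import json
import os
from urllib.parse import urlsplit


def registrable_domain(host: str) -> str:
    """Last two labels of the host. Assumption: a two-label public suffix
    model; real password managers consult the Public Suffix List."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def should_autofill(saved_url: str, page_url: str) -> bool:
    """A manager fills only when the page's real registrable domain equals the
    saved one, over HTTPS. login.microsoft.com matches an entry for
    microsoft.com; login.rnicrosoft.com is a different string and gets nothing."""
    saved, page = urlsplit(saved_url), urlsplit(page_url)
    if page.scheme != "https" or not saved.hostname or not page.hostname:
        return False
    return registrable_domain(saved.hostname) == registrable_domain(page.hostname)


def rp_id_valid_for_origin(rp_id: str, origin: str) -> bool:
    """WebAuthn rule enforced by the browser: the RP ID must equal the origin's
    host or be a registrable suffix of it (public-suffix check omitted here)."""
    host = (urlsplit(origin).hostname or "").lower()
    return host == rp_id or host.endswith("." + rp_id)


class Authenticator:
    """Credentials are scoped by RP ID. The per-credential private key is
    modelled as an HMAC secret shared with the RP (assumption, for brevity);
    a real authenticator signs with a private key the RP never sees."""

    def __init__(self):
        self.creds = {}  # rp_id -> (credential_id, secret)

    def create(self, rp_id: str):
        self.creds[rp_id] = (os.urandom(16), os.urandom(32))
        return self.creds[rp_id]

    def get_assertion(self, rp_id: str, client_data_json: bytes):
        if rp_id not in self.creds:
            return None  # nothing registered under this RP ID
        cred_id, secret = self.creds[rp_id]
        # authenticatorData = sha256(rpId) || flags (UP set) || signCount
        auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + b"\x00\x00\x00\x00"
        signed = auth_data + hashlib.sha256(client_data_json).digest()
        return {"id": cred_id, "authenticatorData": auth_data,
                "clientDataJSON": client_data_json,
                "signature": hmac.new(secret, signed, hashlib.sha256).digest()}


def browser_get(auth: Authenticator, page_origin: str, rp_id: str, challenge: str):
    """The browser, not the page's script, writes the origin into clientDataJSON
    and refuses any RP ID that does not belong to the page's origin."""
    if not rp_id_valid_for_origin(rp_id, page_origin):
        raise PermissionError("SecurityError: RP ID does not match origin")
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": page_origin}).encode()
    return auth.get_assertion(rp_id, client_data)


def rp_verify(assertion, expected_origin: str, rp_id: str, challenge: str, secret: bytes) -> bool:
    """Relying party side: check type, challenge, origin, rpIdHash, then the signature."""
    if assertion is None:
        return False
    cd = json.loads(assertion["clientDataJSON"])
    if (cd.get("type"), cd.get("challenge"), cd.get("origin")) != ("webauthn.get", challenge, expected_origin):
        return False
    if assertion["authenticatorData"][:32] != hashlib.sha256(rp_id.encode()).digest():
        return False
    signed = assertion["authenticatorData"] + hashlib.sha256(assertion["clientDataJSON"]).digest()
    return hmac.compare_digest(assertion["signature"], hmac.new(secret, signed, hashlib.sha256).digest())


def demo() -> dict:
    """Register a passkey for microsoft.com, then try to use it from the real
    site and from a rnicrosoft.com lookalike (all values constructed)."""
    auth = Authenticator()
    _, secret = auth.create("microsoft.com")
    challenge = "constructed-random-challenge"
    genuine = browser_get(auth, "https://login.microsoft.com", "microsoft.com", challenge)
    # The lookalike may ask for its own RP ID, but no credential exists for it.
    lookalike = browser_get(auth, "https://login.rnicrosoft.com", "rnicrosoft.com", challenge)
    # Asking for microsoft.com from a rnicrosoft.com page is refused by the browser.
    try:
        browser_get(auth, "https://login.rnicrosoft.com", "microsoft.com", challenge)
        cross_origin_refused = False
    except PermissionError:
        cross_origin_refused = True
    return {
        "genuine_verified": rp_verify(genuine, "https://login.microsoft.com", "microsoft.com", challenge, secret),
        "lookalike_got_assertion": lookalike is not None,
        "cross_origin_refused": cross_origin_refused,
        "genuine_rejected_for_other_rp": rp_verify(genuine, "https://login.microsoft.com", "rnicrosoft.com", challenge, secret),
    }


if __name__ == "__main__":
    print(demo())
```

Note that the page's own JavaScript never gets to choose the origin: the browser fills it in, which is why a cloned login page on a lookalike domain cannot forge a request that the real relying party would accept.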
Always be skeptical of email links
Typosquatting works because it exploits how our brains process familiar information. We see what we expect to see, not what's actually there. Scammers count on this, creating domains and emails that pass the quick-glance test.
However, once you know how this trick works, you'll start noticing those subtle character swaps more easily. Take an extra second to verify sender addresses and URLs, especially for login pages and financial transactions. Use bookmarks for sites you visit frequently, and let your password manager do the domain verification for you. That brief pause could save you from handing over your credentials to someone who registered a domain that looks almost, but not quite, right.