Combosquatting
Registering domains that combine a legitimate brand name with an extra word to create convincing but fraudulent web addresses.
Also known as: brand-combo domain, domain combination attack
Last reviewed: 10 June 2026
Combosquatting goes a step further than typosquatting by appending or prepending words to a brand name — such as 'secure-', '-support', '-login', or '-update' — to create a domain that looks official at a glance. Unlike typosquatting, the brand name is spelled correctly, making the fraud harder to spot.
These domains are commonly used in phishing emails where the domain in the 'From' address or embedded link appears entirely plausible. They are also used to host fake customer-support portals, fraud-refund pages, and software-update sites.
Always navigate to services through bookmarks or by typing the exact official domain rather than clicking links in emails. A domain like 'secure-bankname.com' is not the same as 'bankname.com'.
Examples
- A fraudster registers 'paypal-secure-update.com' and sends emails asking users to verify their accounts.
- A fake tech-support page is hosted on 'microsoft-helpdesk-support.com'.
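The check described above (the brand is spelled correctly, but the registrable domain is not the official one) can be automated for links and sender addresses. The following is an added example, not part of the original entry; the `OFFICIAL` allowlist, the function names, and the two-label registrable-domain rule are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed allowlist (assumption): brand keyword -> official registrable domains.
OFFICIAL = {
    "paypal": {"paypal.com"},
    "microsoft": {"microsoft.com"},
}

def host_of(value):
    """Extract the hostname from a URL, a From address, or a bare hostname."""
    value = value.strip()
    if "://" in value:
        return (urlsplit(value).hostname or "").lower()
    return value.rsplit("@", 1)[-1].strip(" <>").lower()

def registrable_domain(host):
    """Naive rule: the last two labels. Wrong for suffixes such as co.uk;
    a production check should consult the Public Suffix List."""
    return ".".join(host.rstrip(".").split(".")[-2:])

def classify(value):
    """Return (verdict, brand, extra_words) for a link or sender address."""
    reg = registrable_domain(host_of(value))
    name = reg.split(".")[0]
    for brand, domains in OFFICIAL.items():
        if reg in domains:
            return ("official", brand, [])
    for brand in OFFICIAL:
        if brand in name:  # substring heuristic: flags candidates for review
            parts = re.split(r"[-_]|" + re.escape(brand), name)
            extras = [p for p in parts if p]
            verdict = "combosquat-candidate" if extras else "brand-on-unlisted-tld"
            return (verdict, brand, extras)
    return ("unrelated", None, [])

if __name__ == "__main__":
    # Constructed sample inputs, using the domains from the examples above.
    samples = [
        "https://www.paypal.com/signin",
        "billing@paypal-secure-update.com",
        "https://microsoft-helpdesk-support.com/chat",
        "example.org",
    ]
    for s in samples:
        print(s, "->", classify(s))
```

The extra words returned for a candidate ('secure', 'update', 'helpdesk', 'support') are useful triage context, since they are the same kind of words the definition lists as typical combosquatting additions.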