Lookalike Domain
A domain crafted to closely resemble a trusted brand's real domain, used to deceive recipients into trusting fraudulent emails or websites.
Also known as: look-alike domain, impersonation domain, brand-abuse domain
Last reviewed: 1 June 2026
Lookalike domains go beyond simple typos: they may add hyphens ('pay-pal.com'), insert words ('paypal-secure.com'), change the TLD ('paypal.net'), or substitute visually similar characters (a digit for a letter, 'rn' for 'm', or a Unicode character that renders like its Latin counterpart), often combining several of these. The goal is that a recipient who glances at the sender address or URL, rather than reading it character by character, will perceive it as legitimate.
They are routinely weaponised in business email compromise (BEC) attacks, where an attacker registers a domain resembling a supplier's or partner's domain and uses it to send fraudulent invoices or requests to change payment details. They are also used in spear-phishing campaigns where personalised messages direct targets to convincing clone websites hosted on the lookalike domain.
Organisations defend against lookalike domains by registering common variants of their own domain before an attacker can, subscribing to brand-monitoring services that alert on new registrations of similar names, and training staff to verify sender domains carefully before acting on financial or credential requests. SPF, DKIM and DMARC belong in the same programme but address a different problem: they authenticate mail that claims to come from the organisation's exact domain, so they stop direct spoofing of that domain, not mail from a lookalike domain, which the attacker controls and can configure to pass all three checks. Catching lookalikes therefore needs separate controls, such as inbound mail-gateway rules that flag sender domains close to the organisation's own domain or to those of key suppliers.
Examples
- A fraudster registers 'acme-invoices.com' to mimic a company's 'acmecorp.com' domain and sends fake payment-redirect instructions to clients.
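The following is an added example, not code from the original entry, showing how the manipulations listed above (hyphen insertion, inserted words, TLD swap, character substitution) can be detected when reviewing sender domains, with the 'acme-invoices.com' case from the example above among the inputs. It goes slightly beyond the text by also flagging a protected domain buried as a leading subdomain of an unrelated hostname. The protected domains, brand keywords, sender list, confusable-character table and two-part suffix list are all constructed for illustration; a real deployment would load the Public Suffix List and a full Unicode confusables table.

```python
"""Lookalike-domain checker (added example, not part of the original entry).

Classifies candidate sender domains against a small set of protected domains
and brand keywords, covering hyphen insertion, inserted words, TLD swaps and
character substitution. All domains, keywords and tables are constructed.
"""
import unicodedata

# Assumed: a tiny subset of two-part public suffixes so 'acmecorp.co.uk'
# yields the label 'acmecorp'. A real deployment would use the Public Suffix List.
TWO_PART_SUFFIXES = {"co.uk", "com.au", "co.jp", "com.br"}

# Digits and letter pairs attackers swap for visually similar characters.
DIGIT_HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b"})
PAIR_HOMOGLYPHS = (("rn", "m"), ("vv", "w"))
# Constructed subset of Unicode confusables: Cyrillic letters that render like Latin ones.
CONFUSABLES = {"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c"}


def registrable(domain: str) -> tuple[str, str]:
    """Return (registrable label, public suffix) for a hostname."""
    parts = domain.lower().strip(".").split(".")
    if len(parts) >= 3 and ".".join(parts[-2:]) in TWO_PART_SUFFIXES:
        return parts[-3], ".".join(parts[-2:])
    if len(parts) >= 2:
        return parts[-2], parts[-1]
    return parts[0], ""


def normalize(label: str) -> str:
    """Fold a label to the ASCII string a reader perceives at a glance."""
    label = unicodedata.normalize("NFKC", label.lower())
    label = "".join(CONFUSABLES.get(ch, ch) for ch in label)
    label = label.translate(DIGIT_HOMOGLYPHS).replace("-", "")
    for pair, single in PAIR_HOMOGLYPHS:
        label = label.replace(pair, single)
    return label


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch single-character typos and insertions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(candidate: str, protected: list[str], keywords: list[str]) -> dict:
    """Return a verdict ('legitimate', 'lookalike' or 'unrelated') with reasons."""
    cand = candidate.lower().strip(".")
    for p in protected:
        if cand == p or cand.endswith("." + p):
            return {"domain": candidate, "verdict": "legitimate", "reasons": []}

    reasons = []
    label, suffix = registrable(cand)
    norm = normalize(label)
    for p in protected:
        p_label, p_suffix = registrable(p)
        # e.g. 'paypal.com.login-verify.net': the real domain as a leading subdomain.
        if "." + p + "." in "." + cand + ".":
            reasons.append(("brand_domain_in_hostname", p))
        if norm == normalize(p_label):
            if suffix != p_suffix:
                reasons.append(("tld_swap", p))
            if "-" in label:
                reasons.append(("hyphen_insertion", p))
            if label.replace("-", "") != p_label:
                reasons.append(("character_substitution", p))
        elif len(p_label) >= 5 and levenshtein(norm, normalize(p_label)) == 1:
            reasons.append(("one_edit_from_brand", p))
    for k in keywords:
        nk = normalize(k)
        if nk in norm and norm != nk:
            reasons.append(("brand_keyword_with_added_words", k))
    verdict = "lookalike" if reasons else "unrelated"
    return {"domain": candidate, "verdict": verdict, "reasons": reasons}


PROTECTED = ["acmecorp.com", "paypal.com"]   # constructed
KEYWORDS = ["acme", "paypal"]                # constructed

# Constructed sender domains, as they might appear in a mail-log review.
SAMPLE_SENDERS = [
    "acmecorp.com", "mail.acmecorp.com", "acme-invoices.com", "pay-pal.com",
    "paypal-secure.com", "paypal.net", "paypa1.com", "p\u0430ypal.com",
    "paypal.com.login-verify.net", "acmecorps.com", "example.org",
]


def review(senders: list[str]) -> dict[str, str]:
    """Map each sender domain to its verdict."""
    return {s: classify(s, PROTECTED, KEYWORDS)["verdict"] for s in senders}


if __name__ == "__main__":
    for s in SAMPLE_SENDERS:
        r = classify(s, PROTECTED, KEYWORDS)
        print(f"{s:32} {r['verdict']:11} {r['reasons']}")
```

The keyword rule is deliberately broad and will also flag unrelated businesses whose names contain the brand token, so in practice it is paired with an allowlist of known-legitimate domains, and a match is treated as a reason to hold the message for review rather than to reject it outright.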