Skip to main content
Home › Learn › Lookalike Domains

What is TLD Squatting?

TLD squatting (or TLD swap) is when an attacker registers your exact domain name under a different top-level domain extension, like .net, .org, or .co instead of .com.

On this page

  1. What is TLD squatting?
  2. Why it matters
  3. Common TLD swaps
  4. How it's exploited
  5. How to protect yourself

What is TLD squatting?

TLD squatting occurs when someone registers a domain name identical to an existing one but under a different top-level domain (TLD). For example, if your business runs example.com, an attacker might register example.net, example.org, or example.co.

With over 1,500 TLD extensions available today (including country codes like .uk, new gTLDs like .app and .shop, and legacy TLDs like .org), it's impossible for most organizations to register their name across every extension.

💡
Why it's effective: Users often assume a domain they know under .com exists under .org or .net too, and may type the wrong extension from memory. Email autocomplete can also suggest the wrong TLD variation.

Why it matters

📧

Email interception

If someone sends an email to [email protected] instead of [email protected], the attacker receives it, including sensitive business communications and documents.

🎣

Convincing phishing

A domain with the right name but wrong TLD looks extremely credible. Many users don't scrutinize the TLD, especially on mobile devices where the address bar is small.

🏷️

Brand confusion

Competitors or bad actors can use your domain name with a different TLD to create confusion, divert traffic, or tarnish your reputation with unrelated content.

💼

Business email compromise

Attackers send invoices or wire transfer requests from a TLD-swapped domain. The domain looks right at a glance, especially in email threads.

Common TLD swaps

These are the most commonly exploited TLD variations:

If you own Watch for Why it's risky
.com .co Easy typo, just one letter difference. Colombia's ccTLD is widely available.
.com .net, .org Classic alternatives that users commonly try from memory.
.com .com.co, .com.br Country-code variants that look like localized versions of the real site.
.com .cam, .cm Visual similarity to .com. Cameroon's .cm is a known typosquatting TLD.
.io .i0 (with zero) Visual confusion between letter 'o' and digit '0'.
Any TLD .app, .dev, .shop New gTLDs are cheap and plentiful, making mass registration easy for attackers.
⚠️
The .cm trap: Cameroon's .cm TLD is infamous for capturing mistyped .com traffic. At one point, the .cm registry itself operated as a wildcard domain, capturing all unregistered .cm domains and redirecting them to ad-filled pages.

How it's exploited

1

Passive email collection

The attacker sets up mail servers on the TLD-swapped domain and passively collects misdirected emails. Sensitive business communications, password resets, and financial documents often arrive without any active effort.

2

Active phishing campaigns

Attackers send phishing emails from the TLD-swapped domain. Since the domain name itself is correct, only the extension differs, making it harder for recipients and spam filters to detect.

3

Ad revenue and affiliate fraud

Less malicious actors park TLD-swapped domains with advertising or redirect them to affiliate links, earning money from misdirected traffic.

4

Domain holding and resale

Some squatters register TLD variations of popular brands with the intent to sell them back to the brand owner at an inflated price.

How to protect yourself

Register key TLD variations

At minimum, register your domain under .com, .net, .org, and your country-code TLD. Redirect them all to your primary domain.

Monitor for new TLD registrations

Use Domain Guarddog to detect when someone registers your domain name under a new TLD extension. Early detection enables swift action.

Implement DMARC, SPF, and DKIM

While these don't prevent TLD squatting, they help receiving mail servers identify emails from TLD-swapped domains as not authorized by your real domain.

Use UDRP for trademark violations

If a TLD-swapped domain infringes your trademark, file a UDRP complaint to have the domain transferred or cancelled through ICANN's dispute resolution process.

Educate your team

Train employees to verify the full domain (including TLD) before clicking links or replying to emails, especially for financial transactions.

Monitor your domain across all TLDs

Domain Guarddog checks for your domain name registered under alternative TLDs and alerts you when new threats appear.

Get Started Free