Typosquatting is what we call it when people - often criminals - register a common misspelling of another organization's domain as their own. For example: tailspintoy.com instead of tailspintoys.com (note the missing "s").
If you mistype or misspell the legitimate site you'll get the typosquatter's site instead and it may not always be obvious that you're not where you intended to go.
Note: Typosquatting is sometimes referred to as URL hijacking.
The reasons range from harmless to very harmful. Here are a few of them:
-
Pranks - Such as a parody page of the legitimate one.
-
Ads - To take you to a page that shows ads just to collect money for impressions or clicks.
-
Competition - Though it's highly unethical, and often illegal - companies could try and register the similar domain names to their competitors in hopes of redirecting customers to their own sites.
These first examples would be fairly easy to spot. If you meant to go to tailspintoys.com and ended up at wingtiptoys.com, a joke page, or a page full of ads instead, you would probably realize quickly that you're in the wrong place.
The next reason is far more dangerous, however.
-
Cybercrime - Criminals involved in phishing or malware often use typosquatting to snare unsuspecting people by directing them to a site that may look like the real site, but actually tries to steal personal information or install malware.
Sites using typosquatting to commit cybercrime will often look very much like the real site, in fact the criminals often "copy and paste" the real site to make it more likely innocent people will be fooled into giving up their personal information or downloading a malicious file.
How can you prevent being misled by typosquatting?
Tip: Microsoft Edge includes a typosquatting checker that can warn you if you appear to have mistyped a common web address and may be directed to a malicious site. You'll find that setting in Edge under Settings > Privacy, Search, and Services. Scroll down to the Security section and look for Website typo protection.
-
Whenever possible go to your important sites like banking, social media, or shopping from your own saved favorites, rather than by typing them into the address bar of the browser each time.
-
If you do have to type an address into the address bar, type carefully and double-check that what you typed matches the address you intended to go to before you continue.
-
If you're typing in an address you've gone to before, your browser may offer to complete the address for you. Give it a quick look, but it's usually safer to accept that suggestion.
-
Never click a link you weren't expecting in an email or other message, even if it appears to come from a trusted person or organization.
-
If you have to click on a link, look carefully at the address it's going to take you to. Usually just hovering your mouse pointer over the address will show you what address the link will really take you to.
Watch for subtle spelling differences such as "woodgrowebank.com" instead of "woodgrovebank.com" or letters that have been substituted for numbers such as "c0ntoso.com". Adding, or removing, an "s" at the end of the domain name is another common trick.
There may also be less-subtle differences, like adding a word or some punctuation to a legitimate domain name. "woodgrove-bank.com" or "thewoodgrovebank.com" are two examples of how typosquatters may try to trick you into visiting a fake versions of the woodgrovebank.com website.
What should I do if I think I've arrived at a page I didn't want to go to via typosquatting?
Close that browser tab and start again.
You can also report the site to us as an unsafe site in Microsoft Edge by going to Help and feedback > Report unsafe site, which will take you to: https://feedback.smartscreen.microsoft.com/feedback.aspx.
