Typosquatting & Defensive Domain Registration

A plain-English guide to typosquatting and defensive domain registration: how the ACPA and UDRP fight misspelled-domain abuse, which variants to grab, and how to monitor your brand.

By Lidiia Levitska  ·  June 17, 2026
Hands typing on a laptop with a brand protection security overlay
A single mistyped letter can send your customers to a copycat site — defensive registration and monitoring close that gap. Shutterstock
Educational guide, not legal advice. This article explains general legal concepts and is not a substitute for advice from an attorney licensed in your jurisdiction. Reading it does not create an attorney–client relationship.

Quick answer: Typosquatting is when someone registers misspelled or look-alike versions of your domain (like "amaozn.com") to catch mistyped traffic and monetize it through ads, phishing, or resale. You fight it on two fronts. First, a defensive domain registration strategy: proactively buy your most likely typos, spelling variants, and the key TLDs (.com, .net, .org, .co) so squatters can't. Second, the legal tools — the U.S. ACPA lawsuit and the international UDRP arbitration — to claw back the domains you didn't get. Add a trademark to the Trademark Clearinghouse for new gTLD protection, and set up monitoring so you find copycats early. For your own situation, talk to an attorney licensed in your jurisdiction.

You register the perfect domain, build a brand, and start sending traffic to it. Then a customer types one wrong letter — and lands on a page that looks like yours but isn’t. That is typosquatting, and for a recognizable brand it is not a hypothetical. This guide explains what typosquatting is, why it is harmful, the two legal tools that exist to fight it, and a practical, budget-aware way to defend your brand before a problem starts.

This is part of our Domain & cybersquatting pillar. For the broader category of domain abuse, see what is cybersquatting.

What typosquatting is — and why it’s harmful

Typosquatting (sometimes called URL hijacking) is a subset of cybersquatting that specifically targets the mistakes people make when typing a web address. Instead of grabbing your exact brand name, a typosquatter registers the predictable near-misses:

  • Fat-finger typosgogle.com, amaozn.com, missing or doubled letters, adjacent-key slips.
  • Spelling variantsflikr vs. flickr, lite vs. light, British vs. American spellings.
  • Punctuation and structure — adding or dropping hyphens, swapping singular and plural, or appending a word like “shop” or “login.”
  • TLD swaps — your .com re-registered as .net, .org, .co, or a country-code domain.

Why does any of this matter? Because that mistyped traffic has real value, and squatters monetize it in ways that hurt you:

  • Ad and affiliate revenue — the page is stuffed with pay-per-click ads, often for your competitors.
  • Phishing and malware — a convincing look-alike of your login page harvests customer passwords, payment details, or installs malware. This is the most dangerous form because it directly attacks your customers.
  • Brand dilution and lost sales — visitors who meant to reach you bounce, or buy something else, and may blame you for a sketchy experience.
  • Ransom resale — the squatter sits on the domain and offers to sell it to you at an inflated price.

The damage is both financial and reputational, which is why proactive defense almost always costs less than cleanup.

When defensive registration doesn’t catch a domain, two mechanisms let a brand owner take it back.

The ACPA (a U.S. lawsuit). The Anticybersquatting Consumer Protection Act, codified at 15 U.S.C. § 1125(d), lets a trademark owner sue someone who registers, traffics in, or uses a domain that is identical or confusingly similar to a distinctive mark (or dilutive of a famous mark) with a bad-faith intent to profit from it. Courts have consistently held that deliberately registering misspellings of a well-known mark — classic typosquatting — falls within the statute. To weigh “bad faith,” courts look at factors such as whether the registrant has any legitimate rights in the name, whether they intended to divert consumers for commercial gain, and whether they have hoarded multiple domains that copy others’ marks. A successful ACPA case can win transfer of the domain plus, in some situations, statutory damages — but it is federal litigation, with the cost and timeline that implies.

The UDRP (faster international arbitration). The Uniform Domain-Name Dispute-Resolution Policy is built into nearly every domain registration agreement and is administered by providers such as the World Intellectual Property Organization (WIPO). It is an administrative proceeding — no courtroom — and the complainant must prove all three elements of paragraph 4(a): (1) the domain is identical or confusingly similar to a mark they have rights in; (2) the registrant has no rights or legitimate interests in the domain; and (3) the domain was registered and is being used in bad faith. The remedy is limited to transfer or cancellation of the domain — no money damages — but it is far faster and cheaper than a lawsuit, usually resolving in a couple of months. For many garden-variety typosquatting situations, the UDRP is the first tool brand owners reach for.

A quick way to keep them straight: the UDRP is the fast, cheap, transfer-only arbitration; the ACPA is the slower, costlier U.S. lawsuit that can also award damages. Which fits depends on your goals and where the squatter is — a question for an attorney licensed in your jurisdiction.

A sensible defensive-registration strategy

You cannot register every conceivable misspelling, and trying to would waste money. The goal is to cover the highest-probability, highest-harm variations and let monitoring plus the legal tools handle the long tail.

A practical shortlist for most brands:

  • Own your exact name in the core TLDs. Start with .com, then add .net, .org, and .co — the variants most likely to be confused with .com. Add .io, .app, or an industry-specific gTLD if it fits your space.
  • Grab the obvious typos. Map the keyboard: doubled letters, dropped letters, transposed letters (“borwn” for “brown”), and adjacent-key slips. Tools that auto-generate typo permutations help you build the list.
  • Cover spelling and number/word swaps. “to/two/2,” “for/4,” American vs. British spellings, and common phonetic alternatives.
  • Singular, plural, and hyphenated forms. If your brand is “BlueWidget,” consider bluewidgets, blue-widget, and blue-widgets.
  • Your country-code TLD if you operate in a specific market (.us, .ca, .co.uk, etc.).

Then make the defensive domains actually useful: 301-redirect every one of them to your primary site. That converts mistyped traffic into real visitors instead of dead ends, and it signals you are actively using the names. Set them all to auto-renew — a lapsed defensive domain is a gift to a squatter, and “drop-catching” expired brand domains is a known tactic. Registering the brand name itself across the core TLDs and your handles is covered in locking your brand.

The Trademark Clearinghouse and new gTLDs

The domain world is no longer just .com and a handful of others — hundreds of new generic top-level domains (gTLDs) like .shop, .online, and .store have launched, each one a fresh place a squatter could register your name. Buying defensively across all of them is impossible. This is what the Trademark Clearinghouse (TMCH) is for.

The TMCH, established by ICANN, is a central, authenticated database of verified trademarks. You record your registered mark once (typically on an annual basis), and it unlocks two protections across participating new gTLDs:

  • Sunrise period. Every new gTLD must run a Sunrise period of at least 30 days before opening to the public. Verified TMCH records receive a signed mark data (SMD) file that lets you register your brand in that new extension before anyone else can — a chance to claim the name preemptively.
  • Trademark Claims service. For at least the first 90 days of general registration, if anyone tries to register a domain that matches your TMCH-recorded mark, they get a warning that the name is trademarked — and if they proceed anyway, you get notified, giving you an early heads-up to act.

The TMCH does not block registrations outright, and it covers exact matches rather than every typo, so it is one layer rather than a complete shield. But for a brand worried about the sprawl of new extensions, it is an efficient, centralized way to get early warning and first dibs.

Monitoring your brand

Defense is not a one-time purchase — squatters register new variations constantly, so the brands that stay ahead watch continuously. A workable monitoring routine:

  • Domain watch services. Brand-protection and registrar services scan new registrations for names confusingly similar to yours and flag them. The TMCH Claims notices feed into this for new gTLDs.
  • Trademark watch. Pair domain monitoring with a watch on new trademark applications, since a squatter may also try to register the mark itself.
  • Search and alert tools. Set up alerts for your brand name and common misspellings to catch look-alike sites that show up in search or ads.
  • Check the expiry calendar. Periodically confirm your own defensive domains are renewing and watch for valuable variants dropping that you may want to pick up.

When you find a problem domain, your options scale with severity — a polite request or purchase offer for a dormant name, an escalation through the registrar for abuse, a UDRP complaint for a clear bad-faith case, or an ACPA lawsuit when damages or a stubborn U.S. registrant are in play. An active phishing site impersonating you is urgent: report it to the host and registrar immediately, not just through the slower dispute channels.

The bottom line

Typosquatting exploits a gap you can largely close before it ever costs you a customer. Register your core TLDs and the most likely typos, redirect them to your real site, keep them on auto-renew, record your trademark in the Trademark Clearinghouse for new-gTLD protection, and set up monitoring so you spot copycats early. When prevention falls short, the UDRP and the ACPA give you ways to get abusive domains back. Treat it as a recurring layer of brand maintenance, not a one-time chore, and you keep both your traffic and your reputation pointed where they belong.

This guide is general educational information about intellectual property law, not legal advice, and it does not create an attorney-client relationship. Laws and procedures change and vary by jurisdiction. For guidance on your specific situation, consult an attorney licensed in your jurisdiction.

Frequently asked questions

What is typosquatting?

Typosquatting is registering domain names that are deliberate misspellings or near-variants of a well-known brand — think 'gooogle.com' or 'amazn.com' — to catch people who mistype a web address. The squatter then monetizes that traffic with ads, affiliate links, phishing pages, or by trying to sell the domain to the brand owner. It is a specific flavor of cybersquatting that targets human typing errors rather than the exact brand name.

Is typosquatting illegal in the United States?

It can be. Under the Anticybersquatting Consumer Protection Act (15 U.S.C. § 1125(d)), a trademark owner can sue when someone registers, traffics in, or uses a domain that is identical or confusingly similar to their mark with a bad-faith intent to profit. Courts have repeatedly held that intentionally registering misspellings of a famous mark fits squarely within the ACPA. This is general information, not legal advice; whether a specific domain is unlawful depends on the facts.

How many domain variations should I actually register?

There is no magic number — it is a budget-versus-risk decision. Most brands register the .com plus a short list of high-value variations: the most likely fat-finger typos, common spelling alternatives, the singular/plural, hyphenated forms, and the key alternative TLDs such as .net, .org, and .co. You cannot buy every possible misspelling, so pair a sensible defensive shortlist with active monitoring and the legal tools for the rest.

Lidiia Levitska
About the Author

Lidiia Levitska

International Intellectual Property Attorney

Lidiia Levitska focuses on intellectual property dispute resolution, policy, and advisory work across international institutions and government bodies. From 2021 to 2025 she served at the World Intellectual Property Organization (WIPO), managing arbitration cases and overseeing compliance with the Uniform Domain-Name Dispute-Resolution Policy (UDRP), and earlier led IP policy research as a Senior Policy Officer at the American Chamber of Commerce in Ukraine. She holds an LL.M. in International Intellectual Property Law from Chicago-Kent College of Law and an M.A. in Information Technology Law from the University of Tartu, and was admitted to the Ukrainian Bar in 2019.

More about Lidiia →