TLD Squatting

Detection of domains using incorrect Top-Level Domains (TLDs) to confuse and mislead users.

What is TLD Squatting?

TLD squatting occurs when attackers register domain names that are identical to legitimate brands but use different Top-Level Domains (TLDs). This technique exploits user confusion about domain extensions, making malicious sites appear legitimate at first glance.

With hundreds of TLDs now available (.com, .net, .org, .biz, .info, country codes, and new gTLDs), attackers have numerous opportunities to create deceptive domains that closely mirror legitimate brand websites.

How We Detect It

Our TLD squatting detection systematically monitors for your brand names across all available TLDs by:

  • Extracting the domain name portion (excluding the TLD) from new registrations
  • Comparing against your monitored keywords for exact matches
  • Flagging domains where only the TLD differs from your legitimate domain
  • Prioritizing high-risk TLDs commonly used in phishing attacks
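The steps above can be sketched as follows. This is an added example, not the service's own code: the function names, the sample feed, the short multi-label suffix set and the review-order ranking are assumptions, and the TLD groups are the categories listed further down this page. It also covers two cases the bullets imply, multi-label suffixes such as .co.uk and brand names that appear only as a subdomain.

```python
# Constructed subset (assumption); real code should load the Public Suffix List.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp", "com.br"}

# TLD groups copied from this page's categories; their ordering is an assumption.
TIERS = [
    ("high_abuse", {"tk", "ml", "cf", "ga", "top", "work", "click", "download"}),
    ("confusing_cc", {"co", "cm", "om", "ly"}),
    ("business_gtld", {"shop", "store", "business", "company", "finance", "bank"}),
]

def split_domain(fqdn):
    """Return (registrable_label, suffix), or None for malformed names."""
    labels = fqdn.strip().rstrip(".").lower().split(".")
    if len(labels) < 2 or "" in labels:
        return None
    two = ".".join(labels[-2:])
    if len(labels) >= 3 and two in MULTI_LABEL_SUFFIXES:
        return labels[-3], two
    return labels[-2], labels[-1]

def tier_of(suffix):
    """Return (rank, tier_name); a lower rank is reviewed first."""
    for rank, (name, tlds) in enumerate(TIERS):
        if suffix in tlds:
            return rank, name
    return len(TIERS), "other"

def classify(fqdn, monitored):
    """monitored maps a brand label to the set of suffixes the brand owns."""
    parts = split_domain(fqdn)
    if parts is None:
        return None
    label, suffix = parts
    owned = monitored.get(label)
    if owned is None or suffix in owned:
        return None  # not a monitored brand, or the brand's own domain
    rank, name = tier_of(suffix)
    return {"domain": f"{label}.{suffix}", "brand": label, "tier": name, "rank": rank}

def scan(feed, monitored):
    """Classify every feed entry and return alerts, highest priority first."""
    alerts = [a for a in (classify(d, monitored) for d in feed) if a]
    return sorted(alerts, key=lambda a: (a["rank"], a["domain"]))

# Constructed sample data, not real registration records.
MONITORED = {"paypal": {"com"}, "microsoft": {"com"}, "amazon": {"com"}}
FEED = ["paypal.net", "microsoft.co", "amazon.shop", "paypal.com",
        "paypal.evil.com", "www.paypal.co.uk", "PayPal.TK.", "example.tk"]
print(*(f'{a["tier"]} {a["domain"]}' for a in scan(FEED, MONITORED)), sep="\n")
```

paypal.evil.com produces no alert because the registrable label is "evil"; a brand name used as a subdomain is a different technique from TLD squatting and needs its own check.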

Real-World Examples

Common TLD Confusion

High Risk
paypal.com → paypal.net

Uses .net instead of .com, exploiting the fact that many users try different TLDs when a site doesn't load.

Country Code Exploitation

High Risk
microsoft.com → microsoft.co

Uses .co (Colombia) instead of .com, a particularly deceptive substitution due to visual similarity.

New gTLD Abuse

Medium Risk
amazon.com → amazon.shop

Uses .shop TLD to appear like a legitimate shopping site, potentially confusing customers.

Organization TLD Misuse

High Risk
redcross.org → redcross.com

Switches from .org to .com, potentially confusing donors and volunteers about the official website.

High-Risk TLD Categories

Certain TLDs are more commonly abused for phishing and squatting attacks:

High Abuse TLDs

TLDs with low registration costs and minimal verification requirements.

.tk, .ml, .cf, .ga, .top, .work, .click, .download

Confusing Country Codes

Country codes that look similar to common TLDs or have dual meanings.

.co (Colombia), .cm (Cameroon), .om (Oman), .ly (Libya)

Business-Oriented gTLDs

New generic TLDs that appear professional and legitimate.

.shop, .store, .business, .company, .finance, .bank

Why TLD Squatting is Effective

  • User confusion: Many users don't understand TLD significance
  • Trial and error: Users often try different TLDs when sites don't load
  • Search results: Fake domains can appear in search results
  • Email links: Alternative TLDs work effectively in phishing emails

Detection Strategy

Our comprehensive approach to TLD squatting detection includes:

  • Monitoring across 1000+ available TLDs and country codes
  • Prioritizing high-risk TLDs with a history of abuse
  • Real-time alerts when exact brand matches are registered
  • Historical analysis to identify patterns and emerging threats

Protection Recommendations

When TLD squatting is detected against your brand, consider these actions:

  • Defensive registration: Register your brand on critical TLDs (.net, .org, country codes)
  • Content analysis: Check if squatting domains host malicious content
  • Legal action: File UDRP complaints for clear trademark violations
  • User education: Inform customers about your official domain and TLD

Emerging Threats

The TLD landscape continues to evolve with new challenges:

  • New gTLD releases: Hundreds of new TLDs create new squatting opportunities
  • IDN TLDs: Internationalized domain names add complexity
  • Industry-specific TLDs: .bank, .finance, .insurance create trust illusions
