I once typed "gmial" into the address bar three mornings in a row. My fingers knew the way; my brain wasn't invited. Scammers know this about all of us. They register misspelled versions of brand domains and simply wait. Read paypall.com quickly and your brain says "PayPal." Read it slowly and you'll count three l's. Typosquatting lives in that gap.

What is typosquatting?

Typosquatting means registering a misspelled version of a brand's domain (the address part of a website, like paypal.com) and waiting for people not to notice. Sometimes the misspelled address reaches you inside a phishing email or a text message. Sometimes it catches you when you type an address by hand and a finger slips.

The difference can be a single character:

Real | paypal.com | the brand's registered domain
Fake | paypall.com | one extra "l"; that's the entire trick

The five basic moves

Almost every typo domain is built from one of five small edits. The examples below are all permutations of the same brand name, so you can see each move clearly.

Move | Example | What changed
Doubled letter | paypall.com | an extra "l" at the end
Dropped letter | paypl.com | the second "a" is gone
Swapped neighbors | paypla.com | "la" instead of "al"
Fat-finger neighbor | paupal.com | "u" sits next to "y" on your keyboard
Added hyphen or letter | pay-pal.com | a hyphen splits the name in two

The same moves work on any brand: amzon.com drops a letter, netfilx.com swaps two. Longer names give a typosquatter more room to work; there are simply more letters to quietly change.

Every letter is visible. So why don't you see it?

Typosquatting is a different trick from the homoglyph swap, where a character is replaced with one that looks identical in many fonts (a capital "I" standing in for a lowercase "l" in paypaI.com, for example). A homoglyph is invisible even when you stare straight at it; the font is what fools you.

A typo domain hides differently. Every letter in paypall.com is honestly itself. Nothing is disguised. What shields it is skim-reading: fluent readers recognize the overall shape of a word rather than checking each letter, so a word with the right shape sails through. Your brain autocorrects the address for free, the same way it autocorrects a typo in a friend's text message. 🤓

Edit distance, in one plain sentence

Edit distance is the number of single-character changes (add one letter, remove one, or replace one) needed to turn one word into another. paypall is one edit from paypal (remove an "l"), and paupal is one edit away too (change the "u" back to "y"). It gives software a simple way to measure "how close is this name to a brand name?"

How does IP Tracker check for typos?

When you paste a domain or an email address into IP Tracker, it compares the core name (the part before the ending, so paypall in paypall.com) against a bundled list of roughly 100 widely impersonated brands: banks, payment services, shipping companies, big tech, and the like.

The comparison is length-aware, and that detail matters:

Why the sliding scale? Short names collide by accident. The world is full of four- and five-letter company names that sit one edit from each other, so a loose rule on short names would cry wolf all day. A strict rule keeps false alarms down, and a longer match gets more allowance, because a random eight-letter name landing within two edits of "facebook" is far less likely to be a coincidence.

Even then, a match is flagged as a MEDIUM "possible lookalike": an amber caution, not a red alert. Sometimes a similar name really is a coincidence. The flag is a reason to slow down and look, not a verdict.

Real siblings are not flagged

Brands legitimately own regional and sibling domains, and a checker that flagged those would teach you to ignore it. Each brand entry in IP Tracker's list includes the brand's official siblings, so the real ones pass cleanly. An exact match to an official domain gets a "verified" note instead of a warning.

Real | paypal.de | PayPal's official German domain, listed as a sibling, so it gets a verified note
Fake | paypal-de.com | a hyphen and a fake "regional" tag bolted onto the name
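
The name check from the last three sections (edit distance, a length-aware limit, official siblings), as an added Python sketch that is not IP Tracker's own code. The brand list, the cut-offs in max_edits and the comparison of hyphen-separated pieces are assumptions made for illustration.

```python
import re

# Constructed sample list (assumption): core name -> official domains, siblings included.
BRANDS = {
    "paypal": {"paypal.com", "paypal.de"},
    "facebook": {"facebook.com"},
    "amazon": {"amazon.com"},
}

def edit_distance(a, b):
    """Edits (add, remove or replace one character) needed to turn a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # remove ca
                           cur[j - 1] + 1,             # add cb
                           prev[j - 1] + (ca != cb)))  # replace, or keep if equal
        prev = cur
    return prev[-1]

def max_edits(brand):
    """Assumed sliding scale: one edit for short names, two from eight letters up."""
    return 1 if len(brand) < 8 else 2

def check(domain):
    """Return (verdict, brand) for a domain name."""
    domain = domain.strip().lower().rstrip(".")
    for brand, official in BRANDS.items():
        if domain in official:
            return ("verified", brand)
    # Core name: everything before the ending ("paypall" in "paypall.com").
    core = domain.rsplit(".", 1)[0]
    # Assumption: also compare each dot- or hyphen-separated piece, so a
    # brand name with a tag bolted on ("paypal-de") is still measured.
    pieces = {core, *re.split(r"[.-]", core)}
    hits = []
    for brand in BRANDS:
        d = min(edit_distance(p, brand) for p in pieces)
        if d <= max_edits(brand):
            hits.append((d, brand))
    if hits:
        return ("possible lookalike", min(hits)[1])  # closest brand wins
    return ("no match", None)

if __name__ == "__main__":
    for name in ["paypal.de", "paypall.com", "paypla.com", "paypal-de.com",
                 "faecbook.com", "example.com"]:
        print(name, check(name))
```

Under the add/remove/replace definition a swapped pair costs two edits, so paypla.com slips past this sketch's one-edit limit for a six-letter name, while the same kind of swap in an eight-letter name (faecbook.com) falls inside the two-edit allowance.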

Alongside the name check, IP Tracker consults Google Safe Browsing (Google's list of known dangerous sites), VirusTotal (a tally of how many security vendors flag a domain), and the domain's registration record. If the domain was registered fewer than 90 days ago, the banner adds a "Registered N days ago" line, as a supporting clue only, never a verdict on its own, because plenty of honest sites are new too.

The slow-read check

You can spot most typo domains yourself in about ten seconds. The goal is to knock your brain out of skim mode.

  1. Find the actual domain. In an email, it's the part after the @ in the sender's address. For a link, hover over it (press and hold on a phone) to see where it really points, and read the part just before the first single slash.
  2. Read it out loud, letter by letter. "P-a-y-p-a-l-l dot com." Naming each letter forces you past word-shape recognition. Reading it backwards works even better.
  3. Type the brand's real domain yourself in a new tab, from memory or a saved bookmark. Never copy it from the email you're checking; that email is exactly the thing you don't trust yet.
  4. Compare the two, character by character. Look for doubled letters, missing letters, swapped pairs, and keys that sit next to each other on the keyboard.
  5. Still unsure? Get a second opinion. Paste the domain or the sender's address into IP Tracker. If the name sits within typo range of a known brand, it flags a possible lookalike and names the brand it resembles.

If a message asks you to log in somewhere, you never need its link at all. Type the address yourself or use your bookmark, then log in there. That way you land at the address you typed, not the one the email chose.

What does the flag mean? And what doesn't it?

Three honest limits are worth knowing. IP Tracker's brand list covers roughly 100 widely impersonated names, not every company on earth, so a typo of your local credit union may not be on it. Google Safe Browsing lags on brand-new phishing sites, because a site has to be spotted and reported before it can be listed. And a MEDIUM caution is a signal for your judgment, not a ruling from a machine.

"Not flagged" is not the same as "safe." A typo domain can be hours old, too new for any blocklist, and a genuine coincidence can look like a typo. Treat every result as a second opinion, and let your own slow read have the final word.

To summarize:

Happy slow reading! 😉