Typosquatting Detector — Homograph & Brand Impersonation Risk
Score typosquatting and phishing hostname risk from punycode, keywords, TLD abuse, and structural patterns
How to Use This Tool
- Enter a suspected typosquat domain, subdomain, or URL — scheme and path strip automatically.
- Hostname normalizes to lowercase with trailing dot removed.
- Punycode xn-- prefix triggers homograph attack signal.
- Keyword, TLD, hyphen, digit, depth, and length heuristics accumulate riskScore.
- riskLevel maps to low, medium, or high from score thresholds.
- Optional HTTPS HEAD request reports reachable status when domain is valid.
About This Tool
Typosquatting campaigns register domains one keystroke or homograph away from trusted brands — punycode Cyrillic o for Latin o, login-verify keyword combos, and cheap TLDs bulk-registered for phishing. Brand protection and SOC teams need fast hostname triage before users click. VSPIC typosquatting detector calls the phishing-domain action, normalizes your input, and applies weighted heuristics — punycode detection, suspicious keyword matches, risky TLD list, hyphen and digit density, subdomain depth, raw IPv4 hostname patterns, and excessive length — producing riskScore, riskLevel, and signals array.
Results include suspicious boolean, punycode flag, hyphenCount, digitCount, optional reachable HEAD probe status, and summary text. Clean scores do not prove safety — always verify through official channels. High scores flag typosquatting patterns common in phishing but may match legitimate marketing domains — human review remains essential.
Common use cases
- •Inspect HTTP headers and user-agent strings
- •Analyze email headers for phishing investigation
- •Generate strong passwords for staging environments
Why use VSPIC for ?
- Fast typosquatting heuristics without fetching page content.
- Punycode and homograph detection with explicit signal text.
- Risky TLD and suspicious keyword lists tuned for impersonation patterns.
- Transparent signals array explaining each score contribution.
- riskScore and riskLevel for automation thresholds.
- Free instant analysis — no account required.
Typosquatting versus generic phishing
Typosquatting specifically exploits user typing errors and visual similarity to trusted brands — paypa1.com, micr0soft-login.example, or punycode homographs of well-known domains. Our detector encodes hostname patterns seen across typosquat campaigns rather than analyzing page content or logo similarity.
riskScore summarizes pattern density. signals array documents each hit so brand teams override false positives — legitimate secure-login.example.com may trigger keyword signals while being authentic.
Punycode and homograph attacks
Internationalized domain names encode Unicode characters in ASCII using punycode xn-- prefixes. Attackers substitute visually similar Cyrillic or Greek letters for Latin brand characters. punycode true in results triggers a twenty-five-point penalty and explicit signal text.
Flag punycode domains in user awareness training regardless of score — homograph attacks bypass casual visual inspection.
Suspicious keyword matching for impersonation
We scan joined hostname labels for tokens common in typosquat phishing: login, verify, secure, account, banking, wallet, password, signin, confirm, suspend, support, and related terms. One keyword match adds twelve points and records the matched token in signals.
Combine with domain-reputation-checker age signals and threat-intelligence-lookup for composite brand protection judgment.
Risky TLD abuse in typosquat campaigns
Certain TLDs — including .tk, .ml, .ga, .cf, .gq, .xyz, .top, .bond, and .cam — appear disproportionately in bulk typosquat registration due to low cost. TLD match adds twenty points with explanatory signal text.
Legitimate projects use these TLDs too. TLD signal is one factor — not automatic block justification without additional evidence.
Structural signals — hyphens digits and depth
Three or more hyphens suggest auto-generated typosquat labels. Four or more digits suggest tracking-style phishing URLs. Five or more domain labels indicate deep subdomain chains obscuring apex ownership.
hyphenCount and digitCount appear in results for SOAR playbook threshold tuning.
Brand protection workflows
Run detector on domains from user reports, brand monitoring alerts, and newly registered defensive acquisitions. Medium or high riskLevel warrants correlation with WHOIS age, DNSBL status, and hosting IP reputation.
Export signals array into brand protection ticketing with original brand reference for legal escalation.
Relationship to phishing-domain-checker
Both pages call action phishing-domain with identical JSON. phishing-domain-checker uses phishing domain SEO vocabulary; typosquatting-detector targets brand protection teams searching typosquat terminology.
API consumers use phishing-domain with domain or query parameters interchangeably.
reachable HEAD probe behavior
When input validates as a public domain, we attempt a short HTTPS HEAD request to report reachable true or false. Unreachable does not mean benign — typosquats may geo-fence. Reachable does not mean safe — phishing pages respond 200 routinely.
Core riskScore derives from hostname analysis independent of HTTP availability.
API action phishing-domain
GET /ip-tools/api/extended?action=phishing-domain&domain=suspect-brand-login.example. Parse riskScore, riskLevel, signals, punycode, suspicious, reachable, summary.
Batch brand monitoring feeds through automation with rate limit awareness.
Important notes & limitations
- Heuristic patterns only — legitimate brands can trigger keyword hits.
- Clean score does not prove destination safety.
- Does not enumerate all possible typosquat variants of a brand.
- reachable HEAD probe may fail on firewalled sites unrelated to typosquatting.
- Verify suspicious links through official channels before acting.
Frequently Asked Questions
Yes. VSPIC offers this typosquatting detector at no cost with no account required. Results load in real time.
We do not permanently store your queries on our servers. Some tools run entirely in your browser; others fetch public data for the request only.
Yes. Open the page in any modern phone or tablet browser. Results work on Wi‑Fi and mobile data.
No. Clean heuristics do not prove safety. Sophisticated typosquats may score low — verify through official channels.
Keyword or TLD heuristics may match marketing hostnames. Read signals array and apply human judgment.
No. It analyzes one hostname you submit. Use subdomain-discovery and brand monitoring services for variant enumeration.
Same phishing-domain API and JSON. This page targets typosquatting SEO framing; phishing-domain-checker uses phishing domain vocabulary.
Yes. We strip the scheme and path, analyzing the hostname portion only.
phishing-domain with the domain parameter.
Next step for your check
Continue with phishing domain checker on VSPIC.
Related Tools
Explore more free VSPIC tools for IP, DNS, security, and network diagnostics.
Phishing Domain Checker
Heuristic phishing risk — punycode, keywords, TLD abuse, hostname patterns
Use Free →Domain Reputation Checker
Domain trust score from WHOIS age, SPF, DMARC, and DNSBL signals
Use Free →Threat Intelligence Lookup
Aggregate IP or domain threat brief — reputation, Spamhaus, phishing, DNSBL
Use Free →WHOIS Lookup
Retrieve domain and IP registration WHOIS records
Use Free →Header Checker
Inspect HTTP request and response headers
Use Free →Link Checker
Verify if a URL is reachable and check HTTP status
Use Free →
Trusted by Users Who Value Privacy
Always Free
No premium plan ever
100% Private
Files processed in browser
Instant Results
Convert in seconds
Works Everywhere
Any device, any OS