When typing out URLs, beware of ‘typosquatting’

Q: I mistyped a web address while following setup instructions for my printer and ended up at a scam support site. How can these guys get away with this?

A: One of the oldest tricks on the internet is something called “typosquatting,” the registration of misspelled websites.

Because so many users manually type in web addresses every day, all it takes is one character to be off for this scam to be effective. Instead of going to your intended location, you’ll end up at a potentially harmful site that may look close or even identical to the site you were seeking.

Is it legal?

Typosquatters aren’t always using the misspelled sites for malicious activities, and unless a trademarked name is part of the address, no laws are being broken.

Registering commonly misspelled websites and redirecting the errant traffic to a legitimate website is perfectly legal and a common practice, especially by a competitor of a large brand.

The more popular a website is, like Facebook or Google, the more likely there will be many misspelled versions of it registered to try to take advantage of sloppy spelling errors.

Typically, sites that engage in malicious activities can be brought down by the company that’s hosting the site, but it’s easy for the operators to switch to another host, set up their own web servers or move to another misspelled address, which turns takedowns into an ongoing game of “whack-a-mole.”

Dangerous misspellings

Anyone who’s ever been in a hurry when typing in a web address has accidentally missed a letter like the “c” in “.com” or typed “c” before the “.” in their haste. The resulting web address ends with “.om,” which is the country code for Oman. Hundreds of well-known names have been targeted by .om typosquatters.

Another well-documented domain is “goggle.com,” which popped up in a variety of scams over the years before Google’s long battle to finally acquire it.

This highlights one of the problems with regulating website registrations. Clearly “goggle.com” benefited from the misspelling of “google.com.” But because it’s a generic word, it didn’t violate any of Google’s trademarks, resulting in the long process of acquiring control of it.

Protecting yourself

The obvious tip is to slow down and make sure you’re spelling things correctly. If it’s a site you’ll be visiting frequently, create a bookmark or shortcut to it for future visits.

If you aren’t sure about the spelling of a website, type the web address in without “.com” so that it turns into a Google search. Google’s autocorrect, page-ranking algorithm or “Did you mean?” engine will kick in to most likely point you to the legitimate resource.

As far as legitimate support from a specific company goes, try typing the company’s web address followed by “/support” (e.g., hp.com/support) as this is a pretty standard method used by tech companies.

The best way for companies to protect themselves against typosquatting is to register the misspelled versions themselves and redirect the traffic to the proper address. Facebook, for instance, registered commonly misspelled versions of their site, like “facebok.com” and “facbook.com,” both of which now redirect users to Facebook.com.

Ken Colburn is founder and CEO of Data Doctors Computer Services. Ask any tech question on Facebook or Twitter.

Copyright © 2021 The Associated Press. All rights reserved. This material may not be published, broadcast, written or redistributed.


© 2017 WTOP. All Rights Reserved.
