
The Return of an Old Trick: Why Brands with the Letter “M” Should Be on High Alert

By Andrew
Published 04 December 2025

Remember when you first learned to spot phishing emails? You probably thought you’d become pretty good at it. But cybercriminals are dusting off an old playbook, and this time, they’re banking on something deceptively simple: the way your eyes process lowercase letters.

Here’s a quick test. Take a look at these two web addresses:

– microsoft.com

– rnicrosoft.com

Spotted the difference? If you had to squint or look twice, you’re not alone. That second link isn’t Microsoft at all; it’s an imposter using “rn” where the “m” should be. And this seemingly ancient trick is making a comeback in ways that should worry every brand owner, especially those with the letter “M” in their name.

At BrandShelter, we’ve been tracking cybersquatting trends for years, watching as scammers test new tactics, abandon scams that don’t work, and double down on ones that do. Lately, we’ve noticed a resurgence of this form of typosquatting. The goal hasn’t changed though: hijack your brand’s reputation, deceive your customers, and steal money in the process.

What is Typosquatting?

Typosquatting isn’t just about swapping “rn” for “m”, though that’s certainly having its moment. It’s a broader strategy that exploits human error and trust, targeting brands through multiple attack vectors.

The most common approach relies on simple typing mistakes. Miss or double a letter when typing “amazon.com” and you might land on “amazn.com” or “aamazon.com”. These sites often mirror legitimate domains, complete with familiar logos and color schemes, waiting to harvest login credentials or payment information from unsuspecting visitors.

Then there’s the extension game. Cybersquatters love playing with top-level domains (TLDs), knowing that users often default to “.com” in their minds. They’ll register “yourbrand.co” when you own “yourbrand.com”, or grab “yourbrand.shop” during a new TLD release. The Colombian .CO extension has been particularly popular for this, riding on its similarity to the more familiar .COM.

Character substitution, like our “rn” for “m” example, represents a visual attack. Since domain names are case-insensitive and are normally displayed in lowercase, combinations like “vv” for “w” or “cl” for “d” can fool even careful users. When these appear in email addresses, the deception becomes even more dangerous. Imagine your accounts team receiving an invoice from “[email protected]” instead of “[email protected]”. In a busy workday, who’s really checking every character?

Some scammers get creative with hyphens and country-code top-level domains (ccTLDs), creating domains like “brandshelter-fr.com” or “es-brandshelter.com” to appear legitimate while actually being completely separate entities. Others leverage homoglyphs, using characters from different alphabets that look identical to Latin letters, though this has become less effective as browsers have improved their detection.
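To show how these techniques can be checked mechanically on a sender domain or a newly registered name, here is an added example (not BrandShelter's code) that labels which of the tricks described above an observed domain uses against a protected one. The function names and labels are hypothetical, inputs are assumed to be registrable domains or e-mail addresses, and the sender address in the samples is constructed.

```python
# Added example. Look-alike pairs are the ones named in the article.
DIGRAPHS = {"rn": "m", "vv": "w", "cl": "d"}

def split_domain(value):
    """Return (name, tld) from a domain or e-mail address, lowercased.
    Simplification: the TLD is the last label, so 'co.uk' style
    suffixes and subdomains are not handled."""
    host = value.rsplit("@", 1)[-1].lower().rstrip(".")
    name, _, tld = host.rpartition(".")
    return name, tld

def fold_digraphs(name):
    """Collapse each look-alike pair to the single letter it imitates."""
    for pair, single in DIGRAPHS.items():
        name = name.replace(pair, single)
    return name

def one_letter_apart(a, b):
    """True if one string is the other with exactly one character removed."""
    if abs(len(a) - len(b)) != 1:
        return False
    short, long_ = sorted((a, b), key=len)
    return any(long_[:i] + long_[i + 1:] == short for i in range(len(long_)))

def classify(observed, protected):
    """Name the technique that makes `observed` resemble `protected`, or None."""
    o_name, o_tld = split_domain(observed)
    p_name, p_tld = split_domain(protected)
    if o_name == p_name:
        return "exact" if o_tld == p_tld else "tld-swap"
    # Fold both sides so brands that really contain "rn" are compared fairly.
    if fold_digraphs(o_name) == fold_digraphs(p_name):
        return "digraph-substitution"   # rn/m, vv/w, cl/d
    if one_letter_apart(o_name, p_name):
        return "single-letter-typo"     # omitted or doubled character
    if p_name in o_name.split("-"):
        return "hyphen-affix"           # brand-fr, es-brand
    return None

# Constructed samples: article domains plus one made-up sender address.
SAMPLES = [("billing@rnicrosoft.com", "microsoft.com"),
           ("amazn.com", "amazon.com"),
           ("yourbrand.co", "yourbrand.com"),
           ("es-brandshelter.com", "brandshelter.com")]

if __name__ == "__main__":
    for seen, brand in SAMPLES:
        print(f"{seen:26} vs {brand:18} -> {classify(seen, brand)}")
```

Run against inbound sender domains or a feed of new registrations, a non-`None`, non-`exact` label is a reason to hold the message or queue the domain for review.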

The damage goes beyond stolen credentials or misdirected payments. These malicious sites can distribute malware, harvest customer data, or simply redirect traffic to competitors. Worse, they erode customer trust when people associate bad experiences with your brand, even though you had nothing to do with it.

Taking Control Before They Do

So, what’s a brand to do? Waiting for customers to report suspicious sites is like closing the barn door after the horse has bolted. By then, damage to your reputation, not to mention your bottom line, has already been done.

Manual monitoring isn’t realistic for businesses anymore, even if you prefer to handle your own cybersecurity. With new domains being registered every second and thousands of possible variations of your brand name, you’d need an army of employees doing nothing but checking domain registrations for fake websites. Even then, you’d miss most of them. The typosquatters are counting on this. These aren’t super sophisticated hackers, just busy ones; they know most brands simply can’t keep up.

If your brand contains the letter “M”, you should be taking this resurgence seriously. That innocent-looking “m” in your domain name is now a vulnerability, especially when these spoofed addresses start appearing in email communications. Your finance team might be one convincing invoice away from wiring money to “[email protected]” instead of “[email protected]”.

The good news? You don’t have to figure this out alone. At BrandShelter, we specialize in spotting these threats before they become problems. We monitor domain registrations, track emerging brand protection trends, and help brands take swift action when copycats appear.

Don’t Wait for the First Victim

The cost of proper brand protection is a fraction of what you’d lose from a single successful phishing campaign.

If you’re concerned about your brand’s vulnerability to typosquatted domains, then get in touch with BrandShelter. We’ll help you understand your risk level and build a protection strategy that makes sense for your business. Because when it comes to typosquatting, the question isn’t if you’ll be targeted, but when.
