Domain impersonation uses a deceptive web or email domain to appear connected to a trusted company, executive, supplier or service. The attacker does not need to compromise the real organization. A convincing sender address, copied signature and plausible business request may be enough to trigger a payment, credential reset or confidential disclosure.
The CyberRiskEvaluator Domain Impersonation Checker helps identify names that could be mistaken for an organization’s official domain. The results become more valuable when they are mapped to high-risk processes such as invoices, bank-account changes, executive requests, recruitment and customer support.
Review plausible company and brand variations, then prioritize candidates capable of supporting email or transaction fraud.
Check a DomainA fraudulent domain may differ by one character, but it can also add a regional office, product, department or service word. The message context creates legitimacy: “finance,” “procurement,” “careers,” “secure-docs” and similar terms can make a variation appear operationally normal.
MITRE defines impersonation as adversaries pretending to be a trusted person or organization to persuade a target to act. Domain similarity is one mechanism that helps establish that false identity.
These workflows combine authority, urgency and sensitive data. Monitoring should therefore focus on domains that fit the organization’s real language and counterparties, not only generic misspellings.
A domain configured for email may support sender addresses that look authentic in an inbox. However, the absence of visible mail records at one moment does not guarantee future safety; infrastructure can be changed quickly.
When a candidate appears in a real message, preserve the full headers and compare the envelope sender, visible From address, Reply-To address and embedded links. Display names are easy to imitate and should not be treated as proof of identity.
Technical detection should be paired with process controls. Verify changes to bank details, payroll data, delivery addresses and privileged access through a known contact channel—not by replying to the message that requested the change.
Require dual approval for material payments and define escalation rules for urgency, secrecy or unusual timing. A deceptive domain becomes much less effective when the business process does not rely on email identity alone.
Collect messages, headers, URLs, phone numbers, payment details and screenshots. Block the infrastructure, notify likely targets and search historical mail for related domains or wording. Contact affected suppliers or customers through established channels.
If money was transferred, involve the financial institution and law enforcement promptly according to local procedures. If personal data or credentials were disclosed, activate the appropriate breach, identity and account-compromise response processes.
Domain impersonation crosses organizational boundaries. Security can analyze and block infrastructure; legal can evaluate rights and takedown options; communications can publish warnings; finance and procurement can strengthen verification.
Create one intake route for employees, customers and partners to report suspicious domains. Track evidence, actions and status centrally so that repeated campaigns are recognized rather than handled as isolated messages.
It is the use of a domain that creates the false impression of belonging to or representing a trusted company, person or service.
A lookalike domain can make fraudulent emails appear to come from an executive, supplier or colleague and support payment or data theft.
No. Display names are easily copied. Inspect the full sender domain and verify sensitive requests through a known independent channel.
Use independent callback verification, dual approval and controlled vendor-master changes rather than trusting email instructions alone.
Security, legal, finance, procurement, communications and affected business owners should follow a defined joint response process.
Discover plausible typo, lookalike and impersonation domains around a trusted web address, then prioritize the candidates that deserve investigation.
Analyze Your DomainThe following external resources provide additional context on typosquatting, adversary-owned domains, impersonation and internationalized-domain homographs.
Content reviewed on 14 July 2026. Domain similarity is not proof of malicious intent. Legal disputes should be reviewed by qualified counsel, and suspicious infrastructure should be investigated through approved security procedures.