The manager for a large commercial builder recently called her IT support with serious concerns. One of their clients received an email that at first looked like it came from her work email account, asking for payment on completed work, but it didn’t originate from her office.
The email address included her name, and the business domain was only one letter off. The sender asked for a wire transfer of payment for labor and materials on a large project costing almost a million dollars, and the recipient almost paid. This manager’s company has fallen victim to typosquatting, and they’re not alone.
Cybersquatting is when someone buys a domain name so they can pretend to be another entity or business. Typosquatting is a form of cybersquatting and occurs when someone buys the misspelling of a domain name to get online traffic from those mistakes. It’s also sometimes called URL hijacking.
A domain name is an entity’s web address, what people type in the navigation bar to visit their website. It might look like businessname.com, localcharity.org or localcollege.edu. Email addresses typically follow a formula similar to bob@businessname.com, amy@localcharity.org or professormike@localcollege.edu.
When users mistype or “fat finger” in the wrong address, they may be taken to a fraudulent website that looks similar to the one they intended to visit. The website owners can use this deception to steal identity information, sell products, or misinform.
They can also send email from the misspelled domain name to try and trick the recipient into thinking it came from someone inside the company being mimicked. Recipients might think they’re dealing with a trusted source when they’re really interacting with someone whose whole intent is to deceive.
Cybercriminals try to stick as close as possible to the original domain name with only slight variations so users will overlook the mistake. URL hijackers often register domain names with the most common typos or misspellings. They might also change the domain suffix, hoping the user will choose to visit yourtown.com instead of yourtown.gov when trying to pay a utility bill or traffic ticket.
Another trick is to add an “s” to the domain name. For example, when yourtownplumber.com becomes yourtownplumbers.com, the user might not even notice the difference.
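The variations described above (a domain one character off, the same name under a different suffix, or a trailing "s" added) can be checked for on inbound mail before anyone acts on a payment request. The following is an added example, not code from the BBB article; the protected domain, the sample messages and the function names are constructed for illustration.

```python
# Added example: flag sender domains that resemble a domain we own.
# Catches the three tricks the article describes: one character off,
# same name with a different suffix, and the name with an extra "s".

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance between two strings (dynamic programming)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete ca
                           cur[j - 1] + 1,         # insert cb
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]

def split_domain(domain: str):
    """'yourtown.gov' -> ('yourtown', 'gov')."""
    name, _, suffix = domain.lower().rpartition(".")
    return name, suffix

def lookalike_reason(sender_domain: str, protected_domains):
    """Return why sender_domain looks like a protected domain, or None."""
    sender = sender_domain.lower()
    s_name, s_suffix = split_domain(sender)
    for protected in protected_domains:
        p = protected.lower()
        if sender == p:
            return None  # exact match: one of our own domains
        p_name, p_suffix = split_domain(p)
        if s_name == p_name and s_suffix != p_suffix:
            return f"same name as {p} with different suffix .{s_suffix}"
        if s_name == p_name + "s" and s_suffix == p_suffix:
            return f"{p} with an extra 's'"
        if edit_distance(sender, p) <= 1:
            return f"one character off from {p}"
    return None

def flag_messages(messages, protected_domains):
    """Return (sender, reason) for every message from a look-alike domain."""
    flagged = []
    for msg in messages:
        domain = msg["from"].rpartition("@")[2]
        reason = lookalike_reason(domain, protected_domains)
        if reason:
            flagged.append((msg["from"], reason))
    return flagged

# Constructed sample data (hypothetical domain and mailbox names).
PROTECTED = ["businessname.com"]
SAMPLE_MESSAGES = [
    {"from": "bob@businessname.com", "subject": "Invoice 1042"},
    {"from": "bob@businessnane.com", "subject": "Wire transfer request"},
    {"from": "bob@businessname.co", "subject": "Updated bank details"},
    {"from": "bob@businessnames.com", "subject": "Payment reminder"},
    {"from": "amy@localcharity.org", "subject": "Newsletter"},
]
```

Running `flag_messages(SAMPLE_MESSAGES, PROTECTED)` reports the three look-alike senders and leaves the genuine one and the unrelated charity alone; a mail gateway or SIEM rule can apply the same check against the list of domains the organization actually owns.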
BBB offers resources to help people know who they can trust on BBB.org. Review BBB ratings, customer reviews, and links that go directly to the business website.
The Anticybersquatting Consumer Protection Act (ACPA) was enacted in 1999 to make it illegal to register Internet domains that are similar to an existing business or personal name with the intent to misuse them. Cybersquatting and typosquatting are illegal, and ACPA requires URL owners to prove they’re acting in good faith.
If you find someone has registered a variation that could be used to impersonate you, notify partners, customers, employees and anyone else who might be deceived so they can be on the lookout. Consider submitting a petition to the World Intellectual Property Organization to gain ownership of a domain that is “identical or confusingly similar” to yours if you can show the domain registrar is acting in bad faith.
Watch out for a similar scam with tech support phone numbers when looking for IT assistance.
BBB promotes trust in the marketplace. If you or your business experiences typosquatting or anything else that seems like an illegal scheme to mislead consumers, help us investigate and warn others by reporting it to BBB Scam Tracker.
The post "Typosquatting – how “fat fingers” can cost you" appeared first on www.bbb.org