Digital squatters are weaponizing your muscle memory to steal passwords


You don’t have to fall for an obvious phishing email to get burned anymore. A growing wave of “digital squatting” relies on lookalike domains so close to the real one that you barely notice the difference, until you’ve already typed your login details into the wrong site.

As we become more distrustful of outright cyberscams, there’s a fresh onslaught of malicious social engineering going on, dubbed “digital squatting.”

Decodo, a proxy and automated web-data-collection provider, defines digital squatting in a recent report as “using a domain name in bad faith to profit from another party's trademark.”


The report details a 68% rise in digital-squatting cases over the last five years, with 2025 alone bringing 6,200 adversarial domain-name cases. But how does something so subtle, yet so damaging, take hold in the first place?

According to media and public relations strategist Tracy Lamourie, whose job involves raising scam awareness (especially to seniors at the John Parkinson Family Foundation), “digital squatting really works best when it feels boring, and it doesn’t set off suspicious bells.”

“It’s not about tricking users – it’s about disappearing into the user’s routine.”

An office worker snowed under in his cubicle.
James Leynse via Getty Images

Tellingly, we are at our least suspicious when we are dealing with tasks such as monotonous workloads or clearing out our email inboxes.

From the squatter’s point of view, the end user is understandably easy to dupe, especially when inbox filters sort everything into a few coarse buckets such as “important,” “promotions,” and “spam”: a message that lands in the first bucket inherits a measure of trust it has not earned.

And once lookalike domains impersonating real organizations slip through those filters into the main inbox, the attacker already has a foothold.

As Aimee Simpson, director of product marketing at Huntress, a cybersecurity company, explains, “The more legitimate a URL or email looks, the easier it is to bypass people’s skepticism.”


Who is most at risk?

A user’s initial skepticism can be overcome by borrowing household brand names that people already associate with security and big tech.

According to Simpson, “attackers often combine digital squatting with other elements of brandjacking, such as using well-known logos and recognisable slogans to create convincing email content, websites and social media accounts,” with targets including big players such as Microsoft, DocuSign, Amazon, Apple, Dropbox, and Canva.

What makes such fraud succeed is the trust recipients place in these companies without a second thought. And because virtually every industry, from education to logistics, receives legitimate correspondence from them, attackers can target any sector.

As Lamourie explains, it can be the menial things that slip through the radar, such as invoices, logins, renewals, and other things “you're not really emotionally engaged in.”

A senior citizen gets to grips with a pension processing machine.
Picture Alliance via Getty Images

Seniors are particularly affected by such brandjacking, even as family members urge them to be extra vigilant.

Fraudulent domains like ‘Microsfot’, a single transposed letter pair away from the real name, act as a gateway for cyber-swindles, tricking retirees into handing over credentials or paying for fake technical support.

Checking the domain name of everything we click on may sound like tedious housekeeping, but it is a habit that pays off. A password manager helps too: it fills saved credentials only on the exact site they were saved for, so when it declines to fill a familiar-looking login page, that silence is itself a warning.


What kinds of digital squatting are there?

According to Simpson, the tricks that these online scammers pull off are to “introduce small typos, add in extra words like 'support,’ or replace letters with similar-looking characters such as an uppercase ‘i’ to replace a lowercase L.”

In its report, Decodo sorts the concept into four types: typosquatting (a misspelling of the real name, such as a transposed or dropped letter), combosquatting (the real name combined with an extra word such as ‘support’ or ‘login’), TLD squatting (the real name under a different top-level domain, such as .co or .net instead of .com), and homograph attacks (characters swapped for ones that look the same, from an uppercase ‘I’ standing in for a lowercase ‘l’ to Cyrillic letters in an internationalized domain name).

A screenshot with the four different types of digital squatting.
Screenshot from Decodo

And it’s not just the unsuspecting individual who can suffer as a result. As Lamourie explains, brands have to face the music too.

“What is most underestimated is that brands really don't realize how much trust damage can happen really quickly and quietly because users do not always report these incidents. They just stop trusting anything connected to the brand.”

One countermeasure Decodo advises is for blue-chip companies to expand their digital footprint beyond the flagship .com site by defensively registering additional domains, such as common misspellings and alternate top-level domains, before a squatter does.
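To make the four categories above concrete, and to show what the defensive-registration advice looks like in practice, here is an added Python example. It is not code from Decodo or Huntress: the confusable table, the combo words, the alternate-TLD list and the typo threshold are assumptions chosen for illustration, and the script splits a domain at its first dot, so suffixes like co.uk and subdomain tricks such as brand.com.evil.net simply show up as a different “TLD”. The classifier tags a candidate domain against a brand’s real domain; the generator produces the lookalikes a brand would register or monitor.

```python
"""Classify lookalike domains into the four squatting types named in the
Decodo report (typosquatting, combosquatting, TLD, homograph) and generate
the candidates a brand might register or watch defensively.

Added illustration, not Decodo's or Huntress's code. Assumptions: a domain
is split at its first dot; the confusable table, word list, TLD list and
typo threshold are small heuristics, not a complete Unicode confusables list.
"""

# Sequences attackers substitute because they render alike (assumed subset).
# Keys are the fake sequence, values the ASCII they imitate. Cyrillic letters
# are written as escapes so the lookalike is unmistakable in source.
CONFUSABLES = {
    "I": "l", "1": "l", "0": "o", "vv": "w", "rn": "m",
    "\u0430": "a", "\u0435": "e", "\u043e": "o",   # Cyrillic a, e, o
    "\u0440": "p", "\u0441": "c", "\u0445": "x",   # Cyrillic p, c, x
}

def normalize(label: str) -> str:
    """Fold confusables onto the ASCII they imitate, then lowercase.
    Two-character keys ('rn', 'vv') go first; 'I' must be folded before
    lowercasing, or it would turn into a plain 'i'."""
    for fake, real in sorted(CONFUSABLES.items(), key=lambda kv: -len(kv[0])):
        label = label.replace(fake, real)
    return label.lower()

def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insertion, deletion, substitution
    and adjacent transposition each cost 1, so 'microsfot' scores 1 against
    'microsoft' rather than the 2 plain Levenshtein would give."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]

def _split(domain: str):
    """'label.tld' -> ('label', 'tld'); everything after the first dot is the tld."""
    label, _, tld = domain.partition(".")
    return label, tld.lower()

def classify(brand_domain: str, candidate: str) -> list:
    """Tags a candidate earns against the brand domain: one of homograph /
    typosquatting / combosquatting for the label, plus 'tld' when the suffix
    differs; ['legitimate'] or ['unrelated'] otherwise."""
    brand_label, brand_tld = _split(brand_domain.lower())
    if "xn--" in candidate.lower():          # punycode: decode to the Unicode form
        candidate = candidate.encode("ascii").decode("idna")
    label, tld = _split(candidate)
    tags = []
    if label.lower() != brand_label:         # DNS is case-insensitive; caps alone are fine
        folded, brand_folded = normalize(label), normalize(brand_label)
        limit = 1 if len(brand_label) <= 5 else 2   # assumed typo threshold
        if folded == brand_folded:
            tags.append("homograph")
        elif osa_distance(folded, brand_folded) <= limit:
            tags.append("typosquatting")
        elif brand_folded in folded:
            tags.append("combosquatting")
        else:
            return ["unrelated"]
    if tld != brand_tld:
        tags.append("tld")
    return tags or ["legitimate"]

# Assumed word and suffix lists for defensive generation.
COMBO_WORDS = ("login", "support", "secure", "billing")
ALT_TLDS = ("com", "net", "org", "co")

def generate(brand_domain: str) -> list:
    """Lookalikes a brand would register or monitor: adjacent transpositions
    and single omissions, brand+word combos, alternate TLDs, and one
    confusable substitution per table entry."""
    label, tld = _split(brand_domain.lower())
    out = set()
    for i in range(len(label) - 1):                      # typosquatting
        out.add(f"{label[:i]}{label[i + 1]}{label[i]}{label[i + 2:]}.{tld}")
    for i in range(len(label)):
        out.add(f"{label[:i]}{label[i + 1:]}.{tld}")
    for word in COMBO_WORDS:                             # combosquatting
        out.add(f"{label}-{word}.{tld}")
        out.add(f"{label}{word}.{tld}")
    for alt in ALT_TLDS:                                 # TLD squatting
        if alt != tld:
            out.add(f"{label}.{alt}")
    for fake, real in CONFUSABLES.items():               # homograph
        if real in label:
            out.add(f"{label.replace(real, fake, 1)}.{tld}")
    out.discard(brand_domain.lower())
    return sorted(out)

if __name__ == "__main__":
    # Constructed sample inputs; 'xn--pple-43d.com' is Cyrillic-a + 'pple'.
    samples = (("microsoft.com", "Microsfot.com"), ("microsoft.com", "microsoft-support.com"),
               ("microsoft.com", "microsoft.co"), ("microsoft.com", "rnicrosoft.net"),
               ("apple.com", "xn--pple-43d.com"))
    for brand, cand in samples:
        print(f"{cand:24} vs {brand:14} -> {classify(brand, cand)}")
    print(len(generate("microsoft.com")), "candidates to monitor for microsoft.com")
```

Feeding the generator’s output back through the classifier is a useful sanity check: every candidate it proposes should come back tagged as one of the four types and never as legitimate. For real monitoring you would swap the tiny confusable table for the Unicode consortium’s confusables list and feed candidates to a certificate-transparency or passive-DNS lookup, but the classification logic stays the same.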

Meanwhile, for the unseasoned users caught in the middle, it comes down to heightened awareness and double-bolting the door, especially now that we know what digital squatters are capable of.

“It's about disappearing into the user's routine. That's what makes it really insidious and a little bit scary,” explains Lamourie.


