Lookalike Domain Attacks: How One Extra Letter Cost a Startup $1 Million
The $1 Million Lookalike
In 2019, a Chinese venture capital firm wired $1 million in seed funding to what they believed was an Israeli startup they were investing in. The money never arrived. The startup had no idea anything was wrong until their bank called.
The attacker had not compromised either company's email account. They had not deployed malware. They had registered two lookalike domains, one for each side of the transaction, each with just one extra letter appended to the end. From inside that man-in-the-middle position, the attacker rewrote wire instructions and redirected the funds.
The Check Point Incident Response Team investigated and published the full case. Both companies received emails that appeared legitimate. Both companies replied to those emails. Every reply went to the attacker first, who edited the content and forwarded it onward. The two parties were having a conversation through a translator who happened to be a thief.
The money was never recovered.
This case is not unusual. The Zscaler ThreatLabz 2024 analysis examined over 30,000 lookalike domains in a six-month window and found that more than 10,000 were actively malicious. Google, Microsoft, and Amazon collectively accounted for nearly 75% of the brands being impersonated. The economics work in the attacker's favor: registering a lookalike domain costs under $15, takes ten minutes, and can produce wire transfers in the hundreds of thousands.
This post covers what lookalike domains are, the five variants attackers use, three real documented cases, and the verification habit that catches them.
What Is a Lookalike Domain?
A lookalike domain is a registered web address that visually resembles a legitimate one. The resemblance can be exact or near-exact depending on the technique. The goal is always the same: get the recipient of an email or website link to mistake the fraudulent domain for the real one, even after a careful glance.
The five most common variants:
1. Typosquatting. The attacker registers a common misspelling of the target domain. Example: gooogle.com instead of google.com, or amaz0n.com instead of amazon.com. These rely on the recipient typing the URL into the browser bar manually and making a typo, or on the recipient skim-reading a link without noticing the misspelling.
2. Character substitution. The attacker substitutes a character that looks similar to one in the real domain. The most common is "rn" replacing "m" (microsoft.com versus rnicrosoft.com). At small font sizes or on a phone screen, the substitution is nearly invisible. Other common substitutions include "0" for "o", "1" for "l", and uppercase "I" for lowercase "l".
3. Homoglyph attacks. The attacker uses Unicode characters from non-Latin alphabets (Cyrillic, Greek) that are visually identical to Latin characters but technically different. A Cyrillic "а" looks identical to a Latin "a" but is a different character. A domain made entirely of Cyrillic lookalikes will pass visual inspection every time. According to Allure Security research published in 2025, Microsoft Office applications render these internationalized domain names in their deceptive form rather than revealing the underlying Punycode that would expose the substitution.
4. Combo-squatting. The attacker adds extra words to the legitimate brand name. Example: paypal-secure.com or microsoft-login.com. The brand name is technically correct, but the additional words create a domain the brand never registered. These work because recipients pattern-match on the brand name and skip the rest.
5. TLD substitution. The attacker registers the same domain name on a different top-level domain. Example: paypal.co instead of paypal.com, or microsoft.support instead of microsoft.com. The proliferation of new TLDs (.xyz, .coffee, .support, hundreds of others) has created enormous space for this technique.
Most successful attacks combine two or more of these techniques. The Israeli startup case used technique 1 (an extra 's'). The Florentine Banker case used technique 1 across multiple targets in a chain. The 2024 Zscaler research found that homoglyph attacks (technique 3) are the fastest-growing variant because they pass visual inspection completely.
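The five techniques above as a small classifier, an added example rather than Ṣọ's engine or any vendor's code: given a sender domain and a known-good domain, it reports which techniques the sender shares with it. It is ASCII-only (homoglyphs from other scripts are out of scope), expects plain name.tld domains, and the edit-distance limit of two is an assumption; the confusable pairs are the ones the post lists.

```python
# Added example (not the Ṣọ engine): label a sender domain with the techniques
# it shares with a known-good domain. ASCII only: homoglyphs are out of scope.
# Confusable pairs are the post's; the edit-distance limit is an assumption.
CONFUSABLE = {"rn": "m", "0": "o", "1": "l"}  # applied after lowercasing

def normalize(label):
    """Map confusable ASCII sequences to the letters they imitate ("I" before lowercasing)."""
    label = label.replace("I", "l").lower()
    for fake, real in CONFUSABLE.items():
        label = label.replace(fake, real)
    return label

def damerau_levenshtein(a, b):
    """Edit distance counting insert, delete, substitute and adjacent transposition."""
    d = {(-1, -1): 0}
    d.update({(i, -1): i + 1 for i in range(len(a))})
    d.update({(-1, j): j + 1 for j in range(len(b))})
    for i, ca in enumerate(a):
        for j, cb in enumerate(b):
            cost = 0 if ca == cb else 1
            d[i, j] = min(d[i - 1, j] + 1, d[i, j - 1] + 1, d[i - 1, j - 1] + cost)
            if i > 0 and j > 0 and ca == b[j - 1] and cb == a[i - 1]:
                d[i, j] = min(d[i, j], d[i - 2, j - 2] + 1)
    return d[len(a) - 1, len(b) - 1]

def classify(candidate, legit, max_typos=2):
    """Return the lookalike techniques `candidate` exhibits relative to `legit` ([] if none)."""
    cand_name, _, cand_tld = candidate.rpartition(".")   # expects name.tld, no subdomains
    legit_name, _, legit_tld = legit.rpartition(".")
    cand_lower, legit_lower = cand_name.lower(), legit_name.lower()
    names_match = normalize(cand_name) == normalize(legit_name)
    found = []
    if names_match and cand_lower != legit_lower:
        found.append("character substitution")   # rnicrosoft, amaz0n, paypaI
    elif 0 < damerau_levenshtein(normalize(cand_name), normalize(legit_name)) <= max_typos:
        found.append("typosquatting")            # gooogle, startups (extra 's')
    if legit_lower in cand_lower.split("-") and cand_lower != legit_lower:
        found.append("combo-squatting")          # paypal-secure, microsoft-login
    if names_match and cand_tld.lower() != legit_tld.lower():
        found.append("TLD substitution")         # paypal.co, microsoft.support
    return found

def screen(candidate, trusted):
    """Check one sender domain against every known-good domain; {} means no lookalike."""
    return {t: hits for t in trusted if (hits := classify(candidate, t))}
```

A domain can carry more than one label at once (for instance a substituted character and a swapped TLD), which matches the post's point that real attacks combine techniques.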
Three Real Cases
The pattern is best understood through specific incidents.
Case 1: The Israeli Startup and Chinese VC ($1M, 2019)
Check Point's Incident Response Team investigated and published this case. A Chinese VC firm had been corresponding with an Israeli startup about a $1M seed funding round. The thread had been active for months.
The attacker spotted the thread (likely through a prior compromise of one party's inbox) and registered two new domains: the Israeli startup's domain with an extra 's' at the end, and the Chinese VC's domain with an extra 's' at the end. The attacker then sent emails from each lookalike domain to the opposite party.
To the VC, the emails appeared to come from the startup's CEO. To the startup, the emails appeared to come from the VC. Both parties replied, and the attacker intercepted every message, edited what was needed, and forwarded the modified version to the other side. From inside this position, the attacker was able to inject fraudulent wire instructions at the moment of payment.
The $1M was wired to the attacker's account. By the time the bank flagged the transaction, the funds had been moved through multiple accounts and were effectively gone. Most striking: even after the attack was discovered, the startup's CFO continued to receive lookalike emails monthly asking for additional wire transfers.
Case 2: The Florentine Banker and British PE Firms ($1.3M, 2020)
Check Point also documented this case, which involved three British private equity firms. The attacker group ("Florentine Banker") used the same lookalike domain technique at scale, targeting deals where venture capital firms were transferring money to startups they were investing in.
The pattern: identify a thread between a PE firm and a target startup. Register lookalike domains for both. Insert into the conversation. Redirect the wire when the transaction stage arrives.
Across three British PE firms, $1.3 million was wired to attacker-controlled accounts. Nearly $700,000 was permanently lost. The remaining funds were recovered only because security researchers alerted the firms in time, which is the exception rather than the rule.
Case 3: Holland & Knight Wire Fraud Lawsuit ($3M, 2020)
Holland & Knight is one of the largest law firms in the United States. In 2020, the firm was sued after allegedly sending $3 million to a fraudulent account in Hong Kong based on wire instructions that came from a lookalike domain associated with the plaintiffs' email system.
The case became a public reference point for wire fraud litigation against law firms. Holland & Knight's defense was that the firm had acted on instructions received in good faith and that the firm's own systems were not compromised. The plaintiffs argued that the firm had a duty to verify wire instructions through a separate channel before transferring funds.
The case illustrated a structural problem in legal practice: law firms handle massive wire transfers on client behalf, often under time pressure, and standard verification protocols are inconsistent across the industry. The FBI's IC3 reports that wire fraud recovery rates for law firms run under 30% even when the attack is reported quickly.
Why Lookalike Domain Attacks Bypass Standard Defenses
Five structural reasons make these attacks effective.
Authentication checks pass. SPF, DKIM, and DMARC are designed to detect spoofing of a domain. They cannot detect a different domain that looks similar. The attacker configures these standards on their own lookalike domain, and all three authentication mechanisms pass cleanly. The receiving mail server has no technical reason to flag the message.
The domain renders as expected in email clients. Modern email clients show the sender's display name prominently, with the actual email address either hidden or shown in a smaller, lower-contrast position. A user scanning quickly sees "Vendor Name <accounts@vendor.com>" and not "<accounts@vendorr.com>". The display name controls perception.
The thread looks authentic. In sophisticated attacks (like the Israeli startup case), the attacker has visibility into the real email thread before launching. The lookalike emails reference previous messages, use the same writing style, and arrive at expected times in the conversation. The recipient has no behavioral signal that anything is wrong.
Lookalike domain registration is cheap and fast. A new domain costs under $15. SSL certificates are free through Let's Encrypt. The Zscaler 2024 research found that nearly half of malicious lookalike domains used Let's Encrypt certificates to appear legitimate and avoid browser warnings.
Defensive registration of all variants is economically impractical. A target company would need to register hundreds of permutations of its domain (every typo, every homoglyph, every TLD) to defend fully. The math doesn't work for any company. Even companies that register defensively at scale can only cover the obvious variants.
The combination means that lookalike domain attacks land in inboxes that have passed every standard security check, look identical to legitimate correspondence, and arrive at the moment when verification feels least necessary.
The Five-Step Verification Protocol
A consistent verification habit catches nearly every lookalike domain attack. The protocol has five steps.
Step 1: Inspect the sender's full email address before responding to any unusual request. Don't rely on the display name. Hover over the sender name (on desktop) or tap to expand the sender field (on mobile). Look at the full email address. Compare it character by character against a known-good address.
Step 2: Check for additional letters, character substitutions, or alternate TLDs. Common patterns: an extra letter at the end ('s', 'a'), an extra hyphen, "rn" instead of "m", "0" instead of "o", a different TLD (.co vs .com, .support vs the legitimate one). The Israeli startup case used an extra 's'. The Florentine Banker case used the same pattern across multiple targets.
Step 3: For any financial request, verify through a different channel before acting. Phone the requester at a number you already have, not one provided in the email. This is the single most effective defense because lookalike domain attacks rely entirely on the email channel. Five minutes of phone verification beats five hundred thousand dollars of fraud loss.
Step 4: For ongoing vendor relationships, establish a verification protocol up front. When you onboard a new vendor or finalize a contract, exchange phone numbers for wire verification specifically. Establish that any wire instruction change requires a phone call. Document this in the contract if possible. The protocol is much easier to follow when both sides expect it.
Step 5: Use email security tooling that flags lookalike domains automatically. The character-by-character inspection is hard for humans to do reliably across hundreds of emails per day. Automated lookalike domain detection runs the comparison for you and flags suspicious patterns before you see the email.
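Steps 1 and 5 in code, as an added example that is not Ṣọ's engine: parse the raw From header, judge the address's domain rather than the display name, and for anything outside the known-good list reveal the Punycode (xn--) form and any non-Latin script, which is the homoglyph case the Microsoft Office rendering note above is about. The allowlist and the three sample headers are constructed; the third header puts Cyrillic U+0430 where a Latin "a" belongs.

```python
import unicodedata
from email.utils import parseaddr

# Constructed allowlist and headers; the third header uses Cyrillic U+0430 for Latin "a".
TRUSTED = {"vendor.com", "amazon.com"}
SAMPLE_HEADERS = [
    "Accounts Payable <accounts@vendor.com>",
    "Accounts Payable <accounts@vendorr.com>",
    "Amazon Billing <billing@\u0430mazon.com>",
]

def parse_sender(from_header):
    """Split a raw From: value into display name, address and the address's domain."""
    display_name, address = parseaddr(from_header)
    return display_name, address, address.rpartition("@")[2].lower()

def to_punycode(domain):
    """ASCII (xn--) form a mail server actually sees; unchanged for pure-ASCII domains."""
    return domain.encode("idna").decode("ascii")

def non_ascii_scripts(domain):
    """Unicode script names of every non-ASCII character, e.g. {'CYRILLIC'}."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in domain if not ch.isascii()}

def inspect_sender(from_header, trusted=TRUSTED):
    """Steps 1 and 5: decide on the address domain, never on the display name."""
    display_name, address, domain = parse_sender(from_header)
    verdict = {"display_name": display_name, "address": address, "domain": domain}
    if domain in trusted:
        verdict["status"] = "known-good"
        return verdict
    verdict["status"] = "flag"
    verdict["punycode"] = to_punycode(domain)
    verdict["scripts"] = sorted(non_ascii_scripts(domain))
    # Step 2's commonest pattern: a known-good name with extra characters appended.
    hint = next((t for t in sorted(trusted) if domain.startswith(t.rpartition(".")[0])), None)
    verdict["reason"] = ("non-Latin characters" if verdict["scripts"] else
                         f"known-good name {hint} with extra characters" if hint else
                         "not in the known-good list")
    return verdict

if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        print(inspect_sender(header))
```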
What Ṣọ Catches
Ṣọ's Engine 01 includes Identity detection as one of its five categories. The engine catches lookalike domain patterns including typosquatting (extra letters, missing letters, character swaps), character substitution (rn for m, 0 for o), and TLD substitution (.co vs .com). Each suspicious domain triggers a flag that surfaces in your inbox before you decide whether to act on the email.
This is not an exhaustive defense. Sophisticated homoglyph attacks using Cyrillic characters can evade automated detection if the legitimate domain hasn't been registered as a known reference. Email security tooling reduces the volume of attacks that reach your eyes; it doesn't eliminate the verification habit at the human layer.
The architecture: email content is processed on Ṣọ servers via HTTPS/TLS, analyzed in seconds, and deleted immediately. Zero retention. No human access. We earn revenue from subscriptions, never from your data.
Bottom Line
Lookalike domain attacks are one of the most cost-effective fraud techniques available to attackers today. The setup cost is under $15. The payout can be hundreds of thousands of dollars. Authentication standards (SPF, DKIM, DMARC) don't catch them. Display name conventions in email clients work in the attacker's favor.
The defense is part technical (automated lookalike domain detection) and part behavioral (a five-step verification habit that includes phone confirmation for financial requests). Either alone is incomplete. Both together catch nearly every documented case.
If you handle wire transfers or vendor payments, the verification habit is the highest-leverage security investment you can make. Five minutes of phone confirmation beats five hundred thousand dollars of fraud.
For automated detection at the email layer, install Ṣọ in 2 minutes at soemailsecurity.com. Free tier covers Engine 01 Identity detection including lookalike domains.
Sources: Check Point Research Incident Response casefiles (2019, 2020); Zscaler ThreatLabz Phishing Typosquatting and Brand Impersonation Trends 2024; Allure Security Typosquatting and Homoglyph Attacks 2026; FBI Internet Crime Complaint Center; Proofpoint State of the Phish 2023.
Encrypted in transit. Processed in seconds. Deleted immediately.