Anatomy of a Lookalike Domain Attack: From Registration to $186,000 Wire Transfer
Lookalike domain attacks are not subtle, but they are easy to miss. The attacker's goal is to register a name that resembles yours convincingly enough that a busy human — an accounts payable clerk, a customer support rep, a CFO — trusts it for a few seconds longer than they should. A few seconds is all it takes.
Below is a composite of several real cases we have seen, condensed into a single twelve-day timeline. The names are fictional. The mechanics are not.
Day 1: The Registration
The target is brightway-logistics.com, a mid-sized freight broker that moves about $40M of goods per quarter. On a Monday morning, a registrant in a different country pays $11.99 to a discount registrar and walks away with brightway-Iogistics.com. The capital "I" in "Iogistics" is a Latin uppercase i, but at the rendering size of an email signature it is indistinguishable from a lowercase L.
The WHOIS record is privacy-protected. The nameservers are the registrar defaults. The domain points nowhere yet. To anyone not actively monitoring, the registration is invisible.
Detection opportunity #1: registration. A digital-risk monitor that watches for newly registered lookalikes against your brand catches this within hours of the WHOIS record going live, days before any weaponisation.
Day 3: The Certificate
Two days later, the attacker provisions a free Let's Encrypt certificate for brightway-Iogistics.com and www.brightway-Iogistics.com. The issuance is published to public Certificate Transparency logs within seconds. A simple landing page now resolves at the lookalike, hosted on a generic VPS.
The page itself is harmless: a basic "under construction" notice. Nothing to scan. Nothing to flag from a content perspective. But the cert exists, the domain resolves, and the lookalike is now operationally ready.
Detection opportunity #2: the CT log entry. Brand-aware CT monitoring catches the issuance the same hour. A name that looks suspiciously close to brightway-logistics.com with a Let's Encrypt cert and no prior history is exactly the alert pattern that should fire.
Day 7: The MX Record
Day 7 is the day the lookalike becomes dangerous. The attacker adds an MX record pointing to a self-hosted mail server and configures SPF and DKIM well enough to pass basic alignment checks. They also generate a few cfo@, billing@, accounts@ mailboxes.
Crucially, the attacker has done their homework. They know who BrightWay's CFO is, they know that one of BrightWay's long-standing customers is a regional grocery chain, and they have copied the BrightWay invoice template, of which any past customer has plenty of copies.
Detection opportunity #3: MX configuration. A lookalike that suddenly has working mail infrastructure is much higher risk than one with just a parked landing page. A digital-risk score that weights MX presence catches this state change.
Day 12: The Invoice
On a Friday afternoon, the grocery chain's accounts payable team receives an email from billing@brightway-Iogistics.com. The from-name is "BrightWay Logistics — Billing". The signature block looks identical to every other invoice they have received from BrightWay over the past five years. The body says BrightWay has changed banks and provides new wire instructions for invoice #18247, due Monday.
At 4:47 PM, the AP clerk wires $186,400 to the new account.
The wire is irreversible by Monday morning. The attacker has already moved the funds through a money-mule chain into crypto. BrightWay is contacted by the grocery chain on Monday afternoon, asking when they should expect another invoice now that the bank change has gone through. Nobody at BrightWay has changed banks. Nobody at BrightWay knows about this email. By the time anyone investigates, the lookalike domain has been deleted by the attacker and the trail is cold.
The Aftermath
The grocery chain's bank refuses to reimburse — the wire was authorised by a legitimate employee. BrightWay's cyber-insurance carrier debates whether the loss is covered (it usually is not, because the breach was at the customer, not at BrightWay). Lawyers get involved. The grocery chain quietly moves a chunk of its freight business to a competitor. Trust is the only thing that breaks.
What Defenders Could Have Seen, And When
The attack worked because nobody at BrightWay was watching the right places. Here is the same timeline from a defender's perspective with continuous digital-risk monitoring in place:
"New lookalike candidate: brightway-Iogistics.com (substitution: l → I, edit distance 1). Registered today. WHOIS privacy. No A record yet." This alert alone gives the defender 11 days to act.
"brightway-Iogistics.com now has a Let's Encrypt certificate. SAN list includes www. First A record observed 2 hours ago, pointing to 198.51.100.42 (generic VPS provider)." Risk score for this lookalike just went up.
"brightway-Iogistics.com just added an MX record. SPF published. The lookalike is now mail-capable." Severity: high. This is the moment to file a takedown with the registrar and warn customers.
Registrar abuse report filed with evidence (similarity score, certificate details, MX presence). Most discount registrars suspend clearly fraudulent lookalikes within 48–72 hours when the evidence is clean. The wire fraud on day 12 never happens.
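The first two alerts in that timeline (detection opportunities #1 and #2) both come down to the same check: take each name that appears in a registration feed or a CT log, and decide whether it is close enough to the brand to be worth a human's attention, with a reason attached. The script below is an added example, not GuardHound's code or the original article's. It generates single-substitution homoglyph candidates for a brand, matches incoming names against them, and falls back to an edit-distance check for variants the substitution table does not cover (such as a dropped hyphen on a different TLD). The homoglyph table and the CT feed are constructed for illustration; because DNS names are case-insensitive, names are lowercased before matching, so the article's `l` vs `I` swap shows up as `l → i`.

```python
"""Brand-aware triage of names seen in a CT log or new-registration feed.

Added example, not GuardHound's code. The homoglyph table and the CT feed
below are constructed for illustration.
"""

# Constructed subset of visually confusable substitutions. Production monitors
# also cover Unicode confusables, keyboard-adjacent typos and TLD swaps.
HOMOGLYPHS = {
    "l": ("i", "1"),  # 'l' vs 'I' collapse to 'i' once the name is lowercased
    "i": ("l", "1"),
    "o": ("0",),
    "0": ("o",),
    "rn": ("m",),
    "m": ("rn",),
    "vv": ("w",),
    "w": ("vv",),
}


def registrable(name: str) -> str:
    """Lowercase, drop a trailing dot and a leading 'www.'; DNS is case-insensitive."""
    name = name.lower().rstrip(".")
    return name[4:] if name.startswith("www.") else name


def levenshtein(a: str, b: str) -> int:
    """Edit distance by the standard dynamic-programming recurrence."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def homoglyph_candidates(brand: str) -> dict:
    """Map every single-substitution lookalike of `brand` to a human-readable reason."""
    label, _, tld = registrable(brand).rpartition(".")
    out = {}
    for src, repls in HOMOGLYPHS.items():
        pos = label.find(src)
        while pos != -1:
            for rep in repls:
                cand = f"{label[:pos]}{rep}{label[pos + len(src):]}.{tld}"
                out.setdefault(cand, f"substitution: {src} → {rep} at index {pos}")
            pos = label.find(src, pos + 1)
    return out


def triage_ct_entries(brand: str, entries: list) -> list:
    """Return one alert per suspicious registrable name in a CT feed.

    Tier 1 (high): exact hit on a generated homoglyph candidate.
    Tier 2 (medium): label within edit distance 2 of the brand label, which
    catches dropped hyphens and TLD swaps the substitution table does not.
    """
    brand_reg = registrable(brand)
    brand_label = brand_reg.rpartition(".")[0]
    cands = homoglyph_candidates(brand)
    alerts, seen = [], set()
    for entry in entries:
        for san in entry["names"]:
            name = registrable(san)
            if name == brand_reg or name in seen:
                continue
            label = name.rpartition(".")[0]
            dist = levenshtein(label, brand_label)
            if name in cands:
                reason, confidence = cands[name], "high"
            elif dist <= 2:
                reason, confidence = f"label edit distance {dist}", "medium"
            else:
                continue
            seen.add(name)
            alerts.append({"name": name, "issuer": entry["issuer"],
                           "reason": reason, "confidence": confidence})
    return alerts


# Constructed CT feed: the brand's own cert, the lookalike from the timeline,
# a hyphen-dropped variant on another TLD, and an unrelated name.
CT_SAMPLE = [
    {"issuer": "Let's Encrypt", "names": ["brightway-logistics.com", "www.brightway-logistics.com"]},
    {"issuer": "Let's Encrypt", "names": ["brightway-iogistics.com", "www.brightway-iogistics.com"]},
    {"issuer": "Example CA", "names": ["brightwaylogistics.co"]},
    {"issuer": "Let's Encrypt", "names": ["example.org"]},
]

if __name__ == "__main__":
    for alert in triage_ct_entries("brightway-logistics.com", CT_SAMPLE):
        print(alert)
```

Running it flags `brightway-iogistics.com` at high confidence with the substitution spelled out, and `brightwaylogistics.co` at medium confidence via edit distance, while the brand's own certificate and the unrelated name are ignored. The point of the two tiers is alert quality: a candidate that matches a generated lookalike exactly deserves a different response than one that merely sits nearby in edit-distance space.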
Building Lookalike Detection That Actually Works
Most lookalike monitoring tools generate too many candidates and not enough actionable alerts. The ones that work share a few properties:
How GuardHound Catches This
Lookalike detection is the core of GuardHound's digital risk pillar — one of the five pillars that feed the eight-dimension risk score. For every domain you monitor, GuardHound generates lookalike candidates across all the algorithms above, checks them against current registration data, and re-evaluates daily.
Each candidate gets a weaponisation score based on real-world signals:
- Registered + WHOIS recent? +1
- Has an A or AAAA record? +2
- Has a TLS cert in CT logs? +3
- Has a working MX record? +5 (this is the dangerous one)
- Resolves to a known-bad ASN? +3
The total feeds the Brand & Digital Risk dimension of your risk score, and crosses your alert threshold the moment a lookalike becomes mail-capable. On Pro, Business, and Agency plans, the lookalike module is fully read-write — you can confirm, dismiss, and (on Agency) trigger the takedown workflow directly from the dashboard.
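The weighting above, together with the point made at detection opportunity #3 (a lookalike that has just acquired mail infrastructure is a state change worth alerting on), is easy to turn into a daily re-evaluation loop. The script below is an added example and not GuardHound's implementation: it scores a candidate from a set of boolean signals using the weights listed above, re-scores it on each observation, and emits an alert only when a new signal appears, so an unchanged lookalike does not re-alert every day. The alert threshold and the day-by-day observations for `brightway-iogistics.com` are constructed assumptions matching the article's timeline.

```python
"""Weaponisation scoring for lookalike candidates, alerting only on state change.

Added example, not GuardHound's implementation. The weights follow the list
above; the alert threshold and the day-by-day observations are constructed
assumptions for illustration.
"""

WEIGHTS = {
    "registered_recently": 1,  # registered, recent WHOIS creation date
    "has_address_record": 2,   # an A or AAAA record resolves
    "has_ct_cert": 3,          # a certificate for the name appears in CT logs
    "has_mx": 5,               # working MX record: the lookalike is mail-capable
    "known_bad_asn": 3,        # hosted in an ASN with a poor reputation
}
ALERT_THRESHOLD = 8  # constructed assumption; tune per brand


def weaponisation_score(signals: dict) -> tuple:
    """Sum the weights of every signal that is present; return (score, reasons)."""
    reasons = [key for key in WEIGHTS if signals.get(key)]
    return sum(WEIGHTS[key] for key in reasons), reasons


def severity(score: int, signals: dict) -> str:
    """Mail capability is high severity on its own, whatever the total."""
    if signals.get("has_mx"):
        return "high"
    return "medium" if score >= ALERT_THRESHOLD else "low"


def evaluate_timeline(domain: str, history: list) -> list:
    """Re-score a candidate at each observation and alert only when a new
    signal appears, so an unchanged lookalike does not re-alert every day."""
    alerts, seen_signals = [], set()
    for day, signals in history:
        score, reasons = weaponisation_score(signals)
        new_signals = [r for r in reasons if r not in seen_signals]
        if new_signals:
            alerts.append({
                "day": day,
                "domain": domain,
                "score": score,
                "new_signals": new_signals,
                "severity": severity(score, signals),
                # Recommend filing a takedown the moment the candidate becomes mail-capable.
                "takedown_recommended": bool(signals.get("has_mx")),
            })
        seen_signals.update(reasons)
    return alerts


# Constructed observations following the article's timeline: registration on
# day 1, A record and certificate on day 3, MX on day 7, no change on day 8.
HISTORY = [
    (1, {"registered_recently": True}),
    (3, {"registered_recently": True, "has_address_record": True, "has_ct_cert": True}),
    (7, {"registered_recently": True, "has_address_record": True,
         "has_ct_cert": True, "has_mx": True}),
    (8, {"registered_recently": True, "has_address_record": True,
         "has_ct_cert": True, "has_mx": True}),
]

if __name__ == "__main__":
    for alert in evaluate_timeline("brightway-iogistics.com", HISTORY):
        print(alert)
```

The run produces three alerts (days 1, 3 and 7) and none on day 8. Day 7 scores 11, is marked high because `has_mx` is set, and carries the takedown recommendation; day 3 scores 6, below the constructed threshold, which is the "risk score just went up" state rather than an incident. Keying alerts to new signals rather than to the raw score is what keeps a monitor from drowning the reader in repeats.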
Because lookalike findings sit alongside uptime, certificates, DNS, and email auth in the same risk score, you do not need a separate brand-protection tool with its own dashboard. The same number that tells you whether your TLS is healthy tells you whether someone is preparing to impersonate you.
See If Anyone Is Already Impersonating Your Domain
Run a free scan to see lookalike candidates for your domain along with your full eight-dimension risk score.
Frequently Asked Questions
What is a lookalike domain?
A lookalike domain is one that is intentionally registered to resemble a legitimate domain — through typos, character substitutions (Cyrillic letters that look Latin), homoglyphs, alternate TLDs, or hyphenation. The goal is to deceive a human reader into trusting the wrong address.
How do attackers actually use lookalike domains?
The most common uses are invoice fraud (sending a fake invoice from a domain that looks like a known supplier), credential phishing (a fake login page hosted on a lookalike), and brand impersonation campaigns. The lookalike usually has its own valid TLS certificate, which makes it look legitimate in browsers and email clients.
How quickly does a lookalike become dangerous?
Often within days. The pattern is: register the domain, get a free Let's Encrypt cert (visible in CT logs immediately), wait a few days for the registration to be considered "aged", then launch the campaign. Detection on day one of registration buys you the most time to act.
Can I just take down every lookalike?
Most lookalikes that are clearly trademark-infringing or being used for phishing can be taken down through the registrar's abuse process or through hosting-provider abuse reports. The takedown success rate depends on having clean evidence (screenshots, certificate records, MX/MTA configuration) and submitting through the right channel. GuardHound Agency includes a guided takedown workflow that handles the evidence packaging.
How does this fit into the broader risk score?
Lookalike domains feed the "Brand & Digital Risk" dimension of the eight-dimension risk score. Active lookalikes, ones with TLS certs, and ones that have working MX records all weigh more heavily, so the score reflects not just how many lookalikes exist, but how weaponised they are.