I mistyped a web address while following setup instructions for my printer and ended up at a scam support site. How can these guys get away with this?
This question was answered on August 10, 2017. Much of the information contained herein may have changed since posting.
One of the oldest tricks on the Internet is ‘typosquatting’, the registration of misspelled versions of website addresses.
Since so many users manually type in web addresses every day, all it takes is one character to be off for this scam to be effective. Instead of going to your intended location, you’ll end up at a potentially harmful site that may look close or even identical to the site you were seeking.
Is It Legal?
Typosquatters aren’t always using the misspelled sites for malicious activities, and unless a trademarked name is part of the address, there are no laws being broken.
Registering commonly misspelled websites and redirecting the errant traffic to a legitimate website is perfectly legal and a common practice, especially by a competitor of a large brand.
The more popular a website is, like Facebook or Google, the more likely it is that many misspelled versions of it will be registered to take advantage of sloppy spelling errors.
Typically, sites that engage in malicious activities can be brought down by the company that’s hosting the site, but it’s so easy for the operators to switch to another host, set up their own web servers or move to another misspelled address that it becomes an ongoing game of ‘whack-a-mole’.
Anyone who’s ever been in a hurry when typing in a web address has accidentally missed a letter, like the ‘c’ in ‘.com’, or typed the ‘c’ before the ‘.’ in their haste. The resulting web address ends with .om, which is the country code for Oman. Hundreds of well-known names have been targeted by .om typosquatters.
Another well-documented domain that popped up as a variety of scams over the years is ‘goggle.com’, prior to Google’s long battle to finally acquire the domain.
This highlights one of the problems with regulating website registrations. Clearly ‘goggle.com’ benefited from the misspelling of ‘google.com’, but because it’s a generic word, it didn’t violate any of Google’s trademarks, resulting in the long process of acquiring control of it.
The obvious tip is to slow down and make sure you’re spelling things correctly. If it’s a site you’ll be visiting frequently, create a bookmark or shortcut to it for future visits.
If you aren’t sure about the spelling of a website, type the web address in without .com so that it turns into a Google search. Google’s autocorrect, page ranking algorithm or ‘did you mean’ engine will kick in to most likely point you to the legitimate resource.
As far as legitimate support from a specific company goes, try typing the company’s web address followed by /support (ex: hp.com/support) as this is a pretty standard method used by tech companies.
The best way for companies to protect themselves against typosquatting is to register the misspelled versions themselves and redirect the traffic to the proper address. Facebook, for instance, registered commonly misspelled versions of their site like facebok.com and facbook.com, which redirect users to Facebook.com.
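The slips described above (a dropped letter, a ‘c’ typed on the wrong side of the ‘.’, one wrong character) are each a single keystroke away from the real address, so a typed address can be checked against a list of known sites before it is visited. This is an added example, not part of the original article; the list of known sites and the function names are assumptions made for illustration.

```python
# Added example (not from the original article): flag a typed address that is
# one keystroke away from a site on a known-good list.
KNOWN_SITES = ["facebook.com", "google.com", "hp.com"]  # constructed list (assumption)


def osa_distance(a: str, b: str) -> int:
    """Edit distance counting insert, delete, substitute and adjacent swap as 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            # Adjacent transposition, e.g. "c." typed instead of ".c"
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[-1][-1]


def hostname(typed: str) -> str:
    """Reduce what the user typed to a bare lowercase host name."""
    host = typed.strip().lower()
    if "://" in host:
        host = host.split("://", 1)[1]
    host = host.split("/", 1)[0]
    return host[4:] if host.startswith("www.") else host


def likely_intended(typed: str, known=KNOWN_SITES, max_distance: int = 1):
    """Return the known site the user probably meant, or None if no warning is needed."""
    host = hostname(typed)
    if host in known:
        return None  # exact match: nothing to warn about
    scored = [(osa_distance(host, site), site) for site in known]
    dist, site = min(scored)
    return site if dist <= max_distance else None


if __name__ == "__main__":
    for typed in ["facebok.com", "facbook.com", "goggle.com",
                  "google.om", "googlec.om", "hp.com/support"]:
        print(f"{typed:16} -> {likely_intended(typed)}")
```

A match only says the typed address resembles a known one; as goggle.com shows, a near-miss can also be a generic word that someone registered legitimately.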
About the author
Posted by Ken Colburn of Data Doctors on August 10, 2017