What Is Combosquatting?

Combosquatting is a widespread registration abuse where attackers register domain names combining popular brand trademarks with additional words or keywords to deceive users into visiting malicious sites.

Always Automate, Nothing To Manage

Always automated.

Nothing to manage.

Leave Training & Simulated Phishing to us.

Unlike typosquatting, which exploits typing errors, combosquatting relies on social engineering: the attacker places a recognizable brand name next to an innocuous-sounding keyword, as in "netflix-payments.com" or "yourbank-security.com." The term and the first large-scale measurements come from Georgia Tech research published in 2017, with follow-up analysis and reporting from Akamai and CXO Today through 2024.

Combosquatting exploits user trust in familiar brand names. When users see a legitimate trademark in a domain name, they may assume the entire domain is legitimate without carefully examining the additional keywords or hyphens.

How does combosquatting work?

Combosquatting attacks follow a systematic approach that combines legitimate brand recognition with deceptive keywords to create convincing malicious domains.

Domain construction combines the legitimate brand name with a contextually relevant keyword such as "support," "security," "payment," or "verify." The keyword may come before or after the brand, joined with a hyphen or simply concatenated. The brand name supplies the legitimacy; the keyword supplies a plausible reason for why the user is being sent to this particular domain.

Social engineering exploits users who see the familiar brand name and trust the domain despite the unfamiliar addition. A user may not realize that "paypal-security.com" has no affiliation with PayPal, assuming instead that it is an official security portal or division.

Distribution happens through phishing emails claiming to come from the brand, paid advertisements shown in search results or on legitimate sites, organic search results in which combosquatted domains rank for brand-related queries, and social media posts that point to fake support or verification pages.

No typing errors are required, which is what distinguishes combosquatting from typosquatting. Users never mistype anything: the attacker supplies the link directly in an email, an advertisement, or a search result, and the user clicks it believing it leads to the brand's own service.

Legitimacy spoofing succeeds because the domain contains the real brand name and so looks official, users rarely scrutinize the extra keyword or hyphen, email filters may not flag a domain merely because it contains a legitimate trademark, and the malicious site copies the brand's visual design.

Common keywords in attacks include "support," the single most common keyword in combosquatting, followed by "security," "payment," "verify," "confirm," "login," "account," "update," and "authentication," all chosen to look legitimate and contextually relevant, according to Akamai research published in 2022.

Attack objectives include phishing for credentials and sensitive data, credential harvesting from email and SaaS platforms, social engineering attacks impersonating legitimate organizations, affiliate abuse and scams, Advanced Persistent Threats (APT) infrastructure, and trademark abuse and brand impersonation.
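To make the construction step concrete, here is an added Python example (not code from this page or from any of the cited research) that enumerates the domains an attacker would build from one brand using the keyword list above. The TLD set and the ordering of keywords after "support" are assumptions; the same list, ranked by keyword frequency, is what a defender would feed into a pre-registration or monitoring watchlist.

```python
from __future__ import annotations
from typing import Iterable

# Keywords as listed on this page. Only the first ("support") is ordered by
# evidence; the order of the rest is an assumption for the example.
KEYWORDS = ["support", "security", "payment", "verify", "confirm",
            "login", "account", "update", "authentication"]

# Example TLD set (an assumption; real campaigns and real watchlists use more).
TLDS = ["com", "net", "org", "info", "xyz"]


def combosquat_candidates(brand: str,
                          keywords: Iterable[str] = KEYWORDS,
                          tlds: Iterable[str] = TLDS) -> list[tuple[str, int]]:
    """Enumerate the domains an attacker would construct from one brand.

    Each keyword is placed before or after the brand, joined either with a
    hyphen or by plain concatenation, under every TLD. The integer is the
    keyword's position in KEYWORDS (0 = most common), so the sorted result
    doubles as a priority-ordered defensive-registration or monitoring list.
    """
    brand = brand.lower().strip()
    keywords, tlds = list(keywords), list(tlds)   # allow generators as input
    ranked: dict[str, int] = {}
    for rank, kw in enumerate(keywords):
        kw = kw.lower().strip()
        for sep in ("-", ""):
            for label in (f"{brand}{sep}{kw}", f"{kw}{sep}{brand}"):
                for tld in tlds:
                    ranked.setdefault(f"{label}.{tld}", rank)
    return sorted(ranked.items(), key=lambda item: (item[1], item[0]))


def watchlist_size(brands: Iterable[str],
                   keywords: Iterable[str] = KEYWORDS,
                   tlds: Iterable[str] = TLDS) -> int:
    """Total distinct candidates across brands. Even this small keyword and
    TLD set grows fast, which is why exhaustive defensive registration is
    impossible (the page's 2.7 million figure covers only 268 trademarks)."""
    keywords, tlds = list(keywords), list(tlds)
    return sum(len(combosquat_candidates(b, keywords, tlds)) for b in brands)


if __name__ == "__main__":
    for domain, rank in combosquat_candidates("paypal")[:6]:
        print(rank, domain)
    print(watchlist_size(["paypal", "netflix", "microsoft"]))
```

For one brand, nine keywords, two positions, two separators and five TLDs already yield 180 registrable names; an attacker needs only a handful of them, a defender would have to hold all of them.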

How does combosquatting differ from other domain attacks?

Combosquatting employs distinct mechanisms compared to related domain-based attack techniques.

Typosquatting exploits user typing errors, while combosquatting requires no mistake at all. Domain spoofing is the broader category, with combosquatting as a specific subset built from brand-plus-keyword combinations. Homograph attacks substitute visually similar Unicode characters (a Cyrillic "а" for a Latin "a," for instance), whereas combosquatting uses the genuine brand string plus keywords. Lookalike domains are the broader category of which combosquatting is the most prevalent form. Phishing is the broader attack category, with combosquatting often serving as the infrastructure that hosts the phishing campaign.

The key distinction is intentional distribution versus passive reliance on errors. Typosquatting waits for users to mistype URLs. Combosquatting actively distributes links through emails, advertisements, and social media. This makes combosquatting significantly more scalable and effective.

Combosquatting also appears more legitimate than obvious misspellings. "paypal-security.com" seems more plausible than "paypall.com" because it suggests an official security division rather than a typing error.

Why does combosquatting matter?

The scale, prevalence, and effectiveness of combosquatting make it one of the most significant domain-based threats.

A Georgia Tech study published in 2017 identified 2.7 million combosquatting domains for just 268 popular trademarks in six years of DNS data (2011-2016). This scale demonstrates how widely threat actors have adopted the technique.

Combosquatting domains are 100 times more prevalent than typosquatting domains, according to the same Georgia Tech study, a finding Akamai's 2022 research reiterates. This prevalence makes combosquatting the dominant form of domain-based brand impersonation.

60% of abusive combosquatting domains operate for over 1,000 days, nearly 3 years, according to Georgia Tech research. This extended lifespan makes them particularly dangerous and profitable for attackers, allowing long-term campaigns against targeted brands.

Akamai concluded in 2022 that combosquatting is the most significant of the cybersquatting techniques it examined, outranking typosquatting in both the number of active domains and in user click-throughs.

Combosquatting registrations grew year over year across the 2011-2016 study window, according to Georgia Tech research. This sustained growth indicates continued attacker investment in the technique.

Phishing attacks, often hosted on combosquatting domains, cost organizations an average of $4.88 million per breach (IBM Cost of a Data Breach Report, 2024). WIPO handled a record 6,200 domain name disputes in 2025, and cybersquatting cases have risen 68% since 2020, according to WIPO data published in 2025.

What are the limitations of combosquatting attacks?

Despite widespread prevalence, combosquatting attacks face operational and defensive constraints that limit effectiveness in certain scenarios.

User scrutiny can detect combosquatting: users who inspect the full URL before clicking can spot the extra keyword. Email filtering can block messages containing known combosquatting domains. Browsers that highlight the registrable domain in the address bar make the addition to the brand name visible. Trademark holders can obtain transfer or cancellation of infringing domains under the UDRP (Uniform Domain-Name Dispute-Resolution Policy), an ICANN policy administered by approved providers such as WIPO. WHOIS and registrar abuse contacts can help identify registrants for law enforcement, although registrant data has been heavily redacted since the GDPR-driven changes of 2018, so this is less reliable than it once was. Search engines increasingly deprioritize obviously spoofed domains.

Defensive capabilities exist but have gaps. Direct distribution by email bypasses search engine protections entirely. New keywords are introduced constantly, so preemptive registration can never be complete. Country-code and new generic TLDs multiply the variations an attacker can register. Small and medium-sized brands lack the resources for continuous domain monitoring. Many users do not inspect URLs before trusting a link. Reactive takedown processes remain far slower than domain registration, which takes minutes. Mobile browsers and mail clients often truncate or hide the full URL.

Organizations with strong security awareness programs achieve better results against combosquatting compared to those relying solely on technical controls. However, the scale of combosquatting—millions of domains across hundreds of brands—makes comprehensive defense challenging even for well-resourced organizations.

How can organizations defend against combosquatting?

Defense against combosquatting requires combining proactive registration, continuous monitoring, rapid takedown, and user education.

Implement brand monitoring by continuously watching new domain registrations (and newly issued certificates, see the technical controls below) for names that combine your brand with keywords, using an automated domain-monitoring service. Cover the common keyword combinations including "support," "security," "payment," "verify," "confirm," "login," and "account." Monitor across multiple TLDs including .com, .net, .org, and the newer gTLDs. Set up real-time alerts for each newly registered combosquatting domain so that blocking and takedown can start the same day.
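The monitoring step above (and the Certificate Transparency monitoring mentioned under technical controls) reduces to one classification: does the registrable part of a hostname embed the trademark together with extra characters, and is it not one of the domains the brand actually owns? The following Python example is added here and is not the page's or any vendor's code. The owned-domain allowlist, the abbreviated public-suffix table, and the sample feed are all constructed for the example.

```python
from __future__ import annotations
import re
from dataclasses import dataclass, field

# Abbreviated public-suffix data; an assumption for this example. A real
# monitor should load the full list from publicsuffix.org.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp", "com.br"}

# Brands to protect, mapped to the registrable domains the brand owner really
# controls (constructed allowlist, an assumption for the example).
BRANDS: dict[str, set[str]] = {
    "paypal": {"paypal.com", "paypalobjects.com"},
    "netflix": {"netflix.com"},
    "apple": {"apple.com"},
}

# Constructed sample of hostnames as they might arrive from a newly-registered-
# domain feed or a Certificate Transparency log; not real observations.
SAMPLE_FEED = [
    "www.paypal.com",
    "security.paypal.com",
    "paypal-security.com",
    "secure-paypal-login.co.uk",
    "paypalobjects.com",
    "netflix-payments.com",
    "applebees.com",
    "example.org",
]


@dataclass
class Finding:
    hostname: str
    brand: str
    verdict: str                               # "combosquat" or "legitimate"
    extra_tokens: list[str] = field(default_factory=list)


def registrable_domain(hostname: str) -> tuple[str, str]:
    """Split a hostname into (registrable label, public suffix), e.g.
    'a.b.paypal-security.co.uk' -> ('paypal-security', 'co.uk')."""
    labels = hostname.lower().strip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return labels[-3], ".".join(labels[-2:])
    if len(labels) >= 2:
        return labels[-2], labels[-1]
    return labels[0], ""


def classify(hostname: str, brands: dict[str, set[str]] = BRANDS) -> Finding | None:
    """Combosquat test on the registrable label only: the trademark must
    appear inside that label together with other characters. Subdomains of
    owned domains (security.paypal.com) resolve to the owned registrable
    domain and are legitimate; a bare brand under another TLD (paypal.xyz)
    is a TLD squat rather than a combosquat and returns None here."""
    label, suffix = registrable_domain(hostname)
    reg = f"{label}.{suffix}" if suffix else label
    for brand, owned in brands.items():
        b = brand.lower()
        if reg in owned:
            return Finding(hostname, brand, "legitimate")
        if b in label and label != b:
            # Whatever remains after removing the brand and separators is the
            # attacker's keyword ("security", "login", ...). This also fires on
            # unrelated names that merely contain the brand string
            # (applebees.com), which is why the owned/allow set matters.
            extra = [t for t in re.split(r"[-_]|" + re.escape(b), label) if t]
            return Finding(hostname, brand, "combosquat", extra)
    return None


def scan(feed: list[str], brands: dict[str, set[str]] = BRANDS) -> list[Finding]:
    """Return only the combosquat findings for a batch of hostnames."""
    findings = (classify(h, brands) for h in feed)
    return [f for f in findings if f is not None and f.verdict == "combosquat"]


if __name__ == "__main__":
    for f in scan(SAMPLE_FEED):
        print(f"{f.hostname:28} brand={f.brand:8} keywords={f.extra_tokens}")
```

The applebees.com hit is deliberate: plain substring matching over-reports on brands that are ordinary words, so a production monitor needs a curated owned/allow set per brand and human triage on the residue, which is the part no feed automates away.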

Deploy proactive domain registration: register the most likely brand-plus-keyword combinations before attackers can, prioritizing high-risk keywords such as "support," "security," "payment," and "verify," covering several TLDs (particularly .com, .net, and .org), and keeping the defensive registrations even when the domains are not in use. Complete coverage is impossible, since keywords, separators, and TLDs multiply quickly, but registering the most likely combinations reduces the attack surface.

Pursue UDRP complaints against known malicious domains promptly. The Uniform Domain-Name Dispute-Resolution Policy is set by ICANN and administered by approved providers such as WIPO; it is faster and cheaper than litigation. Keep documentation of your trademark rights and collect evidence of the abuse (screenshots, mail samples, registration dates). Work with counsel experienced in domain disputes, and establish a standing procedure so that a complaint can be filed as soon as a combosquatting domain is confirmed.

Implement email authentication on your own domains: SPF (Sender Policy Framework) to list authorized sending hosts, DKIM (DomainKeys Identified Mail) to sign outgoing mail, and DMARC (Domain-based Message Authentication, Reporting and Conformance) with a p=reject policy so that mail forging your exact domain in the From header is rejected. Be clear about the boundary: DMARC protects the domain you control. It cannot stop an attacker who owns "paypal-security.com" from sending fully authenticated mail from that domain, and it is precisely this pressure that pushes attackers toward combosquatted domains. Lookalike senders must be caught by the monitoring, blocking, and training controls in this list.
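The boundary described above is easy to see in code. The Python example below is added here (it is not the page's own code) and implements DMARC identifier alignment over constructed DNS records; the DMARC records, domains, and message results are assumptions for the example. It shows an exact-domain spoof of paypal.com being rejected while mail from the attacker-owned "paypal-security.com", signed with the attacker's own DKIM key, passes DMARC.

```python
from __future__ import annotations

# Constructed DMARC TXT records as they would be returned for _dmarc.<domain>;
# an assumption for this example (a real check does a DNS lookup). Note that
# the attacker-owned combosquat domain publishes a perfectly valid record too.
DMARC_RECORDS = {
    "paypal.com": "v=DMARC1; p=reject; adkim=s; aspf=s; rua=mailto:dmarc-rua@paypal.com",
    "paypal-security.com": "v=DMARC1; p=reject; adkim=r; aspf=r",
}


def parse_dmarc(txt: str) -> dict[str, str]:
    """Parse 'tag=value; tag=value' into a dict (tag names lower-cased)."""
    tags: dict[str, str] = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def org_domain(domain: str) -> str:
    """Organizational domain, simplified to the last two labels (assumption;
    production code must derive it from the public suffix list)."""
    return ".".join(domain.lower().split(".")[-2:])


def aligned(from_domain: str, auth_domain: str | None, mode: str) -> bool:
    """DMARC identifier alignment: strict ('s') needs an exact match, relaxed
    ('r') only needs the same organizational domain."""
    if auth_domain is None:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_evaluate(from_domain: str,
                   spf_domain: str | None, spf_pass: bool,
                   dkim_domain: str | None, dkim_pass: bool,
                   records: dict[str, str] = DMARC_RECORDS) -> tuple[str, str]:
    """Return (disposition, reason) for one message.

    disposition is 'pass' when an aligned SPF or DKIM result exists, otherwise
    the published p= policy ('reject', 'quarantine', 'none'), or 'no-policy'
    when the From domain publishes no usable DMARC record at all.
    """
    record = records.get(from_domain.lower())
    if record is None:
        return "no-policy", "no DMARC record for the RFC5322.From domain"
    tags = parse_dmarc(record)
    if tags.get("v") != "DMARC1":
        return "no-policy", "malformed DMARC record"
    if spf_pass and aligned(from_domain, spf_domain, tags.get("aspf", "r")):
        return "pass", "SPF passed and is aligned"
    if dkim_pass and aligned(from_domain, dkim_domain, tags.get("adkim", "r")):
        return "pass", "DKIM passed and is aligned"
    return tags.get("p", "none"), "no aligned authentication result"


if __name__ == "__main__":
    # 1. Exact-domain spoof of paypal.com sent from attacker infrastructure:
    #    SPF may pass for the attacker's envelope domain, but it is not aligned
    #    with the From domain, so paypal.com's p=reject applies.
    print(dmarc_evaluate("paypal.com", "bulk.attacker-mta.example", True, None, False))
    # 2. Mail from the attacker-owned combosquat domain, signed with its own
    #    DKIM key: passes, because DMARC only checks that the From domain
    #    authorized the sender, not whether the From domain is a lookalike.
    print(dmarc_evaluate("paypal-security.com", "paypal-security.com", True,
                         "paypal-security.com", True))
```

DMARC answers "did the From domain authorize this sender?", never "is the From domain the one the recipient thinks it is?"; the second question is what domain monitoring, blocklists, and user training exist for.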

Deploy user training through cybersecurity awareness training focusing on inspecting full URLs before clicking links, teaching users to verify sender domains match official organizational domains, educating users that legitimate organizations use consistent domain patterns, training users to navigate directly to official websites rather than clicking links in emails, and conducting simulated phishing exercises using combosquatted domains to test awareness.

Maintain network blocking: keep blocklists of known combosquatting domains in email filters and web proxies, subscribe to threat intelligence feeds that include combosquatting domains, use DNS filtering to block resolution of known malicious domains, and configure secure web gateways to block or warn on newly registered domains that match brand-plus-keyword patterns.

Monitor search result placement by monitoring search engines for malicious ads using brand plus keyword combinations, reporting malicious advertisements to search providers for removal, monitoring organic search results for combosquatted domains ranking for brand-related queries, and using trademark protection programs offered by major search engines.

Deploy technical controls including browser extensions that warn users about suspicious domains; Content Security Policy (CSP) on your own sites to restrict where pages may load resources from and submit forms to (the form-action directive), noting that CSP governs your pages and does nothing for a user who is already on an attacker's domain; Certificate Transparency log monitoring, since attackers obtain TLS certificates for combosquatting domains and every issued certificate is logged publicly; email link rewriting so that clicks on unverified domains are checked at click time; and DNS sinkholing for known malicious domains.

FAQs

How is combosquatting different from typosquatting?

Typosquatting exploits user typing errors by registering misspelled domains like "goggle.com," according to Georgia Tech and Akamai research published in 2017-2024. Combosquatting combines the legitimate brand name with keywords like "google-security.com," relying on social engineering rather than typos. Combosquatting is 100 times more prevalent than typosquatting.

The distribution mechanism differs fundamentally. Typosquatting is passive, waiting for users to mistype URLs. Combosquatting is active, with attackers distributing links via emails, advertisements, and social media. This active distribution makes combosquatting significantly more effective and scalable.

What keywords are most commonly abused in combosquatting?

The most common keyword is "support," according to Akamai research published in 2022. Other frequently abused keywords include "security," "payment," "verify," "confirm," "login," "account," and "authentication"—all designed to appear legitimate and contextually relevant.

These keywords work because they represent legitimate business functions. Users expect brands to have support portals, security pages, and payment systems. Attackers exploit these expectations by registering domains that appear to represent these functions.

How long do combosquatting domains typically stay active?

Research shows 60% of abusive combosquatting domains operate for over 1,000 days, nearly 3 years, according to Georgia Tech research. This extended lifespan makes them particularly dangerous and profitable for attackers. Many combosquatting domains remain active for years before being detected and taken down.

The long operational timeframe indicates that many combosquatting domains go undetected or that takedown procedures are slow. Organizations should implement continuous monitoring rather than one-time scans to identify combosquatting domains throughout their lifecycle.

What industries are most targeted by combosquatting attacks?

Financial institutions, email providers including Microsoft and Google, e-commerce and streaming platforms including Amazon and Netflix, and major cloud services are primary targets, according to Georgia Tech and Akamai research. Any large brand with a substantial user base and a financial incentive for attackers is at risk.

Brands in financial services see particularly high combosquatting activity because compromised credentials provide direct access to financial accounts. Technology brands face high targeting because their users often have valuable corporate credentials.

What legal recourse exists against combosquatting?

Trademark owners can file UDRP (Uniform Domain-Name Dispute-Resolution Policy) complaints, under the policy ICANN sets, with an approved provider such as WIPO; this is faster and cheaper than traditional litigation. National laws such as the US Anticybersquatting Consumer Protection Act (ACPA) also apply, but enforcement varies by jurisdiction.

UDRP is the most commonly used remedy because it resolves quickly, typically within 2-3 months, costs less than litigation, and applies across gTLDs regardless of where the registrar sits. The complainant must show all three elements: the domain is identical or confusingly similar to a mark in which it has rights, the registrant has no rights or legitimate interests in the domain, and the domain was registered and is being used in bad faith.

© 2026 Kinds Security Inc. All rights reserved.
