
Why Digital Squatting Still Works in 2026—And Why Defense Is So Hard

Stephanie Schneider, published February 27, 2026

Digital squatting and phishing are often treated as separate threat vectors, but they are deeply intertwined. Digital squatting is an umbrella term for various deceptive tactics that aim to capitalize on established brands and differ in their specific techniques. If phishing is the scam message, then digital squatting is the trap. Phishing convinces the victim to click. Digital squatting gives them a believable place to land and unknowingly hand over credentials and other sensitive information.

These attacks are indiscriminate and take advantage of a huge attack surface that is nearly impossible to stay ahead of. Especially now that automation and AI have entered the group chat, it’s like forcing security teams into a one-on-one defense scenario where the adversary has endless stamina, instant playbooks, and the ability to change tactics in real time.

Together, digital squatting and phishing can form one of the most successful, scalable, and low-cost social engineering attack chains used by cybercriminals. Here’s how they connect.

Digital squatting creates fake websites that look real.

Fake and lookalike domains are the front end of modern attacks. They’re used to deliver phishing, malware, and business email compromise, often bypassing traditional perimeter defenses because the infrastructure lives outside the company’s network. 

Cybercriminals use fake domains because they’re one of the most efficient ways to steal credentials without touching a company’s network. Attackers register web addresses that look almost identical to companies’ real sites—sometimes with just one letter changed. They then use these lookalike websites to fool employees or customers into thinking they’re interacting with your business. Given the massive attack surface, brands cannot defensively register everything, which leaves the doors open to attacks.

Common tactics to make websites appear legitimate include the following:

  • Typosquatting: registering commonly misspelled brand names (e.g., gogle[.]com instead of google[.]com)
  • TLD abuse: substituting top-level domains (e.g., “google.co” instead of “google.com”)
  • Homograph attacks: swapping in look-alike characters, such as similar-looking numbers and letters, letters from other alphabets (often delivered as punycode), and more
  • Combosquatting: adding keywords like “support,” “secure,” or “login” to the real brand name (e.g., “secure-bank.com”)
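As an added example (my own illustration, not code from the original post), here is a Python classifier that names which of the four tactics above a candidate domain uses against a protected brand domain; it accepts defanged names like those quoted later in the post and decodes punycode for the homograph case, which is also the kind of check a brand-monitoring feed would run over newly registered domains. The keyword list, the confusables table and the "last two labels" domain rule are simplifying assumptions.

```python
import unicodedata

# Constructed for this example: brand-pairing keywords and a small confusables table.
COMBO_WORDS = {"support", "secure", "login", "account", "help", "vpn", "sso"}
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w",
               "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c"}

def split_domain(name):
    """(second-level label, tld); accepts defanged names like gogle[.]com.
    Assumes a single-label public suffix, so .co.uk-style suffixes are out of scope."""
    parts = name.lower().replace("[.]", ".").strip(".").split(".")
    return parts[-2], parts[-1]

def levenshtein(a, b):  # edit distance; a transposition (znedesk/zendesk) costs 2
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def fold_confusables(label):
    """Decode punycode, strip accents, and map look-alike characters to ASCII."""
    if label.startswith("xn--"):
        try:
            label = label.encode("ascii").decode("idna")
        except UnicodeError:
            return label
    label = unicodedata.normalize("NFKD", label)
    label = "".join(c for c in label if not unicodedata.combining(c))
    for look_alike, real in CONFUSABLES.items():
        label = label.replace(look_alike, real)
    return label

def classify(candidate, brand):
    """Name the squatting tactic a candidate domain uses against a brand domain."""
    brand_label, brand_tld = split_domain(brand)
    label, tld = split_domain(candidate)
    if (label, tld) == (brand_label, brand_tld):
        return "legitimate"
    if label == brand_label:
        return "tld-abuse"                  # google.co
    if fold_confusables(label) == brand_label:
        return "homograph"                  # g00gle.com, Cyrillic letters, punycode
    words = label.replace("_", "-").split("-")
    if brand_label in words and COMBO_WORDS.intersection(words):
        return "combosquat"                 # vpn-zendesk.com, secure-bank.com
    if levenshtein(label, brand_label) <= 2:
        return "typosquat"                  # gogle.com, znedesk.com
    return "unrelated"
```

The checks are ordered so that a digit-for-letter swap is reported as a homograph rather than as a generic typo, since both rules would otherwise match it.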

These fake sites make phishing attacks far more convincing.

These attacks are particularly effective because they use social engineering elements to bypass security safeguards. Instead of obvious scam links, attackers send emails or texts that appear legitimate because the link looks like a real domain. Attackers hope victims don’t notice misspelled domains that appear similar to trusted brands, or maybe it’s difficult to see the entire URL before clicking on it from a mobile device. Employees see what their eyes expect and click without hesitation. If attackers can impersonate your brand, they can target your users without ever touching your systems. 

Digital squatting isn’t just about tricking computers – it's also about manipulating human trust at scale. This tactic works because it turns human behavior into the attack surface, taking advantage of our trust in brand credibility and familiarity. Combine a perfect email with a perfect-looking website, and the scam becomes extremely believable.

It takes only one click to have devastating consequences.

Even one employee entering credentials into a fake website can give attackers email access, customer and/or corporate data, billing credentials, or cloud platform access. One compromised account can cascade quickly.

For instance, security researchers discovered over 40 typosquatted Zendesk domains such as znedesk[.]com and vpn-zendesk[.]com, crafted to mimic real Zendesk login portals. These fake sites hosted fraudulent single sign-on (SSO) pages specifically designed to steal credentials. Victims were often lured through phishing emails, fraudulent support tickets linking to the fake domains, and login prompts that captured credentials before redirecting. This campaign aligns with earlier Scattered Lapsus$ attacks against Salesforce using similar typosquatted infrastructure.

How are attackers using digital squatting to target brands and users?

This attack generally involves luring victims to a fake lookalike site hosting a cloned real login page. When users enter their usernames and passwords, the attacker captures them in real time, and the victim is often redirected to the real site to avoid raising any suspicions. Modern fake-domain kits now allow attackers to capture MFA tokens or session cookies and proxy logins in real time. 

Digital squatting isn’t a new tactic, but AI is evolving it faster and at greater scale than ever before. The recent uptick in digital squatting is directly linked to the commodification of cybercrime through Generative AI (GenAI) and autonomous attack agents. These technologies have enabled threat actors to scale the creation and management of malicious domains at an unprecedented rate. AI-driven digital squatting makes it cheap and fast to generate thousands of believable domain variations, create polished phishing sites and emails, and scale attacks. For instance, threat actors are utilizing both legitimate Large Language Models (LLMs) and purpose-built "Dark LLMs" to automate the squatting lifecycle.  

How can LastPass help prevent fallout from these attacks?

The LastPass TIME team regularly monitors for phishing campaigns leveraging our branding targeting LastPass customers. When it pops up, we work to quickly take down and publicly report this activity as soon as it’s detected. 

Credential theft rose 160% in 2025, and the fastest-growing tactic behind that surge is deceptively simple. As mentioned, attackers are creating fake versions of legitimate sites with URLs engineered to trick your eyes, especially when you're busy or distracted. But here's what makes LastPass your ally: it helps you catch the trick. Via domain binding, LastPass "binds" your credentials to the exact domain where you created them, so it autofills your information only on sites it recognizes; a lookalike domain does not match, even if the site looks perfectly familiar to you. LastPass is a defense that helps you stay safe even on your worst, most distracted day. Try LastPass today to start protecting yourself now.
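To make the domain-binding idea concrete, here is an added example (my own illustration, not LastPass code) of a vault that releases a saved credential only when the page's real registrable domain equals the one the credential was saved on. It assumes matching at the registrable domain (last two labels) over HTTPS only, with the hostname normalised to punycode so look-alike Unicode names cannot match.

```python
from urllib.parse import urlsplit

# Constructed vault for this example: credentials keyed by the registrable domain
# they were saved on. The matching rule below is an assumption, not LastPass's code.
VAULT = {"example.com": ("alice@example.com", "correct-horse-battery")}

def registrable_domain(host):
    """Normalise a hostname to its registrable domain in ASCII (punycode) form.
    Assumes a single-label public suffix such as .com; returns None if unusable."""
    try:
        ascii_host = host.lower().rstrip(".").encode("idna").decode("ascii")
    except UnicodeError:
        return None
    labels = ascii_host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else None

def credentials_for(vault, page_url):
    """Release a credential only when the page's registrable domain exactly equals
    the domain it was saved on, over HTTPS. Look-alikes never match because the
    comparison is on the real name, not on what the name looks like."""
    parts = urlsplit(page_url)
    if parts.scheme != "https" or not parts.hostname:
        return None                         # no autofill into plaintext HTTP
    domain = registrable_domain(parts.hostname)
    return vault.get(domain) if domain else None
```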

What practical steps can SMBs take to protect themselves from digital squatting scams? 

The faster organizations identify and disable digital squatting campaigns, the more effectively they can protect credentials and control risk. Here are a few simple steps SMBs can take to better protect themselves against these threats:

  • Register obvious variations of your domain (cheap and effective).
  • Enable MFA everywhere (cuts off most credential theft).
  • Use email security tools that check for lookalike domains. Tools like DNS firewalls can automatically block employees from visiting risky websites, especially brand-new or suspicious lookalike domains.  
  • Train employees to hover over links before clicking and check whether they are legitimate.
  • Monitor for new domains impersonating your brand. Early alerting and rapid takedown procedures are essential to limit the dwell time of malicious infrastructure. 
  • Shadow AI visibility is a growing concern. Monitor internal use of AI tools to prevent data leaks that hand attackers the specific keywords, document naming conventions, or system maps they need to create highly effective impersonation domains. Shadow AI leaks more than people realize: it quietly teaches outsiders how your organization works without anyone having to hack systems. If employees paste real internal content into AI tools, that can reveal naming conventions for systems and documents, folder structures, and more, all of which can be leveraged in digital squatting and other social engineering attacks.

Digital squatting includes typosquatting, combosquatting, TLD abuse, and homograph attacks. These deceptive tactics all aim to capitalize on established brands and differ in their specific techniques.

Common tactics include typosquatting (registering misspelled brand names), substituting top-level domains (e.g., “.co” instead of “.com”), and character swaps (replacing similar-looking numbers, letters, foreign alphabets, punycode, and more). Adding keywords like “support,” “secure,” or “login” to the real brand name can also make websites appear legitimate (e.g., “secure-bank.com”).

Recognize phishing tactics scammers frequently use, like a sense of urgency or threats, requests for personal information, and suspicious links or attachments. Secure your accounts and devices by using strong, unique passwords (a password manager can help you manage these securely), enabling multi-factor authentication, which adds an extra layer of security, and keeping software updated to protect against vulnerabilities. Using passkeys is also a secure way to help protect your accounts against phishing: they use unique, device-bound cryptographic keys instead of passwords, eliminating attackers’ ability to use stolen credentials.

Any organization with a trusted brand is a prime target for fake domains. SMBs are especially vulnerable to fake domains because they frequently have smaller teams and budgets to defend against these tactics.  
