Ask Jack: What Do You Know About The Re-Emergence Of Typosquatting?

By Jack McCalmon, The McCalmon Group, Inc.

I recently received an email, asking me to visit a vendor's site, but it had a hyphen in the URL. I don't remember a hyphen. I deleted the email.  Did I do the right thing?


You did the right thing - when in doubt, never select an embedded link from an email or text.

It is hard to know, but the email you received may have been a social engineering scam called "typosquatting". In a typical typosquatting scam, criminals mimic the design of a popular website and register a URL nearly identical to the site mimicked.

The difference between the real URL and the imposter is often very subtle like an added letter, often an "s"; an added word like "the" ; an added punctuation like an apostrophe; or an added symbol like a hyphen. These changes often escape spell checkers and browser security. They can entrap those that make a typo when entering a URL or simply believe the imposter URL is correct.

Typosquatting has been around for a while, but it is making a comeback. According to one investigation, "200 fake domains impersonating 27 popular brands to trick users into downloading Android and Windows malware" were recently discovered.

To prevent being ensnared by typosquatting, you should avoid links in emails and texts. Instead, go to a trusted search engine and search independently of an email or text. Additionally, make sure you are typing in the correct URL when you are visiting a site. If the site is flagged as unsafe or looks off, even by a little bit, then do not enter any information.

The final takeaway is that typosquatting is a simple, but effective method of deception, especially when embedded in an email from a source believed to be trustworthy.

Jack McCalmon, Leslie Zieren, and Emily Brodzinski are attorneys with more than 50 years combined experience assisting employers in lowering their risk, including answering questions, like the one above, through the McCalmon Group's Best Practices Help Line. The Best Practice Help Line is a service of The McCalmon Group, Inc. Your organization may have access to The Best Practice Help Line or a similar service from another provider at no cost to you or at a discount. For questions about The Best Practice Help Line or what similar services are available to you via this Platform, call 888.712.7667.

If you have a question that you would like Jack McCalmon, Leslie Zieren, or Emily Brodzinski to consider for this column, please submit it to Please note that The McCalmon Group cannot guarantee that your question will be answered. Answers are based on generally accepted risk management best practices. They are not, and should not be considered, legal advice. If you need an answer immediately or desire legal advice, please call your local legal counsel.


Finally, your opinion is important to us. Please complete the opinion survey:

What's New

Ask Jack: Home Office Data Security First Steps

Jack McCalmon offers some data security steps for home offices.?

Ask Jack: Should We Allow Employees To Play Games On Their Laptops?

An employer wants to keep employees happy. One idea is to allow employees to game during work breaks. Jack examines the cyber risks.

Ask Jack: If There Is No Evidence Of Data Being Stolen, Can I Still Be Held Responsible?

Jack McCalmon talks about the importance of not just post-breach exposures, but pre-breach exposures as well.