The Gist
It only takes one typo. A single character change in an email domain cost a Connecticut school district over $6 million. The scam? Lookalike domains. A fraudster registered a domain nearly identical to a trusted vendor’s—changing just one letter—and used it to redirect payments. The result is a textbook case of modern social engineering: low effort, high payout, and invisible to traditional controls.
New research from BlueVoyant shows a sharp increase in the number of lookalike domains being used to facilitate email-based social engineering attacks and financial fraud scams. The attacks target a wide range of industries, including finance, construction, legal services, and insurance.
What are Lookalike Domains?
Lookalike domains are fake web addresses crafted to mimic real ones, often by changing a single character. Attackers might swap characters—like an “l” for a “1” or an “O” for a zero—or use an alternate top-level domain (TLD) like .co instead of .com, so that the domain is virtually identical to the genuine one. These subtle tricks are enough to convince employees—and sometimes even automated systems—that a spoofed email is the real deal.
How they’re doing it.
These attacks often begin with a fraudster registering a domain that closely mimics a trusted brand and setting up email servers behind it. With help from GenAI, attackers harvest personal and organizational details from data breaches, social media, and public records to craft believable, targeted messages. The result? Emails that look legitimate, sound familiar, and slip past defenses. They coax recipients into clicking malicious links, sharing credentials, or approving fraudulent payments.
What used to take hours of careful impersonation can now be executed in under 30 minutes with GenAI. Attackers can use AI tools to instantly generate realistic email copy in a vendor’s tone, set up lookalike domains like @vend0r-payments.com, and launch a believable scam with minimal effort. Because these emails don’t contain the usual “urgent wire transfer” language or phishing giveaways, they often evade traditional keyword filters and rule-based security systems entirely.
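The character swaps and TLD substitutions described above can be caught on the receiving side by comparing every sender domain against a known-vendor list. The following is an added example, not Trustmi’s or BlueVoyant’s code; the trusted domains and sample messages are constructed placeholders, and the homoglyph table is a deliberately small illustration.

```python
import unicodedata

# Constructed list of approved vendor domains (placeholders, not real vendors).
TRUSTED_DOMAINS = {"vendor-payments.com", "acme-construction.com"}

# Single-character look-alikes seen in lookalike domains: "0" for "o", "1" for "l".
# Both the sender domain and the trusted domain are normalised through this
# table, so "vend0r-payments.com" collapses onto "vendor-payments.com".
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l"})


def normalize(domain: str) -> str:
    d = unicodedata.normalize("NFKC", domain.strip().lower())
    # Two-letter imitations such as "rn" standing in for "m".
    return d.translate(HOMOGLYPHS).replace("rn", "m")


def edit_distance(a: str, b: str) -> int:
    """Standard Levenshtein distance, used to catch one-character edits."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_sender_domain(sender_domain: str, trusted=TRUSTED_DOMAINS):
    """Return (verdict, impersonated_trusted_domain_or_None)."""
    d = sender_domain.strip().lower()
    if d in trusted:
        return ("trusted", d)
    nd = normalize(d)
    name, _, tld = nd.rpartition(".")
    for t in trusted:
        tname, _, ttld = normalize(t).rpartition(".")
        if nd == normalize(t):                 # only homoglyphs differ
            return ("lookalike:homoglyph", t)
        if name == tname and tld != ttld:      # .co instead of .com
            return ("lookalike:tld-swap", t)
        if edit_distance(name, tname) == 1:    # one inserted/deleted/changed char
            return ("lookalike:one-char", t)
    return ("unknown", None)


def scan_messages(messages, trusted=TRUSTED_DOMAINS):
    """messages: iterable of (sender_address, subject). Returns alert dicts."""
    alerts = []
    for sender, subject in messages:
        verdict, match = classify_sender_domain(sender.rpartition("@")[2], trusted)
        if verdict.startswith("lookalike"):
            alerts.append({"sender": sender, "verdict": verdict,
                           "impersonates": match, "subject": subject})
    return alerts
```

A "lookalike" verdict on a sender asking to change remittance details is exactly the combination worth routing to a human before any payment is released.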
Trustmi’s Take
The real challenge isn’t catching typos—it’s spotting behaviors and signals.
At Trustmi, we analyze behavioral patterns across users, vendors, and transactions and layer in technical signals, like domain age, registration mismatches, and subtle inconsistencies between known vendors and new senders. A one-character domain swap might look legitimate to a human—or even to a system—unless it’s flagged in the context of the broader payment behavior.
Want to learn more about email-based cyberattacks? Check out the webinar, “Why Email is Still the Easiest Way in for Attackers”.