Look-alike domains: the near-identical emails that catch your finance team off guard
Fraudsters register domains that are almost identical to yours or your suppliers'. Here's how to spot a look-alike in thirty seconds — and how to protect your own brand.
You receive an email from a supplier or a customer. Everything checks out: the logo, the tone of voice, even the signature. But something feels off. Maybe the sender address looks ever so slightly different, or the domain ends in .co instead of .nl. Before you know it, you've sent sensitive information or a payment to someone impersonating a familiar company.
This trick is called look-alike domains: domain names that are almost identical to yours or your suppliers'. In 2026, it's one of the most common entry points for invoice fraud and CEO fraud targeting SMBs. In this post, we explain how it works and what you can do about it — no IT department required.
What exactly is a look-alike domain?
A look-alike is a domain name that appears identical to a legitimate domain at first glance, but with a small difference you won't catch if you're reading quickly. A few common variants:
- Different extension: yourcompany.com instead of yourcompany.nl, or .co, .biz, .info.
- Extra hyphen or word: yourcompany-invoices.nl, yourcompany-support.nl.
- Swapped letters: yourcmopany.nl — easy to read straight past.
- Number for letter: a 0 (zero) instead of an o, or a 1 instead of an l.
- Homoglyphs: characters from a different alphabet that look identical, such as a Cyrillic 'а' in place of a regular 'a'.
These domains are cheap to register, and fraudsters use them for two purposes: emailing your customers while posing as you, or emailing you while posing as one of your suppliers. In both cases, your name or relationship is the bait.
Why SMBs are the target
Large companies typically have a security team with tooling that watches for new domain registrations resembling their brand. Most SMBs don't. And that's precisely why the trick works so well at smaller companies: the finance team knows suppliers personally, payments move faster, and one person often handles both purchasing and payment. A single unnoticed look-alike domain, and €8,000 can end up in the wrong account just like that.
How to spot a look-alike
Four practical checks you can do in thirty seconds, for every email that contains anything financial or confidential:
1. Check the full sender address, not just the display name
The display name ("Jan from Supplier Ltd") is free text chosen by the sender, so it proves nothing. In Outlook or Gmail, expand the address and read the text after the @. Does the domain match your previous emails from that person exactly? Not sure? Pull up an old email from the same sender and compare it character by character.
2. Copy the domain and compare it with the real one character by character
Homoglyphs are invisible to the naked eye: a Cyrillic 'а' renders exactly like a Latin 'a', in Notepad as much as in your inbox. A diff tool comparing the suspicious domain with the real one character by character flags the difference immediately, because it compares the characters, not the shapes. A second tell: many mail clients and browsers show a domain containing non-Latin letters in its Punycode form, which starts with xn--. This check takes ten seconds and catches most subtle variants.
3. Check how old the domain is
Fraudulent domains are often just days or weeks old. A WHOIS or RDAP lookup shows the registration (creation) date; even when the registrant's details are redacted for privacy, that date is normally still visible. Receiving an "urgent" invoice from a domain that only came into existence last month? Pick up the phone. Every time. An old domain is no guarantee either: age is one signal, not a verdict.
4. Compare against your own supplier list
Keep a simple record of the exact domains your regular suppliers use. A spreadsheet works fine. When in doubt: look it up, compare, call. Use the number you already have on file — not the one in the suspicious email.
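The four checks above, minus the phone call, as a script you can run on a sender address before paying anything. This is an added example, not code from the original post: the supplier list and all sample addresses are constructed, the homoglyph table covers only a handful of Cyrillic letters, and the similarity threshold of 0.85 is an assumption to tune against your own supplier list.

```python
import difflib
import re
import unicodedata

# Constructed sample: the exact domains your regular suppliers mail from.
# In practice this is the spreadsheet from check 4 (assumed contents).
KNOWN_SUPPLIERS = {"supplier.nl", "metaalhandel-jansen.nl"}

# Digits fraudsters drop in for letters: 0 for o, 1 for l, 3 for e, 5 for s.
DIGIT_SWAPS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})

# A few Cyrillic letters that render identically to their Latin counterparts
# (assumption: a small table; production tooling uses Unicode's full confusables list).
HOMOGLYPHS = str.maketrans({
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u0456": "i",
})

# How alike two names must be before we call it a typo variant (assumed threshold).
TYPO_THRESHOLD = 0.85


def sender_domain(address: str) -> str:
    """Domain part of 'Display Name <user@domain>' or 'user@domain', lowercased."""
    match = re.search(r"<([^<>]+)>\s*$", address)
    addr = match.group(1) if match else address.strip()
    return addr.rsplit("@", 1)[-1].lower()


def punycode(domain: str) -> str:
    """ASCII (xn--) form of an internationalised domain; unchanged for plain ASCII."""
    return domain.encode("idna").decode("ascii")


def scripts(domain: str) -> set:
    """Unicode scripts of the letters in a domain, e.g. {'LATIN', 'CYRILLIC'}."""
    return {unicodedata.name(c).split()[0] for c in domain if c.isalpha()}


def classify(address: str, known=KNOWN_SUPPLIERS) -> tuple:
    """Classify a sender address against the known supplier domains.

    Returns (verdict, detail). Verdict is one of: known, homoglyph, tld-swap,
    hyphen-variant, digit-swap, typo, unknown. Anything but 'known' means:
    pick up the phone, using the number already on file.
    """
    domain = sender_domain(address)
    if domain in known:
        return "known", domain

    # Check 2: non-ASCII letters. Any mixed-script domain is suspect; if folding
    # the homoglyphs to Latin yields a known supplier, it is a deliberate clone.
    if any(ord(c) > 127 for c in domain):
        folded = domain.translate(HOMOGLYPHS)
        if folded in known or len(scripts(domain)) > 1:
            return "homoglyph", f"{punycode(domain)} looks like {folded}"

    name, _, tld = domain.rpartition(".")
    for real in sorted(known):
        real_name, _, real_tld = real.rpartition(".")
        # Same name, different extension: supplier.com instead of supplier.nl
        if name == real_name and tld != real_tld:
            return "tld-swap", f"{domain} uses .{tld}, the real supplier uses .{real_tld}"
        # Real name plus a hyphenated word: supplier-invoices.nl
        if name != real_name and f"-{real_name}-" in f"-{name}-":
            return "hyphen-variant", f"{domain} embeds {real}"
        # Digit for letter: supp1ier.nl
        if name.translate(DIGIT_SWAPS) == real_name:
            return "digit-swap", f"{domain} mimics {real}"
        # Swapped, dropped or doubled letters: suppiler.nl
        ratio = difflib.SequenceMatcher(None, name, real_name).ratio()
        if ratio >= TYPO_THRESHOLD:
            return "typo", f"{domain} is {ratio:.0%} similar to {real}"
    return "unknown", domain


if __name__ == "__main__":
    # Constructed sample senders; only the first is genuine.
    for sample in ("Jan Jansen <jan@supplier.nl>", "jan@supplier.com",
                   "jan@supplier-invoices.nl", "jan@supp1ier.nl",
                   "jan@suppiler.nl", "jan@suppli\u0435r.nl"):
        print(f"{sample:32} -> {classify(sample)}")
```

The order of the checks matters: the homoglyph test runs first because a mixed-script domain is suspicious regardless of what it resembles, and the exact-match test runs before everything else so a genuine supplier never trips the similarity threshold. Tune TYPO_THRESHOLD downwards if your suppliers have short names, and expect some false positives: the script is there to decide who to call, not to decide who to pay.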
Protect your own domain too
Look-alikes aren't only a risk for incoming mail. Fraudsters can also register a domain that resembles yours and use it to approach your customers. Three things you can do about it yourself:
- Register the obvious variants yourself. Have a .nl? Grab the .com, .eu, and any hyphenated variants too. It costs a few euros a year and saves a lot of headaches.
- Set up SPF and DKIM, then publish a DMARC policy of p=reject. Receivers that enforce DMARC will then refuse mail that forges your exact domain in the From address; without DMARC, spoofing your exact domain is trivially easy. Note what DMARC does not do: it says nothing about yourcompany-invoices.nl or yourcompany.co, because those are different domains with their own (or no) policy. That is what registering the variants is for.
- Search for your own brand name occasionally. Google your company name once a quarter and keep an eye out for odd variants in the results.
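A generator for the obvious variants of your own domain, to produce the registration shopping list from the first bullet or the watch list you check in WHOIS/RDAP each quarter. Added example, not from the original post: the set of extensions and add-on words is an assumption, as is the letter-to-digit table, and the sample domain yourcompany.nl is constructed.

```python
# Extensions worth covering for a Dutch SMB (assumption; extend for your markets).
EXTENSIONS = ("nl", "com", "eu", "co", "net", "org", "info", "biz")

# Words fraudsters bolt on with a hyphen to look like a department (assumption).
ADD_ONS = ("invoices", "facturen", "support", "finance", "billing")

# Letter-to-digit substitutions that survive a quick read.
DIGIT_FOR_LETTER = {"o": "0", "l": "1", "i": "1", "e": "3", "s": "5"}


def extension_variants(name: str, tld: str) -> set:
    """Same name under every other extension: yourcompany.com, yourcompany.eu, ..."""
    return {f"{name}.{ext}" for ext in EXTENSIONS if ext != tld}


def hyphen_variants(name: str, tld: str) -> set:
    """Name plus a hyphenated department word: yourcompany-invoices.nl"""
    return {f"{name}-{word}.{tld}" for word in ADD_ONS}


def swap_variants(name: str, tld: str) -> set:
    """Every adjacent-letter swap: yourcmopany.nl (skips swaps of identical letters)."""
    out = set()
    for i in range(len(name) - 1):
        if name[i] != name[i + 1]:
            out.add(f"{name[:i]}{name[i + 1]}{name[i]}{name[i + 2:]}.{tld}")
    return out


def digit_variants(name: str, tld: str) -> set:
    """One letter at a time replaced by its look-alike digit: y0urcompany.nl"""
    return {
        f"{name[:i]}{DIGIT_FOR_LETTER[c]}{name[i + 1:]}.{tld}"
        for i, c in enumerate(name) if c in DIGIT_FOR_LETTER
    }


def lookalikes(domain: str) -> list:
    """All variants of a domain worth registering or watching, sorted, own domain excluded."""
    name, _, tld = domain.lower().rpartition(".")
    variants = (extension_variants(name, tld) | hyphen_variants(name, tld)
                | swap_variants(name, tld) | digit_variants(name, tld))
    variants.discard(domain.lower())
    return sorted(variants)


if __name__ == "__main__":
    # Constructed sample; prints the list one domain per line for a WHOIS/RDAP loop.
    print("\n".join(lookalikes("yourcompany.nl")))
```

Register the ones that matter and look the rest up periodically: the point of a quarterly WHOIS/RDAP run over this list is to notice a variant the moment someone else registers it, which is weeks before the first forged invoice lands with your customers.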
What to do when you find a look-alike
Found a domain impersonating your business, or one of your suppliers? Here's what to do:
- Report it internally: email your finance team and management so nobody else falls for it.
- Report it to the registrar (the company through which the domain was registered; a WHOIS lookup shows which one). Registrars often take a domain offline after a well-documented abuse complaint.
- If money has been lost: file a police report and notify the Fraudehelpdesk.
- Warn your customers or suppliers so they don't fall into the same trap.
In short
Look-alike domains are cheap, quick, and effective — which is exactly why fraudsters love them. The defence is equally straightforward: train your team to read the full sender address, use a diff tool when in doubt, maintain a supplier domain list, and make sure your own domain isn't easy to spoof.
Want to quickly check whether two domains or email addresses are truly identical? Use our diff tool. And if you want to know whether your own email security is up to scratch, take a look at our email security (SPF/DKIM/DMARC) check.
Full guide: Security for SMBs without an IT department: what do you do this quarter?
This article is part of our comprehensive Security without an IT department guide. Read the pillar for the complete picture.