When customers think of typosquatting, they typically think of one variant: a domain that looks like the brand name with a single character changed. acmme.com instead of acme.com. The technique is real and common. It's also a small subset of the lookalike-domain landscape attackers actually use.
The full typosquatting family covers eight match-type variants. Detecting at scale means handling all of them.
Exact match
A domain registered with the brand name exactly, on a different TLD: acme.io when the legitimate brand is acme.com. Often used for cybersquatting (squatting on the domain to extract a sale) but also used for phishing where the TLD difference doesn't trigger user suspicion.
Contains match
A domain containing the brand name plus other characters: acme-support.com, secure-acme.com, acme-billing.net. Particularly common for customer-service-impersonation campaigns where the appended terms make the domain look like a legitimate support channel.
Fuzzy match
A domain that's a close-but-not-exact match through character substitution, deletion, or insertion: acmne.com, acmf.com, acmie.com. The classic typosquat: built around predictable typing errors.
Fuzzy contains match
Combining the above with brand-plus-suffix patterns: acmne-support.com. The intersection of typo-based fuzzy matching and customer-service-impersonation patterns.
Confusable exact match
A domain identical to the brand name but using visually similar characters from different scripts: a Cyrillic 'а' replacing a Latin 'a'. The character looks identical to readers but is technically a different Unicode character, and a different domain. Browsers may render them identically. This is the homoglyph attack.
Confusable contains match
Confusable characters used in brand-plus-suffix patterns: аcme-support.com where the 'a' is Cyrillic.
Confusable fuzzy match
Confusable characters combined with fuzzy substitution: аcmne.com (Cyrillic 'a' plus a fuzzy substitution). The detection equivalent of a defense-in-depth technique by attackers.
Confusable fuzzy contains match
Combining all three: confusable characters, fuzzy substitution, brand-plus-suffix pattern. The most sophisticated lookalike pattern, designed to evade detection that handles only the simpler variants.
Why all eight matter
A platform handling only "exact match" typosquats catches the obvious cases. Real defense requires detection across all eight variants, run continuously against newly-registered domains across the full domain corpus.
The practical impact is substantial. Phishing campaigns calibrate their domain selection to whatever evades a target's monitoring. A defense that catches three of eight match types is a defense whose blind spots get exploited. A defense that catches all eight forces phishers to escalate to other techniques.
Detecting at internet scale matters because the registration volume is enormous. Hundreds of thousands of domains register daily. The tiny fraction that match brand-protection rules across confusable, fuzzy, and contains patterns is where the signal lives. Surfacing it requires the data corpus and the matching logic working together.