Find out how to stop cyber criminals cashing in on misspellings to deprive your charity of much-needed donations.
Falling victim to a typosquatting attack could cost your charity thousands or even millions of pounds in lost donations. For that reason alone, it is important to understand what typosquatting is, and how to prevent it.
Typosquatting is a type of cyber threat that charities face for the simple reason that many people make mistakes, or typos, when they type the web address of a charity – for example, goolge.com instead of google.com.
Typo squatters – who are often cyber criminals – exploit this fact by registering common misspellings of charity names as domain names. That means that when someone makes a typo when they enter the address of a charity into their web browser, they end up at the typo squatter’s website instead of the charity’s.
If this website is designed to look and feel like the genuine charity site, then visitors who want to make a donation to the charity may end up mistakenly making a payment to the cyber criminals. This is of particular concern during the COVID-19 pandemic when cyber criminals are looking to exploit the fact that many people are looking to make charitable donations to help out. For example, in the United States, the FBI found that criminals were collecting funds that donors thought they were giving to the American Red Cross, according to Jeremy Hendy, Chief Executive of digital risk protection company, Skurio.
To make things worse, the typo squatters may also make a record of the credit card number and other personal information that the victim enters, and then sell it on the dark web or use these details to commit fraud. Another (albeit less common) threat is that the websites may automatically download malware such as ransomware onto the unwitting visitor’s computer.
Other typo squatters may be opportunists rather than cyber criminals, exploiting the traffic directed to their site due to the typos to earn money by displaying ads.
Cyber criminals may also send out phishing emails purporting to be from a charity asking for donations, with a link to their fake charity website. Since their typosquatting domain name is very similar to the genuine charity’s domain name, the victim might not notice when they click on the link and end up at a fake website.
Research by the security company, Domain Tools, found that cyber criminals had registered typosquatting domains related to many popular charities (although some of these may no longer be operational).
The best way to protect your charity against typosquatting is to be proactive by registering any domain names which are common misspellings of your real domain name.
Registering domain names is relatively inexpensive, and by registering a dozen or more you could save your charity a great deal of money in lost donations.
There are three popular ways to work out what domain names to register:
1. Find out what typos you make. This involves you (and other volunteers if possible) typing your domain name out many (perhaps one hundred) times and then looking at what the most common typos were.
2. Create a typo and misspelling list. This second option involves looking at your domain name and modifying it in different ways such as transposing pairs of vowels (such as domian instead of domain), making simple spelling mistakes such as using a single "l" instead of a double "ll", or replacing the letter "m" with the letters "r" and "n" or the letter "l" with the digit "1".
3. Generate a list automatically using a tool such as DNStwister or Domain Check. Both of these tools use your charity’s domain name to generate a list of possible typosquatting domain names that you may wish to register.
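The modifications listed in option 2 can be applied mechanically to build a first list of defensive registrations. The script below is an added example, not code from this article or from DNStwister or Domain Check; it widens the vowel swap to any adjacent pair of characters (which also covers the goolge.com case), and the function name `typo_candidates` and the domain `smallcharity.example` are made up for illustration.

```python
# Added example: candidate typo domains built from the modifications listed above.
VOWELS = set("aeiou")
LOOKALIKES = {"m": "rn", "l": "1"}  # substitutions named in the article


def typo_candidates(domain):
    """Return {candidate_domain: technique} for one registrable domain.

    Assumes the input has no subdomain (no leading "www.").
    """
    label, _, suffix = domain.lower().partition(".")
    found = {}

    def add(new_label, technique):
        # Never report the genuine domain; keep the first technique seen.
        if new_label != label:
            found.setdefault(f"{new_label}.{suffix}", technique)

    for i in range(len(label) - 1):
        a, b = label[i], label[i + 1]
        # Swap neighbouring characters: "domain" -> "domian", "google" -> "goolge".
        # Hyphens are left in place so a label never starts or ends with one.
        if a != b and a != "-" and b != "-":
            both_vowels = a in VOWELS and b in VOWELS
            kind = "vowel-transposition" if both_vowels else "transposition"
            add(label[:i] + b + a + label[i + 2:], kind)
        # Collapse a doubled letter: "ll" -> "l".
        if a == b:
            add(label[:i] + label[i + 1:], "dropped-double-letter")

    for i, ch in enumerate(label):
        if ch in LOOKALIKES:
            add(label[:i] + LOOKALIKES[ch] + label[i + 1:], "lookalike-substitution")
    return found


if __name__ == "__main__":
    # "smallcharity.example" is a constructed domain, not a real organisation.
    for name, technique in sorted(typo_candidates("smallcharity.example").items()):
        print(f"{technique:24} {name}")
```

The output is a list to check against a registrar for availability, or against a Whois service to see which variants someone else already holds.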
Other measures you can take include:
If you notice a sudden drop in traffic to your website or a drop in online donations at your website, then typosquatting could be the reason. If you discover a site which is typosquatting, then the first thing to do is contact the registrant of the domain if you can. You can sometimes find the details of the owner using a Whois service such as who.is, or whois.com, or by carrying out a more complete Whois search.
If you can contact the owner, ask them to transfer the domain to you, either for nothing or for a small payment. Paying a typo squatter may be an unattractive proposition but if they are causing harm to your charity it may be the quickest and lowest cost solution.
An alternative approach in the UK is to use Nominet’s Dispute Resolution Service (DRS). Nominet is the official registry for UK domain names. For non-UK domain names it may be possible to take advantage of the Uniform Domain-Name Dispute-Resolution Policy (UDRP) set up by the Internet Corporation for Assigned Names and Numbers (ICANN). ICANN is a global partnership that helps manage the internet.
The final option is to take legal action: in the UK you may be able to sue on the grounds of fraud, or copyright or trademark violation. In the United States, you can use the provisions of the Anti-cybersquatting Consumer Protection Act (ACPA).