
Typosquatting – Who Are You Talking To?

Typosquatting is where someone else owns a web address, or domain, that looks just like yours. If your customers received an email from your web company, including all of your logos and details, would they notice if the domain were slightly misspelled?

How Does Typosquatting Work?

Anybody can buy any web address, known as a domain, that’s available.  You can go and buy ILoveBeatyConsultancy.com right now if you want to.  Then you can set up email, and send out any email you fancy, to anyone who would accept the email.  You control the domain, and you control the emails you send out.

Why Would Anyone Typo-Squat?

But you could also buy the domain BeatyConsultancyAreRubbish.com, and put anything you like on a website at that address. There’s nothing I can do about it. Here in the UK, slander laws are pretty woolly, and that’s before you add the complexity of the internet. So this covers someone buying a domain name based on a real one. But what if someone bought a domain name which looks the same as the real one if you’re not paying close attention? If you received an email from [email protected], would you notice the A and the E are the wrong way around? Most people wouldn’t.

Set The Rules

So how do you protect against this kind of “attack”? Well, you could buy up all the similar domains yourself. If you own WeSellOvalWheels.co.uk, you might want to buy WeSellOvalWheels.com too. But what about .uk, .net and .org too? And what about all the misspellings? A zero instead of a letter O in Oval? A 1 instead of an i? All of a sudden, you might need to buy tens or hundreds of domains at great expense.

Big companies do this already.  If you have enough money, why wouldn’t you?  But what about small businesses where it isn’t viable to spend hundreds or thousands of pounds every year on domain names?  As is so often the case, education is the answer.

What kinds of messages should your clients and partners expect from you?  Do you routinely send confidential information over email?  How do you manage passwords and shared resources?  If you have strict security protocols for these things, then why not set a hard-and-fast rule with the people you speak to, and agree that these types of information will never be exchanged via email?  Or if they are, they must call you on a phone number they already know, and get the secret from you that way.

Who Are You Talking To?

Of course none of this is completely foolproof. People make mistakes all the time. It’s what makes us interesting and awesome. By the way, my favourite human error is the 2005 Japanese stock trader who sold 650,000 shares for 1 yen, instead of 1 share for 650,000 yen.

Also, it’s going to get more difficult to prove you are who you say you are.  The phenomenon of DeepFakes means it is possible to use technology to spoof a voice on a phone call, as reported by The Verge.

Sensible Security

Any time we talk about security here at Beaty Consultancy, the message is to be sensible about it. We’re not all perfect, and we don’t all have an infinite budget of money and time to cover every eventuality. But what we always say is, do the easy things first. It’s easy to buy the .com version of your domain name, and it’s cheap, so just do it. It is also super easy to set expectations with your clients and suppliers about your security precautions, so next time you speak to them, just spend a minute outlining those practices. And lastly, just be aware of the risks. Now you know about typosquatting, you’re in a much better position to detect it, and defend against it.
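As an added example that is not part of the original article, here is a small Python check that a mail gateway or helpdesk could run over incoming From: headers to flag the lookalikes described above: transposed letters, a zero for an O, a 1 for an i, and the same name under a different suffix. The allow-list of owned domains, the sample headers and the `osa_distance`, `sender_domain` and `lookalike_of` helpers are all constructed for this illustration.

```python
import re

# Constructed allow-list of domains this business actually owns (assumption, not from the article).
TRUSTED_DOMAINS = {"wesellovalwheels.co.uk", "beatyconsultancy.co.uk"}

# Digits that pass for letters at a glance: the article's zero-for-O and 1-for-i swaps.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "i"})

def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: one edit per insertion, deletion,
    substitution, or swap of two adjacent characters ("beaty" vs "baety")."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # adjacent transposition
    return d[len(a)][len(b)]

def sender_domain(from_header: str) -> str:
    """Pull the domain out of a From: header such as 'Jo <jo@example.org>'."""
    match = re.search(r"@([a-z0-9.-]+)", from_header.lower())
    return match.group(1).rstrip(".") if match else ""

def lookalike_of(domain: str, trusted=TRUSTED_DOMAINS, max_distance: int = 1):
    """Return the trusted domain that `domain` resembles, or None when it is an
    exact trusted domain or unlike all of them. Only the first label is compared,
    so the same name under .com, .net or .org is flagged, as the article warns."""
    domain = domain.lower()
    if domain in trusted:
        return None
    label = domain.split(".")[0].translate(HOMOGLYPHS)
    for good in sorted(trusted):
        if osa_distance(label, good.split(".")[0].translate(HOMOGLYPHS)) <= max_distance:
            return good
    return None

if __name__ == "__main__":
    # Constructed sample headers: one genuine sender and three lookalikes.
    for hdr in ["Jo <jo@wesellovalwheels.co.uk>", "Jo <jo@wesell0valwheels.co.uk>",
                "Jo <jo@baetyconsultancy.co.uk>", "Jo <jo@wesellovalwheels.com>"]:
        print(hdr, "->", lookalike_of(sender_domain(hdr)))
```

A hit means the sender's domain is not one you own but reads like one, which is exactly the moment to fall back on the phone-call rule from the article rather than reply.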
