
Lookalike domain scams: what your business needs to know

Attackers register near-identical misspellings of trusted company names to steal credentials. Standard email filters miss them. Here’s what actually helps.

By The Dragon Digital team


Picture this: your finance person receives an urgent email from what looks like your accountant. The domain is almost right, ‘acountants-uk.com’ instead of ‘accountants-uk.com’, close enough that most people won’t notice under time pressure. They click the link, type in their login details, and the attacker is in.

This is a lookalike domain scam, and it’s on the rise. Attackers register deliberate misspellings of trusted company names, swapping letters, adding hyphens, or using a different ending (.co.uk instead of .com), then send emails that look like they’re from a supplier, accountant, or bank. The cunning part is that the domain itself is real and registered, so standard email filters wave it through. Even the technical controls that stop spoofed emails (DMARC, SPF, and DKIM, the checks that verify a sender is who they claim to be) don’t help here, because the attacker isn’t spoofing anything. They’ve just registered a domain that looks right at a glance.

Why small businesses are in the firing line

Smaller firms tend to get hit harder because they often don’t have additional email security tools beyond whatever came in the box. If you run a ten-person professional services firm in Mold or Denbigh, you’re working with suppliers and clients over email every day, and that’s exactly the environment these attacks are built for. What makes it worse is that a successful attack on your business can also be a side door into your larger clients’ systems. Supply chain risk runs both ways.

The emails usually carry urgency: ‘urgent payment needed’, ‘please verify your details’, ‘update your credentials now’. Staff are busy. A one-letter typo in a domain name is easy to miss when you’re juggling five other things.

What actually helps

Takedown requests for fraudulent domains exist, but they’re slow and attackers have usually moved on by the time anything happens. Prevention matters more:

  • Password managers. These only autofill on the exact domain they were set up for. If staff have saved credentials for ‘accountants-uk.com’, the password manager won’t autofill on the lookalike; the user pauses, notices something is off, and checks. This one change catches a lot.
  • Staff awareness. Train people to hover over links before clicking, to see where they actually lead. More importantly, build a culture where ‘I’m not sure, let me ring them on a number I already have’ is praised rather than seen as wasting time.
  • Domain monitoring. Some services watch for lookalike registrations of your own company name and alert you early. Useful if your business name is regularly impersonated.
  • Report suspicious emails. The NCSC runs a forwarding service for suspected phishing; forwarding these emails helps get fake sites taken down faster.
  • Enhanced email filtering. If you handle client payments or sensitive data, email security tools that flag unusual sender behaviour add a genuinely useful layer on top of the basics.

This kind of attack looks like staff carelessness after the fact, but it’s really a gap in defences, and most of those defences can be put in place fairly quickly. According to the 2025 government cyber survey, phishing accounts for 85% of UK business breaches, and lookalike domains are one of the main delivery methods.
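The two mechanisms above that a machine can apply, the password manager’s exact-domain rule and a domain-monitoring watch list, can be shown in a few lines. The script below is an added example written for this article, not Dragon Digital’s own tooling or any product’s code. It builds a watch list of one-edit misspellings and alternative endings for the article’s example domain ‘accountants-uk.com’ (letters dropped or swapped, hyphens added or removed, visually similar characters, a different ending), then sorts a handful of constructed sender addresses into ‘trusted’ (exact match only), ‘lookalike’ or ‘unrelated’. The substitution table, the list of endings and the sample addresses are assumptions for the demonstration; input domains are assumed to be registrable domains with no subdomain.

```python
"""Lookalike-domain watch list and inbound-sender check.

Added example, not Dragon Digital's tooling. It protects the article's
own example domain 'accountants-uk.com' and runs over a few constructed
sender addresses. Domains are assumed to be registrable domains with no
subdomain, e.g. 'accountants-uk.com' or 'accountants-uk.co.uk'.
"""

# Legitimate domain the business exchanges mail with (the article's example).
TRUSTED_DOMAIN = "accountants-uk.com"

# Deliberately small, assumed tables: characters that look alike at a glance,
# and endings a reader may not distinguish from the real one.
HOMOGLYPHS = {"o": "0", "l": "1", "i": "1", "a": "4", "e": "3", "s": "5", "m": "rn"}
TLDS = ["com", "co.uk", "uk", "net", "org"]


def split_domain(domain):
    """'accountants-uk.co.uk' -> ('accountants-uk', 'co.uk'); assumes no subdomain."""
    label, _, tld = domain.lower().strip().partition(".")
    return label, tld


def label_variants(label):
    """Single-edit misspellings of the label: one character dropped, two
    neighbours swapped, a hyphen inserted or all hyphens removed, and one
    look-alike character substituted. The original label is not included."""
    out = set()
    for i in range(len(label)):
        out.add(label[:i] + label[i + 1:])                                # drop: 'acountants-uk'
        if i + 1 < len(label):
            out.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])  # swap neighbours
        if i > 0 and label[i - 1] != "-" and label[i] != "-":
            out.add(label[:i] + "-" + label[i:])                          # insert a hyphen
        if label[i] in HOMOGLYPHS:
            out.add(label[:i] + HOMOGLYPHS[label[i]] + label[i + 1:])     # 'acc0untants-uk'
    out.add(label.replace("-", ""))                                       # 'accountantsuk'
    out.discard(label)
    out.discard("")
    return out


def lookalikes(domain):
    """Full watch list: misspelt labels on the same ending, plus the correct
    label on the other common endings. This is what a monitoring service
    would check new registrations against."""
    label, tld = split_domain(domain)
    watch = {f"{v}.{tld}" for v in label_variants(label)}
    watch |= {f"{label}.{t}" for t in TLDS if t != tld}
    watch.discard(domain.lower())
    return watch


def classify_sender(address, trusted=TRUSTED_DOMAIN, watch=None):
    """'trusted' only on the exact domain (the same rule a password manager
    applies before autofilling), 'lookalike' if the domain is on the watch
    list, otherwise 'unrelated'. SPF, DKIM and DMARC are deliberately not
    consulted: whoever registered the lookalike controls it and can pass all
    three, so the domain string itself is what has to be compared."""
    if watch is None:
        watch = lookalikes(trusted)
    domain = address.rsplit("@", 1)[-1].lower().strip()
    if domain == trusted.lower():
        return "trusted"
    if domain in watch:
        return "lookalike"
    return "unrelated"


# Constructed inbound senders for the demonstration.
SAMPLE_SENDERS = [
    "jane@accountants-uk.com",     # the real accountant
    "jane@acountants-uk.com",      # the article's one-letter omission
    "jane@accountants-uk.co.uk",   # same name, different ending
    "jane@acc0untants-uk.com",     # zero in place of 'o'
    "orders@widgets-ltd.example",  # an unrelated supplier
]


def triage(senders=SAMPLE_SENDERS, trusted=TRUSTED_DOMAIN):
    """Return [(address, verdict), ...] so lookalikes can be flagged or held."""
    watch = lookalikes(trusted)
    return [(s, classify_sender(s, trusted, watch)) for s in senders]


if __name__ == "__main__":
    for addr, verdict in triage():
        print(f"{verdict:9s} {addr}")
```

The point of `classify_sender` is the order of the checks: only an exact, case-insensitive match on the registrable domain is treated as the real supplier, which is why a password manager stays silent on ‘acountants-uk.com’. The watch list from `lookalikes` is what a monitoring service compares against fresh registrations, and the same list can feed a mail filter rule that holds messages from those domains for a second look.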

The best thing you can do is layer up: password managers so the fake domain gets caught automatically, clear reporting channels so staff feel safe flagging something odd, and simple awareness so ‘ring and verify’ becomes second nature.

If your business handles payments or sensitive client files and you’re not sure whether your current email setup would catch this kind of thing, Dragon Digital sets up phishing defences and staff awareness training for businesses across North Wales, including password managers and the monitoring that flags suspicious emails before they reach your inbox.
