Abion / Blog / Watch Out for the Black Sheep of the family: Defending Yourself Against Cousin Domain Attacks
Cousin domains

Image: Ant on Adobe Stock Images

Matteo Socci, one of our Junior IP Counsels, explains what are cousin domain attacks and what can you do to prevent falling victim to them? 

In the ever-evolving world of cybersecurity, new threats and attacks are constantly emerging, and cybercriminals are always finding creative ways to exploit vulnerabilities. One such threat that has gained traction in recent years is the so-called cousin domain attack. Cousin domain attacks are a type of domain spoofing or impersonation attack that can deceive unsuspecting users and organizations, leading to potential data breaches, financial losses, and reputational damage. In this article, we will explore what cousin domain attacks are, how they work, and what you need to know to protect yourself and your organisation.

What is a Cousin Domain Attack?

Cousin domain attacks involve the use of domain names that are similar or closely related to legitimate domain names in order to trick users into believing they are interacting with a trusted entity. These cousin domain names are intentionally designed to resemble legitimate domain names, often through slight misspellings, substitutions, or additions of characters. For example, a legitimate domain name like <example.com> could be spoofed using a cousin domain name like <examp1e.com> or <exampl3.com>.

As with most cybersecurity threats, the main aim of cousin domain attacks is to dupe users into handing over sensitive information (e.g., bank details etc.), spreading malware, conducting phishing campaigns, or perpetrating financial fraud. These attacks can target individuals, businesses, or even government organisations, and can be promoted through various communication channels, including email, various connected websites, social media, and other online platforms.

Examples of how cousin domains work

As mentioned above, the aim of these fake websites is to trick users into believing they are visiting a legitimate website and therefore share their sensitive information. Below we have provided some examples of what cousin domains may look like:

  • Typosquatting: In a typosquatting cousin domain attack, cybercriminals register domain names that closely resemble legitimate domain names but contain slight misspellings or variations. For example, if a company's legitimate domain name is <example.com>, the cybercriminals may register <exampie.com> or <examplee.com>. Unsuspecting users who receive a message from an email address connected with the cousin domain name (such as from accounts.payable@examplee.com instead of accounts.payable@example.com) might believe that the message is genuine, and fall victim to phishing, malware distribution, or other malicious activities.
  • Homoglyph Attack: In a homoglyph attack, cybercriminals register domain names that contain characters that are visually similar to legitimate characters but are encoded differently. For example, they may use the Cyrillic "а" instead of the Latin "a", or the Greek letter "ο" instead of the Latin letter "o". This can make the cousin domain appear virtually identical to the legitimate domain, making it difficult for users to detect the difference.
  • Combo Attack: In a combo attack, cybercriminals combine multiple techniques, such as typosquatting, homoglyphs, or adding or removing characters, to create cousin domain names that closely mimic legitimate domain names. For example, they may register a domain name like where they combine a misspelling and a hyphen to create a cousin domain that appears similar to the legitimate domain . This can be used to conduct spear-phishing attacks or other types of social engineering attacks.
  • Different top-level domains (TLDs): This involves using a different TLD than the legitimate domain name. For example, if the genuine domain name is <com>, the attacker might register <test.net> or <test.org>. These TLDs are less common than .com and may be missed by users who are not paying close attention.
  • Reverse Attack: In a reverse attack, cybercriminals register a legitimate-looking domain name and then create subdomains or subdirectories that mimic the names of legitimate departments or services within a company. For example, they may register <com> and then create a subdomain like <hr.legitimatecompany.com> or a subdirectory like <legitimatecompany.com/payroll>. This can be used to trick employees or customers into divulging sensitive information or downloading malware.

These are just a few examples of the various types of cousin domain attacks that can occur, and cybercriminals are constantly coming up with new techniques and tactics to deceive users. To protect your business against cousin domain attacks, it’s important to closely monitor your business’s online presence. 


What are the dangers of cousin domain attacks

Cousin domain attacks pose significant dangers to individuals, businesses, and organisations. Some of the risks associated with these attacks can include:

Data Breaches: Cousin domain attacks can lead to data breaches, where sensitive information, such as usernames, passwords, credit card numbers, or personal data, is stolen by cybercriminals. This can result in financial losses, reputational damage, and legal liabilities, especially if the breached information belongs to customers or employees.

Financial Losses: Once victims fall for the deception and provide their information or take other desired actions, cybercriminals exploit this information for their nefarious purposes. They may use the stolen information to commit financial fraud, gain unauthorized access to accounts, conduct identity theft, or sell the information on the dark web.

How to protect yourself against cousin domain attacks?

As cousin domain attacks continue to be a prevalent threat, it is crucial for companies to take proactive measures to protect themselves and their customers, rather than reacting when it is too late. Here are some best practices that organisations can implement to defend against cousin domain attacks:

  • Domain Monitoring: Keep an eye on new domain registrations that could be used for impersonation purposes. Regularly monitor and audit domain names that are similar or closely related to your legitimate domain names and look out for domain names that include misspellings, substitutions, or additions of characters that could be used in cousin domain attacks.
  • Domain Registration: Registering variations of your legitimate domain names and common misspellings to prevent cybercriminals from using them for malicious purposes. This includes registering different TLDs such as .com, .net, .org, and country-specific TLDs, to prevent cousin domain attacks that use similar domain names with different TLDs.
  • Employee Education: Educate employees about the risks of cousin domain attacks and provide training on how to identify suspicious emails, websites, or other communications. Remind employees to be cautious when clicking on links or downloading attachments from unfamiliar sources and to double-check the domain names in emails or websites.
  • Email Authentication: Implement email authentication protocols such as Domain-based Message Authentication, Reporting, and Conformance (DMARC), Sender Policy Framework (SPF), and DomainKeys Identified Mail (DKIM) to verify the authenticity of incoming emails and prevent email spoofing.
  • Website Security: Ensure that your organisation's website and web applications are secure by using HTTPS encryption/SSL certificates, regularly updating software and plugins, and implementing strong authentication mechanisms, such as multi-factor authentication (MFA) for user accounts.
  • Incident Response Plan: Develop an incident response plan that includes procedures for handling cousin domain attacks. This should include steps for identifying and mitigating cousin domain attacks, as well as communication protocols for notifying employees, customers, and law enforcement if a cousin domain attack occurs.
  • Brand Protection: Invest in brand protection services that can help monitor and enforce your brand's online presence, including, but not limited to, identifying and taking down cousin domain names that are being used for impersonation or phishing purposes.
  • Legal Actions: If you do identify cousin domain infringing on your rights, employ professional law enforcement firms to investigate and take the appropriate legal action.


Although Cousin domain attacks are not new, they are becoming more common and are a serious cybersecurity threat that can lead to data breaches, financial losses, and reputational damage. It is therefore incredibly important for organisations to be vigilant in monitoring and protecting their domain names, educating employees, implementing email authentication protocols, securing their websites, and having an incident response plan in place. By taking proactive measures to monitor and defend against cousin domain attacks, organisations can safeguard their digital assets and protect their customers and stakeholders from falling victim to these malicious attacks.

If you would like to speak to one of our experts to find out how we can help you start protecting your business and your customers, contact us here.

Matteo Socci


Matteo Socci

Jr. IP Counsel

Contact me

Get help with your web security

Contact us for a safer environment now. 

Related articles

Gmail mobile

February 2024: New Google and Yahoo email requirements

21, January 2024
Google has announced that starting February 2024, Gmail will require email authentication to be in place when send...
Cyberthreats: Top Concern for Companies

The Growing Battle Against Cyberthreats: Top Concern for Companies

4, December 2023
63 % of companies rank cyber security as their top concern, according to a recent study. As the sophistication and...

This website uses cookies

Cookies ("cookies") consist of small text files. The text files contain data which is stored on your device. To be able to place some type of cookies we need your consent. We at Abion AB, corporate identity number 556633-6169 use these types of cookies. To read more about which cookies we use and storage duration, click here to get to our cookiepolicy.

Manage your cookie-settings

Necessary cookies

Necessary cookies are cookies that need to be placed for fundamental functions on the website to work. Fundamental functions are for instance cookies that are needed for you to use menus and navigate the website.

Functional cookies

Functional cookies need to be placed for the website to perform in the way that you expect. For instance to remember which language you prefer, to know if you are logged in, to keep the website secure, remember login credentials or to enable sorting of products on the website in the way that you prefer.

Statistical cookies

To know how you interact with the website we place cookies to collect statistics. These cookies anonymize personal data.

Ad measurement cookies

To be able to provide a better service and experience we place cookies to tailor marketing for you. Another purpose for this placement is to market products or services to you, give tailored offers or market and give recommendations on new concepts based on what you have bought from us previously.

Ad measurement user cookies

In order to show relevant ads we place cookies to tailor ads for you

Personalized ads cookies

To show relevant and personal ads we place cookies to provide unique offers that are tailored to your user data