Look-Alike Fraud

On the internet, fraudsters don’t need a wig, putty makeup, and acting lessons to pull off a successful impersonation. Sometimes, the only thing they need is a cheap domain name. Look-alike fraud is a versatile and lucrative scheme that can lead to serious data breaches and cause major damage to your business reputation. 

By mimicking the appearance of legitimate e-commerce sites, cybercriminals can trick unsuspecting victims into giving up personal information or clicking malicious links. Even when discovered, these sites aren’t always easy to shut down. How does look-alike fraud work, and what can merchants do to avoid being impersonated?

You probably wouldn’t take chargeback advice from a site called ChangebankGruus.com, but if the outward-facing page design were recreated down to the last detail, a momentary lapse of vigilance while clicking on a URL could leave you feeding data and clicks to a malicious website.

When we read, we first recognize patterns, not the precise arrangement of letters, and if we aren’t paying close attention, it’s surprisingly easy to be taken in by a fake website that’s just a typo or two away from the real domain.

There are many nefarious things a cybercriminal can facilitate with a look-alike website, ranging from passive forms of exploitation to devastating large-scale cyberattacks. A key feature of these schemes is that there’s always a merchant or other organization caught in the middle, which will invariably suffer reputational harm (and likely other negative consequences) despite being an innocent victim itself.

Look-alike fraud can strike at any trusted merchant, and depending on the perpetrators’ goals, it can be a very long time before you even become aware of it. Understanding how it works and how to look for it is an important part of any merchant’s anti-fraud strategy.

What Is Look-Alike Fraud?

Look-alike fraud describes any scheme involving deceptive domain names. The idea is that victims can be tricked into visiting the fraudster’s site, thinking it’s a legitimate site that they already know and trust.

The look-alike site can then try to capture the victim’s login credentials, payment information, and other sensitive data. The victim may also be served links that take them to other hostile sites or prompt them to download malware.

Domain names are how the internet turns complex network addresses into easy-to-remember URLs. Unused names are always up for grabs, and cybercriminals can look for ones that are easy to confuse with the site they’re copying.

A famous example is WhiteHouse.com, which currently leads to a political betting site—the domain for the presidential residence’s actual website ends in .gov.

In theory, defeating look-alike fraud is easy: just read the links you’re clicking carefully. In practice, of course, everyone is susceptible to the occasional oversight, and there are lots of sneaky ways to mask a look-alike domain.

How Do Cybercriminals Set Up Look-Alike Domains?

There’s no magic formula for look-alike domains—anything can work as long as it has a chance of fooling somebody. The best scenario for cybercriminals, however, is to find that the exact name of the site they’re hoping to copy is still unregistered under another top-level domain.

This is what was done in the White House example above: the .gov site was obviously taken, but somebody was able to privately purchase the .com version. In the early days of the internet, .com was the only top-level domain many people were familiar with, so that’s what they would type into their web browsers.

Internet users are savvier about domains now, but many users probably wouldn’t bat an eye if a site they knew was subtly changed from .net to .com. You’ll also see look-alike sites based on common typos or letter transpositions (ChargebakcGurus.com), added hyphens (Chargeback-Gurus.com), and similar-looking replacement letters (ChargebachGurus.com).

Subdomains often play a role in look-alike fraud. When paired with the right second-level domain, they can create a look-alike URL that’s only a single period away from the real thing (Char.gebackGurus.com).
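Merchants reviewing hostnames that turn up in customer-reported emails or referrer logs can check for these tricks mechanically. The following Python is an added example, not code from the original article: it labels which of the techniques described above a hostname uses relative to a protected domain. The function names, technique labels, and sample list are assumptions made for illustration, and the last label of a hostname is treated as its top-level domain.

```python
# Added example: classify observed hostnames against a protected domain.
PROTECTED = "chargebackgurus.com"  # the real domain behind the article's examples


def split_host(host):
    """Split into (name, tld); assumes a single-label TLD (no .co.uk handling)."""
    name, _, tld = host.lower().rstrip(".").rpartition(".")
    return name, tld


def is_transposition(a, b):
    """True if b equals a with exactly one adjacent pair of characters swapped."""
    if len(a) != len(b):
        return False
    d = [i for i in range(len(a)) if a[i] != b[i]]
    return len(d) == 2 and d[1] == d[0] + 1 and a[d[0]] == b[d[1]] and a[d[1]] == b[d[0]]


def classify(host, protected=PROTECTED):
    """Return the look-alike technique a hostname matches, or None."""
    host = host.lower().rstrip(".")
    if host == protected or host.endswith("." + protected):
        return None  # the genuine domain or one of its own subdomains
    name, _tld = split_host(host)
    real, _ = split_host(protected)
    if name == real:
        return "tld-swap"
    if "." in name and name.replace(".", "") == real:
        return "subdomain-split"
    if "-" in name and name.replace("-", "") == real:
        return "hyphen"
    if is_transposition(real, name):
        return "transposition"
    if len(name) == len(real) and sum(x != y for x, y in zip(name, real)) == 1:
        return "letter-substitution"
    return None


def flag(hosts, protected=PROTECTED):
    """Map each suspicious hostname to the technique it matched."""
    found = {h: classify(h, protected) for h in hosts}
    return {h: t for h, t in found.items() if t}


# Constructed sample, e.g. sender domains pulled from customer-reported emails.
SAMPLE = ["ChargebakcGurus.com", "Chargeback-Gurus.com", "ChargebachGurus.com",
          "Char.gebackGurus.com", "chargebackgurus.example",
          "www.chargebackgurus.com", "example.org"]

if __name__ == "__main__":
    for host, technique in flag(SAMPLE).items():
        print(f"{host:28} {technique}")
```

Names that differ by more than one edit, such as ChangebankGruus.com, fall outside these exact-match rules and would need a fuzzier similarity measure.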

Once domains have been acquired, the fraudster can make their fake sites look even more authentic by setting up email servers and obtaining security certificates. They may try to lure people to their fake sites by sending out emails or by posting comments to blogs and social media.

What Types of Look-Alike Fraud Are There?

There are many reasons why a bad actor might want a look-alike domain. Some just want the clicks, and abandon any pretense of impersonation once the visitor arrives on their website. Most others, however, try to keep the ruse going as long as possible.

Monetized links are common—these may be referral links that earn the fraudster money when you click or purchase through them. While this is among the milder forms of look-alike fraud, it can still dilute your branding and harm your reputation with customers.

Look-alike fraud is also frequently employed by counterfeiters who want customers to think they’re buying the authentic product from their rip-off website.

Phishing sites are also frequently encountered. These are the sites that try to trick visitors into entering credit card numbers and other personal data. Fraudsters may set sites like these up to target specific merchants for account takeover attacks.

The worst look-alike sites are the ones that deliver malware—viruses, Trojan horses, spyware, ransomware, and other harmful programs that can be financially ruinous for their victims.

How Can Merchants Protect Themselves?

By using multiple service providers (some of whom may be shady themselves), fraudsters can often keep look-alike sites alive for a long time. Merchants may be able to use laws like the Digital Millennium Copyright Act to get imitator sites shut down, but this is not always possible or expedient.

Preventive action is important, and it may be wise for merchants to buy up domains similar to their own (especially under popular top-level domains) whenever they are available for purchase. If you do become the victim of look-alike fraud, be proactive about informing your customers about the threat and how it may have impacted them.


Look-alike fraud doesn’t always lead directly to chargebacks, but when this scheme is leveraged to engage in large-scale credit card fraud or account takeover, merchants can get hit with catastrophic fallout. Even when financial damage is minor, it’s not easy to win back the trust of your customers when you’ve been compromised in such a manner.

As always, education and proactive preparedness are a merchant’s best allies in the fight against this form of fraud. With a strategy that accounts for all of the various attacks you’re likely to experience, you can weather the challenges of modern-day e-commerce.

Thanks for following the Chargeback Gurus blog. Feel free to submit topic suggestions, questions, or requests for advice to: win@chargebackgurus.com
