DMARC and Lookalike Domains: How to Protect Your Customers from Getting Duped

4 min readFeb 20, 2020


Editor’s Note: This blog post was originally found on the Agari Email Security blog

By Ramon Peypoch

Hint: DMARC Alone Won’t Cut It

Think the prospect of cybercriminals using your domains to launch phishing attacks sounds bad for your brand? Just wait until you hear the latest on lookalike domains.

Over the last few months, researchers have been discovering a troubling number of phishing sites that feature domains meant to impersonate leading brands in a variety of industries.

Sometimes referred to as “cousin” domains, lookalikes are crafted to resemble a brand’s domains as closely as possible, replacing an “I” with a “1” — as in vs., for example. The goal is to trick users into revealing passwords, payment card details, and other sensitive information.

Over this past holiday season, researchers reportedly identified more than 100,000 lookalike domains mimicking major retailers. And BankInfoSecurity reports threat actors using Ukraine-based email infrastructure have created hundreds of lookalike domains for phishing attacks targeting customers of more than a dozen Canadian banks.

Some of these lookalikes, like a recently discovered phony Citibank login page, use TLS certificates and even facilitate OTP codes to convince visitors they’re logging into their bank’s legitimate website.

Account Takeovers Aren’t All Created Equal

While there is a nominal cost involved with registering close-cousin domains, they do hold key advantages for email fraudsters. For one thing, they’re easy to set up and hard for impersonated brands to detect. For another, they can help the perpetrators more masterfully bilk targets when integrated with account takeover (ATO)-based attacks.

In one recent incident, cybercriminals used a pair of cousin domains to steal $1 million from a Chinese venture capital fund. According to Dark Reading, the hackers compromised an Israeli startup’s email server and surveilled communications, including an ongoing thread about a possible multimillion-dollar seed fund with the investment firm.

Next, the fraudsters registered two lookalike domains, spoofing each firm by adding an “s” to the end of their legitimate domain names. They then sent an email to the VC firm from the lookalike domain mimicking the startup, as well as an email to the startup from the lookalike posing as the VC firm — essentially hijacking the entire conversation.

Thirty-one emails later, the fraudsters had impersonated various individuals within each firm, managed to get in-person meetings cancelled to reduce the chances of discovery, and had bank account details changed so that funds sent from the investment firm would end up in the scammers’ hands instead of the startup’s.

Lookalike Domains Do Lasting Damage

What do you think this incident did to the relationship between the Chinese VC firm and the Israeli startup? Even when both sides are victims, the financial damage and the publicity generated by impersonation attacks can be brutal.

In 2018, a particularly brazen phishing attack impersonating a European financial institution, the bank’s call centers were overwhelmed with more than 93,000 complaints from customers, and as many as 10,600 cases of potential fraud were identified. Whether it’s a bank, a major retailer, a technology firm, or a tiny startup, trust in impersonated brands can get mauled in social media tirades that can spread like wildfire — along with everlasting Google links to nightmare headlines.

And that’s not even the worst of it. Email remains the most important digital channel for marketing and ongoing customer communications, with an ROI of $40 for every $1 spent — by far the best of other digital channels. But when a brand is impersonated, its legitimate email campaigns and communications can become repellant to recipients. The blow can be calamitous for revenue streams generated and fostered through email programs.

But what does it take to short-circuit these social engineering-based impersonation ploys?

Why DMARC Alone Can’t Protect You

To defend themselves, it’s essential that brands take steps to prevent email-based brand impersonation. But for many companies, that can be easier said than done.

As we’ve discussed many times, it’s critically important to deploy Domain-based Message Authentication, Reporting and Conformance (DMARC), the open standard email authentication protocol that prevents a brand’s domains from being used to launch phishing campaigns.

But while that’s a relatively straightforward proposition when you’re talking about a single domain, it should also be implemented across all domains in a brand’s portfolio, even those that don’t send email. For large businesses, that can mean hundreds or thousands of domains spanning numerous departments, divisions, and acquired businesses — not to mention outside agencies and other email distribution partners that send email on a brand’s behalf.

It also won’t protect you from lookalike domains. While many businesses register countless “defensive domains” to eliminate as many close-cousins as possible, it’s impossible to secure an infinite number of possibilities.

To address both of these challenges, businesses must take a comprehensive approach to brand protection. Automated DMARC implementation tools are required to manage the complexities of deployment across large email environments. And modern domain defenses that employ real-time threat intelligence will be needed to root out malicious domains for rapid remediation with takedown vendors.

Kicking Imposters Where It Counts

According to Forrester Research, implementing proper brand protection can pay off. Not only do impersonations drop precipitously, but so do the costs associated with finding and shutting down phishing sites, crisis management, legal services and more.

DMARC deployment is a big part of that. But given the fact that 1 in 5 email attacks are now launched from close-cousin domains, lookalike domain defenses are required to fully protect a brand’s customers, partners, and the public at large from costly brand impersonations.

To learn more about the threat from brand impersonation attacks and how to protect and restore customer trust in your email communications, download the Agari Brand Protection solution brief.




Agari is the Trusted Email Identity Company™, protecting companies and people from phishing and socially-engineered email attacks.