DefendDomain
The FBI named dozens of fake FIFA World Cup domains

How to stop lookalike domain attacks before they hit your customers

David Batey, 16/06/2026

The World Cup kicked off on 11 June, and the fake FIFA websites went up with it. The FBI saw it coming. On 27 May its Internet Crime Complaint Center named dozens of spoofed FIFA domains, built to take fans' money and harvest their personal and banking data, weeks before a ball was kicked.

If you run security or own the brand at a growing company, the football is not the point. The tactic is. A lookalike domain attack does not care whether you sell tournament tickets or SaaS seats. It needs a recognisable brand, a moment of demand, and a few minutes to register a convincing web address. Every business with customers online qualifies.

This is the playbook we watch get run against ordinary mid-market companies every week. Here is how it works, and how to stop it before it reaches anyone.

What a lookalike domain attack actually is

A lookalike domain is a web address built to impersonate a brand closely enough that people hand over their details without a second thought. Not a clumsy scam email. A working website, at an address that reads as legitimate, doing real damage at the point a customer or an employee trusts it.

The FBI's own FIFA examples show the range. Some are blunt. Others are near-perfect typosquats, like one that swaps the single "w" in the brand for two v's so the address reads almost identically at a glance, and another that adds just one letter to the real name. (We show those addresses below, defanged so they cannot be clicked.) Read in a hurry, on a phone, under time pressure, they pass.

That is the part most defences miss. The harm happens on the fake site, not in your inbox, and not on your network. Your email security and your MFA protect the people inside your perimeter. They do nothing for the customer being phished with your branding on a domain you do not control, or the employee entering credentials into a cloned login page, or the finance team paying an invoice from a typosquatted version of a supplier's address. By the time you find out, the cost is already yours: chargebacks, churn, regulatory exposure, fraudulent payments out the door. Proactive brand protection is the discipline of closing that gap before it opens.

What the FBI's FIFA warning actually named

On 27 May 2026, weeks before kick-off, the FBI's Internet Crime Complaint Center (IC3) published a public service announcement naming dozens of fraudulent FIFA-related domains and spelling out what they were built to do. You can read it in full on the FBI IC3 website.

Two of the named examples show how small the difference can be. Both are shown here defanged, so they cannot be clicked:

wvvw-fifa[.]com

The leading "w" is actually two v's pushed together. At a glance it reads as the real address.

filfa[.]org

A single extra letter dropped into the brand name, easy to miss on a phone under time pressure.

According to the warning, the fake sites were built to take fans' money and harvest their personal and banking data: name, home address, phone number, email address and banking information. The FBI described counterfeit match tickets and hospitality packages being sold, and criminals using harvested details to open fraudulent accounts in victims' names.

None of that is unique to football. Swap FIFA for your brand, and the demand spike for your own product launch or sale, and the playbook is identical.

Why mid-market companies are the target now

There is a comforting story that says impersonation is a Fortune 500 problem. It is no longer true, and AI is the reason.

The same generative tooling that lets a marketing team spin up a landing page in an afternoon lets an attacker clone yours in minutes, register a near-identical domain, and stand up a fraudulent certificate so the padlock shows green. The cost and skill barrier has collapsed. Attackers do not pick targets by size any more. They pick yields, and automation makes low-effort attacks on mid-market brands profitable at scale. You have enough brand recognition to be worth impersonating and, usually, not enough security headcount to notice when someone does.

A major event like the World Cup concentrates that into a spike: huge demand, time pressure, a trusted brand to hide behind. But your product launch, your funding announcement, your seasonal sale, your rebrand, each is a smaller version of the same gift to whoever is paying attention.

How criminals register lookalike domains, and why that is your opening

Here is the part that works in your favour. A lookalike attack has to be built before it can be used, and the building is visible.

The attacker registers the domain. They point it at hosting. They clone the content. They request an SSL certificate so the site looks secure. Every one of those steps leaves a public trace: a new registration in the DNS, a certificate issued in the public Certificate Transparency logs, your own content appearing somewhere it should not. None of that requires a single victim. It all happens before the first phishing message goes out.

That is the window. The whole question of how to stop lookalike domain attacks comes down to whether you are watching during the setup phase, or whether you find out afterwards from a customer complaint.

Detection: watch the setup, not the aftermath

Most brand protection waits until the attack is already running, then races to clean it up. The takedown clock starts after your customers, employees, or suppliers have been hit. That is late, by definition.

The alternative is to monitor the surfaces where attacker infrastructure shows itself while it is still being assembled. Lookalike domain monitoring watches new registrations across the variations and the top-level domains an attacker would actually use, and scores them as they appear. Certificate transparency monitoring catches fraudulent certificates impersonating your brand in real time, usually the last setup step before a site goes live. And because the cleverest fakes copy your site wholesale, two further layers matter: invisible markers embedded in your own pages that fire the instant your content loads on a domain you do not own, and content fingerprinting that finds your copied material wherever it surfaces on the web. Those last two are the difference between knowing a domain looks like yours and knowing it is actively wearing your brand.

Find it first, before the complaints start

Detecting a threat is only half the job. The other half is getting the fake site taken down. A takedown request goes to the whole chain at once: the registrar, the hosting provider, safe-browsing services and threat-intelligence feeds, end to end and automated, with re-detection if the attacker tries to rebuild.

What separates good brand protection from poor is not the takedown itself. It is how you find out there is a problem in the first place. For most companies, the first sign is the damage: a defrauded customer calling the support desk, an employee who typed their password into a cloned login, a wave of complaints, or worst of all, the company's name in the press. By then the fake site has been working for days or weeks, and the clock only starts once the harm is already done.

Find the fake site yourself, before your customers, your staff, or the press find it for you.

To be clear about the mechanism: you cannot have a domain taken down simply because someone registered it, or because it has an SSL certificate. There has to be something to act on, a live page cloning your brand, a fake login harvesting credentials, your content lifted onto a site you do not own. The advantage of watching from the moment a lookalike domain is registered is that you are there the instant it crosses that line. You see the fake go live, you confirm it is impersonating you, and you move to take it down straight away, while it is fresh and before it has tricked anyone, instead of weeks later when the first victim calls.

What to do about it

If brand impersonation is on your risk register, or it is about to be because the board asked, three moves cover most of the ground.

First, know your exposure. You cannot defend a surface you have not measured, and most companies have more lookalike registrations sitting against their brand than they expect.

Second, monitor the setup surfaces continuously: new registrations, certificate logs, and your own content appearing off-domain. A point-in-time audit tells you about yesterday. Attackers register tomorrow.

Third, wire detection straight to disruption so there is no manual gap between spotting a threat and shutting it down. The faster that handoff, the smaller the window in which anyone can get hurt.

DefendDomain watches for lookalike domains, cloned websites and fraudulent certificates from the moment they appear, so the instant one turns into a live impersonation of your brand we can move to take it down end-to-end, before your customers or your staff are caught out. It is the four-layer approach behind everything above, and it is why we were named Cyber Security Start-up Company of the Year at the 2026 TEISS Awards. The FIFA fakes made the headlines. The same tactic is aimed at your brand every week without one.

Want to see what is already registered against your domain? Run a free domain threat analysis and find out before someone else does. Detect and take down lookalike domains before they reach your customers, your people, or your suppliers.

Frequently asked questions

What is a lookalike domain attack?

A lookalike domain attack uses a web address built to impersonate a trusted brand, such as a typosquat or a near-identical clone, to defraud the people who trust that brand. Victims hand over money or credentials on a fake site that looks legitimate. The targeted business often finds out only after the damage is done.

How do criminals register lookalike domains?

They register addresses that read like the real one. Typosquats add or swap a character; homoglyphs use lookalike letters. In the FBI's FIFA warning, one fake swapped the single "w" for two v's (wvvw-fifa[.]com) and another added one letter (filfa[.]org), shown here defanged. Registration is cheap, fast, and requires no victim.

How can you detect a lookalike domain?

Watch the surfaces where attacker infrastructure shows itself during setup: new domain registrations across likely variations and top-level domains, fraudulent SSL certificates appearing in public Certificate Transparency logs, and your own content surfacing on domains you do not control. Continuous lookalike domain monitoring catches these as they appear, before an attack launches.
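The following is an added example, not DefendDomain's code, of the two detection signals described above and in the typosquat answer: it generates one-edit lookalike spellings of a brand label (insertions such as filfa, omissions, transpositions and homoglyph swaps such as w to vv) and scores hostnames from a constructed new-registration or CT-log feed against them. The brand name, owned-domain allowlist, homoglyph table, scoring weights and the feed format are all assumptions chosen for illustration; the two defanged FBI examples are the ones named on this page.

```python
"""Added example (not DefendDomain's product code): generate lookalike
spellings of a brand label and score newly observed hostnames against them.
The feed below is constructed; real input would be entries from a
new-registration watcher or a Certificate Transparency log monitor."""

import string

# Character pairs that read alike at a glance. "w" -> "vv" is the trick in the
# FBI's wvvw-fifa[.]com example. Constructed table, not exhaustive.
HOMOGLYPHS = {"w": ["vv"], "m": ["rn"], "l": ["1", "i"], "i": ["l", "1"], "o": ["0"]}


def variants(name: str) -> set:
    """Lookalike spellings of a bare label: one insertion, omission,
    adjacent transposition or homoglyph substitution at a time."""
    out = set()
    alphabet = string.ascii_lowercase + "-"
    for pos in range(len(name) + 1):            # filfa from fifa
        for ch in alphabet:
            out.add(name[:pos] + ch + name[pos:])
    for pos in range(len(name)):                # fia from fifa
        out.add(name[:pos] + name[pos + 1:])
    for pos in range(len(name) - 1):            # ffia from fifa
        out.add(name[:pos] + name[pos + 1] + name[pos] + name[pos + 2:])
    for pos, ch in enumerate(name):             # wvvw from www
        for sub in HOMOGLYPHS.get(ch, []):
            out.add(name[:pos] + sub + name[pos + 1:])
    out.discard(name)
    return out


def refang(domain: str) -> str:
    """Turn a defanged indicator such as wvvw-fifa[.]com back into a hostname."""
    return domain.strip().lower().replace("[.]", ".").replace("(.)", ".")


def classify(domain: str, brand: str, owned: set) -> dict:
    """Score one observed hostname against the brand. Weights are assumed."""
    host = refang(domain)
    if host in owned or any(host.endswith("." + o) for o in owned):
        return {"host": host, "score": 0, "reasons": ["owned"]}
    labels = host.split(".")
    registrable = labels[-2] if len(labels) >= 2 else labels[0]
    tokens = set(registrable.split("-"))        # hyphenated parts, e.g. wvvw + fifa
    reasons, score = [], 0
    if registrable == brand:                    # exact brand on a TLD you do not own
        reasons.append("brand on unowned TLD"); score += 50
    elif brand in tokens:                       # brand embedded: wvvw-fifa, fifa-tickets
        reasons.append("brand embedded"); score += 60
    hits = tokens & variants(brand)
    if hits:                                    # one-edit typosquat: filfa
        reasons.append("typosquat of %s: %s" % (brand, ",".join(sorted(hits)))); score += 70
    if tokens & variants("www"):                # fake www prefix: wvvw
        reasons.append("fake www prefix"); score += 30
    return {"host": host, "score": min(score, 100), "reasons": reasons}


def scan_feed(lines, brand: str, owned: set) -> list:
    """Classify every feed line; return flagged hosts, highest score first."""
    flagged = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        host = line.split()[-1]                 # last field is the hostname in this constructed format
        result = classify(host, brand, owned)
        if result["score"] > 0:
            flagged.append(result)
    return sorted(flagged, key=lambda r: -r["score"])


# Constructed feed: timestamp + hostname, as a registration or CT-log watcher might emit.
SAMPLE_FEED = """
# ts                 hostname
2026-05-20T09:12:00Z wvvw-fifa[.]com
2026-05-21T14:03:10Z filfa[.]org
2026-05-21T14:05:00Z tickets.fifa.com
2026-05-22T08:00:00Z fifa.org
2026-05-22T08:30:00Z example.com
""".strip().splitlines()

if __name__ == "__main__":
    for r in scan_feed(SAMPLE_FEED, "fifa", {"fifa.com"}):
        print("%3d  %-20s %s" % (r["score"], r["host"], "; ".join(r["reasons"])))
```

Run against the constructed feed, wvvw-fifa.com scores highest (brand embedded plus a fake www prefix), filfa.org is caught as a one-edit typosquat, fifa.org is flagged only as the brand on an unowned TLD, and the owned subdomain tickets.fifa.com is suppressed by the allowlist. A score here is a reason to look, not grounds for a takedown: as the article says, the domain still has to go live impersonating the brand before there is anything to act on.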

Can you take down a lookalike domain?

Yes, end-to-end. A takedown request goes to the registrar and hosting provider, backed by an evidence pack, with submissions to safe-browsing services and threat-intelligence feeds so the threat is neutralised across the ecosystem, not just at one provider. Automated follow-up and re-detection handle escalation and any attempt to come back.

How do you catch a lookalike domain early?

Watch for it from the moment it is registered. Layer 1 (lookalike domain monitoring) flags the lookalike domain at or shortly after registration, and Layer 4 (certificate transparency monitoring) catches the impersonating certificate as it is issued, usually the last step before a site goes live. You cannot take a domain down for merely existing, but that early warning means the instant it goes live impersonating your brand you can act, often before a single customer is caught out.
