DomainGuard

Glossary.

Phishing, lookalike domains, brandjacking, and the rest of the vocabulary that shapes our work.

Phishing is a fraud technique where threat actors impersonate a trusted brand or individual to trick a target into handing over credentials, money, or sensitive information.

The attacker’s lure is usually delivered by email, SMS, or social media with a link to a fake login page or support form. The page is hosted on a lookalike domain or a compromised legitimate site, and harvests credentials the moment they are typed. Attackers then sell the credentials, use them to drain accounts, or pivot deeper into corporate environments.

Phishing remains the single most common initial-access vector in breach data year after year. The defenses that work are layered: domain monitoring to catch impersonating infrastructure before it is weaponized, takedowns to remove active phishing pages, and security awareness so the people who receive the lure can spot it.

DomainGuard’s Owl tier monitors for lookalike domains and known phishing infrastructure, and runs takedowns end to end when malicious intent is identified.

A lookalike domain is one registered to visually or semantically resemble a legitimate brand domain, with the intent to deceive customers, employees, or partners.

Common patterns include character substitution (rn for m, turning acme.com into acrne.com), punycode and IDN homoglyph variants (Cyrillic letters that render identically to Latin ones), additional words attached to the brand (acme-support.com, acme-helpdesk.org), or alternative top-level domains (acme.help, acme.jobs). Attackers also register domains based on common typing mistakes, known as typosquatting: swapping adjacent keys, doubling letters, or dropping characters.

Lookalike domains usually appear before a phishing campaign goes live, and the lead time is the defender’s window. Detecting registrations early lets you take down the infrastructure or block it at the corporate gateway before attackers turn it on.

DomainGuard runs continuous lookalike-domain monitoring as part of the Owl tier, ingesting public domain data sources and proprietary feeds to surface impersonating registrations the day they happen.

A homoglyph is a character that looks identical or near-identical to another character despite being a different code point.

The classic examples are zero versus capital O, lowercase l versus uppercase I versus the digit 1, or Cyrillic а versus Latin a. In domain abuse, attackers exploit homoglyphs to register domains that read as the legitimate brand to a human eye but resolve to attacker-controlled infrastructure. A lowercase Cyrillic а in pаypal.com is invisible to the reader and indistinguishable in most fonts.

Detection requires Unicode-aware comparison: encoding domain names as punycode (the xn-- form) reveals the underlying code points, and visual-similarity scoring at registration time catches near-misses that simple string equality misses.
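An added example, not DomainGuard's code: a minimal classifier a defender could run over newly registered domains, covering the lookalike patterns listed earlier (substitution, homoglyphs, added words, alternative TLDs, typos) and the punycode check described above. The confusables table, function names, and sample domains are constructed for illustration, and the first label is assumed to be the registrable name.

```python
import unicodedata

# Constructed, deliberately tiny confusables table (assumption, not UTS #39 data).
CONFUSABLES = {"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
               "0": "o", "1": "l", "rn": "m", "vv": "w"}

def to_punycode(domain):
    """ASCII (xn--) form of a domain; exposes labels that hide non-ASCII."""
    return domain.encode("idna").decode("ascii")

def scripts(label):
    """Scripts used by the letters of a label, e.g. {'LATIN', 'CYRILLIC'}."""
    return {unicodedata.name(ch).split()[0] for ch in label if ch.isalpha()}

def skeleton(label):
    """Fold visually confusable characters and sequences to one form."""
    s = unicodedata.normalize("NFKC", label.lower())
    for src, dst in CONFUSABLES.items():
        s = s.replace(src, dst)
    return s

def osa(a, b):
    """Edit distance counting insert, delete, substitute, adjacent swap."""
    d = [[max(i, j) if 0 in (i, j) else 0 for j in range(len(b) + 1)]
         for i in range(len(a) + 1)]
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = a[i - 1] != b[j - 1]
            d[i][j] = min(d[i-1][j] + 1, d[i][j-1] + 1, d[i-1][j-1] + cost)
            if i > 1 and j > 1 and a[i-1] == b[j-2] and a[i-2] == b[j-1]:
                d[i][j] = min(d[i][j], d[i-2][j-2] + 1)
    return d[len(a)][len(b)]

def classify(candidate, brand):
    """Reasons `candidate` resembles `brand`; an empty list means none found."""
    # Assumption: first label is the registrable name (no Public Suffix List).
    c, _, c_tld = candidate.lower().partition(".")
    b, _, b_tld = brand.lower().partition(".")
    if c == b:
        return ["alt-tld"] if c_tld != b_tld else []
    reasons = ["mixed-script"] if len(scripts(c)) > 1 else []
    cs, bs = skeleton(c), skeleton(b)
    if cs == bs:
        reasons.append("confusable")
    elif osa(cs, bs) == 1:
        reasons.append("typo")
    elif bs in cs.split("-"):
        reasons.append("brand+keyword")
    return reasons
```

Comparing skeletons rather than raw strings is what lets acrne.com and a Cyrillic-а paypal.com match their brands even though simple string equality fails.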

Homoglyph attacks predate the IDN era but became dramatically easier when registries opened up internationalized domain names. Today most modern browsers display the punycode form of suspicious mixed-script domains as a defense, but users still encounter them in email and SMS where the rendering is less defensive.

DomainGuard’s lookalike-domain monitoring includes homoglyph and visual-similarity scoring across registered domains.

Brandjacking is the unauthorized use of a brand’s identity, content, or assets to deceive customers or extract value.

It overlaps with phishing and lookalike-domain abuse but extends further: fake mobile applications, copycat customer support handles on social media, sponsored search ads pointing at fraudulent support pages, malicious browser extensions claiming to be official, and dark-web mentions where stolen brand assets are bought and sold.

The damage from brandjacking is rarely concentrated in one venue. A typical campaign might include a lookalike domain hosting credential harvesting, a copycat Twitter or Telegram support handle handling the conversation, and a sponsored search ad driving traffic. Defending one venue without the others leaves the customer experience compromised and the brand’s reputation eroded.

Brand monitoring exists to catch the full picture: identity surfaces beyond the corporate domain, where attackers actually meet customers. Good brand monitoring tracks app stores, social media, search ads, dark-web forums, and key-employee accounts as a single program.

DomainGuard’s Shield tier monitors the brand and identity surface across all of those venues.

An attack surface is the set of all externally accessible systems, services, and data an attacker could try to compromise.

For most organizations, the external attack surface is larger than the security team realizes. It includes the obvious (production web applications, mail servers, marketing sites) but also the less obvious (forgotten subdomains from a long-finished project, an inherited environment from an acquisition, a development server someone left exposed, an outdated API version still answering on a load balancer). Anything an attacker can reach over the public internet is part of the surface.

Attack-surface management means three things: discovery (finding what’s out there), inventory (knowing what’s yours and what runs on it), and monitoring (catching changes and exposures the day they appear). The first two are usually a one-time-but-recurring effort. The third is continuous.

Because attack surfaces grow on their own, the defensive question is not whether your surface is bounded, but whether you know about every change as it happens. External attack-surface monitoring answers that.

DomainGuard’s Guardian tier delivers attack-surface monitoring with continuous discovery, inventory, and alerting on exposed services and configuration changes.

Vishing (voice phishing) is a fraud technique where threat actors use phone calls or voice messages to impersonate a trusted brand or person and trick the target into handing over credentials, money, or sensitive information.

The lure is typically delivered as a phone call from an apparent corporate number, a voicemail asking for a callback, or an in-progress video call where the attacker impersonates an executive or recruiter. Spoofed caller ID, free VoIP accounts, and now AI-generated voice make vishing much harder to spot than it used to be: an attacker can reproduce a CEO’s voice from a few seconds of public-speaking audio and place a convincing urgent-wire-transfer call to the finance team.

Defenses are partly procedural (out-of-band verification of any sensitive request, no matter how authentic the voice sounds) and partly visibility-based (monitoring for impersonating phone numbers, lookalike call-center domains, and accounts on free conferencing platforms).

DomainGuard has documented several real-world vishing and video-call impersonation campaigns; the Shield tier monitors for the supporting infrastructure (lookalike domains, fraudulent video conferencing accounts, dark-web mentions of leaked credentials) that vishing campaigns rely on.

Business Email Compromise (BEC) is a fraud technique where threat actors impersonate an executive, vendor, or trusted partner over email to trick a target into wiring money, changing payment instructions, or releasing sensitive data.

BEC differs from generic phishing in that it is highly targeted, often patient, and rarely involves malware. The attacker spends time observing email patterns, learns the typical language used between the impersonated party and the target, and times the lure to coincide with a real transaction or organizational event. The message usually arrives from a lookalike domain (acme-finance.com instead of acme.com), a compromised legitimate mailbox, or a display-name spoof in a thread the target already trusts.

BEC drives one of the largest single categories of cyber-loss reported to the FBI’s Internet Crime Complaint Center year after year, with average per-incident losses in the hundreds of thousands of dollars.

Defenses are layered: domain monitoring for impersonating sender domains, DMARC, DKIM, and SPF enforcement on your own mail, payment workflows that require out-of-band verification of any change to payee details, and security awareness so the recipient pauses on a request that feels off.

DomainGuard’s Owl tier monitors for the lookalike domains BEC campaigns rely on, with takedowns when impersonating infrastructure goes live.
