What Is Domain Spoofing and How Can You Protect Yourself?
Attackers create fake variants of trusted domains to intercept traffic and steal credentials. Here's how it works and how to detect it.
Emil Gheonea
Software engineer & founder of LinkThreatScan · 6 March 2026
Domain spoofing is the practice of registering or crafting a domain name that closely resembles a legitimate one, with the intention of deceiving users or automated systems. It underpins phishing campaigns, business email compromise (BEC) scams, and brand impersonation attacks. Understanding how it works is the first step toward recognising and avoiding it.
Types of domain spoofing
Typosquatting involves registering common misspellings of popular domains (googlr.com, facebok.com). Homograph attacks replace ASCII characters with visually identical Unicode characters — for example, using the Cyrillic 'а' (U+0430) instead of the Latin 'a'. The resulting domain is indistinguishable to the naked eye. Combosquatting appends or prepends words to a legitimate brand name: paypal-security.com, amazon-support-centre.com. None of these are the real domain.
Subdomain spoofing
Attackers don't always need to register a lookalike domain. If they can create a subdomain on a legitimate-looking domain, they can construct URLs like paypal.com.attacker.net. The 'paypal.com' part is a subdomain of 'attacker.net' — not the PayPal domain at all. Reading the URL right-to-left helps: the hostname ends at the first single slash after the scheme, and the domain that was actually registered is the rightmost part of that hostname, immediately before that slash.
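As an added example (not code from the article or from LinkThreatScan), the Python below applies the right-to-left reading rule to the typosquatting, combosquatting and subdomain-spoofing cases described above. The brand list, the tiny stand-in for the Public Suffix List and the edit-distance threshold of 2 are assumptions chosen for illustration.

```python
from urllib.parse import urlsplit

# Brands to protect; constructed list for this example.
BRANDS = ["paypal", "amazon", "google", "facebook"]

# Assumption: a real checker would consult the Public Suffix List so that
# suffixes such as co.uk are handled. A tiny hard-coded set stands in for it.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au"}


def hostname_of(url):
    """Lowercase hostname of a URL; a scheme is added if the input lacks one."""
    if "://" not in url:
        url = "http://" + url
    host = urlsplit(url).hostname or ""
    return host.rstrip(".").lower()


def registrable_domain(host):
    """Rightmost labels that form the domain the owner actually registered."""
    labels = host.split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def levenshtein(a, b):
    """Classic edit distance, used to spot one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def analyse_url(url, brands=BRANDS):
    """Classify a URL as subdomain spoof, combosquat or typosquat of a brand."""
    host = hostname_of(url)
    domain = registrable_domain(host)
    base = domain.split(".")[0]                 # e.g. "paypal" in paypal.com
    subdomain = host[: -len(domain)].rstrip(".")  # everything left of the domain
    findings = []
    for brand in brands:
        if base == brand:
            continue                            # the genuine brand domain
        # Brand name placed in the subdomain part of someone else's domain
        # (substring match, so "facebook-login.attacker.net" is caught too).
        if subdomain and brand in subdomain:
            findings.append(("subdomain_spoof", brand))
        # Brand name with extra words glued onto the registered label.
        if brand in base:
            findings.append(("combosquat", brand))
        # Registered label within two edits of the brand name.
        elif 0 < levenshtein(base, brand) <= 2:
            findings.append(("typosquat", brand))
    return {"host": host, "domain": domain, "subdomain": subdomain, "findings": findings}


if __name__ == "__main__":
    for sample in ["https://paypal.com.attacker.net/login", "googlr.com",
                   "paypal-security.com", "https://www.paypal.com/signin"]:
        print(sample, "->", analyse_url(sample)["findings"])
```

The substring match for the subdomain case deliberately errs on the side of flagging; a scanner would rank such hits by the domain's registration age and other signals rather than block on this check alone.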
Email domain spoofing
Email headers can be trivially forged if the targeted domain has not configured SPF, DKIM, and DMARC records. An attacker can send an email that appears to come from an address at the targeted company's own domain even without access to the company's email server. This is how business email compromise attacks trick employees into transferring funds or disclosing credentials.
How to detect spoofed domains
Hover over links before clicking and read the full URL carefully. Use a Unicode normaliser to check whether domain characters are actually standard ASCII. Check the domain's registration date — spoofed domains are almost always very recently registered. Run the URL through a scanner that checks for brand-similarity patterns and homograph characters.
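An added Python example, not part of the article or of LinkThreatScan, of the Unicode check described above: it decodes punycode (xn--) labels, flags hosts that are not plain ASCII or mix scripts within a label, and compares a confusable-folded "skeleton" of the host against a trusted list. Identifying a character's script from the first word of its Unicode name, and the small confusables table, are simplifications assumed for the example; a production checker would use the Unicode confusables data.

```python
import unicodedata

# Constructed map of common look-alike characters to the ASCII letter they
# imitate (Cyrillic a, e, o, p, c, dze, i; Greek omicron; dotless i).
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0455": "s", "\u0456": "i", "\u03bf": "o", "\u0131": "i",
}


def to_unicode_host(host):
    """Decode punycode labels so the form a browser would display can be inspected."""
    try:
        return host.encode("ascii").decode("idna")
    except UnicodeError:
        return host  # already Unicode (or not valid IDNA): inspect as given


def scripts_in(label):
    """Approximate set of scripts used by a label, from Unicode character names."""
    scripts = set()
    for ch in label:
        if ch in "-0123456789":
            continue  # digits and hyphens are script-neutral
        name = unicodedata.name(ch, "")
        scripts.add(name.split(" ")[0] if name else "UNKNOWN")
    return scripts


def skeleton(host):
    """NFKC-normalise, then fold confusables to their ASCII look-alikes."""
    host = unicodedata.normalize("NFKC", host)
    return "".join(CONFUSABLES.get(ch, ch) for ch in host)


def check_homograph(host, trusted):
    """Report why a host may be a homograph of a trusted domain."""
    uni = to_unicode_host(host)
    issues = []
    if not uni.isascii():
        issues.append("non_ascii")
    for label in uni.split("."):
        if len(scripts_in(label)) > 1:
            issues.append("mixed_script:" + label)
    skel = skeleton(uni)
    if skel != uni and skel in trusted:
        issues.append("looks_like:" + skel)
    return {"unicode_host": uni, "skeleton": skel, "issues": issues}


if __name__ == "__main__":
    # Constructed sample: Cyrillic 'а' (U+0430) replaces the Latin 'a'.
    fake = "p\u0430ypal.com"
    puny = fake.encode("idna").decode("ascii")   # what the DNS query carries
    print(puny, "->", check_homograph(puny, {"paypal.com"}))
    print("paypal.com ->", check_homograph("paypal.com", {"paypal.com"}))
```

Checking the punycode form matters because that is what appears in DNS, certificate logs and many link scanners, while the decoded form is what the user sees.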
How organisations can defend themselves
Configure SPF, DKIM, and DMARC records for your email domains — a DMARC policy of 'reject' tells receiving servers to discard messages that fail authentication, so spoofed emails never reach recipients. Register common typosquats and homograph variants of your domain pre-emptively. Use brand monitoring services to detect new registrations that resemble your domain. Educate users to verify URLs before clicking, especially in emails.
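As an added example (not the article's or LinkThreatScan's code), the Python below shows a weak and a hardened form of the SPF and DMARC TXT records the paragraph refers to, together with a small assessor that reports why a domain is still spoofable. The records for example.com are constructed and nothing is queried from live DNS; DKIM is not assessed because its public key sits under a selector the sender chooses, so it cannot be found from the domain name alone.

```python
# Constructed TXT records, as a DNS lookup of example.com and
# _dmarc.example.com would return them. No live DNS is queried.
RECORDS = {
    "weak": {
        "example.com": "v=spf1 include:_spf.example.net ~all",
        "_dmarc.example.com": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
    },
    "hardened": {
        "example.com": "v=spf1 include:_spf.example.net -all",
        "_dmarc.example.com": "v=DMARC1; p=reject; adkim=s; aspf=s; "
                              "rua=mailto:dmarc@example.com",
    },
}


def parse_dmarc(txt):
    """Turn 'v=DMARC1; p=reject; ...' into a dict of tag -> value."""
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def spf_terminal(txt):
    """Qualifier of the SPF 'all' mechanism: '-', '~', '?', '+' or None."""
    for term in txt.split():
        if term.lstrip("+-~?").lower() == "all":
            return term[0] if term[0] in "+-~?" else "+"
    return None


def assess_email_auth(domain, txt_lookup):
    """List the gaps that let a forged From: header through for this domain."""
    spf = txt_lookup.get(domain, "")
    dmarc = txt_lookup.get("_dmarc." + domain, "")
    findings = []
    if not spf.lower().startswith("v=spf1"):
        findings.append("no_spf")
    elif spf_terminal(spf) != "-":
        # ~all (softfail) or ?all (neutral) leaves the decision to the receiver.
        findings.append("spf_soft_or_neutral")
    if not dmarc.upper().startswith("V=DMARC1"):
        findings.append("no_dmarc")
    else:
        tags = parse_dmarc(dmarc)
        policy = tags.get("p", "none").lower()
        if policy == "none":
            findings.append("dmarc_policy_none")      # monitor only, no enforcement
        elif policy == "quarantine":
            findings.append("dmarc_policy_quarantine")  # delivered to spam, not rejected
        if tags.get("pct", "100") != "100":
            findings.append("dmarc_partial_pct")      # policy applied to a fraction only
    return {"domain": domain, "protected": not findings, "findings": findings}


if __name__ == "__main__":
    for label, lookup in RECORDS.items():
        print(label, "->", assess_email_auth("example.com", lookup))
```

The usual rollout path is p=none with rua reporting to learn which legitimate senders fail alignment, then quarantine, then reject; the assessor marks a domain as protected only at the final step.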
About the author
Emil Gheonea is a software engineer and the solo developer behind LinkThreatScan. He built this tool out of a genuine need for a fast, transparent, and free way to assess whether a link is safe before clicking it. He writes about web security topics to help everyday users and developers make better decisions online.