Unsecured brand domains (and look-alike/typosquatted domains) are not a minor IT nuisance; they create material governance, legal, and market risks. For listed companies, these risks translate directly into shareholder exposure, reputational harm, and potential regulatory scrutiny.
Threat actors register look-alike domains to mimic corporate sites and email addresses, driving credential theft, wire-fraud (BEC), and investor deception. Proofpoint reports that email attacks using compromised or look-alike domains contributed to record cybercrime losses in 2024–2025.
Typosquatted sites and fake social profiles are used to harvest partner information and staff identities for later intrusions. According to a Darktrace blog post, recent SOC write-ups show coordinated campaigns in which malicious look-alike domains and fake X/Twitter accounts were created to mirror corporate brands.
Threat actors are increasingly exploiting cloned domains and deceptive online identities to harvest credentials, infiltrate networks, and extract strategic information. In one notable case, the Iranian state-sponsored APT42 group impersonated major media outlets, such as The Washington Post, The Economist, and Jerusalem Post, using typosquatted domains (for instance, “washinqtonpost[.]press”). These deceptive sites were paired with fake social media profiles and spear-phishing emails, enabling the group to harvest credentials and infiltrate target cloud environments, including think tanks and NGOs.
Failing to preempt domain abuse invites UDRP/SIDN disputes, PR fallout, and, if personal data is involved, regulatory action (and, in serious cases, notification to affected data subjects under GDPR Art. 34).
Many ransomware campaigns begin with phishing emails sent from spoofed domains. Once inside, attackers can escalate privileges, encrypt systems, and demand payment. 2024–2025 threat intelligence reports from Kroll and CyberInt show that ransomware remained highly impactful, with thousands of published incidents and evolving actor tradecraft tied to phishing origins.
Bogus websites or press pages can move markets (e.g., the historic Emulex hoax wiped >50% off the stock intra-day before being exposed). In 2000, an ex-employee issued a fake press release claiming Emulex had restated earnings to a loss and its CEO had resigned. Using a freshly created Yahoo email, he posed as the company’s publicist. Within 20 minutes, the stock fell over 60%, erasing $2.5 billion in value before the hoax was exposed. This case shows how quickly false, “official-looking” information can move markets, a risk amplified today by unprotected or cloned corporate domains. Even a dated case illustrates today’s amplified risk, now that automated news-scrapers ingest “official-looking” sites.
The risks associated with unsecured or look-alike domains extend far beyond IT. They encompass fraud, espionage, data protection liabilities, ransomware entry points, and even market manipulation. Each of these risks carries direct implications for corporate governance, shareholder confidence, and regulatory compliance.
For listed companies, the message is clear: failing to secure and manage domains is not just a technical gap; it is a governance lapse with measurable financial and reputational consequences. The examples above demonstrate how quickly malicious actors can exploit these weaknesses, with damage measured in billions of euros and years of lost trust.
Domain custodianship is no longer optional. Proactive, neutral management of critical domains is an essential component of brand defense, investor protection, and fiduciary duty.
Review and close gaps in your domain portfolio, including ccTLDs and obvious look-alike variations.
Implement custodial arrangements where domains are not yet integrated into your corporate portfolio.
Ensure incident response plans explicitly address domain abuse, including GDPR-mandated disclosure obligations.
By acting now, companies can prevent reputational harm, regulatory action, and financial loss, and demonstrate to shareholders that their digital assets are being managed with the same rigor as their physical and financial assets.