How it works
Phishing Detection scans Certificate Transparency logs for domains that closely resemble your monitored domains. Attackers register lookalike domains (e.g. examp1e.com instead of example.com) and obtain real TLS certificates for them to make phishing sites appear legitimate. Because certificates must be logged publicly, CertControl can detect these the moment a certificate is issued.
CertControl uses several detection techniques in combination:
- Finds domains that differ from yours by 1–2 character insertions, deletions, or substitutions. Catches exampl.com, examplecom.net, etc.
- Detects character swaps that look identical in most fonts: o → 0, l → 1, rn → m, vv → w, a → 4, e → 3, and more.
- Catches domains with phishing-specific prefixes or suffixes appended to your domain name: secure-example.com, example-login.com, myexample.com, etc.
- Checks common alternative TLDs for your exact domain name: .net, .org, .dk, .io, .co, .info, .biz, .eu.
- Finds certificates where your domain name appears embedded inside a longer domain — e.g. example.com.phishing.site or secure.example.com.malicious.io.
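The five checks above combined into one classifier for certificate SAN names, as an added example that is not CertControl's own code. The keyword list, the order in which the rules are tried, and the single-label TLD handling are assumptions made for this example, and the sample SAN values are constructed.

```python
# Added example: not CertControl's code. Sample names below are constructed.
MONITORED = "example.com"
ALT_TLDS = {"net", "org", "dk", "io", "co", "info", "biz", "eu"}  # TLDs listed above
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("4", "a"), ("3", "e")]
KEYWORDS = {"secure", "login", "my"}  # assumed list, taken from the page's examples

def edit_distance(a, b):
    """Levenshtein distance: insertions, deletions, substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def normalize(label):
    """Fold lookalike characters onto the letters they imitate."""
    for fake, real in HOMOGLYPHS:
        label = label.replace(fake, real)
    return label

def classify(san, monitored=MONITORED):
    """Return the match type for one certificate SAN, or None if it is not a lookalike."""
    san = san.lower().rstrip(".").removeprefix("*.")  # drop wildcard prefix (Python 3.9+)
    name, _, _ = monitored.rpartition(".")
    if san == monitored or san.endswith("." + monitored):
        return None                      # the monitored domain or its own subdomain
    if f".{monitored}." in f".{san}":
        return "embed"                   # monitored domain buried in a longer name
    labels = san.split(".")
    if len(labels) < 2:
        return None
    label, tld = labels[-2], labels[-1]  # assumes a single-label public suffix
    if label == name:
        return "tld" if tld in ALT_TLDS else None
    if normalize(label) == normalize(name):
        return "homoglyph"               # checked before typo: also edit distance 1
    bare = label.replace("-", "")
    if bare.replace(name, "", 1) in KEYWORDS and (bare.startswith(name) or bare.endswith(name)):
        return "keyword"
    if 1 <= edit_distance(label, name) <= 2:
        return "typo"
    return None

SAMPLE_SANS = ["examp1e.com", "exampl.com", "secure-example.com", "example-login.com",
               "example.net", "example.com.phishing.site", "www.example.com", "unrelated.org"]

def scan(sans):
    """Map each flagged SAN to its match type; clean names are omitted."""
    return {s: t for s in sans if (t := classify(s))}
```

Homoglyph and keyword rules run before the edit-distance rule because examp1e.com and myexample.com are also within two edits of example.com and would otherwise be reported only as generic typos.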
Phishing Detection uses your CT Monitor domains
No separate setup is needed. Phishing Detection runs automatically against every domain you have added to CT Monitor. If you have not added any domains yet, go to CT Monitor and add your root domains first.
Review alerts in Phishing Detection
Go to Phishing Detection in the left-hand menu. Alerts are split into two tabs:
- Lookalike — domains that closely resemble your domain via typosquatting or homoglyphs
- Embed — domains that contain your domain name embedded inside a longer string
Each alert shows the lookalike domain, the match type, the edit distance from your domain, the issuing CA, the validity period, and the full SAN list.
Investigate and respond
For each alert, assess whether the domain is a genuine threat or a benign registration. Common response actions:
- Brand abuse / active phishing — report to the registrar and request suspension. Contact your CA if the certificate was issued by one you use.
- Defensive registration — register the lookalike domain yourself to prevent future misuse
- Benign — acknowledge the alert to clear it from the active queue
Acknowledge or dismiss alerts
Click Acknowledge on any alert you have reviewed. This marks it as seen, deactivates the associated finding, and removes it from the unacknowledged count. Acknowledged alerts remain visible in the full list for audit history. Admins can delete alerts entirely.
Run a manual check
A full automated check runs overnight. To run an immediate check, click Run check now on the Phishing Detection page. You can also run a check for a single domain by entering it in the domain field before clicking Run check now.