Typosquatting are among the cybersecurity threats that deserve a closer look in the financial sector. In fact, the early detection of typosquatting domains can help financial institutions maneuver away from cyber risks that could cause much damage. But to what extent is this the case?

Typosquatting domains that mimic the domain names of banks and other financial institutions have continuously been detected by the Typosquatting Data Feed. An example of this involves Lloyds Bank, a commercial bank headquartered in the U.K. The bank has over 10 million clients across 1,100 branches all over England and Wales. Even a small percentage of the bank’s clientele falling victim to typosquatting domains would thus be damaging.

Lloyds Bank Typosquatting Domains

The Typosquatting Data Feed was able to detect Lloyds Bank-inspired domain names a few hours after they appear in the Domain Name System. Detection is, therefore, almost in real-time. When integrated into security systems, cyber incident response teams can also take action immediately, even before threat actors can start using the typosquatting domains. As such, intelligence from the Typosquatting Data Feed can help organizations fight phishing and malware attacks.

From October 2019 to April 2020, the typosquatting protection database detected a total of 93 newly registered domains (NRDs) that use the words “lloyds bank.” A few examples were boxed in red in the screenshot below. The data boxed in blue indicates the date when they appeared in the daily data feeds, mostly up to 24 hours from their registration dates. Forty-nine of the domains detected were reported on X-Force Early Warning but not until 6 May.

Comparing the Official Lloyds Bank Domain Infrastructure with Those of the Lookalike Domains

As Lloyds Banking Group has a holistic cybersecurity approach, so one could argue that the bank registered these domain names independently. After all, this is a popular strategy among other well-established banks such as Bank of America, which owns bankofamerika[.]com, bank0famerica[.]com, and other lookalike domains. We can easily confirm this by comparing the WHOIS records of the bank’s official website with those of the suspected typosquatting domains.

Using WHOIS Lookup, we found that lloydsbank[.]com is under the registrar Ascio Technologies and the registrant organization Lloyds Bank PLC.

Note that the bank’s official website still uses the email domain lloydstsb[.]co[.]uk even when they split from TSB Bank in 2013, and a Spanish bank bought the latter in 2015. Lloyds Bank also uses these nameservers:

• ns2[.]lloydstsb[.]co[.]uk
• ns5[.]lloydstsb[.]net
• ns7[.]lloydsbanking[.]com
• ns8[.]lloydsbanking[.]co[.]uk
• ns9[.]lloydsbanking[.]com

To compare, we ran the typosquatting domains shown above on Bulk WHOIS Lookup and found out that none of them are registered under Lloyds Bank PLC.

A lot of these domains also have their records redacted, and do not even appear located in the U.K., where Lloyds Bank is registered and operates.

What Can Lloyds Bank Do to Enhance Its Typosquatting Protection?

A bank as large as Lloyds Bank can’t afford leniency with its typosquatting protection strategy. It has almost 2,000 domain names registered under Lloyds Bank PLC, as we found out with the help of Reverse WHOIS Search. We used the following search terms to build a comprehensive reverse WHOIS search report:

• Registrant organization: Lloyds Bank PLC
• Street address: 25 Gresham Street
• Country: U.K.

But if the typosquatting domains detected by the Typosquatting Data Feed is any indication, Lloyds Bank needs to do some real-time monitoring. When we included a date filter to our search parameters, we found only three domains registered between 1 October 2019 to 6 June 2020.

We can’t say for sure that Lloyds Bank doesn’t own any of the 93 domain names cited above. But if the bank indeed doesn’t own them, there is a good chance that these could figure in phishing attacks and business email compromise (BEC) scams. Lloyds Bank’s clients could be tricked into giving out sensitive information, while its partners and suppliers may also become victims of BEC scams.

Reverse WHOIS Search also reveals that the bank has only registered three lookalike domains in the past seven months, even as the Typosquatting Data Feed detected 93 as of 30 April.