Risk Visualization
The radar chart compares core risk drivers used by the scoring model.
Example Data Table
| Brand Domain | Suspect Domain | Similarity Risk | Homoglyph Risk | TLD Risk | Infrastructure Risk | Final Score | Risk Level |
|---|---|---|---|---|---|---|---|
| paypal.com | paypa1-support.net | 73.20 | 68.00 | 76.75 | 80.00 | 74.41 | High |
| microsoft.com | micr0soft-login.org | 69.10 | 72.50 | 57.00 | 76.00 | 69.16 | High |
| stripe.com | stripe-payments.co | 42.60 | 28.00 | 48.25 | 34.00 | 39.64 | Guarded |
Formula Used
Step 1: String Similarity Risk
Similarity Risk = 100 − ((Levenshtein Similarity × 0.65) + (Character Frequency Similarity × 0.35))
Step 2: Homoglyph Risk
Homoglyph Risk = (Manual Homoglyph Indicator × 0.60) + (Automatic Confusable Pattern Score × 0.40)
Step 3: TLD Risk
TLD Risk = (Observed TLD Abuse Score × 0.55) + (Automatic TLD Mismatch Risk × 0.45)
Step 4: Infrastructure Risk
Infrastructure Risk = WHOIS Privacy + MX Presence + Website Activity + SSL Presence + Fresh Registration + Subdomain Depth Adjustment
Step 5: Final Weighted Score
Final Score = (Similarity Risk × 0.30) + (Homoglyph Risk × 0.18) + (TLD Risk × 0.14) + (Infrastructure Risk × 0.16) + (Brand Exposure × 0.10) + (Email Abuse Signal × 0.07) + (Traffic Signal × 0.05) + (Script Risk × 0.05) + (Repeated Character Risk × 0.03)
Interpretation: 0–24 Low, 25–44 Guarded, 45–64 Moderate, 65–79 High, 80–100 Critical.
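Steps 1 and 5 and the interpretation bands, worked through in Python as an added example (not the calculator's own code). The dictionary keys, the two sub-score definitions in Step 1, the cap at 100 and the handling of fractional scores are assumptions; the page's Step 5 weights sum to 1.08, so an uncapped total can exceed 100.

```python
from collections import Counter

# Step 5 weights exactly as listed on the page; note they sum to 1.08.
WEIGHTS = {
    "similarity": 0.30, "homoglyph": 0.18, "tld": 0.14,
    "infrastructure": 0.16, "brand_exposure": 0.10, "email_abuse": 0.07,
    "traffic": 0.05, "script": 0.05, "repeated_char": 0.03,
}
# Lower bound of each interpretation band from the page.
BANDS = [(80, "Critical"), (65, "High"), (45, "Moderate"), (25, "Guarded"), (0, "Low")]

def levenshtein(a, b):
    """Edit distance using the two-row dynamic programming table."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def similarity_risk(brand, suspect):
    """Step 1 as written on the page; both sub-scores are assumed definitions."""
    brand, suspect = brand.lower(), suspect.lower()
    longest = max(len(brand), len(suspect)) or 1
    # Assumption: Levenshtein similarity = 100 * (1 - distance / longer length).
    lev_sim = 100 * (1 - levenshtein(brand, suspect) / longest)
    # Assumption: frequency similarity = shared character multiset / longer length.
    freq_sim = 100 * sum((Counter(brand) & Counter(suspect)).values()) / longest
    return 100 - (lev_sim * 0.65 + freq_sim * 0.35)

def final_score(signals):
    """Step 5: weighted sum of nine 0-100 signals, capped at 100 (assumption)."""
    if set(signals) != set(WEIGHTS):
        raise ValueError("expected exactly: " + ", ".join(sorted(WEIGHTS)))
    if any(not 0 <= v <= 100 for v in signals.values()):
        raise ValueError("every signal must be within 0-100")
    return min(sum(WEIGHTS[k] * signals[k] for k in WEIGHTS), 100.0)

def risk_level(score):
    """Map a 0-100 score to a band; fractions such as 24.5 stay in the lower band."""
    if not 0 <= score <= 100:
        raise ValueError("score out of range")
    return next(label for floor, label in BANDS if score >= floor)

# Constructed sample: four category scores from the paypal.com table row,
# plus five made-up analyst inputs for the remaining signals.
SAMPLE = {"similarity": 73.20, "homoglyph": 68.00, "tld": 76.75, "infrastructure": 80.00,
          "brand_exposure": 90, "email_abuse": 70, "traffic": 40, "script": 20, "repeated_char": 10}
```

Because the five extra inputs are constructed, the sample total is not expected to match the Final Score column in the table above.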
How to Use This Calculator
- Enter the legitimate brand domain and the suspicious domain.
- Set exposure, TLD abuse, email abuse, and traffic signal scores from your threat intelligence sources.
- Mark infrastructure indicators such as MX records, SSL, active hosting, privacy masking, and recent registration.
- Adjust the manual homoglyph score if analysts spot visual character substitution not captured automatically.
- Press Calculate Risk to show the result above the form.
- Review category scores, the weighted total, and the recommended response action.
- Use the CSV and PDF options to document evidence for takedown, reporting, or internal triage.
FAQs
1. What is a lookalike domain?
A lookalike domain imitates a legitimate brand domain using small spelling, character, or extension changes. Attackers use them for phishing, fraud, credential theft, or brand abuse.
2. Why does the calculator use weighted scoring?
Not every signal carries equal impact. String similarity matters strongly, but live email, suspicious TLDs, and brand exposure can raise real-world abuse potential significantly.
3. What are homoglyphs in domain analysis?
Homoglyphs are visually similar characters, such as 0 replacing o or 1 replacing l. They make fake domains look trustworthy during quick human review.
4. Does SSL always reduce risk?
No. Many phishing sites use valid certificates. In this model, SSL only adds a small signal because it can support a convincing fraudulent landing page.
5. Why do MX records matter?
MX records suggest the domain can send or receive email. That capability often increases phishing likelihood, especially when brand impersonation is already strong.
6. Can this replace analyst review?
No. It helps prioritize cases. Human review is still needed for campaign context, infrastructure enrichment, legal decisions, and final takedown validation.
7. How should I choose the brand exposure score?
Use a higher score for brands with broad public reach, high transaction value, or strong consumer trust. Those brands attract more impersonation attempts.
8. What score should trigger immediate action?
Most teams should prioritize fast review above 65 and emergency escalation above 80. Your threshold can change with industry risk tolerance and staffing.