When a major investment management firm came to us with a list of around 250 domain names and asked us to register them all, the straightforward response would have been to build a quote and get it done. We didn’t do that. Not because we couldn’t. Not because it was outside our scope. But because sitting with that list for a few minutes made it obvious that registering 250 domains would give the client a sense of security without actually delivering it. And that’s not a service worth providing.
The problem behind the request
The client’s concern was legitimate. Their brand is a well-known name — distinctive enough to attract imitators, and valuable enough that protecting it matters commercially and reputationally. They’d already found a company in another country operating under a nearly identical name, offering similar services, and causing genuine confusion in the market. Legal advice had confirmed that nothing could be done about that particular situation. The name was legally registered, the business was legitimate, and trademark protection didn’t extend far enough to reach it.
So the client had done what most businesses do when they feel exposed: they’d tried to build a fence. Register every domain variant you can think of, and at least nobody can squat on them.
It’s a reasonable instinct. But the list they’d assembled was mostly made up of long-form variants — names like ACMEAssetManagementNamibia.com, ACMEAssetManagementNigeria.com. And here’s the practical reality: owning a domain with a country name appended to a .com doesn’t give you any legal standing if someone else registers ACME.Namibia or ACME.Africa. Those are different domains entirely. The fence has gaps in it, and the gaps are exactly where a sophisticated attacker or imitator will go.
We’d been working with LexSynergy as a domain specialist partner for several years, and we knew they had a more considered answer to this kind of problem. So instead of building a quote for 250 registrations, we arranged a meeting — the client, LexSynergy, and us — to have the right conversation first.
What brand protection actually looks like
That first session opened the client’s eyes to a different framework entirely. LexSynergy revised the domain list, replacing the generic long-form variants with extensions that carry actual legal weight — registrations that, combined with trademark protection, would give the client genuine standing if a disputed domain needed to be challenged.
But the more significant conversation was about global domain blocks.
A global block is different from domain registration. Rather than owning individual domains, a global block uses trademark protection to prevent the name from being registered by anyone across up to 710 domain extensions worldwide. The client doesn’t need to own ACMEAssetManagement.app, ACMEAssetManagement.dev, ACMEAssetManagement.crypto, and every other extension that might emerge. Those registrations simply can’t happen, because the block is in place behind them. It’s protection at the level of the trademark, not at the level of the individual domain.
The session went further still. A second meeting followed — this time with the client’s own lawyers present alongside brand protection specialists from LexSynergy — and the conversation moved into territory that hadn’t been on anyone’s radar when the original domain list was compiled.
The attack most businesses haven’t thought about
One of the more sobering discussions involved what’s known as a homoglyph attack.
The premise is simple and the implications are uncomfortable. An attacker registers a domain that looks, to the human eye, completely identical to the legitimate domain. Not a misspelling. Not a different extension. The same letters, in the same order — but some of those characters are drawn from a different Unicode set than the one used in the original. An ‘o’ that isn’t an ‘o’. A character from a Cyrillic or Greek keyboard that renders identically on screen but carries a different value in the underlying code.
Once that domain is registered, the attacker can configure it with fully valid SPF, DKIM, and DMARC records. Emails sent from it pass authentication checks. They arrive in inboxes looking exactly like they came from the real company. Standard spam filtering won’t catch it, because technically the email is properly authenticated.
The global block plus service addresses this. Where a standard global block covers 710 extensions, global block plus extends protection across more than 108,000 domain variants — including the character-set permutations that make homoglyph attacks possible. It doesn’t just block the obvious squatting attempts. It blocks the sophisticated ones too.
For an investment management firm whose clients are making significant financial decisions based on communications that appear to come from them, the risk profile of this kind of attack is serious. The client’s lawyers left that second session with a clear view of why the original domain list wasn’t the answer, and why the global block approach — with proper trademark backing — was.
Why this matters beyond the specific client
The impulse to register domain variants is almost universal among businesses that have built a recognisable brand. It feels like action. It feels like protection. And in some cases, it genuinely is — owning the obvious typosquat domains is worth doing.
But brand protection in 2026 is a more layered conversation than most businesses have had. The question isn’t just whether you own the domains that competitors or attackers might try to register. It’s whether the protection you’ve put in place would actually hold up if something went wrong — legally, technically, and commercially.
We brought a specialist to the table rather than executing the instruction we were given. The client’s lawyers agreed it was the right call. That’s the kind of advisory value that matters — not the number of domains registered.
If you haven’t reviewed your own brand protection posture, or if your domain strategy has grown organically over the years without a considered framework behind it, it’s worth asking whether the fence you’ve built actually has the gates in the right places.
A threat readiness assessment is a good place to start — and it often surfaces risks that were never on the original list. If you’d like to discuss your organisation’s brand and cyber security posture, our team is ready to help.
