Third-party domains are fueling a rise in phishing and brand abuse, creating real risks that are hiding in plain sight. This blog analyzes the rise in suspicious domains targeting the Forbes Global 2000 and what the data suggests you should watch next.

Fake domains are not a new problem. What’s now changing is the scale and how easily attackers can blend into your domain ecosystem with lookalikes, inactive registrations, and domains set up purely for email.

In the Domain Security Report 2026, we looked into the domain security posture of the Forbes Global 2000 and reviewed suspicious or malicious domain activity targeting those brands. The results revealed a notable pattern: Third-party domains that include brand names persistently show up, and many of them are set up in ways that can support phishing, interception, or brand abuse.

Why do fake domains matter for domain security?

Domain security matters more and more as external attacks surface at a higher frequency, partly due to the availability of toolkits and artificial intelligence (AI), which makes it easier for bad actors to launch a campaign. It matters especially as domains form the foundation of the internet-facing services companies rely on, including websites, email, client and partner portals, and voice over IP (VoIP). When attackers abuse domains, they may not need to breach the firewall first. They can go after the trust that companies build their brands on.

There are multiple ways threats show up in domains, including:

• Malicious domain registrations, including homoglyphs and other spoofing permutations
• Dormant domain names that sit quietly registered but unused for years, until they get weaponized
• Lapsed branded domains that companies let go of, but get reregistered by a third party
• Hijacked subdomains through forgotten or dangling domain name system (DNS) records that can redirect legitimate traffic
• Compromised or hijacked legitimate domains that were left unsecured

Common spoofing tactics used in phishing domains include homoglyphs and character substitutions designed to look like a legitimate brand domain. Some common examples include substituting characters to make a domain visually similar to the real one, such as cornpany.com.

How common are third-party homoglyph domains?

One data point taken from our report’s findings alone should stop you in your tracks: 88% of homoglyph domains are owned by third parties.

Homoglyph domains are one of the more direct “trust attacks” because they exploit how people read, which means they don’t need to be sophisticated to work. If a user is unable to quickly spot the difference between a real domain and a lookalike, then a fake login page or spoofed email can do the rest. This becomes one of the most egregious attack methods used by threat actors.

In fact, if your team is only looking for obvious forms of brand misuse, it may be possible to overlook these deceptive homoglyphs that can pass through fast visual checks undetected.

Why email is still the fastest path to harm

Fake domains don’t need a live website to be dangerous. Email capability alone can be enough. As the Cybersecurity and Infrastructure Security Agency (CISA) reports, more than 90% of successful cyberattacks start with a phishing email.

In our report, we found that 40% of third-party-owned domains had mail exchanger (MX) records in 2025, compared to 42% in the previous year. MX records can be used to send phishing emails, which helps explain why email authentication controls remain a major focus across domain security programs.

This means that as long as a third-party domain looks like yours and has email capabilities, it could easily become a launchpad for brand impersonation and phishing, even if it never hosts a web page.

Dormant domains are not harmless

There’s a common misconception that inactive domains don’t cause any harm. The reality is that dormant domains can still create exposure to cyberthreats.

Thirty-two percent of third-party domains are inactive but contain MX records. The numbers alone are a useful reminder that “inactive” isn’t equivalent to “incapable.” A domain can sit quietly, then switch into active use when an attacker decides the timing is right. An aged domain that has been registered for a long time is also more likely to bypass security filters.

For teams that only triage domains that resolve to a website, you might be missing out on domains that are “email-ready” and waiting.

Where do third-party domains point today?

But how exactly are these third-party domains being used? Our research has revealed that these domains can point to:

• Advertising, pay-per-click ads or domain parking (40%)
• Inactive websites (39%)
• Malicious content (2%)
• A live website not associated with the brand owner (19%)
• Additionally, there’s also the risk of inactive domains that still have active mail records

This mix matters because not all abuse looks like a takedown-worthy phishing kit on day one. Some registrations monetize traffic, while others sit inert. Some host content that can directly damage client confidence.

Getting your enforcement and monitoring approach right includes matching the reality that third-party domains often move through phases, from parked or dormant, to malicious.

Which industries are most targeted by fake domains?

By analyzing suspicious and malicious domains among the Global 2000 companies, we identified the industries where fake domain threats concentrate most heavily. Our findings showed that banking (16.3%), followed by IT software and services (6.6%) and diversified financials (5.8%), were the top industries targeted by fake domains.

Threat actors tend to follow trust and transaction value. If your brand sits in a space where credentials, payments, or sensitive workflows matter, it could be an attractive target for such attacks.

What to do next?

Fake domains create real operational work. They also create real risk, especially when domains are configured for email or built to look nearly identical to trusted brands.

If you want the full findings, including broader domain security posture insights across the Global 2000, download the complete report, and use it as a benchmark for what you monitor and what you prioritize.