URL hijacking, also called typosquatting, is a social engineering attack in which an attacker exploits the typing mistakes that users may make when attempting to navigate to a website. For example, a user wishing to visit CompTIA's website might type comtpia.org into their browser. The browser has no way of knowing this was a mistake, so it sends the user to that literal website, typo and all. An attacker has already registered this domain and is counting on users to make just such a mistake. So, the user gets directed to a malicious site instead of their intended destination.

The malicious site might be very clearly the wrong one, but more clever attackers will turn this into a pharming site that mimics the real one closely. That way, the victim may never even know that they committed an error, and will continue on, ignorant of the problem.

In addition to misspellings, URL hijacking also encompasses instances where the wrong top-level domain is used (e.g., comptia.gov), instances where domains and subdomains are obfuscated (e.g., login.comp.tia.org), and instances where a different form of a word is used (e.g., thecomptia.org). Note that many companies have expended significant effort in combating typosquatted domains, though some do fall through the cracks.
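
The variant types above can be told apart mechanically when reviewing hostnames seen in DNS or proxy logs. The following Python classifier is an added example, not part of the original text; the function names, the two-edit threshold, and the rule that the registrable domain is the last two labels are assumptions.

```python
# Added example: sort lookalike hostnames into the categories described above.
PROTECTED = "comptia.org"  # the legitimate domain used in the text


def osa_distance(a: str, b: str) -> int:
    """Edit distance counting an adjacent swap (comtpia/comptia) as one edit."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if prev2 is not None and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)  # transposition
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]


def classify(host: str, protected: str = PROTECTED, max_edits: int = 2) -> str:
    host = host.lower().rstrip(".")
    brand, brand_tld = protected.split(".", 1)
    if host == protected or host.endswith("." + protected):
        return "legitimate"
    labels = host.split(".")
    if len(labels) < 2:
        return "unrelated"
    # Assumption: the registrable domain is the last two labels (no public
    # suffix list), which is wrong for suffixes such as co.uk.
    sld, tld = labels[-2], labels[-1]
    if sld == brand and tld != brand_tld:
        return "wrong_tld"             # e.g. comptia.gov
    if brand in sld:
        return "word_form"             # e.g. thecomptia.org
    if osa_distance(sld, brand) <= max_edits:
        return "misspelling"           # e.g. comtpia.org
    if brand in "".join(labels[:-1]):
        return "obfuscated_subdomain"  # e.g. login.comp.tia.org
    return "unrelated"


# Constructed sample input: the page's four examples plus two controls.
SAMPLES = ["comtpia.org", "comptia.gov", "login.comp.tia.org",
           "thecomptia.org", "www.comptia.org", "example.net"]

if __name__ == "__main__":
    for name in SAMPLES:
        print(f"{name:22} {classify(name)}")
```
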