HSTS, or HTTP Strict Transport security header(Strict-Transport-Security) is set on your domain, a browser will do all requests to your site over https from then onwards. In case when a hacker is redirecting this user to a fake domain.com, the browser remembers to use SSL because of the HSTS, so requests the secure site.
Browser needs to visit your site first to see this header, this will be active only after the first visit.
You can set SSL certificate on your domain, anyone can still use your site over http. The simplest solution is to add a redirect to your site and forces it over SSL. But user is open to attacks when the hackers directs the request to a site pretending to be non secured domain.