Designed to Deceive: 6 Common Look-alike Domain Tactics

Learn 6 common look-alike domain tactics, some of the ways attackers use look-alike domains, and steps you can take to reduce your risk.
January 30, 2024

With threat actors lurking around every digital corner, it can sometimes make scrolling through an inbox feel like traversing a minefield. Employing various strategies to deceive their targets, attackers count on end-user oversight to convince the recipients of their malicious emails that the messages (and any included requests) are legitimate.

One effective strategy is the use of look-alike domains—URLs that closely resemble the domain of a real website but are altered slightly to trick targets into visiting fraudulent sites. From subtle character substitutions to Unicode manipulations, threat actors have myriad methods for exploiting human error with these deceptive domains.

In this article, we’ll explore six common look-alike domain tactics, discuss some of the ways attackers use look-alike domains, and share steps you can take to reduce your risk.

6 Ways Attackers Generate Look-alike Domains

1. Using Similar-Looking Letters

Look-alike domains often use similar-looking letters to fool targets. For instance, a lowercase “i” looks enough like a lowercase “l” to pass muster, and vice versa. In practice, this might look like “googie[.]com” instead of “google[.]com” or “wlklpedia[.]org” instead of “wikipedia[.]org.”

Another strategy is to use a double “n” instead of an “m.” In this case, “abnormalsecurity[.]com” becomes “abnornnalsecurity[.]com.” Alternatively, “cnn[.]com” becomes “cm[.]com.” Bad actors also like to put an “r” next to an “n” to resemble an “m,” as in “rnicrosoft[.]com” instead of “microsoft[.]com.”

2. Replacing Letters with Numbers

Sometimes cyberattackers use numbers instead of letters. For example, they may swap the number zero for the letter “o”, as in “yah00[.]com.” Other examples include using the number one for the letter “l” or the number five for “s.” Compared to some other look-alike tactics, these are easier for users to spot due to the difference in size and shape of the characters. Nevertheless, employees can and do fall for these deceptions.

3. Substituting Foreign-Language Letters

Homoglyphs are characters that come from different alphabets or character sets but look visually similar or identical to one another, especially when displayed in certain fonts or styles.

Attackers often use homoglyphs in look-alike domains—for example, substituting the English letter "o" with its near-identical counterpart "о" from the Cyrillic alphabet. This subtle manipulation can easily go unnoticed at first glance, making it difficult for targets to discern the fraudulent nature of the domain.

4. Adding, Removing, or Transposing Letters

The human brain has a built-in autocorrect feature. Because our cognitive processes are tuned to anticipate and interpret information based on familiar patterns and expectations, we often automatically fill in the gaps and correct perceived errors, such as spelling mistakes.

Attackers exploit this by strategically altering domain names through the addition, removal, or rearrangement of letters. For example, “insurrance[.]com” instead of “insurance[.]com”, “travelcity[.]com” instead of “travelocity[.]com,” or “abnomralsecurity[.]com” instead of “abnormalsecurity[.]com.”

5. Utilizing Fake Protocols and Manipulating Domains

Because users often overlook the beginning of a domain, attackers will utilize non-standard protocols like "httpss" instead of "https." Additionally, they engage in subdomain spoofing, transforming legitimate addresses like "[.]com" into deceptive variants like "login-bank[.]com."

Threat actors also append common prefixes or suffixes to legitimate domain names, such as "secure-google-login[.]com,” or manipulate top-level domains, replacing ".com" with alternatives such as ".co" or ".ai." While legitimate international and custom domains exist, these manipulations contribute to user confusion, which attackers can capitalize on.

6. Inserting Unicode Characters

Another especially crafty method is Unicode character abuse. Slashes (/) are commonly seen in address bars, but when they are replaced by certain Unicode characters (u+2044 or u+2215), they can direct users to some scary places.

Could you tell the difference between the legitimate address and the malicious address below?

  • hxxps://github[.]com/kubernetes/kubernetes/archive/refs/tags/
  • hxxps://github[.]com∕kubernetes∕kubernetes∕archive∕refs∕tags∕

This approach can fool even the most vigilant security professionals.

How Threat Actors Use Look-alike Domains

The three most common ways threat actors utilize look-alike domains are phishing emails, typosquatting, and brand impersonation.

Look-alike domains are often a key component of phishing emails and social engineering attacks as they help enhance the credibility and authenticity of the fraudulent communications. This enables attackers to deceive recipients and manipulate them into divulging sensitive information or performing harmful actions.

Typosquatting involves registering domain names that are intentionally similar to popular and legitimate websites but contain slight typographical errors. For example, they might register "googgle[.]com" instead of "google[.]com." Also known as URL hijacking, it’s a deceptive tactic used by cybercriminals to capitalize on typos made by internet users when typing in a website's domain name.

Attackers also register domains that closely resemble the names of well-known brands and then use these domains to host fake websites that mimic the branding, layout, and content of the legitimate sites. This can be as simple as “microsoft-security[.]com” instead of “microsoft[.]com/en-us/security.” Hackers can also merge words that are commonly associated with legitimate websites, like "slacksecurity[.]com."

The risks associated with look-alike domains can grow when combined with other activities, like poor password hygiene and malware attacks. Reused passwords can give hackers access to multiple accounts, and malware attacks can compromise or corrupt devices.

Defending Against Attacks Leveraging Look-alike Domains

By recognizing common look-alike domain tactics, practicing safe browsing habits, and remaining alert, you can effectively shield yourself from the dangers posed by these fraudulent websites.

Here are a few ways to avoid falling prey to look-alike domains:

  • Read through the domain name yourself to spot potential red flags.

  • Rather than clicking links found in emails, type in the web address yourself into the address bar.

  • Type the intended website into a trusted search engine to ensure you’re landing on the website you intended.

If you think you’ve fallen prey to a look-alike domain attack, do not share any sensitive information, download anything, or sign into the website. Report it to your security team as soon as possible.

While staying cautious is a good defense against cybercrime, it’s not perfect. Organizations can protect their employees from malicious emails containing suspicious links by using Abnormal Security. Abnormal analyzes email behavior to identify malicious links, even when they mimic trusted websites. By leveraging AI and machine learning, Abnormal proactively blocks emails with malicious URLs before they reach employees.

For more insight into popular attack strategies, download our report, 5 Emerging Email Attacks to Watch For in 2024.

Download the Report
Designed to Deceive: 6 Common Look-alike Domain Tactics

See Abnormal in Action

Get a Demo

Get the Latest Email Security Insights

Subscribe to our newsletter to receive updates on the latest attacks and new trends in the email threat landscape.


See the Abnormal Solution to the Email Security Problem

Protect your organization from the full spectrum of email attacks with Abnormal.

Integrates Insights Reporting 09 08 22

Related Posts

B 1500x1500 MKT477 Energy Infrastructure Data Blog
Energy and infrastructure organizations face an increased risk of business email compromise and vendor email compromise attacks. Learn more.
Read More
B Mr Wonderful Talks AI
Explore the future of AI and cybersecurity and learn why prioritizing security investments is crucial with Kevin O’Leary of Shark Tank fame.
Read More
B 1500x1500 MKT468a Open Graph Images for Phishing Subjects Blog
Discover the most engaging phishing email subjects, according to Abnormal data, and how to protect your organization from these scams.
Read More
B Threat Report BEC VEC Blog
Our H1 2024 Email Threat Report revealed significant year-over-year increases in both business email compromise and vendor email compromise. Learn more.
Read More
B 2 7 24 Product Update
Abnormal product enhancements improve detection efficacy, reporting on QR code attacks, productivity, and protection from account takeover.
Read More
B 1500x1500 Quishing Stats Blog 02 05 24
Today we released our H1 2024 Email Threat Report, which examines the threat landscape and dives into the latest evolution in phishing: QR code attacks.
Read More