URL Tricks Scammers Use: Typosquatting, Look-Alike Letters and Punycode

Updated June 2026 · 4 min read

A scam website can copy almost everything from the real one — the logo, the colours, the login form. The one thing it cannot copy is the real site's address. That makes the address bar at the top of your browser the single best place to look before you type a password or card number anywhere.

Scammers know you might glance up there, though, so they have invented addresses that look right at first sight. Here are the four tricks you will meet most often, and the habits that beat all of them. (Every fake address below is invented — most end in .example, a reserved ending nobody can ever own, so the patterns are real but the addresses themselves are harmless.)

Typosquatting: misspellings that wait for you

Typosquatting is a fancy word for a simple move: scammers register slightly misspelled versions of famous addresses, "squatting" on the typos we all make. Type a little too fast, or skim a link in an email, and you land on their copy instead of the real site. The classic recipes:

One letter doubled: gooogle instead of google.
Two letters swapped: amaozn instead of amazon.
One letter missing: exmple.com instead of example.com.
Right name, wrong ending: example.net when the site you actually use is example.com.

The page itself usually looks identical to the original — the misspelling in the address bar may be the only clue you get.

Letter swaps the eye misses

Some swaps are nastier, because your own brain helps the scammer: we read whole word shapes, not individual letters. Three favourites:

The number 1 instead of the letter l. Look closely at paypa1 — that last character is the digit one, not a lowercase L.
"rn" instead of "m". In many fonts an r pressed against an n melts into an m. Read rnicrosoft slowly and you will see it.
The number 0 instead of the letter o. At address-bar size, the two are nearly identical circles.

When an address matters, don't read it — inspect it character by character, the way you would check a phone number before dialling.

The brand-in-subdomain trick

This one fools careful people too. Whoever owns a web address can put any words they like in front of it, separated by dots — those front parts are called subdomains, and inventing them is free. So a scammer who owns login-check.example can create example.com.login-check.example, and now the address begins with a name you trust.

The defence is to read the address from right to left. Find where it ends (at the end of the line, or at the first /), then walk backwards: the last piece is the ending — .com, .org and friends — and the piece just before it is the real owner. Everything further left is decoration.

login.example.com — read from the right: .com, then example. The owner is example.com. Safe.
example.com.login-check.example — read from the right: .example, then login-check. The owner is login-check.example, a total stranger. The familiar part at the front is bait.

The real owner of a website is whatever sits just before the final ending — the part right before the .com. Everything to the left of that can be faked, so read every address from right to left.

Punycode: letters from another alphabet

Here is the trick you cannot beat with eyesight alone. Web addresses may contain letters from other alphabets — good news for most of the world, and a gift to scammers, because some of those letters are perfect twins of ours. The Cyrillic letter а looks identical to the Latin a you are reading now.

That means exаmple.com — where that single а is Cyrillic — is a completely different address from example.com, even though no human can tell them apart. Behind the scenes, browsers store such addresses in a translated spelling called punycode, which starts with xn--, and many browsers show that spelling when an address mixes alphabets suspiciously. If xn-- ever appears in your address bar, treat the site as a stranger.

How to protect yourself

Read the domain right to left, every time. Five seconds before typing anything private: find the ending, check the piece just before it, ignore the rest.
Bookmark your bank. Type the address carefully once, save it, and only ever arrive by bookmark. A bookmark cannot be fooled by a look-alike letter.
Let a password manager do the typing. A password manager (an app that stores your logins and fills them in for you) matches addresses exactly, so it will refuse to fill your password on examp1e.com. Its silence on a familiar-looking page is an alarm bell.
Get a second pair of eyes. Our free extension checks the addresses you visit for tricks like these and turns its shield red before you type anything.

One last eye test before you go — real on the left, fake on the right:

example.com vs examp1e.com (the digit one)
example.com vs exarnple.com (an r and an n posing as an m)
login.example.com vs example.com.login-check.example (a brand hiding in front of a stranger's domain)
example.com vs exаmple.com (a Cyrillic letter your eyes cannot catch)

None of this needs technical skill. Read from the right for five seconds, and the most convincing fake address becomes just another misspelled word.

Get warned automatically

Our free Chrome extension turns its shield red on dangerous sites — before you type a password or card number.

Spam & Phishing Site Detector →