How Attackers Trick You With Addresses
Georgia Tech researchers analyzed 468 billion DNS records and found 2.7 million combosquatting domains registered against just 268 popular trademarks — that’s over 100 times more prevalent than typosquatting. Attackers don’t need to hack anything. They just need you to misread a URL.
In the last lesson, you learned that the real domain is the last two parts before the first slash. Now let’s look at the five tricks attackers use to make you ignore that rule.
Trick 1: The subdomain trick — putting the brand at the beginning
https://amazon.com.order-update.net/tracking
At first glance, your eye catches amazon.com and your brain says “Amazon.” But apply the rule: what are the last two parts before the /?
order-update.net
That’s the real domain. The amazon.com at the beginning is a subdomain — a label the domain owner added. It’s like writing “Amazon Headquarters” on the front of a random warehouse. The sign says Amazon, but it’s not Amazon’s building.
Anyone who owns a domain can create any subdomain they want. The owner of order-update.net can create amazon.com.order-update.net, chase.com.order-update.net, or whitehouse.gov.order-update.net. It costs nothing and takes seconds.
| What you see | What your brain reads | Real domain |
|---|---|---|
| amazon.com.order-update.net/tracking | Amazon | order-update.net |
| chase.com.secure-banking.net/login | Chase | secure-banking.net |
| login.microsoft.com.verify-account.workers.dev | Microsoft | workers.dev |
| paypal.com.payment-review.info/confirm | PayPal | payment-review.info |
| support.apple.com.device-check.net/verify | Apple | device-check.net |
The attacker is counting on you reading left-to-right and stopping at the first familiar name. Don’t. Always find the last two parts before the slash.
Trick 2: Combosquatting — adding words to a real brand
This is the most common domain trick in use today, and it’s the hardest to catch.
Combosquatting means registering a domain that contains a real brand name plus additional words. According to Akamai’s 2023 research, “support” is the single most common keyword attackers append — because real companies actually do have support portals, making the fake domain feel plausible. Other popular keywords include “verification,” “account,” “login,” and “security.”
What makes combosquatting dangerous is staying power. The Georgia Tech study found that nearly 60% of combosquatting domains remain active for over 1,000 days. These aren’t fly-by-night operations. They’re built to last.
| Real domain | Fake domain | What changed |
|---|---|---|
| slack.com | slack-support.com | Added “-support” |
| chase.com | chase-secure.com | Added “-secure” |
| docusign.net | docusign-signing.com | Added “-signing,” changed .net to .com |
| microsoft.com | microsoft365-login.com | Added “365-login” |
| zoom.us | zoom-meetings-app.com | Added “-meetings-app,” changed .us to .com |
These are completely different websites owned by completely different people. The brand name is spelled perfectly — which is exactly why your brain doesn’t flag them.
Trick 3: Typosquatting — swapping characters you won’t notice
Zscaler ThreatLabz analyzed 30,000 lookalike domains registered against the top 500 websites and found over 10,000 that were actively malicious. These domains exploit the fact that certain characters look nearly identical, especially on phone screens and in small fonts.
| Real | Fake | What changed |
|---|---|---|
| amazon.com | arnazon.com | rn looks like m |
| paypal.com | paypa1.com | Number 1 replaces letter l |
| google.com | gooogle.com | Extra o |
| microsoft.com | rnicrosoft.com | rn instead of m |
| apple.com | appIe.com | Capital I replaces lowercase l |
Try squinting at arnazon.com. On a phone screen, in a notification preview, at the end of a long day — it looks exactly like amazon.com. The difference between rn and m disappears in most fonts.
This is why you can’t rely on just “looking carefully” at a URL. Sometimes the visual difference is invisible to the human eye.
Trick 4: Legitimate platform abuse — the scam inside the trusted mall
This is the sneakiest trick because the domain IS real. The attacker doesn’t create a fake website. Instead, they put their scam content on a platform you already trust.
Phishing pages hosted on Cloudflare Pages increased 198% in 2024. Attacks on Cloudflare Workers were up 104%. And attackers aren’t limited to Cloudflare — they use Google Forms, Microsoft Forms, Notion, SharePoint, WeTransfer, and dozens of other platforms.
The domain passes every check. forms.google.com IS Google. notion.site IS Notion. But anyone can create a Google Form or a Notion page, including an attacker.
Think of it like a scammer renting a booth inside a mall you trust. The mall is real. The booth is a scam. The mall’s address on the invitation is genuine — but the person inside the booth is not who they claim to be.
This means checking the domain alone isn’t always enough. When the domain is a platform that lets anyone publish content, you also need to ask whether the content makes sense. Would your bank really ask for your password through a Google Form? We’ll explore this further in Module 2.
Trick 5: Homograph attacks — invisible character swaps
This trick goes beyond typos into something your eyes literally cannot detect.
The Cyrillic letter “a” (U+0430) looks identical to the Latin letter “a” (U+0061) on screen — but to a computer, they’re completely different characters. Attackers exploit this by registering domains using lookalike characters from other alphabets, creating URLs that appear pixel-perfect to the naked eye.
Under the hood, browsers convert these international characters into something called Punycode. So what looks like apple.com in your address bar might actually be xn--pple-43d.com — a completely different domain.
Modern browsers (Chrome, Firefox, Safari, Edge) now display the Punycode version when a domain mixes characters from different scripts, which helps. But older systems, email clients, and mobile notifications may not. And in an email body or a chat message, the visual lookalike might be all you see.
The defense here is the same as always: don’t trust what you see in the link. Navigate to the website yourself.
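The conversion described above, as an added example that is not part of the lesson: it encodes a constructed homograph of apple.com to its Punycode form and flags labels that mix alphabets, the condition the lesson says makes modern browsers show the xn-- form. Both sample domains are constructed here.

```python
"""Added example (not from the lesson): encode a homograph domain the way a
browser does before lookup, and flag labels that mix alphabets.
Both sample domains below are constructed for this example."""
import unicodedata

# Constructed: "apple.com" whose first letter is Cyrillic а (U+0430), not Latin a.
HOMOGRAPH = "\u0430pple.com"
# Constructed: every letter Cyrillic (а р р ӏ е); nothing is mixed, yet it reads "apple".
ALL_CYRILLIC = "\u0430\u0440\u0440\u04cf\u0435.com"


def to_punycode(domain: str) -> str:
    """What the resolver actually looks up: the IDNA (Punycode) form of the name."""
    return domain.encode("idna").decode("ascii")


def from_punycode(domain: str) -> str:
    """Reverse direction: the Unicode form a browser could render in the address bar."""
    return domain.encode("ascii").decode("idna")


def scripts_in(label: str) -> set:
    """Scripts used by the letters of one label, taken from the Unicode
    character names (e.g. 'CYRILLIC SMALL LETTER A' -> 'CYRILLIC')."""
    return {unicodedata.name(ch).split()[0] for ch in label if ch.isalpha()}


def mixed_script_labels(domain: str) -> list:
    """Labels mixing more than one script: the case where modern browsers
    fall back to showing the xn-- form instead of the lookalike."""
    return [label for label in domain.split(".") if len(scripts_in(label)) > 1]


if __name__ == "__main__":
    for name in (HOMOGRAPH, ALL_CYRILLIC, "apple.com"):
        print(f"{name:<12} -> {to_punycode(name):<22} mixed={mixed_script_labels(name)}")
```

ALL_CYRILLIC passes the mixed-script test while still not being apple.com, which is why browsers add further confusable checks on top of it, and why the advice to navigate to the site yourself still stands.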
Practice: Spot the real domain
For each URL below, identify the actual domain. Then ask yourself: is this the company the attacker wants me to think it is?
| # | URL | Real domain | Legitimate? |
|---|---|---|---|
| 1 | https://www.dropbox.com/scl/shared-file | dropbox.com | Yes |
| 2 | https://dropbox.com.file-share.net/download | file-share.net | No |
| 3 | https://login.microsoftonline.com/oauth2/authorize | microsoftonline.com | Yes |
| 4 | https://microsoft-support.secure-login.com/reset | secure-login.com | No |
| 5 | https://chase.com.account-verify.net/secure | account-verify.net | No |
| 6 | https://secure.chase.com/web/auth/login | chase.com | Yes |
| 7 | https://docs.google.com/forms/d/e/1FAIp... | google.com | Real domain, but anyone can create content here |
| 8 | https://arnazon.com/gp/cart | arnazon.com | No — rn mimicking m |
| 9 | https://slack-support.com/workspace/login | slack-support.com | No — combosquat of slack.com |
| 10 | https://app.slack.com/workspace/login | slack.com | Yes |
Notice entry #7. The domain is genuinely Google’s. But Google Forms is an open platform — so you need to evaluate the content, not just the domain.
The Rule: If the brand name isn't the domain itself, it's decoration.
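The rule and the tricks above, applied in code as an added example that is not part of the lesson: the script extracts the "last two labels" domain from a URL and then labels it as real, a subdomain trick, an open platform, a typosquat or a combosquat. KNOWN_BRANDS, OPEN_PLATFORMS and CONFUSABLES are constructed lists for this example, and the two-label rule is the lesson's simplification (suffixes such as co.uk would need a public-suffix list).

```python
"""Added example (not from the lesson): apply the "last two labels before the first
slash" rule and flag the subdomain, combosquat, typosquat and open-platform patterns."""
from urllib.parse import urlsplit

# Constructed allow-list of registrable domains the reader expects to see.
KNOWN_BRANDS = {"amazon.com", "apple.com", "chase.com", "dropbox.com", "google.com",
                "microsoft.com", "microsoftonline.com", "paypal.com", "slack.com"}
# Real domains where anyone can publish (Trick 4): the domain check alone is not enough.
OPEN_PLATFORMS = {"google.com", "workers.dev", "notion.site"}
# Lookalike characters from the lesson, folded to the letter they imitate (Trick 3).
CONFUSABLES = {"rn": "m", "1": "l", "0": "o"}


def real_domain(url: str) -> str:
    """The lesson's rule: last two labels of the host (simplified; no public-suffix list)."""
    host = (urlsplit(url).hostname or "").rstrip(".")
    return ".".join(host.split(".")[-2:])


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, to catch one-character typos such as gooogle."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(url: str) -> tuple:
    """Return (real domain, verdict) for one URL."""
    labels = (urlsplit(url).hostname or "").rstrip(".").split(".")
    domain, sld, subdomain = real_domain(url), labels[max(len(labels) - 2, 0)], labels[:-2]
    names = [b.split(".")[0] for b in sorted(KNOWN_BRANDS)]
    if domain in KNOWN_BRANDS and domain not in OPEN_PLATFORMS:
        return domain, "real"
    for name in names:                              # Trick 1: brand only in the subdomain
        if any(name in label for label in subdomain):
            return domain, f"subdomain trick: {name} is decoration"
    if domain in OPEN_PLATFORMS:                    # Trick 4: real, but anyone can publish
        return domain, "real domain, open platform: judge the content"
    normalized = sld
    for fake, real in CONFUSABLES.items():
        normalized = normalized.replace(fake, real)
    for name in names:
        if _edit_distance(normalized, name) <= 1:   # Trick 3: typosquat after folding
            return domain, f"typosquat of {name}"
        if name in sld:                             # Trick 2: combosquat
            return domain, f"combosquat of {name}"
    return domain, "not a known brand"
```

Entry #3 shows why the allow-list matters: without microsoftonline.com in KNOWN_BRANDS the heuristic would wrongly report it as a combosquat of microsoft.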