Back to Learning CenterEmail Authentication

What is URL spoofing and how can I stop it?

By Samuel ChenardOctober 6, 2025Updated July 8, 20269 min read
What is URL spoofing and how can I stop it?

URL spoofing is when an attacker crafts a web address that looks like it belongs to a site you trust but actually points to a page they control. The fake link usually leads to a login page that steals credentials or a download that installs malware, and it reaches users through email, text messages, ads, search results, and chat apps. It works because people judge links by how they look, not by where they resolve. Phishing and spoofing was the most-reported cybercrime in the FBI's 2024 Internet Crime Report, with 193,407 complaints. This guide covers how spoofed URLs are built, how to spot them, which controls block them, and where email authentication helps — and where it honestly does not.

URL spoofing illustration

What is URL spoofing?

Only one part of a URL decides where you actually end up: the registered domain, the piece just before the first slash when you read from the right. Everything else — subdomains, paths, query strings, and the clickable link text — can be dressed up freely. URL spoofing abuses that gap. The attacker either registers a domain that looks like the real one or hides the true destination behind redirects, shorteners, or misleading link text. Spoofed URLs are the delivery mechanism for most phishing campaigns, and they often travel together with email spoofing: a forged sender plus a forged link is the classic combination.

How do attackers make a fake URL look real?

Six patterns cover almost everything you will see in the wild:

TechniqueExample patternWhat is really happening
Typosquattingpaypa1.example, gooogle.exampleSwapped, doubled, or lookalike ASCII characters
Cousin domainsyourbank-support.exampleThe brand name plus extra words, in a brand-new registration
Subdomain abuseyourbank.com.verify-login.exampleThe real domain is verify-login.example; the brand is just a subdomain label
IDN homographsаpple.com with a Cyrillic "а"Unicode characters that render like Latin letters
Open redirectstrusted.example/redirect?url=...A legitimate site forwards the click to the attacker's page
Shortenersbit.ly/xxxxThe destination stays hidden until after the click

None of this requires hacking anything. Registering a domain takes minutes and TLS certificates are free, so most spoofed sites show a padlock. HTTPS proves the connection is encrypted, not that the site's owner is honest.

What is an IDN homograph attack?

Internationalized domain names (IDNs) let people register domains in non-Latin scripts. DNS hostnames are still ASCII-only, so Unicode labels are encoded with Punycode (RFC 3492) behind the xn-- prefix. A homograph attack registers a name whose Unicode form renders almost identically to the target:

Latin:    apple.com   ("a" is U+0061)
Cyrillic: аpple.com   ("а" is U+0430 — a completely different domain)

Browsers now push back hard on this. Chrome's IDN display policy refuses to render Unicode when scripts are mixed suspiciously — Latin, Cyrillic, and Greek characters cannot be combined in one label — and it compares each domain's visual "skeleton" against top domains and sites you already use. When something matches, Chrome shows the raw xn-- form or a full-page lookalike warning instead. That closed off the cleanest version of the attack, but plain-ASCII lookalikes (rn for m, 1 for l) still get through, because they are ordinary, legal registrations.

How common are spoofed-URL attacks?

Two independent datasets give a sense of scale:

  • The FBI's IC3 recorded 193,407 phishing/spoofing complaints in 2024 — the top crime type by complaint count — with about $70 million in directly attributed losses. The real cost hides downstream: business email compromise, which often starts with a phished credential, drove another $2.77 billion in reported losses the same year.
  • The APWG observed 1,003,924 phishing attacks in Q1 2025, its largest quarterly total since late 2023.
For an MSP, the volume is the point: at this scale, some spoofed links will land in client inboxes no matter how good filtering is, so detection and response matter as much as prevention.

How can you spot a spoofed URL?

  1. Read the domain from the right. Find the first slash after https://, then step left. In https://yourbank.com.secure-check.example/login, the real site is secure-check.example, not your bank.
  2. Hover before you click. On desktop, hover shows the true destination; on mobile, long-press to preview it.
  3. Expand shortened links. Do not click a shortener from an unexpected message without previewing where it goes.
  4. Watch for pressure. The UK's NCSC flags five manipulation cues — authority, urgency, emotion, scarcity, and current events. Pressure plus a link is the pattern.
  5. Never log in from an unexpected link. Reach the site from a bookmark or by typing the address. NCSC's advice is to contact the organization through details you already know, never the ones in the message.
  6. Test the link, not your luck. Paste suspicious links into Palisade's phishing link checker or check the destination domain with the URL reputation tool before anyone clicks.

How do browsers and mail filters protect users?

Several layers already work in your favor, and MSPs should make sure all of them are switched on:

  • Google Safe Browsing warns users before they open known dangerous sites or downloads, across Chrome, Search, Gmail, Android, and Ads — Google says it protects over five billion devices a day.
  • Chrome's IDN and lookalike checks (described above) neutralize most homograph tricks at render time.
  • Microsoft Defender for Office 365 Safe Links rewrites URLs in inbound mail and re-checks them at time of click in email, Teams, and Office apps. Attackers often weaponize a URL only after delivery, so click-time checking matters.
Treat these as strong seatbelts, not guarantees. Reputation systems need time to learn that a brand-new domain is bad, and attackers exploit exactly that window.

Does DMARC stop URL spoofing?

Part of it — and it is worth being precise, because vendors often oversell this. DMARC ties the domain shown in an email's From header to SPF and DKIM checks, letting receivers verify that a message aligns with the sender's real domain. Enforced at p=reject, it stops exact-domain email spoofing: receivers that honor the policy reject any mail claiming to be yourclient.com. That removes the most convincing lure an attacker can pair a spoofed URL with.

What DMARC does not do: it never inspects the links inside a message, and it cannot touch a lookalike domain, because the attacker owns that domain and can pass SPF, DKIM, and DMARC on it perfectly. This is one reason phishing emails can pass SPF and DKIM. So run two separate workstreams:

  • Enforce DMARC on every real domain you manage — check where each one stands with the DMARC checker. Palisade automates the monitoring and enforcement work across a whole client portfolio, which is what makes this practical for MSPs.
  • Handle lookalikes on their own track: monitor new registrations that resemble client brands and pursue takedowns when they appear.

A layered stack, roughly in order of effort:

  1. DNS filtering — block resolution of known-bad and newly registered domains at the network level.
  2. Time-of-click URL protection — Safe Links or an equivalent rewriting/click-check service on every mailbox.
  3. Browser protections on by default — Safe Browsing or SmartScreen enabled through policy, not left to users.
  4. MFA everywhere — a phished password alone should never be enough to log in.
  5. DMARC at enforcement for every managed domain, so clients' own brands cannot be borrowed for lures.
  6. Defensive registrations — register the obvious typo variants of client brands before someone else does.
  7. Training plus testing — teach the hover habit, then verify it sticks with regular phishing simulations.
  8. Baseline and track — score each client's posture with the email security score and re-check quarterly.

Common issues

Reset the password immediately, revoke active sessions and app passwords, and check the mailbox for forwarding rules or filters the attacker may have added. Review recent sign-in activity for unfamiliar locations, then report the URL — in the US, to the FBI's IC3.

Legitimate international domains show up as xn-- strings in logs

That is Punycode, not automatically an attack. Decode the label first: a legitimate Japanese or German domain decodes to a sensible name in one script, while a homograph decodes to something mimicking a brand. Chrome showing xn-- in the address bar, though, is a deliberate warning.

URLs rewritten to *.safelinks.protection.outlook.com are Safe Links doing its job, not an infection. Per Microsoft's documentation, hovering over a wrapped link shows the original URL. Teach users to hover-preview rather than to distrust every wrapped link.

A lookalike of a client's brand is live, but DMARC dashboards show nothing

Expected. DMARC reporting only covers mail sent using the exact domains you monitor; a cousin domain never appears in it. Detection has to come from domain monitoring, certificate-transparency watching, or customer reports — and the fix is a registrar abuse complaint and takedown, not a DNS record.

Frequently asked questions

Does the padlock mean a site is safe?

No. The padlock only means the connection is encrypted. Free certificates mean most phishing sites have one, so treat HTTPS as the minimum, never as proof of identity. Verify the domain itself.

Are URL shorteners dangerous?

Not inherently, but they hide the destination, which is exactly what an attacker wants. Preview or expand short links from unexpected messages before clicking, and use full, descriptive URLs in your own business mail so clients never learn to click blind.

Can DMARC block lookalike domains?

No. DMARC protects the exact domains you control — with SPF and DKIM, it stops mail pretending to be sent from them. A lookalike is a different domain owned by the attacker, who can authenticate it fully. Pair DMARC enforcement with lookalike monitoring and takedowns.

Do not open it on a production machine. Hover or long-press to read the true domain, expand any shortener, then run it through Palisade's phishing link checker. If it targets a client brand, capture screenshots and headers before it gets taken down — you will want the evidence.

Keep going with AI

Ask AI how this applies to you

Take this guide to your assistant — each question opens pre-filled, with a link back to this page so it can read the details.

  • What is URL spoofing and how can I stop it?
  • How does this apply to my domain?
  • What should I do about it, step by step?

Share this article

Samuel Chenard

Written by

Samuel Chenard

CEO & Co-Founder, Palisade

Samuel Chenard is the CEO and co-founder of Palisade, the DMARC automation platform for MSPs. He writes Palisade's guides on DMARC, SPF, DKIM and email deliverability.

More from Samuel

Related articles