What is URL spoofing and how can I stop it?

URL spoofing is when an attacker crafts a web address that looks like it belongs to a site you trust but actually points to a page they control. The fake link usually leads to a login page that steals credentials or a download that installs malware, and it reaches users through email, text messages, ads, search results, and chat apps. It works because people judge links by how they look, not by where they resolve. Phishing and spoofing was the most-reported cybercrime in the FBI's 2024 Internet Crime Report, with 193,407 complaints. This guide covers how spoofed URLs are built, how to spot them, which controls block them, and where email authentication helps — and where it honestly does not.
What is URL spoofing?
Only one part of a URL decides where you actually end up: the registered domain, the piece just before the first slash when you read from the right. Everything else — subdomains, paths, query strings, and the clickable link text — can be dressed up freely. URL spoofing abuses that gap. The attacker either registers a domain that looks like the real one or hides the true destination behind redirects, shorteners, or misleading link text. Spoofed URLs are the delivery mechanism for most phishing campaigns, and they often travel together with email spoofing: a forged sender plus a forged link is the classic combination.
How do attackers make a fake URL look real?
Six patterns cover almost everything you will see in the wild:
| Technique | Example pattern | What is really happening |
|---|---|---|
| Typosquatting | paypa1.example, gooogle.example | Swapped, doubled, or lookalike ASCII characters |
| Cousin domains | yourbank-support.example | The brand name plus extra words, in a brand-new registration |
| Subdomain abuse | yourbank.com.verify-login.example | The real domain is verify-login.example; the brand is just a subdomain label |
| IDN homographs | аpple.com with a Cyrillic "а" | Unicode characters that render like Latin letters |
| Open redirects | trusted.example/redirect?url=... | A legitimate site forwards the click to the attacker's page |
| Shorteners | bit.ly/xxxx | The destination stays hidden until after the click |
None of this requires hacking anything. Registering a domain takes minutes and TLS certificates are free, so most spoofed sites show a padlock. HTTPS proves the connection is encrypted, not that the site's owner is honest.
What is an IDN homograph attack?
Internationalized domain names (IDNs) let people register domains in non-Latin scripts. DNS hostnames are still ASCII-only, so Unicode labels are encoded with Punycode (RFC 3492) behind the xn-- prefix. A homograph attack registers a name whose Unicode form renders almost identically to the target:
Latin: apple.com ("a" is U+0061)
Cyrillic: аpple.com ("а" is U+0430 — a completely different domain)
Browsers now push back hard on this. Chrome's IDN display policy refuses to render Unicode when scripts are mixed suspiciously — Latin, Cyrillic, and Greek characters cannot be combined in one label — and it compares each domain's visual "skeleton" against top domains and sites you already use. When something matches, Chrome shows the raw xn-- form or a full-page lookalike warning instead. That closed off the cleanest version of the attack, but plain-ASCII lookalikes (rn for m, 1 for l) still get through, because they are ordinary, legal registrations.
How common are spoofed-URL attacks?
Two independent datasets give a sense of scale:
- The FBI's IC3 recorded 193,407 phishing/spoofing complaints in 2024 — the top crime type by complaint count — with about $70 million in directly attributed losses. The real cost hides downstream: business email compromise, which often starts with a phished credential, drove another $2.77 billion in reported losses the same year.
- The APWG observed 1,003,924 phishing attacks in Q1 2025, its largest quarterly total since late 2023.
How can you spot a spoofed URL?
- Read the domain from the right. Find the first slash after
https://, then step left. Inhttps://yourbank.com.secure-check.example/login, the real site issecure-check.example, not your bank. - Hover before you click. On desktop, hover shows the true destination; on mobile, long-press to preview it.
- Expand shortened links. Do not click a shortener from an unexpected message without previewing where it goes.
- Watch for pressure. The UK's NCSC flags five manipulation cues — authority, urgency, emotion, scarcity, and current events. Pressure plus a link is the pattern.
- Never log in from an unexpected link. Reach the site from a bookmark or by typing the address. NCSC's advice is to contact the organization through details you already know, never the ones in the message.
- Test the link, not your luck. Paste suspicious links into Palisade's phishing link checker or check the destination domain with the URL reputation tool before anyone clicks.
How do browsers and mail filters protect users?
Several layers already work in your favor, and MSPs should make sure all of them are switched on:
- Google Safe Browsing warns users before they open known dangerous sites or downloads, across Chrome, Search, Gmail, Android, and Ads — Google says it protects over five billion devices a day.
- Chrome's IDN and lookalike checks (described above) neutralize most homograph tricks at render time.
- Microsoft Defender for Office 365 Safe Links rewrites URLs in inbound mail and re-checks them at time of click in email, Teams, and Office apps. Attackers often weaponize a URL only after delivery, so click-time checking matters.
Does DMARC stop URL spoofing?
Part of it — and it is worth being precise, because vendors often oversell this. DMARC ties the domain shown in an email's From header to SPF and DKIM checks, letting receivers verify that a message aligns with the sender's real domain. Enforced at p=reject, it stops exact-domain email spoofing: receivers that honor the policy reject any mail claiming to be yourclient.com. That removes the most convincing lure an attacker can pair a spoofed URL with.
What DMARC does not do: it never inspects the links inside a message, and it cannot touch a lookalike domain, because the attacker owns that domain and can pass SPF, DKIM, and DMARC on it perfectly. This is one reason phishing emails can pass SPF and DKIM. So run two separate workstreams:
- Enforce DMARC on every real domain you manage — check where each one stands with the DMARC checker. Palisade automates the monitoring and enforcement work across a whole client portfolio, which is what makes this practical for MSPs.
- Handle lookalikes on their own track: monitor new registrations that resemble client brands and pursue takedowns when they appear.
What should MSPs deploy to stop spoofed links?
A layered stack, roughly in order of effort:
- DNS filtering — block resolution of known-bad and newly registered domains at the network level.
- Time-of-click URL protection — Safe Links or an equivalent rewriting/click-check service on every mailbox.
- Browser protections on by default — Safe Browsing or SmartScreen enabled through policy, not left to users.
- MFA everywhere — a phished password alone should never be enough to log in.
- DMARC at enforcement for every managed domain, so clients' own brands cannot be borrowed for lures.
- Defensive registrations — register the obvious typo variants of client brands before someone else does.
- Training plus testing — teach the hover habit, then verify it sticks with regular phishing simulations.
- Baseline and track — score each client's posture with the email security score and re-check quarterly.
Common issues
A user clicked a spoofed link and entered credentials
Reset the password immediately, revoke active sessions and app passwords, and check the mailbox for forwarding rules or filters the attacker may have added. Review recent sign-in activity for unfamiliar locations, then report the URL — in the US, to the FBI's IC3.
Legitimate international domains show up as xn-- strings in logs
That is Punycode, not automatically an attack. Decode the label first: a legitimate Japanese or German domain decodes to a sensible name in one script, while a homograph decodes to something mimicking a brand. Chrome showing xn-- in the address bar, though, is a deliberate warning.
Users complain that links look "wrapped" and unreadable
URLs rewritten to *.safelinks.protection.outlook.com are Safe Links doing its job, not an infection. Per Microsoft's documentation, hovering over a wrapped link shows the original URL. Teach users to hover-preview rather than to distrust every wrapped link.
A lookalike of a client's brand is live, but DMARC dashboards show nothing
Expected. DMARC reporting only covers mail sent using the exact domains you monitor; a cousin domain never appears in it. Detection has to come from domain monitoring, certificate-transparency watching, or customer reports — and the fix is a registrar abuse complaint and takedown, not a DNS record.
Frequently asked questions
Does the padlock mean a site is safe?
No. The padlock only means the connection is encrypted. Free certificates mean most phishing sites have one, so treat HTTPS as the minimum, never as proof of identity. Verify the domain itself.
Are URL shorteners dangerous?
Not inherently, but they hide the destination, which is exactly what an attacker wants. Preview or expand short links from unexpected messages before clicking, and use full, descriptive URLs in your own business mail so clients never learn to click blind.
Can DMARC block lookalike domains?
No. DMARC protects the exact domains you control — with SPF and DKIM, it stops mail pretending to be sent from them. A lookalike is a different domain owned by the attacker, who can authenticate it fully. Pair DMARC enforcement with lookalike monitoring and takedowns.
How do I check a suspicious link safely?
Do not open it on a production machine. Hover or long-press to read the true domain, expand any shortener, then run it through Palisade's phishing link checker. If it targets a client brand, capture screenshots and headers before it gets taken down — you will want the evidence.
Keep going with AI
Ask AI how this applies to you
Take this guide to your assistant — each question opens pre-filled, with a link back to this page so it can read the details.

Written by
Samuel ChenardCEO & Co-Founder, Palisade
Samuel Chenard is the CEO and co-founder of Palisade, the DMARC automation platform for MSPs. He writes Palisade's guides on DMARC, SPF, DKIM and email deliverability.
More from Samuel →


