“Lookalike” domains are domains that are crafted to impersonate the URLs of other sites in order to trick users into believing they're on a different site. These domains are used in social engineering attacks, from phishing to retail fraud.
In addition to Google Safe Browsing protections, Chrome attempts to detect these lookalike domains by comparing the URL you visited with other URLs that are either very popular, or that you have visited previously. These checks all happen within Chrome -- Chrome does not communicate with Google to perform these checks.
When Chrome detects a potential lookalike domain, it may block the page and show a full-page warning, or it may show a pop-up warning, depending on how certain Chrome is that the site is a spoof. These warnings typically have a “Did you mean ...?” message.
(Screenshots omitted: a high-confidence warning, shown as a full-page warning, and a low-confidence warning, shown as a pop-up.)
These warnings do not indicate that the site the user has visited is malicious. The warnings indicate that the site looks like another site, and that the user should make sure that they are visiting the site that they expected.
Chrome's checks are designed to detect spoofing techniques seen in the wild. Some example “lookalike” patterns that trigger warnings include:
- goog0le.com
- google.com.example.com
- goƶgle.com
This list is not exhaustive, and developers are encouraged to avoid using domains that users without technical backgrounds may confuse for another site.
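The three patterns above correspond to three simple heuristics: a one-character edit of a well-known name, a well-known domain embedded as the leading labels of a longer hostname, and a visually confusable non-ASCII character. The following Python is an added illustration of those heuristics and is not Chrome's implementation (Chrome's real checks against top sites, browsing history and IDN spoof rules are more elaborate). The known-site list, the one-label public-suffix simplification and the sample hostnames are all constructed for this example.

```python
"""Simplified lookalike-domain heuristics (added example, not Chrome's code)."""
from typing import List, Optional, Tuple

# Constructed stand-in for the "well-known (top) sites" and history sites
# that Chrome compares against.
KNOWN_SITES = ["google.com", "chromium.org"]


def labels(host: str) -> List[str]:
    """Lowercase the hostname and convert punycode labels back to Unicode,
    so that xn--... labels are compared as the user actually sees them."""
    host = host.lower().rstrip(".")
    out = []
    for label in host.split("."):
        if label.startswith("xn--"):
            try:
                label = label.encode("ascii").decode("idna")
            except UnicodeError:
                pass  # keep the raw label if it is not valid punycode
        out.append(label)
    return out


def registrable_domain(host: str) -> str:
    """Assumption/simplification: the public suffix is the final label.
    Real code must consult the Public Suffix List (think example.co.uk)."""
    parts = labels(host)
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def edit_distance(a: str, b: str) -> int:
    """Standard Levenshtein distance over code points."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_for(host: str, known: List[str] = KNOWN_SITES) -> Optional[Tuple[str, str]]:
    """Return (reason, spoofed_site) if host resembles a known site, else None."""
    host_labels = labels(host)
    reg = registrable_domain(host)
    if reg in known:
        return None  # the known site itself, or one of its own subdomains
    for site in known:
        site_labels = site.split(".")
        # Target embedding: google.com.example.com starts with the labels of
        # google.com but is actually registered under example.com.
        if host_labels[: len(site_labels)] == site_labels:
            return ("target_embedding", site)
        # Near-miss spelling: one edit away from the known name. A single
        # confusable non-ASCII character is also one substitution away.
        reg_name = reg.rsplit(".", 1)[0]
        site_name = site.rsplit(".", 1)[0]
        if edit_distance(reg_name, site_name) == 1:
            reason = "edit_distance" if reg_name.isascii() else "confusable_character"
            return (reason, site)
    return None


if __name__ == "__main__":
    for h in ["goog0le.com", "google.com.example.com", "goƶgle.com", "mail.google.com"]:
        print(h, "->", lookalike_for(h))
```

Note that the heuristic deliberately returns nothing for the known site and its own subdomains, which mirrors the page's point that Chrome only warns on sites the user does not use frequently and only recommends sites it has a reason to trust.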
Chrome's lookalike checks are not always right. Chrome cannot detect all lookalike domains, and often lookalike domains are not malicious. Our intent with Chrome's lookalike warnings is not to make spoofing impossible, but to force attackers to use less convincing lookalikes, allowing users to notice spoofs more easily.
While Chrome's checks sometimes label some benign pages as lookalikes, we use several approaches to minimize mistakes:
Chrome shows warnings in part based on a user's browsing history. This allows Chrome to be both more helpful (by providing better recommendations) and to make fewer mistakes (by not flagging lookalikes for irrelevant sites).
Chrome only shows warnings on sites that the user has not used frequently. Further, Chrome will only recommend sites that are either well-known (i.e. top) sites, or sites with which the user has an established relationship.
Sites that show a warning to you may not show for another user, unless that user has visited the same sites that you have.
It is possible to remove warnings on sites where Chrome is incorrectly showing a warning.
Automated process

If you own both the site where Chrome is showing a warning and the site that Chrome is recommending, you can suppress these warnings by proving that you control both sites using a special form of Digital Asset Links.

1. Create a file named assetlinks.json containing the following:

[
  {
    "relation": ["lookalikes/allowlist"],
    "target": { "namespace": "web", "site": "https://example.com" }
  },
  {
    "relation": ["lookalikes/allowlist"],
    "target": { "namespace": "web", "site": "https://example.net" }
  }
]

2. Replace example.com and example.net with the domain where the warning is shown and with the domain that Chrome recommends users visit. Do not use subdomains (e.g. use “example.com”, not “www.example.com”).

3. Upload the file to both domains at /.well-known/assetlinks.json. For instance, in our example, you would upload the files at both https://example.com/.well-known/assetlinks.json and https://example.net/.well-known/assetlinks.json.

4. Submit a request for Chrome to verify the files.

Once you submit the request, please allow a few days for all warnings to stop. If verification fails, you should be notified via email within a few hours. If you don't get an email indicating verification failure and your sites still show a warning after a week, please submit a manual review using the process below.
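Before submitting the request it is worth checking both files locally for the mistakes this page calls out (subdomains instead of registrable domains, a missing or different file on one of the two domains, and unsupported include statements). The following Python validator is an added example, not Chromium's verifier; its two sample files are constructed inputs, and its "one-label public suffix" rule is a stated simplification.

```python
"""Offline checks for a lookalike-allowlist assetlinks.json pair
(added example, not Chromium's verifier)."""
import json
from typing import List
from urllib.parse import urlparse

RELATION = "lookalikes/allowlist"


def check_assetlinks(text: str, expected_sites: List[str]) -> List[str]:
    """Return a list of problems found in one file; an empty list means it passes."""
    problems: List[str] = []
    try:
        data = json.loads(text)
    except json.JSONDecodeError as e:
        return [f"not valid JSON: {e}"]
    if not isinstance(data, list):
        return ["top-level value must be a JSON array"]
    covered = set()
    for i, entry in enumerate(data):
        if not isinstance(entry, dict):
            problems.append(f"entry {i}: not a JSON object")
            continue
        if "include" in entry:
            problems.append(f"entry {i}: 'include' statements are not supported")
            continue
        rel = entry.get("relation")
        if not isinstance(rel, list) or RELATION not in rel:
            continue  # other Digital Asset Links entries may sit alongside
        target = entry.get("target", {})
        if not isinstance(target, dict) or target.get("namespace") != "web":
            problems.append(f"entry {i}: target namespace must be 'web'")
            continue
        site = str(target.get("site", ""))
        u = urlparse(site)
        host = u.hostname or ""
        if u.scheme != "https" or not host or u.path not in ("", "/") or u.port:
            problems.append(f"entry {i}: site must be a bare https origin, got {site!r}")
            continue
        if host.count(".") != 1:
            # Assumption/simplification: one-label public suffix. A real check
            # needs the Public Suffix List to tell www.example.com (subdomain)
            # from example.co.uk (registrable domain).
            problems.append(f"entry {i}: use the registrable domain, not a subdomain: {host}")
        covered.add(host)
    for site in expected_sites:
        if site not in covered:
            problems.append(f"missing allowlist entry for {site}")
    return problems


def check_pair(file_a: str, file_b: str, sites: List[str]) -> List[str]:
    """Both domains must serve the same file: check each, then compare them."""
    problems = check_assetlinks(file_a, sites) + check_assetlinks(file_b, sites)
    try:
        if json.loads(file_a) != json.loads(file_b):
            problems.append("the two domains serve different assetlinks.json files")
    except json.JSONDecodeError:
        pass  # already reported by check_assetlinks
    return problems


# Constructed sample files for the example pair example.com / example.net.
GOOD = json.dumps([
    {"relation": [RELATION], "target": {"namespace": "web", "site": "https://example.com"}},
    {"relation": [RELATION], "target": {"namespace": "web", "site": "https://example.net"}},
])
BAD = json.dumps([
    {"include": "https://example.com/other-statements.json"},
    {"relation": [RELATION], "target": {"namespace": "web", "site": "https://www.example.com"}},
])

if __name__ == "__main__":
    print("good pair:", check_pair(GOOD, GOOD, ["example.com", "example.net"]))
    print("bad file:", check_assetlinks(BAD, ["example.com", "example.net"]))
```

In practice you would fetch each domain's /.well-known/assetlinks.json over HTTPS and pass the two response bodies to check_pair; keeping the fetch separate from the checks makes the checks easy to run against files that have not been deployed yet.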
Important notes:
- Both domains must serve the same assetlinks.json file.
- Leave the assetlinks.json file in place so long as you wish to suppress the warnings. If you remove either file, Chrome may resume showing warnings.
- You can extend the assetlinks.json file to support more than two domains, or to support additional Digital Asset Links entries, if needed. Please note that Chrome does not support include statements in assetlinks.json files.

Manual review

If a site triggers erroneous lookalike warnings in Chrome, you can ask for a manual review. Please only use this process if you are unable to use the automated process above. In some cases, we may require that you use the automated process to demonstrate that you control both sites.
Requests for manual review are generally considered for six months after the warning would have started (i.e. after Chrome introduces the check). After that time, we encourage developers to test their new sites in Chrome to ensure that their new domain does not trigger warnings.
If you are unable to use the automated process above, and would like to request a manual review, please fill out a manual review request. Please provide an email address with a valid Google account, otherwise you won't get updates.
There are several reasons that may lead us to deny your appeal. The following are some of the most common situations that do not qualify for manual appeal:
Please note that the automated process is not subject to these restrictions.