“Lookalike” domains are domains that are crafted to impersonate the URLs of other sites in order to trick users into believing they're on a different site. These domains are used in social engineering attacks, from phishing to retail fraud.
In addition to Google Safe Browsing protections, Chrome attempts to detect these lookalike domains using a number of on-device heuristics. These heuristics compare the visited URL against domains that the user has visited previously and other popular domains.
When Chrome detects a potential lookalike domain, it may block the page and show a full-page warning, or it may show a warning overlay, depending on how certain Chrome is that the site is a spoof. These warnings typically have a “Did you mean ...?” message.
|High-confidence warnings||Low-confidence warning|
Chrome's heuristics are designed to detect spoofing techniques in the wild. Some example “lookalike” patterns include:
This list is not exhaustive, and developers are encouraged to avoid using domains that users without technical backgrounds may confuse for another site.
Like all heuristics, Chrome‘s heuristics are not always right. For instance, attackers can choose lookalike domains that Chrome is unable to detect. Our intent with Chrome’s lookalike heuristics is not to make spoofing impossible, but to force attackers to use less convincing lookalikes, allowing users to notice spoofs more easily.
In addition to not catching all spoofs, Chrome's heuristics also label some benign pages as lookalikes. We have several approaches to minimize these mistakes:
If you operate a site that erroneously triggers lookalike warnings in Chrome, you can ask for a manual appeal. These appeals are evaluated manually, and we can suppress the warning for all Chrome users when necessary.
In the case of compelling spoofs, we may ask you to demonstrate that you not only own the site on which the warning is shown, but the site that Chrome believes that your site is spoofing. We may also decline to suppress the warning if the domain is only used internally (i.e. no external users are impacted).
Appeals for domains triggered by a given heuristic are generally considered for the 6 months following the release of that heuristic. These six months are designed to allow Chrome to detect most existing sites that trigger the heuristic erroneously. After that time, we encourage developers to test their new sites in Chrome to ensure that their new domain does not trigger warnings.
If you are a site operator and would like to request an appeal, please fill out a request.