“Lookalike” domains are domains that are crafted to impersonate the URLs of other sites in order to trick users into believing they're on a different site. These domains are used in social engineering attacks, from phishing to retail fraud.
In addition to Google Safe Browsing protections, Chrome attempts to detect these lookalike domains using a number of on-device heuristics. These heuristics compare the visited URL against domains that the user has visited previously and other popular domains.
When Chrome detects a potential lookalike domain, it may block the page and show a full-page warning, or it may show a warning overlay, depending on how certain Chrome is that the site is a spoof. These warnings typically have a “Did you mean ...?” message.
|High-confidence warnings||Low-confidence warning|
These warnings do not indicate that the site the user has visited is malicious. They only indicate that the site looks like another site, and the user should make sure that they're on the site that they expected.
Chrome's heuristics are designed to detect spoofing techniques in the wild. Some example “lookalike” patterns include:
This list is not exhaustive, and developers are encouraged to avoid using domains that users without technical backgrounds may confuse for another site.
Like all heuristics, Chrome‘s heuristics are not always right. For instance, attackers can choose lookalike domains that Chrome is unable to detect. Our intent with Chrome’s lookalike heuristics is not to make spoofing impossible, but to force attackers to use less convincing lookalikes, allowing users to notice spoofs more easily.
In addition to not catching all spoofs, Chrome's heuristics also label some benign pages as lookalikes. We have several approaches to minimize these mistakes:
Chrome shows warnings in part based on a users' browsing history. This allows Chrome to be both more helpful (by providing better recommendations) and make fewer mistakes (by not flagging lookalikes for irrelevant sites).
Chrome only shows warnings on sites that the user has not used frequently. Further, Chrome will only recommend sites that are either well-known (i.e. top) sites, or the user has an established relationship.
Sites that show a warning to you may not show for another user, unless that user has visited the same sites that you have.
If you operate a site that erroneously triggers lookalike warnings in Chrome, you can ask for a manual appeal. These appeals are evaluated manually, and we can suppress the warning for all Chrome users when necessary.
In the case of compelling spoofs, we may ask you to demonstrate that you not only own the site on which the warning is shown, but the site that Chrome believes that your site is spoofing. We may also opt to suppress warnings, but only for a limited period of time (generally 6 months). This is generally used for cases where a site is changing its domain name.
Appeals for domains triggered by a given heuristic are generally considered for the 6 months following the release of that heuristic. These six months are designed to allow Chrome to detect most existing sites that trigger the heuristic erroneously. After that time, we encourage developers to test their new sites in Chrome to ensure that their new domain does not trigger warnings.
If you are a site operator and would like to request an appeal, please fill out a request.
There are several reasons that may lead us to deny your appeal. Most commonly, appeals are denied for domains that are only used internally (i.e. for testing or in an enterprise setting) or where we think few users will see the warning.
For sites that are used for testing or in an enterprise setting, we recommend using the Enterprise Policy to suppress the warning for impacted users.
For newly created sites, we encourage domain owners to choose domains that do not look like domains used by other sites commonly visited by your users.
Many warnings are also only encountered by a small fraction of users who happen to intersect with both sites. See a further description of this above.