LONDON, January 26, 2026, 12:11 GMT
- Phishers are using lookalike web addresses that turn “m” into “rn”, a swap that is hard to spot on phones
- Recent campaigns have impersonated Microsoft and Marriott, cybersecurity sites reported
- Security specialists urge users to avoid logging in from emailed links and tighten sign-in security
Chrome and Safari users are being warned about a fresh wave of phishing attacks that use a tiny URL trick to mimic trusted brands, a problem that gets worse on mobile screens where key details are easy to miss. (News)
The timing matters because more people now manage work, travel, payments and identity checks from a phone. The browser address bar is smaller, links arrive through chat and email, and the decision to tap or not tap often happens in seconds.
“The stakes of one distracted tap are way higher now,” Harley Sugarman, CEO of security firm Anagram, wrote in a LinkedIn post. (LinkedIn)
The tactic is a “homoglyph” attack — a scam that relies on lookalike characters — in this case using the letters “r” and “n” together so they resemble an “m” at a quick glance. Dig.watch said researchers have seen domains such as rnicrosoft.com used in messages posing as security alerts or invoices to lure victims into entering credentials. (Digital Watch Observatory)
Cybersecurity News reported that security firm Netcraft identified a cluster of domains trying to impersonate Marriott, including rnarriottinternational.com and rnarriotthotels.com, while a separate campaign targeted Microsoft users with similar lookalike addresses. The report also flagged common variations that swap letters for numbers or add hyphens to make the address look more legitimate. (Cyber Security News)
For users, the basic defence is dull but effective: do not sign in from links in unexpected emails or messages, even if the logo and wording look right. Use the official app, or type the address yourself and sign in from there.
Password managers can help because they tend not to auto-fill on the wrong domain. That creates a speed bump when a fake page looks convincing.
Security teams can reduce risk by blocking known lookalike domains at the network and email gateway, and by training staff to slow down when a message tries to create urgency around account security or billing.
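One way to implement the gateway-side check described above, covering the rn-for-m swap, letter-for-digit swaps and hyphen padding that the reports mention. This is an added example, not code from the article or from any firm it cites; the protected brand list, the genuine-domain allowlist, the digit map and the sample links are constructed assumptions.

```python
from typing import Optional
from urllib.parse import urlparse

# Brands the gateway protects and their genuine domains (constructed for this example).
PROTECTED_BRANDS = {"microsoft", "marriott"}
GENUINE_DOMAINS = {"microsoft.com", "marriott.com"}

# Digits that stand in for letters they resemble (assumed common set, not from the article).
DIGIT_TO_LETTER = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def skeleton(label: str) -> str:
    """Reduce a DNS label to how a hurried reader *sees* it, not how it is spelled."""
    s = label.lower().translate(DIGIT_TO_LETTER)
    s = s.replace("rn", "m")   # the trick in these campaigns: "rn" reads as "m" on a small screen
    s = s.replace("-", "")     # hyphens add a veneer of legitimacy but change little visually
    return s


def registrable_label(host: str) -> str:
    """Second-level label of a hostname (naive: drops only the final TLD)."""
    parts = host.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def imitated_brand(host: str) -> Optional[str]:
    """Return the protected brand a hostname imitates, or None for genuine or unrelated hosts."""
    h = host.lower()
    if h in GENUINE_DOMAINS or h.endswith(tuple("." + d for d in GENUINE_DOMAINS)):
        return None
    sk = skeleton(registrable_label(h))
    return next((b for b in PROTECTED_BRANDS if b in sk), None)


def scan_urls(urls):
    """Map each URL to the brand it imitates; URLs that imitate nothing are left out."""
    hits = {}
    for url in urls:
        brand = imitated_brand(urlparse(url).hostname or "")
        if brand:
            hits[url] = brand
    return hits


# Constructed sample links, as a gateway might extract them from an email body.
SAMPLE_URLS = [
    "https://login.microsoft.com/",
    "https://rnicrosoft.com/security-alert",
    "https://www.rnarriotthotels.com/invoice",
    "https://micr0soft-support.net/verify",
    "https://example.org/newsletter",
]

if __name__ == "__main__":
    for url, brand in scan_urls(SAMPLE_URLS).items():
        print(f"BLOCK {url}  (imitates {brand})")
```

The skeleton deliberately collapses legitimate "rn" sequences too, so a hit is a signal for review or blocking against the allowlist, not proof on its own.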
Passkeys — device-based cryptographic sign-ins that can replace passwords — can also cut the value of stolen credentials. Multi-factor authentication (MFA) adds a second step, such as a code or a device prompt, before access is granted.
The open question is scale and speed. Attackers can register new lookalike domains quickly, rotate to different character swaps, and push victims toward approving login prompts or handing over one-time codes, even when passwords are not involved.
The episode is also a reminder that this is not a “browser bug” in the usual sense. It is a human-factor attack that uses fonts, small screens and hurried habits — and it keeps working because people skim.