LONDON, 26 January 2026, 12:11 GMT
- Phishers are swapping the letter “m” with “rn” in web addresses, creating lookalikes that are tricky to catch on phones
- Cybersecurity sites reported recent campaigns spoofing Microsoft and Marriott
- Security experts warn against using links received via email to log in and recommend strengthening sign-in protections
Users of Chrome and Safari face new phishing attacks exploiting tiny URL tricks to impersonate trusted brands. The threat worsens on mobile devices, where crucial details often go unnoticed. [1]
Timing is crucial since an increasing number of users handle work, travel, payments, and identity verification on their phones. With a smaller browser address bar and links coming via chat and email, the choice to tap—or not—often comes down to a split second.
“The stakes of one distracted tap are way higher now,” Harley Sugarman, CEO of security firm Anagram, wrote in a LinkedIn post. [2]
This tactic is known as a “homoglyph” attack—where scammers exploit characters that look alike. Here, the letters “r” and “n” are combined to mimic an “m” when glanced at quickly. According to Dig.watch, researchers have spotted domains like rnicrosoft.com being used in fake security alerts or invoice emails designed to trick users into handing over their credentials. [3]
Cybersecurity News revealed that Netcraft, a security company, uncovered a set of domains mimicking Marriott, like rnarriottinternational.com and rnarriotthotels.com. At the same time, another phishing effort focused on Microsoft users with similar deceptive URLs. The report highlighted typical tricks, such as replacing letters with numbers or inserting hyphens to appear more legitimate. [4]
The simplest defense for users is straightforward but reliable: avoid signing in through links in unexpected emails or messages, no matter how genuine the logos or wording appear. Instead, use the official app or manually enter the website address to log in safely.
Password managers come in handy here since they usually won’t auto-fill credentials on the wrong domain. That adds a layer of friction when a phishing site looks genuine.
Security teams can cut risk by blocking known lookalike domains at both the network and email gateway levels. They should also train staff to pause and think when messages push urgency around account security or billing.
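As an added illustration (not code from any of the cited reports), a gateway or log-review script can flag such domains by collapsing each hostname label to what a skimming reader perceives and comparing it with protected brand names. The brand list, the digit map and the function names below are assumptions chosen for this sketch.

```python
from urllib.parse import urlsplit

# Brand names to protect: the two brands named in the article (the list is an assumption).
BRANDS = ("microsoft", "marriott")

# Digit-for-letter swaps often seen in lookalike domains (illustrative, not exhaustive).
DIGITS = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t"})


def skeleton(label: str) -> str:
    """Collapse a hostname label to what a skimming reader perceives."""
    s = label.lower().replace("-", "")  # drop inserted hyphens
    s = s.translate(DIGITS)             # digits standing in for letters
    return s.replace("rn", "m")         # "rn" reads as "m" at a glance


def hostname_of(value: str) -> str:
    """Accept a full URL or a bare hostname and return the lowercase host."""
    if "://" not in value:
        value = "//" + value            # lets urlsplit parse a bare hostname
    return (urlsplit(value).hostname or "").rstrip(".")


def lookalike_of(value: str):
    """Return the brand a host imitates, or None.

    A label is flagged when its skeleton contains a brand's skeleton
    but the label as written does not contain the brand itself.
    """
    for label in hostname_of(value).split("."):
        for brand in BRANDS:
            if skeleton(brand) in skeleton(label) and brand not in label:
                return brand
    return None


# Constructed sample: the three domains quoted in the article plus made-up variants.
SAMPLES = [
    "https://rnicrosoft.com/security-alert",
    "rnarriottinternational.com",
    "rnarriotthotels.com",
    "micr0soft.example",
    "micro-soft.example",
    "login.microsoft.com",
    "modern-art.example",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s:42} -> {lookalike_of(s)}")
```

Hosts that spell the brand correctly are deliberately not flagged here, so they still need a separate allow-list check against the organisation's real domains.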
Passkeys, which use device-based cryptographic sign-ins to replace passwords, also reduce the risk from stolen credentials. Multi-factor authentication (MFA) requires an additional step—like entering a code or responding to a device prompt—before access is allowed.
The real challenge lies in scale and speed. Attackers can swiftly register new lookalike domains, swap characters on the fly, and trick victims into approving login prompts or sharing one-time codes—no passwords needed.
This episode highlights that the issue isn’t a typical “browser bug.” Instead, it’s a human-factor attack exploiting fonts, tiny screens, and rushed behavior—and it succeeds because people tend to skim rather than read carefully.