Every now and then I stumble across something online that makes me shake my head and say, wow, the scammers really are leveling up. Today it was a screenshot of a password reset email that looked perfectly normal at first glance. Clean logo, familiar formatting, even the classic noreply address. But look a little closer and you see the domain is not microsoft.com. It is rnicrosoft.com. That is an r and an n jammed together to look like an m. Same trick as those old CAPTCHA puzzles, except this time the prize for squinting wrong is your account getting hijacked. It is a tiny detail, but tiny details are exactly where these clowns like to hide.
I have seen this same trick hit clients. People forward me emails asking if they are legit, and half the time I can spot the scam before I finish reading the From line. One client once swore he was getting messages from an online service he used, only for me to point out that the domain had one extra L tucked inside like it was smuggling contraband. That same client once clicked an invoice attachment from a totally different fake domain and his PC spent the next three hours doing its best impression of a toaster. Thankfully none of the files in his Access database were damaged, but it was a close call. The scary part is that most of these emails look good. Many of them are clean, professional, and well crafted. The days of broken English and pixelated clip art are long gone. Well, maybe not gone, but becoming rare now that non-English speakers can just use ChatGPT to fix everything up for them with a click.
In the broader tech world, lookalike domains are just one more entry in the long catalog of social engineering tricks. Fake password resets, fake delivery notices, fake subscription renewals, fake antivirus warnings (I really hate these), fake everything. A scammer only needs you distracted for a single second. They try to create that sense of urgency so you react instead of think. They want you clicking before your brain catches up. That is why staying calm and reading carefully is your best defense. Nine times out of ten, the problem reveals itself as soon as you stop rushing.
Business owners get hit even harder. I talk to clients who get bogus invoices that look like they came from their actual vendors. They get emails pretending to be their own employees. They get messages that look like a service renewal, except the domain resolves to somewhere in the digital equivalent of a back alley. The worst part is that these scams rely on the same tricks legitimate software uses. We have trained people for years to trust email notifications and online dashboards. Scammers know it. They weaponize it.
There was even that guy who scammed Google and Facebook by sending fake invoices from a lookalike domain tied to a real vendor they used. He literally registered a company with almost the same name, forged contracts, and emailed perfect invoices that looked exactly like the real thing. They wired him over $100 million before anyone noticed. If two giant tech companies with full security teams can fall for a well crafted fake domain, the rest of us definitely need to keep our eyes open.
This kind of nonsense even creeps into personal life. We all get the robocalls claiming a package is waiting. Or the "your payment failed" text that takes you to a site that looks almost legitimate. Some of my relatives will forward me screenshots with captions like, is this real? Half the time the domain is something like paypaI.com where the L is a capital I. Once you see it, you cannot unsee it. (1)
So here is the uncomfortable truth. The scammers are not geniuses. They do not need to be. They just need us tired, distracted, or rushing. Their biggest weapon is our own inattention. The best defense is slowing down long enough to look at what you are actually clicking. If something feels off, it probably is.
To quote the great George Carlin, Imagine how dumb the average person is, and then realize that half the population is dumber than that. It sounds harsh, but the spirit of it explains why these scams work so well. They do not rely on brilliance. They rely on people being human.
This is Gemini's image. Same prompt. I think ChatGPT (above) wins today.
Michael Olgren
@Reply 8 days ago
What I don’t understand is why our government can’t be bothered to go after the scammers. The scale at what they do (hundreds or thousands of offenses) would merit a tremendous smack down, such as life in prison. Make a few examples and get other countries to crack down and this might stop, or at least slow down.
If you are a Visitor, go ahead and post your reply as a
new comment, and we'll move it here for you
once it's approved. Be sure to use the same name and email address.
