“Lookalike” Warnings in Google Chrome

What are lookalike warnings?

“Lookalike” domains are domains that are crafted to impersonate the URLs of other sites in order to trick users into believing they're on a different site. These domains are used in social engineering attacks, from phishing to retail fraud.

In addition to Google Safe Browsing protections, Chrome attempts to detect these lookalike domains by comparing the URL you visited with other URLs that are either very popular, or that you have visited previously. These checks all happen within Chrome -- Chrome does not communicate with Google to perform these checks.

When Chrome detects a potential lookalike domain, it may block the page and show a full-page warning, or it may show a pop-up warning, depending on how certain Chrome is that the site is a spoof. These warnings typically have a “Did you mean ...?” message.

High-confidence warnings	Low-confidence warning

These warnings do not indicate that the site the user has visited is malicious. The warnings indicate that the site looks like another site, and that the user should make sure that they are visiting the site that they expected.

Examples of lookalike domains

Chrome's checks are designed to detect spoofing techniques in the wild. Some example “lookalike” patterns that trigger warnings include:

• Domains that are a small edit-distance away from other domains, such as goog0le.com.
• Domains that embed other domain names within their own hostname, such as google.com.example.com.
• Domains that use IDN homographs, such as goögle.com.

This list is not exhaustive, and developers are encouraged to avoid using domains that users without technical backgrounds may confuse for another site.

Lookalike checks are imperfect

Chrome‘s lookalike checks are not always right. Chrome can not detect all lookalike domains, and often lookalike domains are not malicious. Our intent with Chrome’s lookalike warnings is not to make spoofing impossible, but to force attackers to use less convincing lookalikes, allowing users to notice spoofs more easily.

While Chrome's checks sometimes label some benign pages as lookalikes, we use several approaches to minimize mistakes:

• Checks are tuned to minimize warnings on legitimate pages.
• Users are never prohibited from visiting the site requested, and the warnings shown are designed to be helpful and informative, rather than scary.
• We monitor what sites trigger the most warnings on a regular basis, and disable warnings when we identify mistakes.
• For domains used in company environments, we provide an Enterprise Policy allowing businesses to selectively disable warnings as needed for their users.
• For several months following the roll-out of new lookalike checks, we accept review requests from site operators whose sites have been flagged.
• New lookalike checks launching in Chrome 88 or later will trigger a console message informing site owners of the issue for at least one release prior to triggering user-visible warnings.

Not all users see all warnings

Chrome shows warnings in part based on a users' browsing history. This allows Chrome to be both more helpful (by providing better recommendations) and make fewer mistakes (by not flagging lookalikes for irrelevant sites).

Chrome only shows warnings on sites that the user has not used frequently. Further, Chrome will only recommend sites that are either well-known (i.e. top) sites, or the user has an established relationship.

Sites that show a warning to you may not show for another user, unless that user has visited the same sites that you have.

Removing Lookalike Warnings from a site

It is possible to remove warnings on sites where Chrome is incorrectly showing a warning.

• If you are the owner of both the site showing the warning and the site that Chrome thinks users should visit, you can use our automated warning removal process.
• If you are not the owner of both sites, or you can't follow the automated process, you can request a manual review.

Automated warning removal

If you own both the site where Chrome is showing a warning, as well as the site that Chrome is recommending, you can suppress these warnings by proving that you control both sites using a special form of Digital Asset Links.

Instructions

1. Create a file named assetlinks.json containing the following:

[{
  "relation": ["lookalikes/allowlist"],
  "target" : { "namespace": "web", "site": "https://example.com"}
},{
  "relation": ["lookalikes/allowlist"],
  "target" : { "namespace": "web", "site": "https://example.net"}
}]

2. Replace example.com and example.net with the domain where the warning is shown, and with the domain that Chrome recommends users visit. Do not use subdomains (e.g. use “example.com”, not “www.example.com”).
3. Upload this file to both of your sites at /.well-known/assetlinks.json. For instance, in our example, you would upload the files at both https://example.com/.well-known/assetlinks.json and https://example.net/.well-known/assetlinks.json.
4. Fill out an automated verification request. Please provide an email address with a valid Google account, otherwise you won't get updates.

Once you submit the request, please allow a few days for all warnings to stop. If verification fails, you should be notified via email within a few hours. If you don't get an email indicating verification failure and your sites still show a warning after a week, please submit a manual review using the process below.

Important notes:

• You only need to submit the verification request form once with a single domain. All other domains are discovered automatically, since you should have listed them in the first domain's assetlinks.json file.
• You must keep the assetlinks.json file in place so long as you wish to suppress the warnings. If you remove either file, Chrome may resume showing warnings.
• You can extend the example assetlinks.json to support more than two domains, or to support additional Digital Asset Links entries, if needed. Please note that Chrome does not support include statements in assetlinks.json files.

Requesting a manual review

If a site triggers erroneous lookalike warnings in Chrome, you can ask for a manual review. Please only use this process if you are unable to use the Automated Process above. In some cases, we may require that you use the automated process to demonstrate that you control both sites.

Requests for manual review are generally considered for six months following after that warning would have started (i.e. after Chrome introduces the check). After that time, we encourage developers to test their new sites in Chrome to ensure that their new domain does not trigger warnings.

If you are unable to use the automated process above, and would like to request a manual review, please fill out a manual review request. Please provide an email address with a valid Google account, otherwise you won't get updates.

Reasons an appeal might be denied

There are several reasons that may lead us to deny your appeal. The following are some of the most common reasons that don't qualify for manual appeals:

• Domains that are only used internally, such as for testing or in enterprise settings. We recommend using the Enterprise Policy in this case.
• For new sites or where very few users are impacted. We encourage domain owners to choose domains that do not look like domains used by other sites commonly visited by your users.
• For high-risk sites. In some cases, some domains might be particularly vulnerable to spoofing attacks (for instance, where money exchange is involved). In these cases, we deny appeals that aren't from the site owner.

Please note that the automated process is not subject to these restrictions.