Two Simple UX Changes That Could Make Phishing Harder

Phishing works because browsers present URLs in the worst possible way. The default sans-serif font makes lookalike characters identical, nothing separates the domain from the noise around it, and non-Latin characters that resemble Latin letters blend right in.

Two small changes could fix most of this:

  1. Highlight the domain so your eye is drawn to the part that actually matters.
  2. Use a distinguishable font — and flag non-Latin characters that could be mistaken for Latin ones.

Neither removes information. Neither requires user education.

The Proposal

Compare a standard address bar with a safer version:

Standard address bar (default sans-serif font, no highlighting)
  Legitimate:                            https://www.paypal.com/signin
  Phishing — capital I instead of l:     https://www.paypaI.com/signin
  Phishing — Cyrillic а, р:              https://www.раypal.com/signin

Safe address bar (monospace font, domain highlighted, non-Latin characters flagged)
  Legitimate:                            https://www.paypal.com/signin
  Phishing — capital I instead of l:     https://www.paypaI.com/signin
  Phishing — Cyrillic а, р flagged:      https://www.раypal.com/signin

The standard bar makes all three URLs look nearly identical. The safe bar uses a monospace font (making the I/l difference visible), highlights the domain, and flags non-Latin characters with a dotted underline — the Cyrillic р and а look identical to Latin p and a but are different Unicode codepoints.

The same idea works for email, where phishing is arguably worse because clients hide the real address behind a display name:

Standard email client (default sans-serif font)
  Legitimate:                      noreply@amazon.com
  Phishing — rn instead of m:      noreply@arnazon.com

Safe email client (distinguishable font)
  Legitimate:                      noreply@amazon.com
  Phishing — rn instead of m:      noreply@arnazon.com

The rnm trick: arnazon looks like "amazon" in most sans-serif fonts. A distinguishable font keeps the characters visually separate.

Domain Highlighting

Give the registrable domain (the eTLD+1) a subtle background highlight. Firefox already grays out everything except the domain — a proper highlight goes further by actively drawing the eye rather than just dimming the surroundings.

A Distinguishable Font

Switch to a font where I/l/1 and O/0 are unmistakable, and where rn doesn’t collapse into m. Fonts like JetBrains Mono, IBM Plex Mono, or Fira Code are built for exactly this.

Non-Latin Character Flagging

Homograph attacks use characters from other scripts that look identical to Latin letters — Cyrillic а, е, о, р, с, х or Greek ο, α are visually indistinguishable from their Latin counterparts in most fonts. A safe address bar should flag any non-Latin characters in an otherwise Latin-looking domain — for example with a dotted underline or different background. Browsers already have IDN homograph detection; it just needs a visual treatment.
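The two signals these sections describe, as an added example that is not code from the original post: a small JavaScript routine that finds the registrable-domain span a renderer would highlight and lists the non-Latin code points it would flag in a Latin-looking host. The hard-coded suffix set is an assumption standing in for the browser's real Public Suffix List lookup, and the names hostOf, registrableDomain, flagNonLatin and inspectUrl are chosen here.

```javascript
// Added example (not from the original post). Computes the two address-bar
// signals the post proposes: the registrable domain (eTLD+1) to highlight and
// the non-Latin lookalike characters to flag in an otherwise Latin host.
// Assumption: this tiny suffix set stands in for the browser's Public Suffix List.
const PUBLIC_SUFFIXES = new Set(["com", "org", "net", "co.uk", "github.io"]);

// Extract the host exactly as typed. `new URL()` is avoided on purpose: it
// applies IDNA and would turn the Cyrillic host into punycode before we look at it.
function hostOf(url) {
  const m = /^[a-z][a-z0-9+.-]*:\/\/(?:[^@\/?#]*@)?([^:\/?#]+)/i.exec(url);
  if (!m) throw new Error("not an absolute URL with a host: " + url);
  return m[1];
}

// Longest matching public suffix plus one label, e.g. www.paypal.com -> paypal.com.
function registrableDomain(hostname) {
  const labels = hostname.split(".");
  for (let i = 0; i < labels.length - 1; i++) {
    const suffix = labels.slice(i + 1).join(".").toLowerCase();
    if (PUBLIC_SUFFIXES.has(suffix)) return labels.slice(i).join(".");
  }
  return hostname; // no known suffix: highlight the whole host
}

function scriptOf(c) {
  if (/\p{Script=Cyrillic}/u.test(c)) return "Cyrillic";
  if (/\p{Script=Greek}/u.test(c)) return "Greek";
  return "Other";
}

// Flag every code point that is neither Latin nor a digit, dot or hyphen, but
// only when the host also contains Latin letters: an all-Cyrillic host is a
// legitimate IDN, not a mixed-script lookalike.
function flagNonLatin(hostname) {
  const chars = Array.from(hostname); // iterate by code point, not UTF-16 unit
  if (!chars.some((c) => /\p{Script=Latin}/u.test(c))) return [];
  const flagged = [];
  chars.forEach((c, index) => {
    if (/[\p{Script=Latin}0-9.-]/u.test(c)) return;
    const hex = c.codePointAt(0).toString(16).toUpperCase().padStart(4, "0");
    flagged.push({ index, char: c, codePoint: "U+" + hex, script: scriptOf(c) });
  });
  return flagged;
}

// One record a renderer can use: highlight host[domainStart..], underline each flagged index.
function inspectUrl(url) {
  const host = hostOf(url);
  const domain = registrableDomain(host);
  return { host, domain, domainStart: host.length - domain.length, flagged: flagNonLatin(host) };
}
```

The same functions apply to the domain part of an e-mail address, since the rn/m and mixed-script cases are properties of the host string, not of the URL scheme.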

Why This Could Ship

Google tried twice (2014, 2020) to improve URL display by hiding parts of the URL. Both times they abandoned it — users hated it, and it didn’t improve security metrics. The lesson: don’t subtract information, add signal.

These changes are the opposite — low-risk, low-effort, and additive. It’s a font change and a highlight on one UI element. Both Firefox and Chrome already have the eTLD parsing logic. This is a UI tweak, not an architectural change.


Small changes. Won’t stop all phishing. But they make the address bar work with your visual system instead of against it.