Cybercriminals are exploiting a subtle typography trick called evil kerning to disguise fake domains as trusted ones like Microsoft.com or Gmail.com. By tightening letter spacing, “rn” can appear as “m,” making scam addresses like rnicrosoft.com or grnail.com nearly indistinguishable from the real thing. Here’s how the scam works, why it’s so dangerous, and what you can do to avoid falling victim.
The lower-case letters “rn” can be mistaken for the letter “m” in some fonts and displays. Here are two examples from malicious emails, as shared on social media.
They might look obviously fake when enlarged and highlighted, but are easy to miss among all the other emails received.
The horizontal positioning of letters is called kerning. Don’t know about kerning? Check out “Kerning text simply explained for Word and PowerPoint”.
Evil kerning is possible in Word or PowerPoint. Here are examples using Microsoft’s Segoe UI font with kerning turned on for small font sizes.
Those domains are registered, respectively, to someone in South Korea (rnicrosoft.com) and a privacy service in Colorado (grnail.com).
Here’s how they should look with the correct spelling.
Other examples
Any time there’s a letter “m” in a domain name, there’s a risk of evil kerning.
arnazon . com
rneta . com
telegrarn . com
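A mail filter or triage script can catch this substitution by reading every “rn” as “m” and comparing the result with the domains you actually deal with. The sketch below is an added example, not code from the original article; the allow-list, function names and sample addresses are constructed for illustration.

```python
# Added example: flag sender domains that match a trusted domain once "rn" is read as "m".
# TRUSTED and the sample addresses are constructed; replace them with your own data.
TRUSTED = frozenset({"microsoft.com", "gmail.com", "amazon.com", "meta.com"})


def sender_domain(address):
    """Return the lower-cased domain of an e-mail address or bare domain."""
    return address.rsplit("@", 1)[-1].strip().strip("<>").rstrip(".").lower()


def collapse_rn(domain):
    """Model what the eye sees under tight kerning: 'rn' reads as 'm'."""
    return domain.replace("rn", "m")


def parent_domains(domain):
    """'a.b.com' -> ['a.b.com', 'b.com'] so subdomains are checked as well."""
    labels = domain.split(".")
    return [".".join(labels[i:]) for i in range(len(labels) - 1)]


def classify(address, trusted=TRUSTED):
    """Return ('trusted' | 'lookalike' | 'unknown', matched trusted domain or None)."""
    # Collapse both sides so a trusted name that really contains "rn" still matches.
    by_shape = {collapse_rn(t): t for t in trusted}
    for candidate in parent_domains(sender_domain(address)):
        if candidate in trusted:
            return ("trusted", candidate)
        target = by_shape.get(collapse_rn(candidate))
        if target is not None:
            return ("lookalike", target)
    return ("unknown", None)


if __name__ == "__main__":
    samples = [  # constructed sender addresses
        "billing@rnicrosoft.com",
        "Support <help@grnail.com>",
        "alerts@login.arnazon.com",
        "friend@gmail.com",
        "news@example.org",
    ]
    for addr in samples:
        verdict, target = classify(addr)
        print(f"{addr:32} {verdict:10} {target or ''}")
```

A “lookalike” verdict means the domain is not on the allow-list but would be read as one of its entries; treat it as grounds to quarantine or inspect the message, not as proof of who registered the domain.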
Learn more about kerning
Most kerning is done for good, not evil. For large type sizes, it’s often vital for easy readability.