Script spoofing: What it is and how you can protect yourself

Script spoofing is a newer tactic that some cyber criminals are using to scam their victims.

a red dialogue window with exclamation marks

Spoofing is when a cyber criminal makes their malicious website or email address look like a legitimate source of information. In script spoofing, cyber criminals impersonate a trusted domain name by deliberately — and often very subtly — misspelling the website or email address. This lets them distribute malware to your device or trick you into sharing sensitive information. The ‘script’ part of script spoofing refers to words, letters, numbers, and special characters that look correct but are actually visually similar characters.

For example, an email from info@amα seems to come from Amazon’s official email. But if you look closely, you’ll see that what looks like the second “a” in the Amazon domain name is actually the Cyrillic character “α”. Script spoofing can also be as simple as using the number “0” instead of the capital letter “O”, or the number “1” instead of a lowercase “L” or uppercase “I”.

The characters that cyber criminals use can easily be confused with their legitimate counterparts, which can make script spoofing tough to spot.

How to protect yourself against script spoofing

Using a web browser on a computer can be your first line of defence against script spoofing attacks. Some web browsers can block script spoofing as an extra layer of protection.

A web browser on a computer lets you view the entire URL, which can help you determine whether it is a legitimate site or not. While browsing the web, be cautious and hover your mouse over any hyperlinked text to confirm where it leads before you click on it. It’s a good habit that may save you from clicking on a malicious link.

But since no web browser can detect every script spoofing attempt, this shouldn’t be the only protection you rely on. It is always a good idea to perform system updates, especially on your web browser. Updates contain essential patches that are designed to deter cyber criminals and can help protect against script spoofing.

Be extra cautious when surfing the web on a mobile device. The smaller the screen, the less likely you are to see the entire URL of the website. When you want to visit a website, instead of clicking a link, it is a good idea to type in the name of the website in your web browser so that the browser can redirect you to the right place. Cyber criminals hide script spoofing tactics in emails, chat messages, social media, and other publicly available platforms.

If you think you’ve received a spoofed message, don’t open any attachments or click on links. Instead, if the message appears to be from a service provider, use your browser to log into your account as you normally would and see if there are any alerts on the official website.

Always keep an eye out for script spoofed characters in email addresses and links. Script spoofing messages will often also have similar red flags as phishing messages. This includes things like grammar or spelling mistakes, poor formatting or urgent or threatening language. Remember — if the message seems too good to be true, it probably is.

You should also consider enabling a free DNS firewall, such as CIRA Canadian Shield. CIRA Canadian Shield identifies malicious websites and then prevents you from accessing them.

If you think that you have been the victim of a script spoofing attack, you can report it to the Canadian Centre for Cyber Security.


Now that you know what script spoofing is and the signs to watch out for, you can better protect yourself against it. It’s always better to take a few extra minutes to confirm whether the link you’re clicking is legitimate or not than to be scammed by a cyber criminal.

Report a problem on this page

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Please select all that apply:

Thank you for your help!

You will not receive a reply. For enquiries, please contact us.

Date modified: