4 Ways Kerning Helps Attackers Easily Impersonate Domains

The subtle art of deception hiding in plain sight

In cybersecurity, we often talk about sophisticated exploits, zero-days, and advanced persistent threats. But sometimes, the most effective attacks rely on something far simpler - human perception. One of the more ingenious examples of this is domain impersonation through font kerning.

If you’ve ever mistaken the letters "r" and "n" for an "m" in a tightly spaced font, you’ve already experienced how kerning can trick the human eye. Now imagine an attacker using that same typographic illusion to register a fake domain, such as rnicrosoft.com, and pass it off as microsoft.com.
It’s subtle. It’s effective. And it works.

What exactly is “kerning”?

Kerning refers to the adjustment of spacing between individual letter pairs to create visually balanced text. Designers use it to make typography look clean and professional. For example, the letters A and V might sit closer together than A and T, to achieve optical harmony.

When kerning is very tight - or the type is simply small - those spacing adjustments change how groups of letters read. The classic case is the pair "r" and "n": in many proportional sans-serif faces, at small sizes, the gap between the two closes and the pair reads as a single "m". Strictly speaking the confusion comes from glyph shape as much as from kerning, but tight spacing is what makes the two indistinguishable.

Attackers have not only noticed this; they are weaponising it.

How cybercriminals exploit kerning to impersonate domains

Here’s how the trick works in practice:

  1. The attacker registers a deceptive domain
    Instead of microsoft.com, they buy rnicrosoft.com. To the naked eye, those letters look nearly identical in many fonts.

  2. They weaponise typography
    When the fake domain is rendered in an email client, web browser or mobile app that uses a small, tightly spaced proportional font, the illusion is complete. Users skim past it, assuming it's legitimate.

  3. Phishing and credential theft follow
    Emails, login pages and even fake invoices can now appear to come from a trusted source. Because the attacker owns rnicrosoft.com, they can publish valid SPF, DKIM and DMARC records for it, so the message passes authentication and may even carry an "authenticated" indicator. Those checks only prove the mail really came from the domain in the header; they say nothing about whether that domain is the one the reader thinks they are looking at.

  4. The human eye does the rest
    People see what they expect to see. If the context suggests "Microsoft," our brains fill in the blanks. This cognitive shortcut, combined with typographic trickery, is what makes kerning-based impersonation so dangerous.

Why does this matter?

Unlike an obvious "typosquat" such as micr0soft.com, rnicrosoft.com deceives at the glyph level while remaining a genuinely different string: two characters, "r" and "n", stand in for one "m". An exact-match comparison against your protected domain list therefore sees an unrelated name, an edit-distance check scores it as two edits away, and because the name is plain ASCII, protections aimed at internationalised (punycode) look-alikes do not apply. Catching it requires folding confusable sequences such as "rn" to "m" before comparing, and users are far less likely to notice it than a digit in the wrong place.

For organisations, that’s a serious problem. A single convincing phishing email from a near-identical domain can lead to:

  • Compromised credentials and data breaches

  • Fraudulent financial transactions

  • Reputational damage from brand impersonation

  • Loss of customer trust and compliance exposure (e.g., SOC 2, ISO 27001, DORA)

In short, this isn’t just a design quirk - it’s an operational risk.

Real-world examples

  • rnicrosoft.com - impersonating Microsoft

  • grnail.com - targeting Gmail users

  • customercorn - where "corn" stands in for "com" in the visible part of the address

Each example relies on a simple truth: "rn" closely resembles "m" in many fonts and sizes, especially on mobile screens.
It’s not a technical exploit; it’s a psychological one.

How to defend against kerning-based domain impersonation

1. Protect your brand at the domain level

Register the obvious look-alikes of your own domains - especially spellings where character pairs can be misread, such as every "m" rewritten as "rn". It is inexpensive insurance, though you cannot buy every variant across every TLD, so treat it as a complement to monitoring rather than a substitute.

2. Enable domain-impersonation protection in your email systems

Platforms like Microsoft Defender for Office 365 can detect and flag deceptive domains that visually resemble protected ones.

3. Educate your users

Awareness training should go beyond "hover over links." Teach staff how typography can deceive - particularly with the "rn = m" example.

4. Review font choices in internal tools

Where you control the rendering - internal portals, ticketing tools, security alerting - prefer monospaced or clearly spaced fonts. In a monospaced font every glyph occupies the same width, so "rn" is visibly two cells wide and "m" one, and the pair cannot merge. You cannot change what a user's browser or phone renders in its address bar, which is why this is a supporting control rather than a primary one.

5. Monitor new domain registrations

Open-source tools such as DNSTwist generate look-alike permutations of your domain (including "rn" for "m") and check which of them are registered or resolving; run on a schedule, or through a commercial service such as BrandShield, this gives you a useful early-warning system.

6. Enforce multi-factor authentication (MFA)

Even if credentials are captured, MFA limits the damage - but choose the kind carefully. One-time codes and push approvals can be relayed in real time by a phishing page hosted on the look-alike domain. Phishing-resistant MFA (FIDO2/WebAuthn security keys or platform passkeys) binds the credential to the genuine origin, so a login attempt proxied through rnicrosoft.com cannot be completed.

What this means for compliance and risk management

From a governance perspective, kerning-based impersonation should be recognised as a variant of domain spoofing.
In frameworks like SOC 2, ISO 27001, and DORA, it maps to the control objectives around identity management, threat awareness, and incident prevention.

Phenomlab Ltd often helps clients assess these subtle but high-impact risks within broader security awareness, phishing simulation, and brand protection strategies. Addressing the human and typographic layer of security is as vital as patching systems or enforcing policies.

Final thoughts

Typography was never designed to be a weapon - but in the wrong hands, it becomes one. Kerning-based domain impersonation is a reminder that cybersecurity isn’t only about code and firewalls. It’s also about psychology, perception, and design.

When your users trust what they think they see, attackers effectively have one foot in the door. Recognising and mitigating that risk is what separates reactive organisations from resilient ones.
