What’s “visual similarity abuse” (logos, colors, etc.)?
Still have a question, spotted an error, or have a better explanation or a source we should cite?
You get an email that looks exactly like your bank sent it. The logo is right. The blue is right. The footer matches. The only thing that's off is the sender domain, and most people never check that.
That's visual similarity abuse in a nutshell. It's when an attacker doesn't just register a lookalike domain but also recreates the entire visual experience of your brand's emails to make the fake look indistinguishable from the real thing.
The typical playbook goes like this. They grab your logo from your website. They match your exact hex colors. They copy your email template structure, your button style, your footer layout, your font choices. Then they pair all of that with a convincing domain (think support-paypa1.com or microsofft-alerts.net) and send. Most recipients never look twice.
Some of the most-copied brands in phishing campaigns are PayPal, Microsoft, Apple, and Amazon. Not because their security is weak, but because everyone recognizes their visual identity instantly. Familiarity is exactly what attackers exploit.
And if you're a brand owner, the uncomfortable truth is that you can't stop someone from copying your logo off your own website. What you can do is make authentication visible. BIMI lets verified senders display their logo directly in supported inboxes, which gives recipients a signal that the visual identity they're seeing has been authenticated, not just copied. It's not a silver bullet, but it raises the bar.
For your own brand protection, here's what actually helps:
- Monitor for impersonation domains using tools that scan for new registrations that mimic your brand. Catching the domain early is much easier than chasing the campaign after it launches.
- Lock down your DMARC policy so attackers can't send from your actual domain. DMARC alignment doesn't stop lookalike domains, but it does stop direct spoofing of your real one.
- Educate your subscribers. Tell them what your emails will and won't contain. "We'll never ask for your password by email" is a sentence worth saying more than once.
- Register obvious variants of your domain before attackers do. Typos, hyphens, common misspellings. It costs less than one incident response.
If you're on the receiving end and trying to spot these fakes, visual polish is not a trust signal. A well-designed email is not a verified email. Always check the actual sending domain, not the display name. The logo can be copied. The authenticated domain can't be faked if DMARC is in place.
Think your domain might already be getting impersonated? Our free Blocklist Checker won't catch visual fakes directly, but it'll show you if your domain reputation is already taking hits. If something feels off, our SOS hotline is free and we'll take a proper look with you.
Contributors
Who worked on this answer
Every name links to their profile. Every company links to their site. Real people, real accountability.