[re]

> getsupport.apple.com.phish.xyz

I notice that a lot of scam texts use domains that start with a TLD followed by a hyphen, like:

  https://wa.gov-phish.fit/dol
  https://seattle.gov-phish.cc/dmv

(Real examples, with "phish" replacing a string of 3-4 random letters)

In some ways, it's a more convincing fake URL, since even if you're used to reading the domain right-to-left, your brain wants to start from the hyphen since it's a different character following a familiar TLD. But that type of domain also seems a lot easier for spam detection rules to catch.

[krackers]

I think you have it the other way, the hyphen should be in a place where it can be confused with a period. E.g. foo-example.com, which at first glance mentally parses similarly to foo.example.com

This is how the scam page in OPs article is formatted, and I think it could easily fool a technical person who's tired. Precisely for the reason you touched on that when you're used to working with reverse DNS notation your eye is drawn to the last period. But hyphen and period are both used as "separators" in different contexts, so you have to be vigilant enough to override the natural instinct to chunk based on any separator.