> getsupport.apple.com.phish.xyz

I notice that a lot of scam texts use domains that start with a TLD followed by a hyphen, like:

  https://wa.gov-phish.fit/dol
  https://seattle.gov-phish.cc/dmv

(Real examples, with "phish" replacing a string of 3-4 random letters)

In some ways, it's a more convincing fake URL, since even if you're used to reading the domain right-to-left, your brain wants to start from the hyphen since it's a different character following a familiar TLD. But that type of domain also seems a lot easier for spam detection rules to catch.