Phishing via look‑alike characters
Security folks are warning about homoglyph phishing — attackers swap visually similar characters (think Cyrillic 'а' for Latin 'a') in domains and messages to trick victims into clicking. It’s low‑tech but effective, because users and some filters don’t notice the subtle character swaps, and defenders need targeted detection rules and user training to catch it. The takeaway is simple: bolstering domain verification, link scanning, and phishing drills reduces the risk these deceptive URLs succeed. (x.com)
A fake website can look right even when one of its letters is not. Attackers swap a character for a look‑alike from another writing system, so a domain that appears to read “paypal” can contain a Cyrillic letter in place of a Latin one. (unicode.org)

The trick works because domain names are no longer limited to the 26 ASCII letters, digits, and the hyphen. Internationalized Domain Names (IDNs) let people register web addresses in scripts such as Arabic, Cyrillic, Greek, and Chinese. (icann.org) Once those scripts are allowed, some characters become visual twins. The Unicode Consortium maintains a “confusables” list precisely because characters from different scripts can look identical on screen while being different code points underneath. (unicode.org)

Security teams usually call this an Internationalized Domain Name homograph attack. The United States Cybersecurity and Infrastructure Security Agency (CISA) says attackers use these lookalike domains to deliver malware and steal credentials. (cisa.gov)

Browsers have been dealing with the problem for years by sometimes showing the encoded machine form of a domain instead of the rendered Unicode one. Mozilla warned about this exact phishing risk in 2005 and temporarily displayed suspicious names in “punycode,” the ASCII encoding whose labels start with “xn--”. (mozilla.org) That encoded form is useful because it exposes the trick: a domain written with mixed scripts may look normal to a person, but its punycode form makes clear that the address is not the plain Latin spelling the user thought they were visiting. (icann.org)

The reason this still works in 2026 is that phishing usually wins on speed, not sophistication. Unicode’s own security FAQ says lookalike characters are only one slice of phishing, but they become dangerous when combined with ordinary social engineering and brand impersonation. (unicode.org) Big defenders treat it as a real operational problem, not a curiosity.
Microsoft said in 2021 that its Digital Crimes Unit obtained a court order to disable malicious homoglyph domains used to impersonate Microsoft customers and commit fraud. (blogs.microsoft.com) The defensive fix is not “tell users to squint harder at links.” The Unicode Consortium publishes security mechanisms (UTS #39) for detecting mixed scripts and confusable characters, and CISA tells defenders to build phishing detections around these domain tricks. (unicode.org) (cisa.gov) For companies, the practical steps are boring and effective: show punycode for risky domains, scan links before delivery (decoding any “xn--” labels and checking the Unicode form, not just the raw string), lock down brand‑lookalike registrations, and run phishing drills that include look‑alike URLs. For everyone else, the safest habit is to type important domains yourself or use a saved bookmark instead of trusting a link in a message. (support.mozilla.org) (cisa.gov)
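As an added example (not code from the page or from any organization it cites), the Python script below shows the two checks the article describes for a link scanner: decoding an “xn--” label to see what a user actually sees, and flagging labels that mix scripts or that collapse onto a protected brand name once look‑alike characters are mapped to their Latin twins. The confusables map, the brand watch list, and the script classifier built from Unicode character names are constructed simplifications; a production check should use the full UTS #39 confusables table and the Unicode Script property.

```python
import unicodedata

# Constructed subset of the UTS #39 confusables table: look-alike -> Latin target.
# The real table has thousands of entries; this is enough for the samples here.
CONFUSABLES = {
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0443": "y",  # CYRILLIC SMALL LETTER U
    "\u0445": "x",  # CYRILLIC SMALL LETTER HA
    "\u0455": "s",  # CYRILLIC SMALL LETTER DZE
    "\u0456": "i",  # CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I
    "\u0458": "j",  # CYRILLIC SMALL LETTER JE
    "\u03bf": "o",  # GREEK SMALL LETTER OMICRON
}

# Constructed (hypothetical) watch list of brand labels worth protecting.
PROTECTED_BRANDS = {"paypal", "cisco", "microsoft"}


def to_unicode(domain: str) -> str:
    """Decode xn-- labels to the form a user sees (stdlib IDNA codec)."""
    return domain.encode("ascii").decode("idna")


def to_punycode(domain: str) -> str:
    """Encode a Unicode domain to its xn-- form, the string a resolver sees."""
    return domain.encode("idna").decode("ascii")


def script_of(ch: str) -> str:
    """Approximate a character's script from the first word of its Unicode name.
    Digits and the hyphen count as 'Common' so they never trigger a mixed-script
    verdict. The proper check uses the Script property, which the stdlib lacks."""
    if ch in "0123456789-":
        return "Common"
    name = unicodedata.name(ch, "")
    return name.split(" ", 1)[0] if name else "Unknown"


def analyze_label(label: str) -> dict:
    """Report whether one label mixes scripts or impersonates a protected brand."""
    scripts = {script_of(c) for c in label} - {"Common"}
    # Skeleton: replace each look-alike with its Latin target, then compare.
    skeleton = "".join(CONFUSABLES.get(c, c) for c in label)
    return {
        "label": label,
        "scripts": sorted(scripts),
        "mixed_script": len(scripts) > 1,
        "skeleton": skeleton,
        # A hit only if mapping changed something; the genuine brand is not flagged.
        "brand_lookalike": skeleton != label and skeleton in PROTECTED_BRANDS,
    }


def analyze_domain(domain: str) -> dict:
    """Accept Unicode or xn-- input; flag the domain if any non-TLD label is suspicious."""
    unicode_form = to_unicode(domain) if domain.isascii() else domain
    labels = unicode_form.lower().split(".")
    findings = [analyze_label(lbl) for lbl in labels[:-1]]
    return {
        "unicode": unicode_form,
        "punycode": to_punycode(unicode_form),
        "suspicious": any(f["mixed_script"] or f["brand_lookalike"] for f in findings),
        "labels": findings,
    }


if __name__ == "__main__":
    # Constructed samples: a mixed-script PayPal look-alike given in xn-- form,
    # an all-Cyrillic "cisco" look-alike (no script mixing, so only the
    # confusables check catches it), and the genuine Latin domains.
    for sample in ("xn--pypal-4ve.com", "\u0441\u0456\u0455\u0441\u043e.com",
                   "paypal.com", "cisco.com"):
        result = analyze_domain(sample)
        verdict = "SUSPICIOUS" if result["suspicious"] else "ok"
        print(f"{sample:22} -> {result['punycode']:24} {verdict}")
        for f in result["labels"]:
            print(f"    label={f['label']!r} scripts={f['scripts']} skeleton={f['skeleton']!r}")
```

The all‑Cyrillic sample is the important edge case: it passes a mixed‑script check because every letter is from one script, so a scanner that only looks for script mixing would let it through; only the skeleton comparison against the brand list catches it.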