What are Homograph Attacks?
Homograph attacks exploit lookalike characters from different alphabets to create domain names that are visually identical to legitimate ones but actually point to a completely different site.
What are homograph attacks?
A homograph attack (also called an IDN homograph attack or script spoofing) uses characters from non-Latin scripts—such as Cyrillic, Greek, or Armenian—that look identical or nearly identical to Latin letters. By substituting these lookalike characters, an attacker can register a domain that appears identical to a legitimate site in the browser's address bar.
For example, the Cyrillic letter "a" (U+0430) looks identical to the Latin letter "a" (U+0061) in most fonts. An attacker can register a domain using the Cyrillic "a" that is visually indistinguishable from the real domain.
Why they are dangerous
Visually undetectable
Homograph domains can be completely indistinguishable from the real domain in most fonts. Even security-conscious users cannot spot the difference by looking at the URL.
Valid SSL certificates
Attackers can obtain legitimate SSL certificates for homograph domains, showing the green padlock. The domain appears secure and trustworthy to the victim.
Email impersonation
Homograph domains can send emails that appear to come from the real organization. Email clients may display the lookalike domain identically to the real one.
Targeted spear phishing
These attacks are often used in targeted campaigns against high-value targets because the lookalike domain withstands close scrutiny.
How homograph attacks work
The attack exploits Internationalized Domain Names (IDN), which allow non-ASCII characters in domain names:
Find lookalike characters
The attacker identifies characters from other scripts (Cyrillic, Greek, etc.) that look identical to Latin characters in the target domain.
Register an IDN domain
Using Punycode encoding (the xn-- prefix), the attacker registers the domain with an IDN-supporting registrar. The Punycode version looks different, but the displayed version looks identical.
Host malicious content
The attacker sets up a phishing page, obtains an SSL certificate, and waits for victims to arrive via phishing emails or social engineering links.
Victim sees the "real" domain
In browsers that display the Unicode version (rather than Punycode), the victim sees what appears to be the legitimate URL with a valid SSL certificate.
Punycode example
apple.com → xn--80ak6aa92e.com (with Cyrillic "a", "p", "l", "e")
The Punycode representation (xn--80ak6aa92e.com) is the actual domain stored in DNS, but browsers may display the Unicode version, which looks like apple.com.
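To make the Punycode relationship concrete, here is an added example (not from the original page and not Domain Guarddog's code) that converts between the displayed Unicode form and the xn-- form stored in DNS using Python's built-in punycode codec. The LOOKALIKE sample is the page's all-Cyrillic spelling of apple.com with its code points written out as escapes; the function names are assumptions for illustration.

```python
import unicodedata

ACE_PREFIX = "xn--"  # ASCII-compatible-encoding prefix that marks an IDN label

# Constructed sample: the page's apple.com lookalike spelled entirely with
# Cyrillic letters (a U+0430, p U+0440, p U+0440, palochka U+04CF, e U+0435).
# Written as escapes so the substitution is visible in the source.
LOOKALIKE = "\u0430\u0440\u0440\u04cf\u0435.com"


def to_ace(domain: str) -> str:
    """Encode a Unicode domain label by label into its Punycode (xn--) form.

    Labels that are already ASCII pass through unchanged; the result is what
    the registrar actually stores in DNS for the displayed Unicode name.
    """
    out = []
    for label in domain.split("."):
        try:
            label.encode("ascii")
            out.append(label)
        except UnicodeEncodeError:
            out.append(ACE_PREFIX + label.encode("punycode").decode("ascii"))
    return ".".join(out)


def from_ace(domain: str) -> str:
    """Decode xn-- labels back to Unicode (what a browser shows if it trusts the name)."""
    out = []
    for label in domain.split("."):
        if label.lower().startswith(ACE_PREFIX):
            out.append(label[len(ACE_PREFIX):].encode("ascii").decode("punycode"))
        else:
            out.append(label)
    return ".".join(out)


def non_ascii_report(domain: str):
    """List every non-ASCII character with its code point and Unicode name.

    This is the form worth writing to a log or alert: the name of the script
    is visible even when the glyph itself is indistinguishable from Latin.
    """
    return [(f"U+{ord(c):04X}", unicodedata.name(c, "UNKNOWN"))
            for c in domain if ord(c) > 127]


if __name__ == "__main__":
    ace = to_ace(LOOKALIKE)
    print(f"{LOOKALIKE} -> {ace}")            # xn--80ak6aa92e.com
    print(f"{ace} -> {from_ace(ace)}")
    for cp, name in non_ascii_report(LOOKALIKE):
        print(cp, name)
```

Running it shows the Unicode and Punycode forms side by side, and the report lists four CYRILLIC SMALL LETTER entries for a name that, rendered, reads as apple.com.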
Lookalike character examples
Many characters from different Unicode scripts are visually identical or nearly identical to Latin letters:
| Latin | Lookalike | Script | Unicode |
|---|---|---|---|
| a | а | Cyrillic | U+0430 |
| e | е | Cyrillic | U+0435 |
| o | о | Cyrillic | U+043E |
| p | р | Cyrillic | U+0440 |
| c | с | Cyrillic | U+0441 |
| x | х | Cyrillic | U+0445 |
| i | і | Cyrillic (Ukrainian) | U+0456 |
| o | ο | Greek | U+03BF |
Browser defenses
Modern browsers have implemented countermeasures against homograph attacks, though they are not foolproof:
| Browser | Defense |
|---|---|
| Chrome | Displays Punycode when a domain mixes scripts or uses confusable characters. Uses an allowlist of safe script combinations. |
| Firefox | Displays Punycode for mixed-script domains. Users can force Punycode display via network.IDN_show_punycode setting. |
| Safari | Displays Punycode for domains with mixed scripts and displays a warning for potentially deceptive domains. |
| Edge | Uses Chromium's IDN display policy, showing Punycode for suspicious mixed-script domains. |
A domain written entirely in one non-Latin script, such as the all-Cyrillic version of apple.com above, does not mix scripts, so it may still display as the readable version.
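The lookalike table and the browser heuristics above can be turned into a small check a defender can run over newly registered names. The following is an added example, not code from the original page or from Domain Guarddog; its confusable map is the subset from the table plus the Cyrillic palochka used as "l" in the apple.com example, and the sample domains are constructed. It keeps the mixed-script test browsers rely on separate from a skeleton comparison, because only the latter catches a lookalike written in a single non-Latin script.

```python
import unicodedata

# Lookalike -> Latin map. Rows come from the page's table plus the Cyrillic
# palochka (U+04CF) used as "l" in the page's apple.com example. This is a
# small illustrative subset; Unicode's confusables.txt (UTS #39) is the full source.
CONFUSABLES = {
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0445": "x",  # CYRILLIC SMALL LETTER HA
    "\u0456": "i",  # CYRILLIC SMALL LETTER BYELORUSSIAN-UKRAINIAN I
    "\u03bf": "o",  # GREEK SMALL LETTER OMICRON
    "\u04cf": "l",  # CYRILLIC SMALL LETTER PALOCHKA
}


def script_of(ch: str) -> str:
    """Coarse script of one character: the first word of its Unicode name
    (Latin, Cyrillic, Greek, ...). ASCII digits, hyphens and dots are Common."""
    if ch.isascii():
        return "Latin" if ch.isalpha() else "Common"
    name = unicodedata.name(ch, "")
    return name.split(" ")[0].title() if name else "Unknown"


def label_scripts(label: str) -> set:
    """Set of scripts present in one label, ignoring script-neutral characters."""
    return {script_of(c) for c in label} - {"Common"}


def is_mixed_script(label: str) -> bool:
    """The test browsers apply: more than one script inside a single label."""
    return len(label_scripts(label)) > 1


def skeleton(label: str) -> str:
    """Replace each known confusable with the Latin letter it imitates."""
    return "".join(CONFUSABLES.get(c, c) for c in label)


def assess(candidate: str, protected: str) -> dict:
    """Compare a candidate domain with a protected one.

    confusable:   the candidate is not the protected name but reduces to it.
    mixed_script: some label mixes scripts (what Punycode display catches).
    whole_script: confusable, yet every label is single-script, so a
                  mixed-script rule alone would not flag it.
    """
    cand, prot = candidate.lower(), protected.lower()
    labels = cand.split(".")
    skel = ".".join(skeleton(l) for l in labels)
    confusable = cand != prot and skel == prot
    mixed = any(is_mixed_script(l) for l in labels)
    non_latin = any(label_scripts(l) - {"Latin"} for l in labels)
    return {
        "candidate": candidate,
        "skeleton": skel,
        "confusable": confusable,
        "mixed_script": mixed,
        "whole_script": confusable and not mixed and non_latin,
    }


# Constructed samples: the real name, a one-letter Cyrillic substitution
# (mixed script), and the page's all-Cyrillic lookalike (single script).
SAMPLES = [
    "apple.com",
    "\u0430pple.com",
    "\u0430\u0440\u0440\u04cf\u0435.com",
]

if __name__ == "__main__":
    for s in SAMPLES:
        r = assess(s, "apple.com")
        print(f"{r['candidate']:<12} skeleton={r['skeleton']:<10} "
              f"confusable={r['confusable']} mixed={r['mixed_script']} "
              f"whole_script={r['whole_script']}")
```

The second sample is flagged by both tests, while the third is confusable but not mixed-script: that is exactly the case the browser table cannot cover on its own, and the reason monitoring should compare skeletons against your own domain rather than rely on script mixing.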
How to protect yourself
Monitor for homograph domains
Use Domain Guarddog to automatically detect when someone registers a homograph lookalike of your domain. These are flagged as high-risk threats.
Use bookmarks for critical sites
Never click links to log into banking, email, or other sensitive services. Use browser bookmarks so you always reach the real domain.
Enable Punycode display
In Firefox, set network.IDN_show_punycode to true in about:config. This forces all IDN domains to show their Punycode representation.
Use multi-factor authentication
Even if credentials are stolen via a homograph phishing site, MFA prevents the attacker from accessing the real account.
Report homograph domains
If you discover a homograph domain targeting your brand, report it to the registrar, Google Safe Browsing, and relevant anti-phishing organizations.
Detect homograph attacks against your domain
Domain Guarddog scans for homograph lookalikes using Unicode confusable analysis and alerts you to high-risk threats.