Cybercriminals have found a clever way to trick people by swapping real letters in website addresses with characters that look almost the same. These are called homoglyph attacks, and they are becoming a growing problem across the internet.
A single character swap — like replacing a Latin “o” with a Greek omicron — can fool both users and security tools into thinking a fake website is real. This kind of deception is simple to pull off but can cause serious damage to individuals and organizations.
Homoglyph attacks take advantage of the fact that many character sets exist across different languages, including Latin, Cyrillic, Greek, and Armenian.
When these lookalike characters are placed inside a domain name, email address, or filename, they create a false sense of trust.
Victims who click on such links may land on phishing pages, download malware, or hand over their login credentials without realizing anything is wrong.
The threat covers a wide range of attack types, from spear-phishing and brand impersonation to Business Email Compromise and software supply chain manipulation.
Seqrite researchers identified that these attacks are especially dangerous because they are low-cost and highly effective.
Attackers can register lookalike domains through registrars that accept Internationalized Domain Names, obtain valid TLS certificates for those domains, and then host convincing phishing pages that are nearly impossible to tell apart from the real thing at first glance. The combination of a familiar-looking URL and a valid security certificate gives victims little reason to pause.
The impact of homoglyph attacks stretches across industries. Finance-targeted phishing campaigns have used mixed Latin and Cyrillic characters to impersonate payment portals.
SaaS login pages have been cloned using Internationalized Domain Names paired with real TLS certificates to harvest credentials. Executives have been impersonated through display name spoofing in email clients, leading to fraudulent payment requests.
Meanwhile, fake software download portals hosted on lookalike domains have pushed malware payloads that even sandbox tools sometimes miss because the domain reputation appears clean and new.
How Unicode, IDNs, and Punycode Enable Homoglyph Deception
Understanding why homoglyph attacks work so well requires a closer look at how the internet handles international characters. The Domain Name System was originally built to support only ASCII characters.
To allow domain names in other languages, a system called Internationalized Domain Names in Applications was created, which uses Punycode encoding to convert non-ASCII characters into ASCII-compatible strings prefixed with “xn--”.
For example, a domain containing Cyrillic characters gets stored in DNS as its Punycode equivalent, but modern browsers often display the original Unicode version to users — making the fake domain look perfectly legitimate.
The problem deepens when attackers combine characters from multiple scripts inside a single domain. These mixed-script domains are particularly tricky because many security tools do not flag them as suspicious.
Additionally, Unicode normalization forms such as NFC, NFD, and NFKC affect how characters are compared, meaning security systems that skip normalization may completely miss a homoglyph match.
Bidirectional text controls, such as the Unicode character U+202E, add another layer of confusion by reversing how text is visually rendered, further helping attackers disguise filenames and display names.
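The checks described above can be combined into one small detector. The following is an added example, not code from Seqrite or the original article: it decodes Punycode labels, flags mixed-script labels, compares an NFKC-normalized skeleton against a brand list, and looks for bidirectional controls. The lookalike map, the function names, and the `example.com` brand are assumptions made for illustration.

```python
import unicodedata

# Constructed, deliberately tiny lookalike map (assumption); production checks
# should use the full Unicode confusables data instead.
CONFUSABLES = {"\u0430": "a", "\u0435": "e", "\u043e": "o",
               "\u0440": "p", "\u0441": "c", "\u03bf": "o"}
BIDI_CLASSES = {"LRE", "RLE", "LRO", "RLO", "PDF", "LRI", "RLI", "FSI", "PDI"}

def to_unicode(host):
    """Decode xn-- labels from Punycode, as a browser would before display."""
    labels = []
    for label in host.lower().split("."):
        if label.startswith("xn--"):
            try:
                label = label[4:].encode("ascii").decode("punycode")
            except UnicodeError:
                pass  # malformed Punycode: keep the raw label
        labels.append(label)
    return ".".join(labels)

def scripts(label):
    """Heuristic script detection: first word of each letter's Unicode name."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0]
            for ch in label if ch.isalpha()}

def skeleton(text):
    """NFKC-normalize, then fold known lookalikes to their Latin letter."""
    text = unicodedata.normalize("NFKC", text).lower()
    return "".join(CONFUSABLES.get(ch, ch) for ch in text)

def has_bidi_control(text):
    """True if text has embedding/override/isolate controls such as U+202E."""
    return any(unicodedata.bidirectional(ch) in BIDI_CLASSES for ch in text)

def analyze(host, brands):
    shown = to_unicode(host)
    folded = skeleton(shown)
    return {
        "unicode": shown,
        "mixed_script": any(len(scripts(l)) > 1 for l in shown.split(".")),
        "impersonates": folded if folded in brands and shown not in brands else None,
        "bidi_control": has_bidi_control(shown),
    }

if __name__ == "__main__":
    # Constructed sample: Latin "ex", Cyrillic "a" (U+0430), Latin "mple".
    fake = "xn--" + "ex\u0430mple".encode("punycode").decode("ascii") + ".com"
    print(fake, analyze(fake, {"example.com"}))
    print(has_bidi_control("invoice\u202efdp.exe"))  # constructed filename
```

The script check relies on Unicode character names because the Python standard library does not expose the Script property, so it is a heuristic rather than a full implementation of Unicode's mixed-script rules.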
Organizations should take a layered approach to defend against these attacks. Email gateways and web proxies must normalize Unicode and display Punycode warnings when suspicious links are detected.
DNS filtering systems should treat newly observed xn-- prefixed domains as high-risk until properly reviewed. Certificate transparency monitoring should alert security teams whenever certificates are issued for domains that visually resemble trusted brands.
From a policy standpoint, organizations should register common lookalike domain variations of their own brand names and enforce clear rules against mixed-script domains in official communications.
Brand monitoring programs should track domain registrations and abuse reports in close to real time. Phishing simulations that include realistic homoglyph scenarios should be run regularly to sharpen user awareness.
Multi-factor authentication must be enforced on all sensitive services, and secondary verification should be required for any financial or credential-related requests.
As attackers increasingly automate homoglyph domain generation and expand this technique into software supply chains and cross-channel impersonation, staying ahead requires consistent vigilance, strong technical controls, and well-trained users who know what to look for before clicking any link.

