You Cannot Trust Your Eyes: How Hackers Hide Fake URLs in Plain Sight
That link in your email looks real. But one invisible character is all it takes to send you to a completely different website. Hackers use lookalike characters from different Unicode scripts to register fake domains that your eyes simply cannot catch. Read the full breakdown on how this works and how to protect yourself.
Can You Spot the Difference?
Look carefully at these pairs of domains. Take your time.
| Fake / Real |
|---|
| https://pɑypɑl.com |
| https://paypɑl.com |
| https://pɑypal.com |
| https://paypal.com |
| https://ɑmɑzon.com |
| https://ɑmazon.com |
| https://amɑzon.com |
| https://amazon.com |
| https://gооgle.com |
| https://gоogle.com |
| https://goоgle.com |
| https://google.com |
| https://citibɑnk.com |
| https://citibank.com |
Most people cannot tell which is real and which is fake.
That is exactly the point.
| Domain | Status | Spoofed Character | Explanation |
|---|---|---|---|
| https://pɑypɑl.com | ❌ | Both "a" = Latin small alpha (ɑ) U+0251 | Both letters "a" in paypal are replaced with Latin small alpha. Looks like a normal "a" but has no upper arch. |
| https://paypɑl.com | ❌ | Second "a" = Latin small alpha (ɑ) U+0251 | Only the second "a" in paypal is replaced. Harder to spot as only one character is changed. |
| https://pɑypal.com | ❌ | First "a" = Latin small alpha (ɑ) U+0251 | Only the first "a" is replaced. One character difference from the real domain. |
| https://paypal.com | ✅ | None | Legitimate domain. All characters are standard Latin ASCII. |
| https://ɑmɑzon.com | ❌ | Both "a" = Latin small alpha (ɑ) U+0251 | Both letters "a" in amazon are replaced with Latin small alpha. |
| https://ɑmazon.com | ❌ | First "a" = Latin small alpha (ɑ) U+0251 | The first "a" in amazon is replaced. Easy to miss on a quick scan. |
| https://amɑzon.com | ❌ | Second "a" = Latin small alpha (ɑ) U+0251 | The second "a" in amazon is replaced. The domain looks almost identical at first glance. |
| https://amazon.com | ✅ | None | Legitimate domain. All characters are standard Latin ASCII. |
| https://gооgle.com | ❌ | Both "o" = Cyrillic о U+043E | Both letters "o" in google are Cyrillic. Completely indistinguishable from Latin "o" in most fonts. |
| https://gоogle.com | ❌ | First "o" = Cyrillic о U+043E | Only the first "o" is Cyrillic. The second is a real Latin "o". Mixed script attack. |
| https://goоgle.com | ❌ | Second "o" = Cyrillic о U+043E | Only the second "o" is Cyrillic. One character difference from the real domain. |
| https://google.com | ✅ | None | Legitimate domain. All characters are standard Latin ASCII. |
| https://citibɑnk.com | ❌ | "a" = Latin small alpha (ɑ) U+0251 | The "a" in citibank is replaced with Latin small alpha. Single character substitution. |
| https://citibank.com | ✅ | None | Legitimate domain. All characters are standard Latin ASCII. |
These are just a few examples. There are countless domains like these being registered every day, designed to trick users into clicking links they believe are safe.
What Is a Homograph Attack?
A homograph attack, also known as IDN Spoofing, exploits the fact that multiple characters from different writing systems can look visually identical on screen.
IDN stands for Internationalised Domain Name. This feature was introduced to allow non-English languages to register domain names using their native scripts. Arabic, Chinese, Russian, Greek and dozens of other scripts can now be used in domain names.
It was a well-intentioned step toward a more inclusive internet.
But attackers figured out how to weaponise it.
By substituting one or two characters in a well-known domain name with visually identical characters from a different script, attackers can register a domain that looks exactly like the real thing and use it to run phishing campaigns that are almost impossible to detect with the naked eye.
The Characters Behind the Attack
To understand how this works, you need to understand the specific characters attackers use most frequently.
The Latin "a"
This is the letter you type every day. It is part of the standard ASCII character set, used for English text and for domain names across the internet. In most fonts it has a small closed loop with a short tail or arch at the top.
Example: paypal.com ✅
The Latin Small Alpha (ɑ)
This character (Unicode U+0251) is where things get interesting.
The Latin small alpha looks like the lowercase letter "a" but without the upper arch. It has an open, round body that sits cleanly on the baseline. Many fonts, particularly those used in handwriting, print, and even some digital interfaces, naturally render the letter "a" in this open form.
Your brain has been conditioned to read this shape as a completely normal "a." You do not question it.
But to a computer, ɑ and a are entirely different characters sitting at completely different positions in the Unicode table.
Example: pɑypal.com looks identical to paypal.com in most email clients and browsers. But it is not.
The Cyrillic "а" (а)
This character (Unicode U+0430) comes from the Russian and Eastern European Cyrillic script.
In the vast majority of fonts and screen renderings, the Cyrillic "а" is completely indistinguishable from the Latin "a." Your eye sees the same shape. Your brain reads the same letter. But the computer knows they are different.
Example: pаypal.com uses the Cyrillic а. It is not PayPal's domain. It has nothing to do with PayPal. But it looks exactly like it does.
The Cyrillic "о" (о)
The same trick applies to the letter "o." The Cyrillic "о" (Unicode U+043E) looks identical to the Latin "o" in virtually every font, on virtually every screen.
Example: gооgle.com uses two Cyrillic о characters replacing both Latin o letters. To most people reading this right now, it looks exactly like google.com. It is not.
Are Domain Registrars Doing Anything About This?
Yes. And it is worth acknowledging that the domain registration industry is aware of this problem and has taken steps to address it.
ICANN, the body that oversees global domain name policy, has introduced guidelines that restrict the registration of mixed-script domains. Under these rules, a domain that mixes Latin and Cyrillic characters within the same label, such as pаypal.com where the "а" is Cyrillic and the rest is Latin, is technically prohibited for most generic top-level domains including .com, .net, and .org.
Major browsers like Chrome, Firefox, and Safari have also introduced protective measures. When they detect a domain using mixed or suspicious scripts, they display the raw Punycode version of the domain in the address bar instead of the visual rendering. For example, pаypal.com would appear as xn--pypal-4ve.com, which is immediately recognisable as suspicious.
These are meaningful steps forward.
However, attackers continue to find ways around these restrictions.
Enforcement varies significantly across country code top-level domains such as .ru, .io, .cc, and many others. Less regulated registrars operating in certain jurisdictions apply these rules inconsistently or not at all.
Attackers also work around script-mixing rules by using characters entirely from one non-Latin script, making every character in the domain Cyrillic rather than mixing scripts, which can bypass detection in some systems.
The Latin small alpha (ɑ) presents a separate challenge entirely. Because it belongs to the Latin character set, not a foreign script, it does not always trigger mixed-script warnings. It simply looks like a stylistic variant of the letter "a" to most systems and to most human eyes.
The result is a continuous cat-and-mouse situation. Registrars and browser vendors tighten the rules. Attackers find new character combinations, new registrars, or new TLDs to exploit. The defences are improving but they are not yet airtight.
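The checks this section describes, mixed-script detection per label, the Punycode form that browsers fall back to, and the Latin small alpha case that mixes no scripts, as an added example that is not part of the original post. It uses only the Python standard library; the brand list and confusable map are constructed from the article's own examples, and bucketing script by character name is an approximation because unicodedata exposes no Script property.

```python
import unicodedata

# Constructed from the article's examples: brands a lookalike might impersonate,
# and the three confusable characters it discusses mapped to their Latin twins.
BRANDS = {"paypal.com", "amazon.com", "google.com", "citibank.com"}
CONFUSABLES = {"\u0251": "a",   # Latin small alpha (Latin script, but non-ASCII)
               "\u0430": "a",   # Cyrillic small a
               "\u043e": "o"}   # Cyrillic small o

def script_of(ch):
    """Coarse script bucket taken from the character name (an approximation:
    Python's unicodedata has no Script property)."""
    name = unicodedata.name(ch, "")
    for script in ("LATIN", "CYRILLIC", "GREEK"):
        if name.startswith(script):
            return script.capitalize()
    return "Other"

def analyse(domain):
    """Return the Punycode form, per-label script findings, the domain with
    confusables folded to Latin, and the brand it would impersonate (if any)."""
    domain = unicodedata.normalize("NFC", domain.strip().lower())
    # The idna codec (IDNA 2003) yields the xn-- form browsers show instead of
    # the visual rendering when they consider a domain suspicious.
    punycode = domain.encode("idna").decode("ascii")
    findings = []
    for label in domain.split("."):
        if label.isascii():
            continue                      # plain ASCII label: nothing to flag
        scripts = sorted({script_of(c) for c in label if c.isalpha()})
        codepoints = [f"U+{ord(c):04X}" for c in label if not c.isascii()]
        if len(scripts) > 1:
            findings.append(f"{label}: mixed scripts {scripts} via {codepoints}")
        else:
            # Whole-script Cyrillic labels and Latin small alpha both land here:
            # no script mixing to trigger a warning, yet still non-ASCII.
            findings.append(f"{label}: single script {scripts} via {codepoints}")
    skeleton = "".join(CONFUSABLES.get(c, c) for c in domain)
    return {
        "punycode": punycode,
        "findings": findings,
        "skeleton": skeleton,
        "impersonates": skeleton if skeleton in BRANDS and skeleton != domain else None,
    }

if __name__ == "__main__":
    for d in ["paypal.com", "p\u0430ypal.com", "p\u0251ypal.com", "g\u043e\u043egle.com"]:
        print(analyse(d))
```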
What Happens When You Click
Once an attacker has registered a spoofed domain, they build a site that looks identical to the real one. Same layout. Same logo. Same colour scheme. Same login form.
You land on the page. Nothing feels wrong. You enter your username and password. The page might even redirect you to the real site afterwards so you do not suspect anything.
But your credentials are now in the hands of an attacker.
The consequences extend well beyond a stolen password.
For individuals this means compromised bank accounts, stolen identities, and unauthorised transactions that can take months to resolve.
For businesses the damage is significantly greater. A single successful homograph attack can lead to:
- Business email compromise
- Invoice fraud and wire transfer scams
- Unauthorised access to corporate systems
- Data breaches affecting customers and partners
- Regulatory and reputational consequences
According to FBI reports, business email compromise costs organisations billions of dollars globally every year. Homograph attacks are one of the techniques that make this possible.
Why Your Eyes Cannot Protect You
The uncomfortable truth is that visual inspection is not a reliable defence against this type of attack.
Even if you hover over a link in your email client, the spoofed domain renders in its visual form. Some browsers have improved at detecting and displaying Punycode for mixed-script domains, but this protection is inconsistent across platforms, email clients, and mobile devices.
Your password manager is actually one of your better defences here. Because it matches domains at the character level, not the visual level, it will refuse to autofill your credentials on a spoofed domain. If you visit what looks like paypal.com and your password manager does not offer to fill in your details, treat that as a serious red flag and close the page immediately.
But the safest habit is to check the link before you click it.
How to Protect Yourself
There are several steps you can take to reduce your exposure to homograph attacks.
Never rely on visual inspection alone when clicking links in emails, SMS messages, or social media posts.
Pay attention to your password manager. If it does not autofill on a page where you expect it to, stop and investigate before entering anything.
Be cautious with urgent messages. Any email or SMS that creates urgency, asks you to verify your account, or prompts you to take immediate action is a common social engineering trigger that attackers pair with spoofed domains.
Check links before you click using a tool that analyses the actual characters in the domain, not just how they appear on screen.
Check Any Link Before You Click
At CyberCheck360 we built a free link checker for exactly this purpose.
Paste any suspicious link and instantly get:
- A safe or malicious verdict
- A live screenshot of exactly where the link leads
- Domain age, redirect hops, blacklist status, and SSL verification
- The option to open the link inside a fully isolated sandbox so your device is never at risk
- A full threat intelligence report if you need to investigate further
It works for links from emails, SMS messages, and social media. No login required for basic checks. Free to use.
👉 cybercheck360.com/link-checker
Next time a link lands in your inbox and something feels slightly off, do not click. Check it first.
Conclusion
Homograph attacks are one of the most sophisticated and underreported phishing techniques in use today. They require no malware and no complex infrastructure. Just a carefully chosen Unicode character, a convincing email, and a target who trusts their eyes.
Domain registrars and browser vendors are working to close the gaps. But the defences are not yet complete, and attackers continue to adapt.
The most reliable protection is not technical. It is a simple habit.
Check before you click.