Homograph Attacks
Detecting visually similar characters from different alphabets used to impersonate legitimate domains.
What are Homograph Attacks?
Homograph attacks exploit the fact that many characters from different writing systems look identical or very similar. Attackers use characters from non-Latin alphabets (like Cyrillic, Greek, or Armenian) to create domains that appear legitimate but are actually completely different domains.
This is particularly dangerous because the visual similarity makes it nearly impossible for users to detect the fake domain just by looking at it in their browser's address bar.
Common Lookalike Characters
- а: Cyrillic 'a' (U+0430) looks like Latin 'a' (U+0061)
- е: Cyrillic 'e' (U+0435) looks like Latin 'e' (U+0065)
- о: Cyrillic 'o' (U+043E) looks like Latin 'o' (U+006F)
- с: Cyrillic 's' (U+0441) looks like Latin 'c' (U+0063)
Real-World Examples
Apple Domain Attack
High Risk: The first character is Cyrillic 'а' (U+0430) instead of Latin 'a'. Visually identical, but a completely different domain.
PayPal Spoofing
High Risk: Multiple Cyrillic 'а' characters replace Latin 'a'. The domain looks perfect in the browser bar.
Why This Attack is So Dangerous
- Perfect visual match: The fake domain looks exactly like the real one in most fonts
- Valid SSL certificates: Attackers can obtain legitimate SSL certificates for these domains
- Browser warnings ineffective: Modern browsers show warnings, but many users ignore them
How We Detect These Attacks
We analyze every character in newly registered domains to identify lookalike substitutions from different alphabets (Cyrillic, Greek, Armenian, and others).
- When a new domain appears, we check if it contains non-Latin characters that look similar to your brand
- We maintain a database of visually similar characters across different writing systems
- If a match is found, you get an alert showing exactly which characters were substituted
Homograph attacks are particularly dangerous because they bypass traditional spell-checking and often look identical in browser address bars, making them extremely effective for phishing campaigns.
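The per-character check described above, sketched as an added example (not this service's own code). The function names are hypothetical and the `CONFUSABLES` table is a small constructed subset of a real lookalike database; the sketch also decodes `xn--` labels so a domain is analysed the same way in either display form.

```python
import unicodedata

# Constructed sample map: the four Cyrillic letters listed on this page plus
# a few more lookalikes. A production table would be far larger.
CONFUSABLES = {
    "\u0430": "a",  # CYRILLIC SMALL LETTER A
    "\u0435": "e",  # CYRILLIC SMALL LETTER IE
    "\u043e": "o",  # CYRILLIC SMALL LETTER O
    "\u0441": "c",  # CYRILLIC SMALL LETTER ES
    "\u0440": "p",  # CYRILLIC SMALL LETTER ER
    "\u03bf": "o",  # GREEK SMALL LETTER OMICRON
    "\u0585": "o",  # ARMENIAN SMALL LETTER OH
}

def to_unicode(domain):
    """Decode xn-- (punycode) labels so both display forms are analysed."""
    labels = []
    for label in domain.lower().rstrip(".").split("."):
        if label.startswith("xn--"):
            try:
                label = label[4:].encode("ascii").decode("punycode")
            except UnicodeError:
                pass  # malformed label: keep the raw text
        labels.append(label)
    return ".".join(labels)

def check_domain(domain, brands):
    """Return an alert dict if `domain` is a lookalike of a brand, else None."""
    decoded = to_unicode(domain)
    # Collapse every known lookalike onto its Latin counterpart.
    skeleton = "".join(CONFUSABLES.get(ch, ch) for ch in decoded)
    if skeleton == decoded or skeleton not in brands:
        return None  # nothing substituted, or it does not collapse onto a brand
    subs = [
        {"position": i,
         "found": f"U+{ord(ch):04X} {unicodedata.name(ch, '?')}",
         "expected": CONFUSABLES[ch]}
        for i, ch in enumerate(decoded) if ch in CONFUSABLES
    ]
    return {"domain": decoded, "imitates": skeleton, "substitutions": subs}

if __name__ == "__main__":
    # Constructed input: Cyrillic U+0430 in place of the leading Latin 'a'.
    print(check_domain("\u0430pple.com", {"apple.com", "paypal.com"}))
```

Because the comparison is made on the collapsed form, a label written entirely in one non-Latin script is caught the same way as a mixed-script one, provided every character in it is in the table.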
Why Browser Protection Isn't Enough
Modern browsers have some built-in protections against homograph attacks, but they're not comprehensive:
- Mixed script detection: Browsers block some mixed scripts, but single-script attacks (all Cyrillic) can still pass
- Punycode display: Some browsers show punycode (xn--) for suspicious domains, but users often ignore this
- Mobile browsers: Mobile devices often have weaker protections and smaller screens make detection harder
- Social engineering: Attackers use email links and QR codes to bypass direct URL entry
Proactive monitoring allows you to take legal action and request takedowns before users are compromised.