A hooded, shadowy figure is seen behind a computer monitor displaying a phishing attempt - a magnified screen shows the misspelled domains "nicosoft.com" while on the other monitor it's "micrsoft.com"
#WhatFraudstersLike #HomoglyphAttack #PhishingPrevention #URLSecurity #LetsTalkFraud

Fraudsters Like Homoglyphs!

Ever clicked what looked like "amazon.com", only to discover the “o” was actually a Cyrillic “о” and you were potentially in trouble?

Homoglyphs are characters that look visually identical (or almost so) but are entirely different under the hood. The Latin "a" (U+0061) and Cyrillic "а" (U+0430) look the same to your eyes, but computers treat them as entirely separate characters. This isn't about being careless — it's about attackers exploiting how human perception works. Your brain's pattern recognition says "legitimate" even when the actual characters come from completely different alphabets. Attackers are weaponizing how human perception fundamentally works[ref].

How fraudsters exploit homoglyphs:

🕵️ Domain impersonation: Attackers register look-alike domains (like "microsоft.com" with a Cyrillic "о") and use them for credential phishing or malware delivery.

📧 Email spoofing: By substituting characters in sender domains ("support@paypаl.com" with a Cyrillic "а"), attackers bypass spam filters and deceive recipients into thinking emails are legitimate.

💸 Payment diversion: Fraudsters fake vendor URLs or addresses using homoglyph domains, diverting payments without raising suspicion.

🧑‍💻 Supply-chain attacks: Malicious actors use package names or file identifiers that visually mimic trusted ones, slipping backdoors into software pipelines. (Related tactic: using "svch0st.exe" vs "svchost.exe" - harder to catch at a glance.)

🌍 Punycode manipulation: By mixing scripts (Latin + Cyrillic + Greek), attackers create domains that look identical in most fonts but are encoded on the wire as "xn--…" Punycode names pointing to malicious sites.

A typical 10-character domain could have millions of look-alike variants if each character has multiple homoglyph alternatives. While attackers don't register them all, monitoring tools have detected thousands of active homoglyph domains targeting major brands[ref].
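As an added illustration (not part of the original post), here is a small Python check that does what the advice in this post asks a human to do: fold confusable characters into the Latin letters they resemble, flag names that mix scripts, and show the Punycode form a browser would reveal. The confusables table is a constructed subset, the protected-brand list is a placeholder, and the sample inputs are the four domains from the quiz at the end of the post.

```python
import unicodedata

# Constructed subset of a confusables table; the real Unicode confusables
# data (UTS #39) is far larger. These cover the swaps discussed in the post.
CONFUSABLE_CHARS = {
    "\u0430": "a",  # Cyrillic small a (the "paypаl" case)
    "\u0435": "e",  # Cyrillic small ie
    "\u043e": "o",  # Cyrillic small o (the "microsоft" case)
    "\u0440": "p",  # Cyrillic small er
    "\u0441": "c",  # Cyrillic small es
    "\u0455": "s",  # Cyrillic small dze
    "\u0456": "i",  # Cyrillic-Ukrainian i
    "\u03b1": "a",  # Greek small alpha
    "\u03bf": "o",  # Greek small omicron (the "micrοsoft" case)
    "0": "o", "1": "l",  # digit-for-letter swaps such as "svch0st"
}
CONFUSABLE_PAIRS = {"rn": "m", "vv": "w", "cl": "d"}  # multi-letter look-alikes
PROTECTED_DOMAINS = ["microsoft.com", "amazon.com", "paypal.com"]  # placeholder brand list


def scripts_in(text):
    """Unicode scripts used by the letters of a domain, e.g. {'LATIN', 'CYRILLIC'}."""
    return {unicodedata.name(ch).split()[0] for ch in text if ch.isalpha()}


def skeleton(text):
    """Fold a domain to the Latin string a human is likely to read it as."""
    folded = "".join(CONFUSABLE_CHARS.get(ch, ch) for ch in text.lower())
    for pair, single in CONFUSABLE_PAIRS.items():
        folded = folded.replace(pair, single)
    return folded


def analyse(domain, protected=PROTECTED_DOMAINS):
    """Report the Punycode form, script mixing and any protected brand the domain imitates."""
    used = scripts_in(domain)
    folded = skeleton(domain)
    lookalike = next((p for p in protected if p != domain and skeleton(p) == folded), None)
    return {
        "domain": domain,
        "punycode": domain.encode("idna").decode("ascii"),  # what the registry/resolver sees
        "mixed_script": len(used) > 1,
        "scripts": sorted(used),
        "lookalike_of": lookalike,
    }


if __name__ == "__main__":
    # The four quiz domains from the end of the post (Cyrillic о, Greek ο, "rn" for "m").
    for d in ["microsoft.com", "micros\u043eft.com", "micr\u03bfsoft.com", "rnicrosoft.com"]:
        print(analyse(d))
```

Note that "rnicrosoft.com" is pure ASCII, so neither Punycode display nor a mixed-script warning catches it; only the skeleton comparison does.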

🚨 Do This Right Now (2 minutes):

- Bookmark your bank, email provider, and other critical services, then always access them through bookmarks rather than typing URLs.

- If your browser has an option to show Punycode for IDN domains, enable it (most modern browsers now warn about mixed-script domains automatically).

⚠️ Ongoing Habits:

- Always inspect the full domain in your browser's address bar, and look for tiny anomalies like odd scripts or "xn--" prefixes.

- On mobile devices or with small fonts, be extra cautious: homoglyphs are much harder to spot there.

- If you receive an unexpected email with a link that looks legitimate, navigate to the site manually (not via the link) or contact the sender through a verified channel.

- Hover over links before clicking to preview the actual URL destination.

🎓 The good news? Awareness is your strongest defense. Now that you know homoglyphs exist, you're already significantly less vulnerable. These attacks rely on invisibility; once you know to look twice at "legitimate" URLs, you've eliminated the attackers' primary advantage.

Share this knowledge with colleagues, friends, and family, especially those less tech-savvy. The more people who understand this threat, the harder it is for these fraudsters.

🧪 TEST YOURSELF: Can You Spot the Fake? Which of these is the real Microsoft domain?

1. microsoft.com

2. microsоft.com

3. micrοsoft.com

4. rnicrosoft.com

Answer: All four are different! The real one is #1. Domain #2 uses a Cyrillic "о", #3 uses a Greek "ο" and #4 uses "rn" instead of "m".