Let’s talk about the identity gaps every team has to close. Join the convo.
Utility navigation bar redirect icon
Portal LoginSupportBlogContact
Search
Portal LoginSupportBlogContact
Search
Get a Demo
Start for Free
HomeCybersecurity 101
What is a Homograph Attack?

What is a Homograph Attack?

Written by: Lizzie Danielson

Published: 6/11/2026

Person typing on a keyboard
ChatGPT logoChatGPTOpens in new tabClaude logoClaudeOpens in new tabPerplexity logoPerplexityOpens in new tabGoogle Gemini logoGoogle AIOpens in new tab
AI sparkle iconSummarize This Page
ChatGPT logoChatGPTOpens in new tabClaude logoClaudeOpens in new tabPerplexity logoPerplexityOpens in new tabGoogle Gemini logoGoogle AIOpens in new tab
On This Page

A homograph attack is a technique in which a cybercriminal creates a deceptive web domain or email address using characters from non-Latin alphabets that look like those from the Latin (English) alphabet. By swapping a standard Latin letter for a visually similar character from a different alphabet, attackers trick users into visiting malicious sites that steal credentials or spread malware.

Key Takeaways

  • Visual Deception: These attacks (also known as script spoofing) use characters from different alphabets, like Cyrillic or Greek, that are visually indistinguishable from Latin letters to the human eye.
  • Punycode Exploitation: Attackers exploit how browsers translate non-Latin characters from "Punycode" (e.g., `xn--`) to register domains that look like trusted brands.
  • Authentication Bypass: Because the URL looks 100% correct, traditional "look for the lock icon" advice often fails, as these fake sites can have valid SSL certificates.
  • Proactive Defense: Detecting these attacks requires technical verification, such as using password managers or inspecting Punycode, rather than relying on visual inspection alone.

How does a homograph attack work?

At its core, a homograph attack exploits the way computers handle different languages. English speakers use the standard Latin alphabet (A-Z), but the internet supports Internationalized Domain Names (IDNs) to allow for characters in scripts like Cyrillic, Greek, or Armenian.

The problem arises because some characters look exactly like ours. For example, the Latin "a" looks identical to the Cyrillic "а." A hacker can register a domain that replaces the "a" from an English word with the Cyrillic version and, to the naked eye, it appears legitimate.

To prevent total chaos, browsers use a system called Punycode, which translates these special characters into a format starting with `xn--`. For example, a fake version of `apple.com` might actually be registered as `xn--pple-43d.com`. While modern browsers have built-in protections to flag these, clever attackers still find ways to slip through the cracks.

How to detect a homograph attack

Detecting these attacks requires a mix of technical tools and a healthy dose of skepticism. Here is what to look for:

  • Punycode Reveals: If you copy a link and paste it into a plain text editor (like Notepad), a homograph link will often transform from its "look-alike" state into its true `xn--` Punycode form.
  • Certificate Discrepancies: Check the site's SSL/TLS certificate. If you are on what looks like a major banking site, but the certificate is issued to a strange, unrelated entity (or a free provider like Let's Encrypt), be wary.
  • Hover Before You Click: Hover your mouse over any link in an email. Look at the status bar at the bottom of your window to see the actual destination.
  • Unusual Characters: Keep an eye out for small accents or dots (diacritical marks) under letters (like `ạ` instead of `a`) that shouldn't be there.

Preventing a homograph attack

Prevention is about creating layers of defense so that even if a user clicks, the attack fails.

  1. Use a Password Manager: This is the most effective defense. A password manager stores the exact URL of your accounts. If you land on a homograph site, the manager will not auto-fill your credentials because the domain technically doesn't match.
  2. Enable Multi-Factor Authentication (MFA): Even if an attacker steals your password via a fake site, MFA provides a critical second barrier.
  3. Keep Browsers Updated: Modern browsers like Chrome and Firefox are constantly updated with lists of "restricted" characters to automatically flag suspicious IDNs.
  4. Manual Navigation: Instead of clicking links in emails or texts, manually type the web address into your browser or use a trusted bookmark.
  5. DNS Filtering: For businesses, DNS filtering services can block access to known malicious domains and those using suspicious Punycode patterns.

For more information on staying safe from deceptive online practices, the Cybersecurity & Infrastructure Security Agency (CISA) provides excellent resources on avoiding social engineering.

Conclusion

Homograph attacks are a sophisticated reminder that in cybersecurity, seeing isn't always believing. By understanding how attackers use international scripts to mask their intentions, and by utilizing tools like password managers and MFA, you can keep your business secure online. Stay vigilant, hover before you click, and always trust your tools over your eyes.

ChatGPT logoChatGPTOpens in new tabClaude logoClaudeOpens in new tabPerplexity logoPerplexityOpens in new tabGoogle Gemini logoGoogle AIOpens in new tab
AI sparkle iconSummarize This Page
ChatGPT logoChatGPTOpens in new tabClaude logoClaudeOpens in new tabPerplexity logoPerplexityOpens in new tabGoogle Gemini logoGoogle AIOpens in new tab
On This Page

FAQs

Not quite. Typosquatting relies on you making a mistake (like typing `gogle.com` instead of `google.com`). A homograph attack relies on the URL looking exactly right even though it uses different characters.

No. Attackers can—and do—get valid SSL certificates for their fake domains. A green lock icon only means the connection is encrypted; it doesn't mean the site is who it says it is.

Most modern browsers have "IDN Spoofing Protection." If a domain contains characters from multiple different languages, the browser will often display the Punycode version (the one starting with `xn--`) to alert you.

The internet is global. People need to be able to register domains in their native scripts (like Chinese, Arabic, or Russian). The challenge is balancing global accessibility with security.

You can report deceptive sites to Google Safe Browsing or the FBI's Internet Crime Complaint Center (IC3).

Glitch effectGlitch effect

Protect What Matters

Secure endpoints, email, and employees with the power of our 24/7 SOC. Try Huntress for free and deploy in minutes to start fighting threats.
Try Huntress for Free