What a Homograph Domain Is
A homograph domain is a domain name that uses characters from different writing systems that closely resemble standard Latin letters. This is possible because internationalized domain name support allows non-ASCII characters, so domain names can be registered in scripts such as Cyrillic, Greek, or Arabic.
From a technical perspective, these characters are valid and correctly handled by systems. The deception occurs at the visual level. To users, the domain looks normal. Underneath, it contains characters from a different script.
For example, the Cyrillic letter “а” is visually indistinguishable from the Latin “a” but represents a different character entirely. A domain like раypal.com can appear identical to paypal.com, even though the underlying characters and encoding are not the same. Browsers and DNS resolve both accurately. Users, however, see only what looks familiar.
What Are Homograph Attacks
Homograph attacks occur when attackers deliberately use homograph domains as part of phishing campaigns. Instead of creating obviously fake domains, attackers register look-alike domains that coexist alongside legitimate ones within the domain name system.
In these attacks, the legitimate domain is the trusted address users believe they are visiting. The attacker-controlled domain is the homograph version that looks the same but is technically distinct. Because both domains are valid, systems treat them normally, while users are misled by appearance.
Characters from different writing systems enable this deception. Latin letters, Cyrillic characters, and other scripts share shapes that allow subtle substitutions without altering how a domain looks at first glance. This blurs the boundary between legitimate domain names and fake ones.
The difference between a real domain and a homograph domain is not the presence of HTTPS or certificates. It is character integrity. Legitimate domains use consistent, expected characters. Homograph attacks succeed by replacing those characters with visually similar alternatives designed to deceive the user.
How Attackers Use Homograph Domains in Phishing Attacks Step by Step
This section breaks down the typical lifecycle of a homograph phishing attack, from initial domain selection to post-compromise activity. The focus is on understanding attacker behavior at a high level, so the risks are clear without turning the process into an instructional guide.
Step 1. Pick a Trusted Target
Threat actors choose a brand that users already trust, usually finance, email, SaaS, corporate portals, or crypto. The goal is to maximize clicks and credential reuse.
Step 2. Create a look-alike Domain Concept
They plan a homograph domain that looks like the legitimate domain name by swapping one or two Latin letters with visually similar characters from another writing system. This relies on internationalized domain names and Unicode support.
Step 3. Register the Deceptive Domain
They register the domain through normal domain registration channels. Many campaigns use newly registered domains because they are cheap, disposable, and have no negative reputation yet.
Step 4. Prepare the Phishing Site
They build a malicious website that mimics the legitimate website. Pages are copied to match logos, layouts, wording, and login screens, so the user sees something familiar immediately.
Step 5. Add Basic Trust Signals
Attackers often use a valid security certificate so the site loads over HTTPS. This helps the address bar look reassuring, even though HTTPS only means encryption, not legitimacy.
Step 6. Deliver the Lure
Victims receive the link via phishing emails, SMS, ads, or direct messages from unknown or suspicious sources. Targeted campaigns add personalization and urgency to increase click-through.
Step 7. Rely on Browser Display Behavior
If the domain is displayed in readable Unicode form instead of being converted to Punycode, it can look almost identical to the real domain in the address bar. Modern browsers sometimes allow this when the domain uses characters from a single script considered safe.
Step 8. Capture Credentials or Data
On the fake login page, users enter login credentials or other sensitive information. The attacker collects it instantly and can attempt account takeover.
Step 9. Expand Impact After Access
Stolen logins can lead to inbox compromise, payment fraud, internal access, or follow-on phishing. Some campaigns redirect users to malware to spread further.
Step 10. Rotate and Repeat
Once a domain is flagged or blocked, attackers switch to new homograph domains and new delivery messages. That is why this threat persists and evolves.
Why Browsers Do Not Always Block Homograph Domains
Modern browsers apply safety rules when displaying internationalized domains, but those rules are not designed to eliminate all visual deception. Some homograph domains remain readable and convincing, which allows attackers to exploit trust at the address bar level.
Browser Behavior | What Happens | Why Risk Still Exists |
Punycode conversion | Modern browsers convert suspicious international domains into a machine-readable format like xn--pple-43d.com | This exposes the deception, but only when the browser flags the domain as risky |
Unicode display allowed | Domains using characters from a single script deemed safe may be shown in readable Unicode form | Visually similar characters can still impersonate a legitimate domain |
Address bar rendering | The address bar displays what looks like a normal, trusted domain | Users rely on appearance rather than underlying character encoding |
Validation outcome | The browser treats the domain as a valid internationalized domain | The system is technically correct, but the user is misled |
Detection, Defense, and User Education
Protecting against homograph phishing requires coordinated action across detection, technical controls, and user behavior. These attacks exploit both system trust and human perception, which makes single-point defenses unreliable. A layered approach reduces exposure, limits impact, and improves response speed.
Domain Monitoring: Monitoring newly registered domains helps identify look-alike domains that closely resemble legitimate ones. Visual similarities across writing systems can reveal early signs of homograph abuse. Early detection shortens the active lifespan of malicious domains.
Threat Intelligence: Threat intelligence and security research feeds surface emerging homograph patterns and attacker behavior. These insights enhance detection within the Domain Name System. Faster visibility allows teams to respond before phishing campaigns scale.
Email Filtering: Email filtering blocks phishing messages that carry look-alike domains and Unicode-based deception. Stopping malicious links at the email layer prevents user interaction altogether. This control addresses the most common entry point for homograph attacks.
System Updates: Browser and operating system updates improve how internationalized domains are rendered and evaluated. Safer display rules reduce deceptive address bar representations. Up-to-date systems lower the likelihood of visual spoofing.
Access Controls: Multi-factor authentication limits the impact of stolen credentials. Compromised passwords alone are not enough to grant access when additional verification is enforced. This control reduces account takeover risk after a successful click.
User Awareness: User education shifts trust decisions away from visual inspection alone. Understanding how similar characters from different scripts are abused improves judgment. Informed users are less likely to trust domains based on appearance.
Safe Navigation: Safe navigation habits reduce reliance on clicking links in emails or messages. Bookmarks, known URLs, and password managers provide more reliable access paths. These practices remove visual deception from the decision process.
HTTPS Clarity: HTTPS confirms encryption but does not verify legitimacy. Attackers routinely use valid certificates to appear trustworthy. A clear understanding prevents false confidence in malicious sites.
Layered Defense: Combining monitoring, filtering, access controls, and user education strengthens overall resilience. Each layer addresses a different stage of the attack chain. Together, they make homograph phishing harder to execute and easier to contain.
