When typing letters on a computer, you recognize characters based on the way they display, but computers recognize characters based on ones and zeros (binary) Every character you see on the screen has a matching Unicode reference, and some of …

When typing letters on a computer, you recognize characters based on the way they display, but computers recognize characters based on ones and zeros (binary). Every character you see on the screen has a matching Unicode reference, and some of these characters look the same in different languages, even though they have different Unicode references. For instance, the letter “a” looks the same in the English language as well as Russian. It’s this concept that can be used to trick users into falling for a phishing attack. Specifically, this attack is referred to as an Internet Domain Name (IDN) homographic attack.

Unicode Characters and Languages

Before going into the details of an IDN homograph attack, you should first understand the way Unicode translates to letters on the screen. A good example to use is a comparison of Cyrillic letters in the Russian language compared to Latin letters in the English language. In any language, Unicode is the computer code used to create letters that you see on the screen.

Several letters in English look the same in other languages, but the lowercase “a” can be used as an example of homographs. In Latin and in Russian, the lowercase “a” character looks the same, but the Unicode characters used to display them are different. In Latin, the character “a” has a Unicode value of “0061.” In Russian, the character “a” has a Unicode value of “0430.” Because the Unicode values are different, a computer sees these two characters as distinct letters, even though they look the same onscreen.

Using homographic letters, the domain “paypal.com” could have four different Unicode values based on the possible variations with the letter “a.” It’s these “lookalike” alternatives that are used in an IDN homographic attack.

Homographs with Multiple Characters

Using different Unicode characters isn’t the only way to trick users and perform an IDN homograph attack. Some letters look like others when adjacent to each other. For instance, the letters “rn” look like the letter “m” when they are combined. For users not paying attention, they could quickly look at the domain and see “m” when the domain has an “rn” combination.

As an example, you could have a business domain named “example.com.” An attacker can register the domain “exarnple.com” and some users will be tricked into opening the site. This IDN homograph attack requires users who briefly see the domain and don’t recognize the typo, but it’s still an extremely effective way to phish user credentials.

When users access the site, an attacker would be sure to use the same layout, graphics, and text as your official site. Provided the user does not notice the typo in the domain name, an attacker can trick targeted users into entering credentials, private data, and any other information that can be used for identity theft, advanced persistent threats on the corporate network, or data breaches.

Phishing with Homograph Attacks

Now that you know that characters can look the same but have different computer values, apply this to a standard domain name. If you see “paypal.com” in your browser, it will look the same if the “a” characters were in Russian or in English. However, since you know that these letters have different Unicode values, they translate to different domain names and different ones and zeros in binary.

Hackers use this phenomenon to trick users into accessing a phishing site with the same look and feel as the official site. Using the “paypal.com” example, an attacker can register “paypal.com” using Cyrillic letters for the “a” characters and then copying the official PayPal’s website content including layout. Users who click the malicious phishing domain will see “paypal.com” in their browser, see the PayPal layout when the page loads, and then enter their PayPal account credentials.

The way an attacker delivers the malicious URL is similar to any other phishing attack. The URL could be delivered in an email. Since the domain name would be legitimate, an attacker could send email using the homographic domain name. Email filters that detect spoofed email addresses would not label these messages as malicious, as they would be using a legitimate email domain.  

What You Can Do to Protect from IDN Homograph Attacks

It’s very expensive to purchase every possible domain name that could be used in this type of attack, but you can take steps to prevent internal users from falling for it. The first one is to implement two-factor authentication (2FA). Should a user fall for a phishing scam on a homographic domain, the attacker would still be unable to authenticate into the compromised account.

If you have authentication pages on your site, artificial intelligence using third-party libraries can be used to determine if there was a possible account breach. For instance, suppose your users are located in the US but an authentication attempt happened from another country. This could be a sign that the user’s account was compromised. Attackers can use public VPN, but you can also purchase databases with lists of VPNs to get notification if the anonymous attacker is implementing ways to hide their IP address.

User training also helps stop phishing and social engineering attacks. Users should never just click a link and then send authentication information. Instead, any activity that requires authentication should be done after the user types the domain into a browser window. Only then should the user enter authentication details. This method ensures that users are never victim of phishing from emails or any other malicious links on the internet.

Unfortunately, email filters will not be effective against this type of attack unless the malicious domain is on a list that can be downloaded with some anti-malware systems. Email filters are good at detecting phishing, but they usually run on specific anti-spoofing techniques. With homographic domains, the domain is legitimate and no spoofing is necessary.

Content filters use a list of malicious domains to block user access. Some homographic domains could be on a list and will be filtered out if you restrict user access based on these blacklisted domains. However, since attackers use domains in other languages, any filters that work in English won’t detect them. When choosing a filter, make sure they include homographic domains.


IDN homographic attacks are difficult to defend against, but users can be trained to never click links and enter authentication credentials. User training is the best method to avoid becoming a victim of this attack.

Wordpress Hosting

Experience the difference with the fastest WordPress hosting platform.

Elastic Hosting

A flexible managed hosting solution that will grow with you and your needs grow.

Cloud Servers

Your dedicated cloud servers that are managed by us or managed by you.

Made InCanada
Made by Canadians,
for Canadians

Never worry about compliance again. Our servers are hosted directly on Canadian soil, and support is given by a 100% Canadian team.

We Start,
Where Others Stop.

If you've been burned by terrible hosting services before, we get you. We want every client to feel important and fully taken care of, and we'll spend the time it takes to solve any problem that arises.

Trusted by Clients Across All Industries

Don't take our word for it - let our happy clients do the talking. See More

Full Host did an amazing job of migrating my site seamlessly onto their server. My only regret was not switching my site over to them sooner. Now it is performing great, images are uploading way faster than ever before.

" Vancouver Sofa and Patio - Jerry Schmidt

Two thumbs up for Fullhost! Agents reply to me fairly quickly or at least let me know they received the ticket and are looking into it. Kudos to the support team as they have always given me exactly what I need without delays.

" Universal Staffing Inc. - Anthony Calvano

FullHost is an absolute pleasure to work with, and their customer service is exceptional. Whenever I have questions or need adjustments, they are there to help, quickly, efficiently, with answers and insights.

" Mooseworld Inc. Norine Leibel

With coast to coast coverage,
We help you serve the world.

Whether your audience is located in Europe, Asia, Africa, or Australia, provide them with lightening speed!

FullHost's data centers are located in Toronto and Vancouver to ensure worldwide quality and speed.

Get in Touch
We Trust Only The Best Tech to Support You

FullHost operates with the most innovative technology to bring you unparalleled levels of hosting services.