Homoglyph
A character that looks visually identical or nearly identical to another character from a different script or encoding, used in domain names and text to deceive users.
Also known as: lookalike character, homograph character, Unicode spoofing character
Last reviewed: 1 June 2026
A homoglyph is a character whose visual appearance is so similar to another character that humans cannot readily distinguish them with the naked eye. For example, the Cyrillic letter 'а' (Unicode U+0430) looks identical to the Latin 'a' (U+0061), and the Cyrillic 'о' is indistinguishable from the Latin 'o'. Fraudsters exploit homoglyphs by registering domain names or usernames that appear to spell a legitimate organisation's name but actually contain characters from a different Unicode script.
This technique is called a homograph attack or homoglyph attack, and it is particularly effective in environments where users cannot inspect the underlying Unicode code points. A user who sees 'аmаzon.com' in a browser bar may not notice that two of those characters are Cyrillic, so the domain is an entirely different name from amazon.com even though it appears identical.
Internet naming authorities partially addressed this by restricting mixed-script domain names, for example preventing a domain that mixes Latin and Cyrillic characters. However, homoglyph domains written entirely within a single script remain a challenge. Browsers may display the raw Punycode representation of a suspicious domain as a warning. Email and messaging security tools use Unicode normalisation and confusable-character databases to flag potential homoglyph attacks.
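The three checks described above (mixed-script detection, Punycode display and a confusable-character lookup) are shown here as an added Python example that is not part of the original entry. The CONFUSABLES subset, the PROTECTED watch list and the name cope.example are constructed assumptions.

```python
import unicodedata

# Constructed subset of a confusables table (Cyrillic letter -> Latin lookalike).
# Assumption: a real deployment loads the full Unicode confusables data instead.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0443": "y", "\u0445": "x",
}
# Hypothetical watch list; cope.example is a constructed name for the demo.
PROTECTED = {"amazon.com", "paypal.com", "cope.example"}


def scripts(label):
    """Return the scripts used by the letters of one DNS label."""
    # Unicode names begin with the script: 'CYRILLIC SMALL LETTER A'.
    return {unicodedata.name(ch, "UNKNOWN").split()[0]
            for ch in label if ch.isalpha()}


def skeleton(domain):
    """NFKC-normalise, lower-case, then fold known confusables to Latin."""
    norm = unicodedata.normalize("NFKC", domain).lower()
    return "".join(CONFUSABLES.get(ch, ch) for ch in norm)


def analyse(domain):
    """Report Punycode form, mixed-script labels and watch-list lookalikes."""
    skel = skeleton(domain)
    lookalike = skel in PROTECTED and skel != domain.lower()
    return {
        "punycode": domain.encode("idna").decode("ascii"),
        "mixed_script": any(len(scripts(l)) > 1 for l in domain.split(".")),
        "impersonates": skel if lookalike else None,
    }


if __name__ == "__main__":
    samples = [
        "paypal.com",                        # genuine name
        "p\u0430yp\u0430l.com",              # from the entry: Cyrillic a in a Latin label
        "\u0430m\u0430zon.com",              # from the entry
        "\u0441\u043e\u0440\u0435.example",  # constructed: all-Cyrillic label
    ]
    for s in samples:
        print(ascii(s), analyse(s))
```

The all-Cyrillic sample passes the mixed-script check and is caught only by the confusable lookup, which is why single-script lookalikes need the second test.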
Examples
- A phishing email contains a link to 'pаypаl.com' where two vowels are Cyrillic characters — the domain resolves to a fraudster-controlled server while appearing identical to paypal.com in the browser address bar.