Punycode
An encoding standard that converts Unicode domain names into ASCII-compatible form, which fraudsters exploit to create domain names that visually impersonate legitimate sites when displayed in browsers.
Also known as: IDN homograph encoding, internationalised domain encoding
Last reviewed: 1 June 2026
Punycode is a standard encoding (RFC 3492) that allows domain names containing non-ASCII Unicode characters — such as those using accented letters or non-Latin scripts — to be represented in the ASCII format required by the Domain Name System. An internationalised domain name (IDN) like 'münchen.de' is stored in DNS as 'xn--mnchen-3ya.de'. Browsers typically display the decoded Unicode form rather than the Punycode form, making the address readable to users.
Fraudsters exploit this display behaviour through IDN homograph attacks: they register domains containing Unicode characters that are visually indistinguishable from Latin characters used in trusted domain names. When a browser renders the decoded form, the address looks legitimate. The attack succeeds because users are accustomed to seeing familiar brand names in the address bar and do not look more closely.
Major browsers have added protections that display the Punycode form for domains mixing characters from different scripts or using characters that are confusable with ASCII. However, pure-script IDN domains remain displayable in their Unicode form. Organisations protect against IDN abuse by defensively registering common homoglyph versions of their domains and by monitoring for look-alike domain registrations through brand protection services.
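A monitoring check along these lines, as an added example that is not part of the original entry: it decodes 'xn--' labels and separates mixed-script names from pure-script ones that fold to a watched brand label. The brand label 'soapex', the small LOOKALIKES table, the function names and the script approximation from Unicode character names are all assumptions made for illustration.

```python
import unicodedata

# Small constructed subset of Cyrillic letters that resemble Latin ones;
# a production check would load Unicode's full confusables data instead.
LOOKALIKES = {"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
              "\u0441": "c", "\u0443": "y", "\u0445": "x", "\u0455": "s"}

def decode_label(label):
    """Return the Unicode form of one DNS label ('xn--' marks Punycode)."""
    if label.lower().startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label

def scripts(label):
    """Approximate scripts in use: first word of each letter's Unicode name."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0]
            for ch in label if ch.isalpha()}

def skeleton(label):
    """Fold known look-alike letters to ASCII for comparison with a brand."""
    return "".join(LOOKALIKES.get(ch, ch) for ch in label.lower())

def classify(domain, watched):
    """Return (unicode_form, verdict) for a domain as it is stored in DNS."""
    labels = [decode_label(l) for l in domain.split(".")]
    shown = ".".join(labels)
    verdict = "ascii"
    for label in labels:
        if label.isascii():
            continue
        if len(scripts(label)) > 1:
            return shown, "mixed-script"        # browsers fall back to xn--
        verdict = "single-script"               # may be shown as Unicode
        if skeleton(label) in watched and label not in watched:
            return shown, "look-alike"          # pure-script impersonation
    return shown, verdict

def to_dns(name):
    """Build constructed sample input: Punycode-encode non-ASCII labels."""
    return ".".join(l if l.isascii() else
                    "xn--" + l.encode("punycode").decode("ascii")
                    for l in name.split("."))

if __name__ == "__main__":
    watched = {"soapex"}                        # constructed brand label
    samples = ["xn--mnchen-3ya.de",             # from the page
               to_dns("so\u0430pex.example"),   # one Cyrillic letter
               to_dns("\u0455\u043e\u0430\u0440\u0435\u0445.example")]
    for d in samples:
        print(d, *classify(d, watched))
```

The "single-script" verdict covers legitimate IDNs such as 'münchen.de' as well, so only "look-alike" results need triage against the watched list.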
Examples
- A fraudster registers a domain using Cyrillic letters that render identically to a well-known brand name; when the browser displays the Unicode form, users see what appears to be the legitimate domain with a valid HTTPS certificate.