Catch lookalike-character spoofing
Attackers register domains and create usernames that look identical to a trusted
name but use a different Unicode character — a Cyrillic а instead of a Latin
a, a Greek ο instead of an o, or a fullwidth a. This is the basis of the
IDN homograph attack. This tool scans your text and flags every non-ASCII
character that imitates an ASCII letter or digit, showing which character it is
pretending to be and its code point.
How it works
The detector holds a mapping table of well-known confusable characters keyed
by the ASCII letter or digit they resemble (for example Cyrillic а U+0430,
е U+0435, о U+043E; Greek ο U+03BF, ρ U+03C1; fullwidth forms
U+FF21–U+FF5A; and letterlike/math symbols). It walks the input by code point;
any character that is not in the ASCII range U+0000–U+007F is looked up
in the table. A hit is reported as “looks like x”, along with the character’s
U+XXXX value so you can confirm exactly what it is. Pure ASCII text produces no
flags.
Classic homoglyph substitutions
These are among the most frequently abused in phishing:
| Lookalike character | Imitates | Script | Code point |
|---|---|---|---|
| а | a | Cyrillic | U+0430 |
| е | e | Cyrillic | U+0435 |
| о | o | Cyrillic | U+043E |
| ο | o | Greek | U+03BF |
| ρ | p | Greek | U+03C1 |
| ν | v | Greek | U+03BD |
| Ι | I | Greek capital | U+0399 |
| l | l | Fullwidth | U+FF4C |
| 0 | 0 | Fullwidth | U+FF10 |
Real-world example
The string аpple.com looks identical to apple.com in most fonts, but the
first character is Cyrillic а (U+0430) rather than Latin a (U+0061). A
browser renders this as the Punycode domain xn--pple-43d.com internally, but
the visual in the address bar is indistinguishable from the real Apple domain to
a casual reader.
This category of attack is called an IDN homograph attack (IDN = International Domain Names). The technique has been used in credential phishing, bank fraud, and corporate impersonation campaigns.
Whole-script substitution
The most dangerous variant is not mixing one fake letter into an ASCII string, but writing the entire word in a different script that happens to look identical to a Latin word. For example, the Russian word “аррle” written entirely in Cyrillic letters could visually match “apple” depending on the font. This tool surfaces every non-ASCII character, making any whole-script substitution immediately visible.
Tips for domain verification
- When a domain is flagged, check your browser’s address bar for
xn--…Punycode — internationalised names are encoded this way internally and thexn--prefix confirms a non-ASCII domain is in use. - Compare against the genuine domain from a trusted bookmark or direct Google search rather than clicking a link.
- Security teams can use this tool to scan domains in phishing reports or email headers for lookalike substitutions before analysis.
Detection runs entirely in your browser — nothing is uploaded.