How do scammers use Unicode characters to trick users?

Still have a question, spotted an error, or have a better explanation or a source we should cite?

Unicode is the encoding standard that lets computers display characters from every writing system on earth. It's also a rich toolkit for scammers who want text to look like one thing to humans while being treated as something different by security tools.

The classic technique is homoglyphs: characters from other scripts that look visually identical (or nearly identical) to Latin letters. The Cyrillic "а" looks identical to the Latin "a" to the human eye. A URL like "paypa1.com" is obviously suspicious. A URL with the Cyrillic "а" replacing the Latin "a" looks pixel-perfect to most readers but is technically a different domain that bypasses filters looking for known-bad strings.

Zero-width characters take a different approach. Unicode includes characters with no visible width that are invisible in rendered text. Inserting them between letters in a word breaks text-based pattern matching without changing what the reader sees. A filter looking for the string "verify-account" finds nothing. The reader sees "verify-account" perfectly clearly.

Right-to-left override characters can reverse how text displays in some contexts. A link labeled "moc.elppa" with an RTL override might display as "apple.com" in certain rendering environments, while the actual destination is something else entirely.

Unicode normalization attacks exploit the fact that some characters have multiple valid encodings. Security systems might filter on one encoding while email clients display the normalized version that looks completely legitimate.

For organizations defending against these attacks: most modern browsers and email clients apply Unicode normalization and confusable detection. DMARC enforcement limits the ability to spoof your domain regardless of encoding tricks. Security awareness training that teaches people to hover over links (and check the actual URL in the browser bar, not just the display text) helps with the human layer of defense.

Contributors

Who worked on this answer

Every name links to their profile. Every company links to their site. Real people, real accountability.

Ask an AI · tailored to your setup

Assess my Unicode attack defenses

I'm trying to understand Unicode-based email attacks to improve my organization's defenses. Here's my context: - My concern: [protecting my own users from phishing / preventing my domain from being spoofed / both] - Current defenses: [DMARC policy / email security gateway / employee training / combination] - Whether we've seen Unicode-based attacks targeting us: yes / no / not sure - Our industry: financial / healthcare / technology / other Explain which Unicode attack techniques are most commonly used in our industry context and what defenses would be most effective.

Edit the yellow boxes, then send to the AI of your choice.