What is IDN homograph spoofing?
Still have a question, spotted an error, or have a better explanation or a source we should cite?
Imagine you get an email from what looks like apple.com. The domain looks right. The logo looks right. But something quietly odd is going on. The "a" in that domain isn't a Latin "a" at all. It's a Cyrillic "а". Same shape, completely different character, and a completely different domain.
That's IDN homograph spoofing. IDN stands for Internationalized Domain Name, which allows domain names to use characters from non-Latin scripts like Cyrillic, Greek, or Arabic. The attack works by swapping one or more ASCII characters for a Unicode lookalike from a different alphabet. The result is a domain that looks identical to the real thing but resolves to a different server entirely.
A few real examples of characters that trip people up:
- Cyrillic а (U+0430) looks identical to Latin a
- Cyrillic е (U+0435) looks identical to Latin e
- Greek ο (U+03BF) looks identical to Latin o
- Cyrillic р (U+0440) looks identical to Latin p
Combine a few of those swaps and you can register something that renders as "pаypаl.com" but is actually built from Cyrillic characters. A human eye will almost never catch it.
So how do you actually spot one? Most modern browsers convert suspicious mixed-script domains into their punycode representation, showing something like xn--pypl-43d.com in the address bar instead of the fake-looking version. That's the browser doing you a favor. Email clients are less consistent. Some show the raw Unicode, which means the spoofed domain looks perfectly normal right there in the From header.
For your own defense as a sender (and to protect your recipients from impersonators posing as you), DMARC alignment is the most practical tool. A strict DMARC policy on your legitimate domain won't stop someone from registering a homograph version of your domain, but it does mean that any email pretending to come from your actual domain will fail authentication if it's not genuinely from you. SPF and DKIM also play a role here. If the homograph domain has no authentication records at all, a receiving mail server with DMARC checking active will reject or quarantine it.
For your team's day-to-day awareness, train people to hover over or copy-paste sender addresses into a plain text editor before trusting them. If anything looks off in the punycode form, that's a red flag. Is this threat theoretical? Not really. Researchers have demonstrated working homograph attacks against real brands, and phishing kits using this technique do circulate in the wild.
Want to see what impersonation domains might already exist against your brand? Check out tools that monitor for lookalike domains. Or if you're seeing suspicious emails claiming to be from your domain and want to know what's going on, our SOS hotline is free and someone will actually help you sort through it.
Contributors
Who worked on this answer
Every name links to their profile. Every company links to their site. Real people, real accountability.