How do scammers register visually similar domains (homoglyphs)?
Still have a question, spotted an error, or have a better explanation or a source we should cite?
Imagine getting an email from "paypa1.com" or "arnazon.com". At a glance, those look fine. That's exactly the point. Homoglyph attacks work because our brains read fast and fill in gaps. Scammers count on that.
A homoglyph domain is a domain that looks like a trusted brand's domain but uses visually identical (or near-identical) characters in place of the real ones. The registration process itself is completely ordinary. They just pick lookalike characters, check if the domain is available, and register it like anyone else would. No hacking required.
The most common character swaps you'll see in the wild:
- The letter O swapped for the number 0 (paypal.com becomes paypa1.com or pay0al.com)
- The lowercase letter l (L) swapped for the number 1 or a capital I (lloydsbank.com is a classic target)
- The letter rn side by side, which looks like m at small font sizes (arnazon.com reads as amazon.com)
- Cyrillic characters that are visually identical to Latin ones. The Cyrillic "а" and the Latin "a" look the same on screen but are completely different Unicode code points. So "аpple.com" using a Cyrillic "а" is a different domain from apple.com, even though you'd never know from looking.
That last one is what makes internationalized domain names (IDNs) such a useful tool for attackers. IDN support was introduced so that domains could be registered in non-Latin scripts (Arabic, Chinese, Cyrillic, Greek, and so on). Legitimate and important. But it also opened up a huge pool of characters that look identical to Latin letters. Mixing scripts inside a single domain is technically possible in some registrar setups, which makes detection even harder.
So why don't registrars just block this? Some do, partially. ICANN has guidelines around confusable characters, and many registrars apply restrictions within a single top-level domain. But enforcement is inconsistent across registrars, especially the cheaper ones, and across different TLDs. A scammer blocked at one registrar just moves to another. The domain registration market is large, distributed, and not centrally policed.
The industries targeted most often are the ones where urgency and trust matter most. Banks and financial services, payment platforms, healthcare providers, logistics companies ("your DHL package" phishing is a classic), and large e-commerce brands. If people expect regular emails from a brand and act quickly when they see one, that brand is a homoglyph target.
If you're trying to spot a homoglyph domain in an email you've received, don't just read the sender address. Copy it and paste it into a plain text editor, then look carefully at each character. Better yet, check the raw email header to see what domain actually sent the message. The display name and the actual sending domain are often two different things entirely.
If you run a brand and want to protect it, the defensive move is proactive monitoring. Register the most obvious homoglyph variations of your domain yourself (especially the O/0 and rn/m swaps), and set up alerts for new domain registrations that closely resemble yours. Lookalike domain attacks are far easier to stop early than to clean up after the fact.
If you think your domain is already being impersonated and your authentication isn't locked down, our SOS hotline is free. No pitch, just help.
Contributors
Who worked on this answer
Every name links to their profile. Every company links to their site. Real people, real accountability.