Homograph attacks and typosquatting explained
A large share of successful phishing comes down to one thing: a victim trusting a domain that isn't what it appears to be. Homograph attacks and typosquatting are the two main techniques attackers use to weaponise that trust.
Typosquatting
Typosquatting registers domains that are one keyboard slip away from a legitimate one, then relies on human error and muscle memory.
Common variants of example.com:
- Omission:
exaple.com,exmple.com - Transposition:
examlpe.com,exapmle.com - Repetition / adjacency:
exampple.com,examole.com - Wrong TLD:
example.co,example.cm,example.org - Combosquatting: appending plausible words —
example-login.com,example-support.com,secure-example.com
Combosquatting is especially effective because the real brand string is present, so a quick glance reads as legitimate.
Homograph (homoglyph) attacks
Homograph attacks exploit characters that look identical but are encoded differently. Unicode contains many glyphs that render nearly the same as ASCII letters.
- Cyrillic:
а е о р с хlook identical to Latina e o p c x. - Greek:
ο(omicron) versus Latino. - Latin look-alikes: the digit
0vs. letterO,1vs.lvs.I,rnrendering likem.
An Internationalized Domain Name (IDN) using Cyrillic а in аpple.com is a completely different domain from apple.com, yet visually indistinguishable in many fonts.
Punycode: the defence hiding in plain sight
Browsers encode IDNs to ASCII using Punycode (prefix xn--). The Cyrillic-a version of apple.com becomes:
xn--pple-43d.com
Modern browsers apply script-mixing rules and will often display the raw Punycode instead of the "pretty" Unicode when a label mixes scripts — a key visual warning. But email clients, terminal output, and some tools do not, which is where these attacks land.
Where these show up beyond the browser bar
- Email sender domains —
paypa1.comin a From header. - Link text vs. href — visible text says
bank.com, the anchor points elsewhere. - OAuth and SSO redirects — a lookalike consent screen host.
- Package registries — typosquatted npm/PyPI packages (
crossenvvscross-env) for supply-chain attacks. - QR codes — the destination is never visible until scanned.
Detection and defence
For your own brand (proactive):
- Register the highest-risk permutations and common TLDs, and set them to redirect to your real site.
- Monitor Certificate Transparency logs for newly issued certs on look-alike domains.
- Use domain-monitoring or DNS threat feeds that flag registrations similar to your brand.
For inbound protection:
- Enforce DMARC (
p=reject), SPF, and DKIM so spoofed sends of your domain are dropped. - Deploy detection that computes edit distance and script-mixing against known brands.
- Block newly registered domains (NRDs) at the proxy for a cooldown window.
A quick manual check — normalise a suspicious label to Punycode:
# Python: reveal the true ASCII form of a hostname label
python3 -c "print('раypal'.encode('idna'))"
# b'xn--pypal-4ve1c' -> not 'paypal'
For users:
- Hover to reveal the true href; on mobile, long-press.
- Type known URLs or use bookmarks rather than clicking links in messages.
- Prefer phishing-resistant MFA — even if a user reaches a homograph login clone, FIDO2/WebAuthn binds the credential to the real origin and will refuse to authenticate to the impostor domain.
The last point matters most: origin-bound credentials turn a convincing look-alike into a dead end, because the browser — not the human — is checking the domain.
How GottaPhish helps
Homograph and combosquatted domains make a malicious link look right, so no amount of careful reading reliably catches them. GottaPhish and its expert support team help you address exactly that risk: simulations built around those very techniques, plus dashboards highlighting who clicks look-alike domains and who reports them. Our experts assist with setup, design scenarios that use realistic look-alike sender domains, help you interpret the results, and support rollout of phishing-resistant MFA so origin-binding — not human vigilance alone — becomes your backstop against lookalike login pages.
