← All articles

Homograph attacks and typosquatting explained

GottaPhish Team · March 25, 2026

A large share of successful phishing comes down to one thing: a victim trusting a domain that isn't what it appears to be. Homograph attacks and typosquatting are the two main techniques attackers use to weaponise that trust.

Typosquatting

Typosquatting registers domains that are one keyboard slip away from a legitimate one, then relies on human error and muscle memory.

Common variants of example.com:

Combosquatting is especially effective because the real brand string is present, so a quick glance reads as legitimate.

Homograph (homoglyph) attacks

Homograph attacks exploit characters that look identical but are encoded differently. Unicode contains many glyphs that render nearly the same as ASCII letters.

An Internationalized Domain Name (IDN) using Cyrillic а in аpple.com is a completely different domain from apple.com, yet visually indistinguishable in many fonts.

Punycode: the defence hiding in plain sight

Browsers encode IDNs to ASCII using Punycode (prefix xn--). The Cyrillic-a version of apple.com becomes:

xn--pple-43d.com

Modern browsers apply script-mixing rules and will often display the raw Punycode instead of the "pretty" Unicode when a label mixes scripts — a key visual warning. But email clients, terminal output, and some tools do not, which is where these attacks land.

Where these show up beyond the browser bar

Detection and defence

For your own brand (proactive):

For inbound protection:

A quick manual check — normalise a suspicious label to Punycode:

# Python: reveal the true ASCII form of a hostname label
python3 -c "print('раypal'.encode('idna'))"
# b'xn--pypal-4ve1c'  ->  not 'paypal'

For users:

The last point matters most: origin-bound credentials turn a convincing look-alike into a dead end, because the browser — not the human — is checking the domain.

How GottaPhish helps

Homograph and combosquatted domains make a malicious link look right, so no amount of careful reading reliably catches them. GottaPhish and its expert support team help you address exactly that risk: simulations built around those very techniques, plus dashboards highlighting who clicks look-alike domains and who reports them. Our experts assist with setup, design scenarios that use realistic look-alike sender domains, help you interpret the results, and support rollout of phishing-resistant MFA so origin-binding — not human vigilance alone — becomes your backstop against lookalike login pages.