What is a homoglyph attack?

A homoglyph (or homograph) attack swaps a normal character for a different Unicode character that looks identical, so аpple.com using a Cyrillic а can impersonate apple.com. It is common in phishing domains and fake usernames.

Does this catch every confusable?

It covers the most-abused mappings — Cyrillic, Greek, fullwidth and several mathematical/letterlike forms that imitate ASCII letters and digits. The full Unicode confusables set is huge, so treat any flag as a strong warning rather than the absence of one as a guarantee.

Is plain ASCII ever flagged?

No. Characters in the ASCII range (U+0000 to U+007F) are considered the legitimate baseline and are never flagged. Only non-ASCII characters that resemble ASCII are reported.

Is my text sent anywhere?

No. Detection runs in JavaScript in your browser against a built-in mapping table. Nothing is uploaded, which is appropriate for checking sensitive domains and credentials.

How do I verify a real domain after a flag?

Inspect the Punycode form (an internationalised domain shows as xn--… in the address bar), and compare it against the genuine site you reached through a trusted bookmark or search.

Homoglyph / Lookalike Character Detector

Catch lookalike-character spoofing

Attackers register domains and create usernames that look identical to a trusted name but use a different Unicode character — a Cyrillic а instead of a Latin a, a Greek ο instead of an o, or a fullwidth ａ. This is the basis of the IDN homograph attack. This tool scans your text and flags every non-ASCII character that imitates an ASCII letter or digit, showing which character it is pretending to be and its code point.

How it works

The detector holds a mapping table of well-known confusable characters keyed by the ASCII letter or digit they resemble (for example Cyrillic а U+0430, е U+0435, о U+043E; Greek ο U+03BF, ρ U+03C1; fullwidth forms U+FF21–U+FF5A; and letterlike/math symbols). It walks the input by code point; any character that is not in the ASCII range U+0000–U+007F is looked up in the table. A hit is reported as “looks like x”, along with the character’s U+XXXX value so you can confirm exactly what it is. Pure ASCII text produces no flags.

Example

The string аpple.com looks like apple.com, but the inspector flags the first character as Cyrillic а (U+0430) imitating Latin a. That single substitution is enough to fool a quick glance and route a victim to an attacker-controlled site.

Tips and notes

When a domain is flagged, check whether your browser shows it as xn--… Punycode — that confirms it is an internationalised (non-ASCII) name.
Whole-script confusables (an entire word written in Cyrillic that spells a Latin word) are the hardest to spot by eye and the most dangerous; this tool surfaces every non-ASCII letter so a mixed-script string stands out.