You think you're clicking citibank.com, but you're actually on a fake site built to steal your login credentials. The URL looks identical. Your browser shows no warning. Even your antivirus stays silent. This isn't a future threat — it's happening right now, and the technique has a name: homoglyph attack.
The Problem: Characters That Lie to Your Eyes
A homoglyph attack exploits the fact that certain characters from different alphabets are visually indistinguishable from each other. The attacker doesn't hack the real website — they build a perfect clone and trick you into visiting it via a URL that looks identical.
Here's the core of the deception — study both rows carefully:
U+0430 (Cyrillic 'а') — not Latin 'a'
U+0456 (Cyrillic 'і') — not Latin 'i'
The Cyrillic alphabet — used in Russian, Ukrainian, Bulgarian, and Serbian — contains characters that are pixel-perfect matches for Latin letters. Your eye sees the same string. DNS sees two completely different domains. Victims report losing thousands of dollars in a single session, with identity theft consequences lasting years.
How the Attack Works: Step by Step
Here's exactly how a homoglyph phishing campaign is constructed — from the attacker's first move to the moment your credentials are stolen.
The attacker picks a high-value financial institution. Australian banks, UK clearing banks, and US retail banks are the most impersonated worldwide.
Using a registrar that accepts Internationalised Domain Names (IDNs), the attacker registers a lookalike. The fake domain looks identical in your browser — but it's a different string entirely.
Automated tools mirror the bank's login page in under 5 minutes — same logo, same layout, same SSL padlock. HTTPS doesn't mean safe; it only means the connection is encrypted.
Mass email with the fake link and spoofed sender: "Your account has been flagged. Verify now." Urgency bypasses rational thinking.
You enter your username and password. Those credentials are logged instantly and forwarded to the attacker. Some campaigns silently install malware in parallel. Account takeover can happen before you close the tab.
The HTML behind a homoglyph link reveals the truth — if you know where to look:
<a href="https://c%D1%96tibank.com">citibank.com</a>
How to Detect a Homoglyph Attack
Paste Into a Text Editor
Copy the suspicious domain and paste into Notepad (Windows) or TextEdit (Mac, plain text mode). Some editors flag non-Latin characters visually.
Inspect the HTML
Right-click any link → Inspect Element → check the raw href attribute. Percent-encoded Cyrillic characters will be visible there.
Unicode Analyser
Paste the domain into a Unicode codepoint tool. Each character's codepoint will be listed — any non-Latin character will stand out immediately.
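As an added example (not OziShield's code and not part of the original article), the Python script below automates the three manual checks above on the anchor tag shown earlier: it pulls the raw href out of the HTML, percent-decodes it (a raw Unicode href is handled identically, since decoding is then a no-op), lists every character of the hostname with its codepoint and script, and computes the punycode (xn--) form that DNS actually resolves. The sample HTML is constructed for this example, the script label is a heuristic taken from the first word of each character's Unicode name, and all function names are assumptions of this example.

```python
import unicodedata
from html.parser import HTMLParser
from urllib.parse import unquote, urlsplit

# Constructed sample: visible text reads citibank.com, but the href carries a
# percent-encoded Cyrillic 'і' (U+0456, UTF-8 D1 96) where Latin 'i' belongs.
SAMPLE_HTML = '<a href="https://c%D1%96tibank.com">citibank.com</a>'


class LinkCollector(HTMLParser):
    """Collect (visible_text, raw_href) pairs for every <a> tag in a page."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None


def extract_links(html):
    """Return every (visible text, raw href) pair found in the HTML."""
    parser = LinkCollector()
    parser.feed(html)
    return parser.links


def script_of(ch):
    """Heuristic script label (LATIN, CYRILLIC, GREEK, ...) from the first word
    of the Unicode character name; None for digits, dots and hyphens."""
    if not ch.isalpha():
        return None
    return unicodedata.name(ch, "UNKNOWN").split()[0]


def analyse_host(host):
    """Per-character codepoint listing, the set of scripts used, and the
    ASCII (punycode) form of the hostname that DNS actually resolves."""
    chars = [(ch, f"U+{ord(ch):04X}", unicodedata.name(ch, "?"), script_of(ch))
             for ch in host]
    scripts = {s for _, _, _, s in chars if s}
    punycode = host.encode("idna").decode("ascii")
    return {
        "host": host,
        "chars": chars,
        "scripts": scripts,
        "punycode": punycode,
        # Mixed scripts inside a label, or any non-ASCII label, is worth a look.
        "suspicious": len(scripts) > 1 or punycode != host,
    }


def check_link(visible_text, raw_href):
    """Decode the href, isolate the hostname and analyse it; also record whether
    the visible text differs from the real hostname."""
    host = urlsplit(unquote(raw_href)).hostname or ""
    report = analyse_host(host)
    report["text_differs_from_host"] = visible_text.lower() != host.lower()
    return report


if __name__ == "__main__":
    for text, href in extract_links(SAMPLE_HTML):
        r = check_link(text, href)
        print(f"visible text : {text}")
        print(f"raw href     : {href}")
        print(f"real host    : {r['host']}  ->  {r['punycode']}")
        for ch, cp, name, script in r["chars"]:
            print(f"  {ch}  {cp}  {name}  [{script or '-'}]")
        print(f"scripts used : {sorted(r['scripts'])}")
        print(f"suspicious   : {r['suspicious']}")
```

Running it prints each hostname character next to its codepoint, so the Cyrillic letter stands out exactly as the manual Unicode analyser step describes, and the xn-- form shows what the browser would have had to display if it fell back to punycode. The mixed-script rule is the same idea browsers use for their IDN display policies; it is a heuristic, so a hostname legitimately written in a single non-Latin script will also be reported as non-ASCII, which is still a useful prompt to look twice.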
Use OziShield (Free)
No account. No install. Paste the link and get a verdict in under a second — even for domains registered this week.
The manual methods work if you know what to look for. Most people don't — and shouldn't have to. Here's what an OziShield scan looks like on a homoglyph domain:
What to Do If You've Already Clicked
Act quickly. The window between clicking and credential theft can be very short.
Check Any Suspicious Link Now
Free. No account required. Used in 36 countries.
→ Scan a Link on OziShield
Not sure if a link, message or document is real?
Paste it into the free OziShield scanner — instant forensic analysis.
No login. No account. No cost. Takes 10 seconds.