A small confession: the first time I saw paypal.com and paypa1.com side by side, I had to enlarge the font to find the difference. And I was actively looking for it. That's the letter-swap trick, and it works because our eyes read words, not letters.
Why can't you just see it?
When you read, you don't inspect every letter. You recognize the overall shape of a word and move on; that's what makes reading fast. Scammers lean on exactly that shortcut.
A homoglyph is a character that looks like a different character. The number 1 looks like a lowercase l. The number 0 looks like the letter O. Swap one into a brand's name, register the result as a new domain, and you get an address that reads like a name you trust, while being, to every computer on the internet, a completely different place owned by someone else.
paypal.com: the brand's registered domain
paypa1.com: the second "l" is the number 1
Which swaps do most of the work?
Four substitutions carry almost the whole genre, plus one cousin that doesn't use a look-alike character at all.
| The swap | Example | Why your eye accepts it |
|---|---|---|
| Number 1 for lowercase l | paypa1.com | Both are a single vertical stroke; at small sizes they blur together. |
| Capital I for lowercase l | netfIix.com | In many plain fonts they are literally identical. |
| Zero for the letter o | amaz0n.com, micros0ft.com | Same oval; the difference is a sliver of width you rarely notice. |
| rn for m | arnazon.com | Side by side, r and n merge into an m shape at reading speed. |
| A doubled letter | paypall.com | Not a look-alike character, but word-shape reading skips right over it. |
amazon.com: the brand's registered domain
arnazon.com: the "m" is actually an "r" followed by an "n"
And the swap you can't see at all?
Here are two domains: paypal.com and paypaI.com. The second one is fake; its last letter before the dot is a capital I, not a lowercase l.
In many sans-serif fonts (the plain, straight-lined fonts used by most email apps, browsers, and phones) capital I and lowercase l are drawn as the same vertical bar. Identical pixels. Depending on the font this page uses, you may not be able to tell those two domains apart right now. That's the point: no amount of squinting helps, because there is nothing to see. 😅
Some registrations go further and use Cyrillic letters, the alphabet used for Russian and other languages, where the letter а is a different character to a computer but looks the same as a Latin a to your eye. Same trick, different alphabet.
Where do letter-swap domains show up?
- Email sender addresses. The display name says "PayPal Support," but the part after the @ is paypa1.com. The display name is free text; anyone can type anything there. The domain after the @ is what counts.
- Links in ads and messages. Link text can say one thing while the actual address underneath says another, and lookalike domains turn up in paid ads too.
- Text messages. Small screens, small fonts, and an urgent "your package is on hold" message are the ideal habitat for a one-character swap.
How do you check a domain by hand?
- Copy the exact domain, either from the sender's real address (after the @) or by copying a link's address instead of clicking it. Don't retype it; you'll fix the swap without noticing.
- Paste it into a plain-text editor (Notes, Notepad, anything) and make the font as large as it will go. Size alone exposes many swaps.
- Change the font. A serif font like Georgia or a monospace font like Courier draws capital I, lowercase l, and the number 1 differently, and usually gives zero a distinct shape from the letter O.
- Type the brand's real domain yourself on the next line and compare the two, letter by letter.
- Or paste the domain into IP Tracker and let the comparison run in seconds instead.
How does IP Tracker name the trick?
IP Tracker is a free Chrome extension. Paste a domain or a full email address into the popup; the free tier gives you 25 checks a day, with no account and no tracking. Only the value you paste is looked up.
For letter swaps, it does the boring version of the manual check above, every time: it normalizes look-alike characters (the number 1 and capital I become a lowercase l, zero becomes the letter O, and common Cyrillic look-alike letters map back to their Latin twins), then compares the result against the official domains of roughly 100 widely impersonated brands: banks, payment and e-commerce services, shipping companies, big tech, government sites, crypto services, and streaming platforms.
An exact match to one of those official domains gets a "verified" note. A match after normalization is flagged HIGH, with an amber banner naming the exact trick, for example: Looks like paypal.com, the second "l" is a capital i. Near-miss spellings like paypall.com, which use no look-alike characters, are spotted by a separate typo-tolerant comparison (short domains allow no typos, medium-length ones allow one, long ones allow two) and flagged as a MEDIUM "possible lookalike" caution. Each brand's real regional domains, like paypal.de, are on the official list, so they aren't flagged.
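The normalize-then-compare flow described above can be sketched like this. It is an added example, not IP Tracker's code: the five-domain brand list, the Cyrillic map, and the length cut-offs (up to 4 characters: no typos, 5 to 8: one, longer: two) are assumptions, since the page only says "short", "medium" and "long".

```javascript
// Added illustration, not IP Tracker's code. The brand list, the Cyrillic map
// and the length cut-offs below are assumptions made for this sketch.
const OFFICIAL = ["paypal.com", "paypal.de", "amazon.com", "netflix.com", "microsoft.com"];

const CONFUSABLES = {
  "1": "l", "I": "l", "0": "o",
  "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c", // Cyrillic
};

// Fold look-alikes first (capital I must be seen before lowercasing), then lowercase.
function normalize(domain) {
  return Array.from(domain.trim(), (ch) => CONFUSABLES[ch] ?? ch).join("").toLowerCase();
}

// Two-row Levenshtein edit distance (insert, delete, substitute each cost 1).
function editDistance(a, b) {
  let prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    const row = [i];
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      row[j] = Math.min(prev[j] + 1, row[j - 1] + 1, prev[j - 1] + cost);
    }
    prev = row;
  }
  return prev[b.length];
}

// Assumed cut-offs, measured on the brand's first label ("paypal" = 6 characters).
function allowedTypos(brandDomain) {
  const len = brandDomain.split(".")[0].length;
  return len <= 4 ? 0 : len <= 8 ? 1 : 2;
}

function checkDomain(input) {
  const typed = input.trim().toLowerCase();
  if (OFFICIAL.includes(typed)) return { level: "VERIFIED", brand: typed };
  const folded = normalize(input);
  if (OFFICIAL.includes(folded)) return { level: "HIGH", brand: folded };
  // Not an exact or folded match: fall back to the typo-tolerant comparison.
  const near = OFFICIAL.find((b) => editDistance(folded, b) <= allowedTypos(b));
  return near ? { level: "MEDIUM", brand: near } : { level: "NONE", brand: null };
}
```

With these assumed thresholds, `checkDomain("arnazon.com")` returns `NONE`: the rn-for-m swap costs two edits against a six-letter brand that tolerates one, so neither check catches it.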
Around the lookalike check, it also shows whether Google Safe Browsing (Google's list of reported dangerous sites) has flagged the domain, how many security vendors flag it on VirusTotal, community abuse reports, and the domain's creation date. If the domain is under 90 days old, the banner adds a "Registered N days ago" line as a supporting clue, never a verdict on its own.
What can't it do?
Honesty matters more than comfort here, so four limits worth knowing:
- The brand list is about 100 brands. The most impersonated ones, not every brand. A lookalike of your local credit union may not be on it.
- Some swaps don't use look-alike characters. The rn-for-m trick, for example, can slip past the automated comparison. The manual font-change check above still works on it.
- Encoded international domains aren't decoded yet. Domains built from non-Latin characters travel the internet in an encoded form called punycode (they start with xn--). IP Tracker doesn't yet decode that form before checking; the team is working on it. Cyrillic swaps are checked only when you paste the visible, human-readable form.
- Blocklists lag. Google Safe Browsing is strong on known bad sites, but brand-new phishing domains take time to get reported and listed.
The letter-swap trick beats your eyes, not your habits. When a message arrives with urgency attached, slow down and look at the domain character by character, or get a second opinion that does.
To summarize:
- ✓ Copy the domain; never retype it.
- ✓ Blow the font up and switch it to serif or monospace.
- ✓ Compare with the real domain letter by letter.
- ✓ Or paste it into IP Tracker and let it name the trick for you.
Stay sharp! 😎