A small confession: the first time I saw paypal.com and paypa1.com side by side, I had to enlarge the font to find the difference. And I was actively looking for it. That's the letter-swap trick, and it works because our eyes read words, not letters.

Why can't you just see it?

When you read, you don't inspect every letter. You recognize the overall shape of a word and move on; that's what makes reading fast. Scammers lean on exactly that shortcut.

A homoglyph is a character that looks like a different character. The number 1 looks like a lowercase l. The number 0 looks like the letter O. Swap one into a brand's name, register the result as a new domain, and you get an address that reads like a name you trust, while being, to every computer on the internet, a completely different place owned by someone else.

Real: paypal.com (the brand's registered domain)

Fake: paypa1.com (the second "l" is the number 1)

A swapped-character domain isn't a "typo version" of the real site. It's a separate address anyone could have registered, pointing wherever its owner wants. Often a login page built to collect your password.

Which swaps do most of the work?

Four substitutions carry almost the whole genre, plus one cousin that doesn't use a look-alike character at all.

| The swap | Example | Why your eye accepts it |
|---|---|---|
| Number 1 for lowercase l | paypa1.com | Both are a single vertical stroke; at small sizes they blur together. |
| Capital I for lowercase l | netfIix.com | In many plain fonts they are literally identical. |
| Zero for the letter o | amaz0n.com, micros0ft.com | Same oval; the difference is a sliver of width you rarely notice. |
| rn for m | arnazon.com | Side by side, r and n merge into an m shape at reading speed. |
| A doubled letter | paypall.com | Not a look-alike character, but word-shape reading skips right over it. |

Real: amazon.com (the brand's registered domain)

Fake: arnazon.com (the "m" is actually an "r" followed by an "n")

And the swap you can't see at all?

Here are two domains: paypal.com and paypaI.com. The second one is fake; its last letter before the dot is a capital I, not a lowercase l.

In many sans-serif fonts (the plain, straight-lined fonts used by most email apps, browsers, and phones) capital I and lowercase l are drawn as the same vertical bar. Identical pixels. Depending on the font this page uses, you may not be able to tell those two domains apart right now. That's the point: no amount of squinting helps, because there is nothing to see. 😅

Some registrations go further and use Cyrillic letters, the alphabet used for Russian and other languages, where the letter а is a different character to a computer but looks the same as a Latin a to your eye. Same trick, different alphabet.

Where do letter-swap domains show up?

How do you check a domain by hand?

  1. Copy the exact domain from the sender's real address (after the @), or by copying a link's address instead of clicking it. Don't retype it; you'll fix the swap without noticing.
  2. Paste it into a plain-text editor (Notes, Notepad, anything) and make the font as large as it will go. Size alone exposes many swaps.
  3. Change the font. A serif font like Georgia or a monospace font like Courier draws capital I, lowercase l, and the number 1 differently, and usually gives zero a distinct shape from the letter O.
  4. Type the brand's real domain yourself on the next line and compare the two, letter by letter.
  5. Or paste the domain into IP Tracker and let the comparison run in seconds instead.

How does IP Tracker name the trick?

IP Tracker is a free Chrome extension. Paste a domain or a full email address into the popup; the free tier gives you 25 checks a day, with no account and no tracking. Only the value you paste is looked up.

For letter swaps, it does the boring version of the manual check above, every time: it normalizes look-alike characters (the number 1 and capital I become a lowercase l, zero becomes the letter O, and common Cyrillic look-alike letters map back to their Latin twins), then compares the result against the official domains of roughly 100 widely impersonated brands: banks, payment and e-commerce services, shipping companies, big tech, government sites, crypto services, and streaming platforms.

An exact match to one of those official domains gets a "verified" note. A match after normalization is flagged HIGH, with an amber banner naming the exact trick, for example: Looks like paypal.com, the second "l" is a capital i. Near-miss spellings like paypall.com, which use no look-alike characters, are spotted by a separate typo-tolerant comparison (short domains allow no typos, medium-length ones allow one, long ones allow two) and flagged as a MEDIUM "possible lookalike" caution. Each brand's real regional domains, like paypal.de, are on the official list, so they aren't flagged.
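
The normalize-then-compare check described above, sketched as an added example; it is not IP Tracker's code. The five-domain official list, the Cyrillic map, the rn-to-m fold (taken from the table of swaps) and the length cut-offs (names of up to 4 characters allow no typos, 5 to 8 allow one, 9 or more allow two) are assumptions made for the illustration.

```python
# Added example: look-alike folding plus typo-tolerant matching.
# OFFICIAL is a constructed sample; the length cut-offs are assumptions.
OFFICIAL = {"paypal.com", "paypal.de", "amazon.com", "netflix.com", "microsoft.com"}

# Single-character look-alikes: 1 and I -> l, 0 -> o, Cyrillic -> Latin twins.
CONFUSABLES = str.maketrans({
    "1": "l", "I": "l", "0": "o",
    "\u0430": "a", "\u0435": "e", "\u043e": "o",   # Cyrillic a, e, o
    "\u0440": "p", "\u0441": "c", "\u0445": "x", "\u0443": "y",
})

def skeleton(domain):
    # Translate before lowercasing so a capital I folds to l, not to i.
    folded = domain.translate(CONFUSABLES).lower()
    return folded.replace("rn", "m")  # two-letter swap from the table

BY_SKELETON = {skeleton(d): d for d in OFFICIAL}

def edit_distance(a, b):
    # Levenshtein distance, computed one row at a time.
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def allowed_typos(official):
    # Assumed cut-offs, measured on the name before the first dot.
    n = len(official.split(".")[0])
    return 0 if n <= 4 else 1 if n <= 8 else 2

def check(value):
    # Accept a bare domain or an email address (domain is after the last @).
    raw = value.strip().rsplit("@", 1)[-1].rstrip(".")
    if raw.lower() in OFFICIAL:
        return ("verified", raw.lower())
    skel = skeleton(raw)
    if skel in BY_SKELETON:
        return ("HIGH", BY_SKELETON[skel])
    for known, official in sorted(BY_SKELETON.items()):
        if edit_distance(skel, known) <= allowed_typos(official):
            return ("MEDIUM", official)
    return ("not flagged", None)
```

A domain that arrives in its ASCII `xn--` form has to be decoded to Unicode before the Cyrillic folding can apply.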

Around the lookalike check, it also shows whether Google Safe Browsing (Google's list of reported dangerous sites) has flagged the domain, how many security vendors flag it on VirusTotal, community abuse reports, and the domain's creation date. If the domain is under 90 days old, the banner adds a "Registered N days ago" line as a supporting clue, never a verdict on its own.

What can't it do?

Honesty matters more than comfort here, so four limits worth knowing:

"Not flagged" is not the same as "safe." Every result is a signal for your judgment, not a verdict. IP Tracker names the tricks it can see. It can't click for you, and it won't promise a site is safe.

The letter-swap trick beats your eyes, not your habits. When a message arrives with urgency attached, slow down and look at the domain character by character, or get a second opinion that does.

To summarize:

Stay sharp! 😎