I grew up between two alphabets, Latin and Cyrillic, so this trick feels almost personal to me. Some fake domains hide a number 1 where a letter l should be. The sneakiest ones hide nothing you can see at all: every letter looks right, because one of them is borrowed from a different alphabet. Let's unmask it together.

Domains aren't limited to English letters anymore

Web addresses were originally restricted to plain English letters, digits, and hyphens: a basic character set called ASCII. That changed with internationalized domain names (IDN for short), a system that lets people register addresses in Cyrillic, Greek, Arabic, Chinese, and dozens of other scripts. And that's a good thing! Most of the world doesn't write in English.

But it came with a side effect. Some letters in other alphabets are drawn exactly like Latin ones, and "exactly" here means pixel-for-pixel identical in most fonts.

Can you spot the twins?

The lookalike tricks most people have heard of are visible if you slow down and look:

  Real   paypal.com   the brand's registered domain
  Fake   paypa1.com   the second "l" is the number 1

You can catch that one with a careful eye. Swaps like amaz0n.com (a zero standing in for the letter o) or netfIix.com (a capital i posing as the letter l) are harder, but they're still there to be seen.

Now try to compare the Latin letter a with the Cyrillic letter а. You can't. They render identically, even though your computer treats them as two completely different characters. Cyrillic а, е, о, р, с, and х all look like their Latin twins a, e, o, p, c, and x in most fonts. A domain that swaps one Latin letter for its foreign twin is called a homograph: a different address that looks identical to the real one. No amount of squinting helps, because there is nothing to see. 😅

Punycode: the disguise has a tell

Under the hood, the internet's addressing system still runs on ASCII. So every internationalized domain has a second, plain-ASCII spelling called punycode: an encoding in which every converted label starts with the marker xn--. The pretty non-Latin name is what fonts draw on your screen; the xn-- form is what the network actually uses.

The famous demonstration: in 2017, a security researcher registered "apple.com" spelled entirely in Cyrillic letters as a proof of concept, to show that browsers would display it indistinguishably from the real thing. It was a warning shot from a researcher, not an attack. But the registration went through, and this is what that name really was:

  Real   apple.com            the brand's registered domain
  Fake   xn--80ak6aa92e.com   a researcher's demo: "apple" written in all-Cyrillic letters, unmasked to its punycode form

Same pixels on screen as apple.com. Entirely different domain.

Do browsers save you? Partially.

After demonstrations like that one, major browsers tightened their display rules. When a name mixes alphabets suspiciously, or, like the Cyrillic "apple", is spelled entirely in lookalike characters from another script, many browsers now refuse to draw the pretty version and show the raw xn-- form in the address bar instead. Land on a Cyrillic "apple" in such a browser and the address bar reads xn--80ak6aa92e.com: an obvious tell that something is off. The exact rules vary by browser, though, so treat this as a helpful habit of modern browsers, not a promise.

And that unmasking mostly lives in the address bar. Email clients, chat apps, and social feeds often render the decorated form in sender addresses and link text with no warning at all. The place you're most likely to meet a homograph, an urgent-looking email, is exactly the place least likely to reveal it. Surprise, surprise.

The address bar only shows its tell after you click. A sender address or a link preview inside an email can still wear the disguise. Judge the domain before you click, not after.

How do you check a domain by hand?

Three checks, no tools required beyond a search engine:

  1. Look for xn--. If you're already on the site, check the address bar. A domain starting with xn-- contains non-Latin characters: normal for a truly international site, a red flag when the name is pretending to be a famous English-language brand.
  2. Copy the domain (don't retype it) and paste it into a punycode converter. Search "punycode converter"; several free ones exist. If a name that looks like plain English converts to something starting with xn--, at least one of its letters comes from another alphabet.
  3. Retype the domain yourself and compare with find-in-page. Type paypal.com by hand into a note or document and paste the copied version next to it. Then use your browser's find function (Ctrl+F or Cmd+F) to search for the version you typed. Your typed version is plain ASCII for sure; if the search highlights one of the two names and skips the other, at least one character in the copied name comes from somewhere else.

What does IP Tracker check today? And what can't it check yet?

Paste a suspicious sender address or domain into IP Tracker (a free Chrome extension, 25 checks a day, no account needed) exactly as it appears, and it pulls out the domain and normalizes lookalike characters: number-for-letter swaps, the capital-i-for-l trick, and the common Cyrillic twins above. If the normalized name matches one of roughly 100 widely impersonated brands (banks, payment services, shipping, big tech, and similar), you get an amber banner that names the specific trick, in plain words. If the domain is the brand's real one, including official regional siblings like paypal.de, you get a "verified" note instead. And a spelling that sits a typo or two away from a listed brand (the allowance scales with the name's length) is flagged more gently, as a "possible lookalike" caution.

Two honest limits. First, the brand list is about 100 brands, not every brand; a lookalike of a small local company won't ring that particular bell. Second, IP Tracker doesn't yet decode punycode: pasting the xn-- spelling won't be recognized as a brand lookalike. The team is working on that.

Have an xn-- string? Convert it first (step 2 above), then paste the readable form it decodes to. The visible form, the way a name appears in a sender address, is what the lookalike check reads today.

The lookalike scan isn't the only signal. IP Tracker also checks the domain against Google Safe Browsing (Google's list of reported dangerous sites, which often lags behind brand-new phishing pages), shows how many security vendors on VirusTotal flag it, and surfaces community abuse reports. If the domain was registered less than 90 days ago, the banner adds a "Registered N days ago" line: a supporting clue, never a verdict on its own, since plenty of honest sites are new too.

None of this blocks anything, and a clean result is not a promise. "Not flagged" is not the same as "safe"; a brand-new homograph may not be on anyone's list yet. What the checks give you is a second opinion with the trick spelled out, so the letter you couldn't see becomes one you can.
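As an added example (not the extension's own code), here is a Python sketch of the pipeline this section and the manual checks above describe: undo the xn-- encoding, fold the lookalike characters the post names to their Latin twins, and compare the result against a brand list with a length-scaled typo allowance. The confusable table, the four-brand list, the allowance rule, and treating any TLD under an exactly spelled brand as verified are all assumptions of this sketch.

```python
import codecs

# Constructed lookalike table, a small subset of a real confusables list.
# Each key renders like the Latin letter it maps to.
CONFUSABLES = {
    "0": "o", "1": "l", "I": "l",                  # number-for-letter and capital-I swaps
    "\u0430": "a", "\u0435": "e", "\u043e": "o",   # Cyrillic а, е, о
    "\u0440": "p", "\u0441": "c", "\u0445": "x",   # Cyrillic р, с, х
    "\u04cf": "l",                                 # Cyrillic palochka, the "l" of the 2017 apple demo
}
BRANDS = ["amazon", "apple", "netflix", "paypal"]  # constructed stand-in for the ~100-brand list

def decode_label(label):
    """Undo the xn-- encoding so the check sees the letters the screen would draw."""
    if label.lower().startswith("xn--"):
        return codecs.decode(label[4:].encode("ascii"), "punycode")
    return label

def fold(label):
    """Replace each lookalike with its Latin twin; return the folded text and the swaps found."""
    out, swaps = [], []
    for ch in label:
        if ch in CONFUSABLES:
            swaps.append(f"U+{ord(ch):04X} {ch!r} stands in for {CONFUSABLES[ch]!r}")
            out.append(CONFUSABLES[ch])
        else:
            out.append(ch.lower())
    return "".join(out), swaps

def edit_distance(a, b):
    """Levenshtein distance, for the 'a typo or two away' caution."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check(address):
    """Classify the domain in a sender address or URL: verified, lookalike, possible lookalike, no match."""
    host = address.strip().split("://", 1)[-1].rsplit("@", 1)[-1].split("/", 1)[0].split(":", 1)[0]
    labels = [decode_label(part) for part in host.strip(".").split(".")]
    name = labels[-2] if len(labels) > 1 else labels[0]   # registrable label: "paypal" in paypal.de
    folded, swaps = fold(name)
    if folded in BRANDS:                                   # exact brand: verified unless a twin was swapped in
        return ("lookalike" if swaps else "verified", folded, swaps)
    for brand in BRANDS:
        allowance = 1 if len(brand) <= 6 else 2            # assumed length-scaled typo allowance
        if edit_distance(folded, brand) <= allowance:
            return ("possible lookalike", brand, swaps)
    return ("no match", None, swaps)
```

The third element of the result lists every swap in plain words, which is the "names the specific trick" part of the banner.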

To summarize:

Stay curious, and trust the checks more than your eyes on this one! 🤓