Spoofed Unicode: Detect Look-Alike Character Attacks

Spoofed Unicode text uses look-alike characters from other alphabets to imitate normal letters, so a Latin a can be swapped for a Cyrillic one that looks identical but is a different character. Attackers use this to fake domain names, usernames, and brand names. This guide explains how the trick works and how to detect homoglyphs, and points to a free tool for checking suspicious text.

What spoofed text is

Unicode contains thousands of characters, and many from different scripts look almost or exactly alike. The Latin letter o, the Cyrillic o, and the Greek omicron can be visually identical but have different code points. Text that swaps real letters for these look-alikes, called homoglyphs, is spoofed: it reads normally to a human but is technically a different string. The code point basis for this is in our text encoding guide.

How homoglyph attacks work

An attacker registers a domain or creates a username that looks like a trusted one but uses a foreign look-alike for one letter. To the eye it is the real brand, but it points somewhere else entirely. The same trick hides banned words from filters, since a moderation system checking for a Latin spelling misses the mixed-script version. The danger is precisely that the difference is invisible.

How to detect it

The reliable way is to inspect the actual characters rather than trust your eyes. The spoofed Unicode checker scans a string and flags characters that come from unexpected scripts or that are known look-alikes, so a single Cyrillic letter hiding in a Latin word stands out. Listing the code points, as our code points guide shows, confirms exactly what each character is.
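
The check described above, sketched in JavaScript as an added example (it is not the code of the site's checker): every letter is classified by Unicode script, anything outside the expected script is reported with its code point, and known look-alikes are mapped back to the Latin letter they imitate. The function names are hypothetical, and the script list and look-alike table are small constructed subsets.

```javascript
// Scripts each letter is tested against (constructed subset; extend as needed).
const SCRIPTS = ['Latin', 'Cyrillic', 'Greek', 'Armenian', 'Hebrew', 'Arabic', 'Han'];
const SCRIPT_RE = Object.fromEntries(
  SCRIPTS.map((s) => [s, new RegExp(`\\p{Script=${s}}`, 'u')])
);

// Constructed sample of look-alikes -> the Latin letter each one imitates.
const LOOKALIKES = new Map([
  ['\u0430', 'a'], ['\u0435', 'e'], ['\u043E', 'o'], ['\u0440', 'p'],
  ['\u0441', 'c'], ['\u0445', 'x'], ['\u0443', 'y'], ['\u0456', 'i'],
  ['\u03BF', 'o'], ['\u03BD', 'v'],
]);

function scriptOf(ch) {
  for (const s of SCRIPTS) if (SCRIPT_RE[s].test(ch)) return s;
  return 'Other';
}

function formatCodePoint(ch) {
  return 'U+' + ch.codePointAt(0).toString(16).toUpperCase().padStart(4, '0');
}

// Report every letter whose script differs from the expected one.
function findSpoofedChars(text, expected = 'Latin') {
  const flagged = [];
  let index = 0; // UTF-16 offset of the current character
  for (const ch of text) { // iterates by code point, not by UTF-16 unit
    if (/\p{L}/u.test(ch) && scriptOf(ch) !== expected) {
      flagged.push({
        index,
        char: ch,
        codePoint: formatCodePoint(ch),
        script: scriptOf(ch),
        imitates: LOOKALIKES.get(ch) ?? null,
      });
    }
    index += ch.length;
  }
  return flagged;
}

// Rewrite known look-alikes to Latin to reveal the string being imitated.
function skeleton(text) {
  return Array.from(text, (ch) => LOOKALIKES.get(ch) ?? ch).join('');
}

// Constructed samples: the "a" in `spoofed` is Cyrillic U+0430.
const spoofed = 'ex\u0430mple.com';
const clean = 'example.com';
```

Comparing `skeleton(input)` against a list of protected names catches a spoof even when the raw strings differ, which is how a filter avoids being bypassed by a mixed-script spelling.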

Where the risk shows up

Homoglyph spoofing turns up in phishing links, fake login pages, impostor social accounts, fraudulent invoices, and content that dodges keyword filters. Anywhere a name or address is trusted by sight, a look-alike character can break that trust. Security teams, moderators, and anyone verifying a link or sender should be aware that two identical-looking strings can be different.

How to protect yourself

Treat any unexpected link or sender with suspicion, even one that looks correct, and verify it by checking the characters rather than the appearance. Browsers and registrars apply some protections, such as showing the raw form of mixed-script domains, but they are not complete. Running questionable text through a checker before acting on it is a quick, reliable safeguard.

Frequently asked questions

What is spoofed Unicode text?

Text that swaps normal letters for look-alike characters from other scripts, so it reads normally but is technically a different string.

What is a homoglyph?

A character that looks the same as another but has a different code point, such as a Cyrillic o that looks like a Latin o.

Why are homoglyph attacks dangerous?

Because the substitution is invisible to the eye, so a fake domain or username can look exactly like a trusted one.

How do I detect spoofed text?

Inspect the actual characters with a spoofed Unicode checker, which flags letters from unexpected scripts and known look-alikes.

How can I protect myself?

Verify suspicious links and senders by checking the characters rather than the appearance, and run questionable text through a checker first.

Written by Nick (ATV Team)

We build and maintain the 600+ free, client-side tools on this site, and every guide is written against the tools themselves: each figure is computed and checked before it is published, and every linked tool is tested in the browser. More about how we work on the about page, and the full library of guides lives on the blog.