Check Spoofed Unicode Text Online

Detect Unicode confusables and homoglyphs from Cyrillic, Greek, Armenian, and Hebrew that imitate Latin letters. Free, client-side, instant.

Paste text to find confusable Unicode characters — the Cyrillic, Greek, Armenian, Hebrew, or special-form look-alikes that phishing attacks hide inside domains and messages.

How to Use Check Spoofed Unicode Text Online

  1. Paste the text - a URL, an email address, a username, or any string you suspect. The sample shows a fake PayPal with a Cyrillic "а" in the middle.
  2. Read the verdict: green "clean" when no confusables are found, amber "spoofed" when at least one look-alike from another script is present.
  3. Scan the highlighted preview: every flagged code point is wrapped in a yellow highlight so you can see exactly where the fake characters are, even though they are visually identical to their Latin neighbours.
  4. Check the script mix: which scripts appear in your text and how many characters from each. Non-Latin scripts are flagged with a warning row.
  5. Read the detected confusables list: each row shows position, the character, its Unicode code point, its script, and the Latin letter it imitates.
  6. Press Ctrl+Enter (⌘+Enter on Mac) after a paste to force a fresh scan.
  7. Copy the report or Download a timestamped `.txt` for the security ticket - the download also embeds the original input.

Frequently asked questions

Is my data uploaded anywhere?

No. Every character lookup happens in your browser. Text you paste never touches the network – there is no fetch, no XHR, no analytics on content.

What are Unicode homoglyphs?

Characters from different scripts that share a visual shape. The Latin “a” (U+0061) looks identical to the Cyrillic “а” (U+0430), but they are different code points. Browsers, fonts, and humans see the same glyph; computers do not.

Why are homoglyphs dangerous?

An attacker can register a domain like раypal.com where the first two letters are Cyrillic. Browsers display it as PayPal; the TLS certificate is legitimate; victims hand over credentials. The same trick works for usernames, invoice emails, and copy-pasted support addresses.

Which scripts does the tool cover?

The built-in confusables table includes Cyrillic, Greek, Armenian, Hebrew, IPA/Phonetic, and Roman-Numeral lookalikes. The script-mix card covers a broader set (Arabic, Hiragana, Katakana, CJK, Emoji) so you can see what other scripts appear even when they are not homoglyph attempts.

What counts as the “Latin” script here?

Code points U+0041-U+005A (A-Z) and U+0061-U+007A (a-z). IPA and Latin-Phonetic extensions are tagged separately because several of them are used in homoglyph attacks despite being technically Latin.

Is all non-Latin text suspicious?

No – multilingual content is legitimate. The tool flags confusables that imitate Latin letters. Plain Cyrillic, Greek, or Hebrew sentences show up in the script mix without being flagged unless a character from the confusables table is present.
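The check described above can be reproduced in a few lines. This is an added example, not the tool's own code: the `CONFUSABLES` table is a small constructed subset, and the names `scriptOf` and `scan`, the 0-based positions, and the "Other" bucket are assumptions.

```javascript
// Constructed subset of a confusables table: look-alike -> Latin letter it imitates.
const CONFUSABLES = new Map([
  ["\u0430", "a"], ["\u0435", "e"], ["\u043E", "o"], ["\u0440", "p"], // Cyrillic
  ["\u0441", "c"], ["\u0443", "y"], ["\u0445", "x"], ["\u0456", "i"], // Cyrillic
  ["\u03BF", "o"], ["\u03BD", "v"],                                   // Greek
  ["\u0585", "o"],                                                    // Armenian
  ["\u05E1", "o"],                                                    // Hebrew
]);

// "Latin" follows the page's definition: U+0041-U+005A and U+0061-U+007A only.
const SCRIPTS = [
  ["Latin", /^[A-Za-z]$/],
  ["Cyrillic", /^\p{Script=Cyrillic}$/u],
  ["Greek", /^\p{Script=Greek}$/u],
  ["Armenian", /^\p{Script=Armenian}$/u],
  ["Hebrew", /^\p{Script=Hebrew}$/u],
];

// Returns a script name, "Other" for any other letter, or null for
// digits, dots and punctuation (these are left out of the script mix).
function scriptOf(ch) {
  const hit = SCRIPTS.find(([, re]) => re.test(ch));
  if (hit) return hit[0];
  return /^\p{L}$/u.test(ch) ? "Other" : null;
}

// Scans by code point (not UTF-16 unit) and builds the three outputs the
// page describes: verdict, script mix, and the detected-confusables rows.
function scan(text) {
  const findings = [];
  const scriptMix = {};
  Array.from(text).forEach((ch, position) => { // position is 0-based (assumption)
    const script = scriptOf(ch);
    if (script) scriptMix[script] = (scriptMix[script] || 0) + 1;
    const imitates = CONFUSABLES.get(ch);
    if (imitates) {
      const hex = ch.codePointAt(0).toString(16).toUpperCase().padStart(4, "0");
      findings.push({ position, char: ch, codePoint: "U+" + hex, script, imitates });
    }
  });
  return { verdict: findings.length ? "spoofed" : "clean", scriptMix, findings };
}

// Constructed samples: the page's spoofed domain, the real one, a plain Cyrillic word.
const spoofed = scan("\u0440\u0430ypal.com");
const genuine = scan("paypal.com");
const cyrillicWord = scan("Жизнь");
console.log(spoofed.verdict, spoofed.scriptMix, spoofed.findings);
```

The plain Cyrillic word appears in the script mix but stays "clean" because none of its letters are in the table, which is the distinction the answer above draws.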

Does it check for zero-width or invisible characters?

The current pass focuses on visible look-alikes. Zero-width joiners, right-to-left overrides, and other invisible control characters are a separate attack class – use a dedicated “invisible character detector” for those.

Can this prevent phishing?

It helps you spot an attack that would otherwise be invisible, but it is one signal among many. Always verify domains, check certificates, and treat unexpected messages with scepticism.

Can I use this to protect my brand?

Yes – paste a domain you care about and variations attackers might register, or feed in user-submitted URLs to screen them. The detailed list shows exactly which code points to search for when policing suspicious registrations.

Does it work offline?

After the page loads, yes. HTML, CSS, and JS are self-contained – disconnect Wi-Fi and keep checking.