A developer at a well-known crypto project opened the website of their own tool to deploy a new contract. The URL looked normal. The page looked normal. The wallet connected, signed, and nineteen minutes later the treasury was empty. On close inspection, the Latin "a" in the domain had been replaced by a Cyrillic "а". Two codepoints with identical shapes and different identities.
Homoglyph and typosquatting attacks are cheap, industrialized phishing vectors. The attacker registers a domain that looks indistinguishable from a legitimate one, clones the target site with a scraper, and waits for someone to mistype the URL, click a mail link, or arrive via a search ad. Conversion per visitor is high because victims never realize they were redirected.
Which address-bar tricks really work

Typosquatting isn't a single trick; it's a family. Four variants catch almost every user at some point.
Homoglyphs. Letters from other writing systems look identical in many fonts: Cyrillic "а" and Latin "a", Cyrillic "о" and Latin "o", Greek "ο". Registered via Punycode, they're technically different domains rendered as visually identical characters.
Plain typos. amazoon.com, gooogle.com, paypa1.com (digit 1 instead of l), facebok.com. People who type fast hit these domains more often than owners realize. Squatters register hundreds of variants per target.
Subdomain trickery. apple.com.security-check.xyz or paypal.com.login-ref.ru. The familiar hostname sits at the front, but the real domain is the last part before the path (security-check.xyz, login-ref.ru).
TLD swaps. Companies register .com and sometimes .net, but rarely every relevant TLD. Attackers grab .co, .shop, .io, .app and stand up a pixel-perfect copy. On mobile, where URLs are often truncated, TLDs barely register.
How typosquatter campaigns scale
Modern campaigns aren't manual. Attackers use DNS-twisting tools like dnstwist to generate hundreds of plausible variants of a target in seconds. They register whatever is cheap to acquire. Cloning the original site is done with a scraper that mirrors HTML, CSS, and assets one to one, sometimes as a live reverse proxy.
The reverse proxy variant is particularly nasty because the fake site shows the same content as the original, including the correct login form, a TLS certificate (from Let's Encrypt for the fake domain), and sometimes even functional sub-pages. The attacker relays your inputs to the real service in flight. This is called adversary-in-the-middle, and it's why SMS and TOTP 2FA don't stop it.
Why people miss the warning signs
Half a decade of user research returns the same answer. People don't read URLs. They scan the brand name, see a padlock, and move on. This isn't a failure; it's just how high-frequency reading works.
Modern browsers make it worse by shortening URLs or, on mobile, showing only the domain. That's a readability tradeoff, but it hides exactly the subdomain and TLD variations attackers exploit. Chrome even experimented with showing just the registered domain and hiding the rest, which would have widened the gap further.
On top of that, many phishing links arrive through channels you basically trust: an email from your hosting provider, a push notification from your tax portal, a spoofed Slack message from your boss. When the context looks right, almost nobody checks the URL.
Spotting a lookalike domain fast
If you've opened a link and you're unsure, you can sort out whether the domain is real in under a minute.
1. Highlight the domain in the address bar. The text is rendered in real typography, usually in a font that exposes homoglyphs better than the browser chrome does.
2. Paste the URL into a text editor. A plain editor like Notepad or TextEdit shows raw characters. If the domain suddenly contains `xn--` or unusual glyphs, you've got a homoglyph attack.
3. Check the TLD and any subdomains. The registered domain and its TLD, sitting directly before the first slash, are the real domain; everything to the left of them is a subdomain that can be named anything at all.
4. When in doubt, go through the main domain. Instead of following the link in the email, type the official domain into your browser yourself, or use a bookmark. The detour takes ten seconds and eliminates the attack.
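Steps 2 and 3 can be scripted for triage: convert the host to its Punycode form, flag labels that mix writing systems, isolate the registered domain, and compare it against the brands you care about. The Python below is an added example, not code from the original article or from Browser.lol; the brand allow-list, the two-entry public-suffix stand-in and the confusables table are constructed assumptions.

```python
import unicodedata
from urllib.parse import urlsplit

KNOWN_BRANDS = ("apple.com", "paypal.com", "google.com")   # constructed allow-list
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au"}                   # constructed stand-in for the PSL
CONFUSABLES = str.maketrans({                                # constructed subset of UTS #39
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",  # Cyrillic a e o p
    "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i",  # Cyrillic c x y i
    "\u03bf": "o", "1": "l", "0": "o",                           # Greek omicron, digits
})

def registrable_domain(host: str) -> str:
    """Rightmost labels that form the registered name (eTLD+1)."""
    labels = host.rstrip(".").split(".")
    n = 3 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 2
    return ".".join(labels[-n:])

def scripts_in(label: str) -> set:
    """Unicode scripts used in one label, e.g. {'LATIN', 'CYRILLIC'}."""
    scripts = set()
    for ch in label:
        if ch == "-" or ch.isdigit():
            continue
        scripts.add(unicodedata.name(ch, "UNKNOWN").split()[0])
    return scripts

def check_url(url: str) -> dict:
    """Classify a URL's host: known brand, look-alike of one, or unknown."""
    host = (urlsplit(url).hostname or "").lower()
    # Browsers render IDNs as Unicode; DNS and registrars see Punycode (xn--).
    ascii_host = host.encode("idna").decode("ascii")
    unicode_host = ascii_host.encode("ascii").decode("idna")
    findings = []
    if "xn--" in ascii_host:
        findings.append("idn")
    for label in unicode_host.split("."):
        if len(scripts_in(label)) > 1:
            findings.append("mixed-script:" + label)
    reg = registrable_domain(unicode_host)
    if reg in KNOWN_BRANDS:
        verdict = "known"
    else:
        for brand in KNOWN_BRANDS:
            # homoglyph/digit swap of the real domain, or brand used as subdomain bait
            if reg.translate(CONFUSABLES) == brand or brand in unicode_host:
                findings.append("lookalike-of:" + brand)
        verdict = "suspicious" if findings else "unknown"
    return {"host": ascii_host, "registrable": reg, "findings": findings, "verdict": verdict}
```

Plain insertions such as gooogle.com are not caught by the confusables fold; that needs an edit-distance comparison against the brand list.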
Opening a suspicious link safely

Sometimes you need to open the link anyway, because you want to see who's behind it. That's the case for an isolated browser. You open the suspicious URL in an environment that knows nothing about you: no cookies, no stored passwords, no wallet extension. If it's an adversary-in-the-middle, they land in a session that has no real credentials to harvest.
Security teams have used this pattern for years in phishing triage. For individuals it works the same way. Important logins always go through a bookmark or password manager; suspicious URLs open in a disposable browser. For the triage method in detail, see Testing Suspicious Links Without Risk.