IDN homograph (Punycode)
Internationalized Domain Names that use non-ASCII characters to spoof brand names.
IDNs allow domain names to contain non-ASCII characters, including non-Latin scripts (.中国, münchen.de). Punycode is the ASCII encoding used to register them: münchen.de is registered as xn--mnchen-3ya.de.
Phishing exploits this by registering names whose Unicode form is visually indistinguishable from a target brand, such as xn--80ak6aa92e.com, which renders as "apple.com" in some browsers.
Modern browsers apply heuristics to display Punycode (the ugly xn-- form) rather than the rendered Unicode when they detect a likely homograph, but the protection is incomplete.
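As an added example (not from the original page and not any browser's actual algorithm), the Python sketch below decodes the two xn-- labels mentioned above and applies two simple homograph signals: letters from more than one script in a label, and a label that collapses to plain ASCII once lookalike letters are replaced. The LOOKALIKES table and the function names are constructed for illustration; a real check would use the full Unicode confusables data.

```python
import unicodedata

# Constructed, deliberately small Cyrillic -> Latin lookalike table (assumption:
# a real deployment would load the complete Unicode confusables data instead).
LOOKALIKES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u04cf": "l",
}

def to_unicode(label):
    """Decode one DNS label; an xn-- label carries Punycode after the prefix."""
    label = label.lower()
    if label.startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label

def scripts(text):
    """Script of each letter, taken from the first word of its Unicode name."""
    return {unicodedata.name(ch).split()[0] for ch in text if ch.isalpha()}

def check_label(label):
    """Return the decoded label plus a homograph verdict for it."""
    text = to_unicode(label)
    found = scripts(text)
    skeleton = "".join(LOOKALIKES.get(ch, ch) for ch in text)
    if text.isascii():
        suspicious = False  # plain ASCII label, nothing to spoof with
    else:
        # Signal 1: one label mixes scripts (e.g. Latin plus Cyrillic).
        # Signal 2: every non-ASCII letter is a lookalike, so the label
        #           reads as an ASCII name (whole-script spoof).
        suspicious = len(found) > 1 or skeleton.isascii()
    return {"unicode": text, "scripts": found,
            "skeleton": skeleton, "suspicious": suspicious}

def check_host(host):
    """Check every label of a hostname given in ASCII (xn--) or Unicode form."""
    return [check_label(label) for label in host.rstrip(".").split(".")]

if __name__ == "__main__":
    for host in ("xn--80ak6aa92e.com", "xn--mnchen-3ya.de"):
        for result in check_host(host):
            print(host, result)
```

The Cyrillic-only label is caught by the second signal, which a mixed-script check alone would miss; münchen is left alone because ü has no entry in the lookalike table.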