May 15, 2026
How cyrillic letters can be used for advanced phishing
Most of us are aware of the typical phishing emails.
Mika Schmidt
4 min read
A Nigerian prince who desperately wants to pass on his wealth to you but needs 500$ for the transaction fees is probably one of the most well known scams out there. Although you could argue that this is "only" a scam and not a phishing email it is nevertheless malicious and you should never reply… Except if your name is James Veitch:
Also well known and very popular are phishing attempts in the area of online banking. You receive an email that looks like it came from your bank, telling you that your account has been suspended, your card has been blocked, or that "unusual activity" has been detected. Or a combination of the Nigerian prince and online banking:
Usually, these phishing attempts rely on bad spelling, scary wording, fake logos, suspicious attachments, and domains like:
secure-login-bank-verification-please-click-now.ru
or
bank-of-americaa.com
Subtle as a brick through a window. But phishing has evolved. Attackers have learned that humans are very good at recognizing patterns and very bad at noticing tiny character differences while half-asleep on a Monday morning.
And this is where Cyrillic letters enter the room wearing a fake moustache.
Wait, what does Cyrillic have to do with phishing?
Cyrillic is the writing system used by languages such as Russian, Ukrainian, Bulgarian, Serbian, and many others. It is completely legitimate, useful, and absolutely not evil.
The problem is not Cyrillic.
The problem is that some Cyrillic letters look almost identical to Latin letters. A good example is the letter "a":
Latin "a" = Cyrillic "а"
Those two characters may look the same. But to your computer, they are not the same character at all. They have different Unicode code points. One is the Latin lowercase "a"; the other is the Cyrillic lowercase "а". Unicode explicitly deals with these kinds of "confusable" characters, and security standards include mechanisms for detecting mixed-script and visually similar identifiers, but it can still turn into a big problem.
Meet the evil twins
Cyrillic <=> Latin
"А" <=> "A"
"а" <=> "a"
"В" <=> "B"
"С" <=> "C"
"с" <=> "c"
"Е" <=> "E"
"Н" <=> "H"
"М" <=> "M"
"О" <=> "O"
"о" <=> "o"
"Р" <=> "P"
"р" <=> "p"
"г" <=> "r"
"Т" <=> "T"
"Х" <=> "X"
"х" <=> "x"
Now imagine receiving an email that says:
Please log in at раypal.com to verify your account.
I think you get my point.
A quick technical explanation
This technique is known as an IDN homograph attack. "IDN" stands for Internationalized Domain Name, which allows domain names to contain non-Latin characters. That is important because the internet should not be limited to English and ASCII characters. ICANN (Internet Corporation for Assigned Names and Numbers) describes IDNs as domain names consisting of Unicode characters, while the DNS still works with ASCII-compatible labels that often begin with xn--, commonly known as Punycode.
In normal life, this is great. People should be able to use domain names in their own language and script.
In phishing life, this gives attackers a new box of fake moustaches.
The "xn--" clue
Behind the scenes, internationalized domain names are converted into an ASCII-compatible format called Punycode, and the paypal example from above ends up looking like this when opened in a browser:
xn--pypal-4ve.com
Sometimes, the browser also displays a warning when entering a fake domain:
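As an added example (not code from the original post), here is a small Python script that does what a password manager is praised for below: it ignores the glyphs and inspects the code points. It uses Python's built-in idna codec for the xn-- conversion and the lowercase twins from the table above as its confusable list; real browsers apply a much longer rule set.

```python
import unicodedata

# Added example, not code from the original post. Lowercase forms of the
# Cyrillic/Latin pairs in the table above (IDNA lowercases labels anyway).
CONFUSABLES = {
    "\u0430": "a", "\u0441": "c", "\u0435": "e", "\u043e": "o",  # а с е о
    "\u0440": "p", "\u0433": "r", "\u0445": "x",                 # р г х
}

def normalize(domain):
    """Return (unicode_form, ascii_form) for either the xn-- or the Unicode spelling."""
    try:
        unicode_form = domain.encode("ascii").decode("idna")  # decodes xn-- labels
    except UnicodeEncodeError:
        unicode_form = domain                                  # already Unicode
    return unicode_form, unicode_form.encode("idna").decode("ascii")

def script_of(ch):
    """Script prefix of the Unicode character name: 'LATIN', 'CYRILLIC', ..."""
    return unicodedata.name(ch, "UNKNOWN").split(" ")[0]

def analyze(domain):
    """Flag labels that mix scripts or that spell an ASCII name with evil twins."""
    unicode_form, ascii_form = normalize(domain)
    labels = []
    for label in unicode_form.split("."):
        scripts = {script_of(c) for c in label if c.isalpha()}
        # replace each known twin by its Latin lookalike; if that yields a
        # different, pure-ASCII name, the label imitates that name
        skeleton = "".join(CONFUSABLES.get(c, c) for c in label)
        labels.append({
            "label": label,
            "scripts": scripts,
            "mixed_script": len(scripts) > 1,
            "lookalike_of": skeleton if skeleton != label and skeleton.isascii() else None,
            "non_ascii": [f"U+{ord(c):04X} {unicodedata.name(c, '?')}" for c in label if ord(c) > 127],
        })
    suspicious = any(l["mixed_script"] or l["lookalike_of"] for l in labels)
    return {"unicode": unicode_form, "ascii": ascii_form, "labels": labels, "suspicious": suspicious}

if __name__ == "__main__":
    # constructed samples: the post's paypal example with a Cyrillic "a" (U+0430)
    for d in ("paypal.com", "p\u0430ypal.com", "xn--pypal-4ve.com"):
        r = analyze(d)
        print(d, "->", r["ascii"], "| suspicious:", r["suspicious"], r["labels"][0]["non_ascii"])
```

A legitimate non-ASCII name such as münchen.de is not flagged: it is single-script and maps to no pure-ASCII lookalike.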
So how do you protect yourself?
A few simple habits already make these attacks much harder.
First: do not click login links in emails. If your bank, payment provider, cloud service, or favorite online shop tells you something dramatic, open your browser and type the address yourself. Or use a bookmark. Yes, it takes five seconds longer. But so does putting on a seatbelt, and that has also proven to be a decent idea.
Second: use a password manager. This is one of the best protections against fake domains. A password manager does not care if раypal.com looks like paypal.com to your tired human eyes. It checks the actual domain. If it suddenly refuses to fill in your password, do not argue with it.
Third: watch out for Punycode domains. If a link suddenly contains something like:
xn--pypal-4ve.com
that does not automatically mean it is evil, but it does mean you should slow down and check carefully. Especially if the website came from an email that screams urgency.
Fourth: do not blindly trust the padlock. HTTPS only means that the connection to the website is encrypted. It does not mean that the website is legitimate. A phishing site can have a certificate too. A scammer in a nice suit is still a scammer.
Fifth: enable multi-factor authentication. It will not make you invincible, but it makes stolen passwords much less useful. Where possible, use app-based authentication, passkeys, or hardware security keys instead of only SMS codes.
And finally: keep your browser updated. Modern browsers already include protections against suspicious internationalized domains and lookalike URLs. But those protections only help if your browser is not from the same historical period as Internet Explorer 6.
Final thoughts
Cyrillic letters are not dangerous. Unicode is not dangerous. Internationalized domain names are not dangerous.
The danger comes from attackers abusing visual similarities to trick people into trusting the wrong website.
So the next time an email asks you to urgently verify, unlock, approve, confirm, reactivate, or "kindly do the needful," take a breath.
Do not trust the logo. Do not trust the panic. Do not blindly trust the padlock.
Check the domain, use a password manager, and when in doubt, go to the website manually.
Because sometimes the difference between "secure login" and "bad day" is just one tiny letter wearing a fake moustache.