Check Spoofed Unicode Text

Report an Issue

Help us improve by telling us what went wrong.

Embed this Tool

Customize and copy the embed code for your website.

Check Spoofed Unicode Text - Detect Homoglyph and Confusable Character Attacks

The Latin letter a and the Cyrillic letter a look identical on screen but have completely different Unicode code points. An attacker can register a domain like paypa1.com (with a digit one instead of a lowercase L) or apple.com using Cyrillic characters that are visually indistinguishable from Latin ones. This is called a homoglyph attack, and the Check Spoofed Unicode Text tool detects it instantly.

Understanding Unicode Spoofing

Unicode contains over 149,000 characters from dozens of writing systems. Many of these characters look alike. The Greek omicron (U+03BF) is visually identical to the Latin lowercase o (U+006F). The Cyrillic es (U+0455) looks just like the Latin s. Zero-width joiners, combining marks, and right-to-left override characters can further disguise malicious strings without changing their visible appearance.

Attackers exploit these similarities for phishing domains, fake usernames, impersonation in chat platforms, and bypassing content filters. A username that looks like an administrator's name but uses Cyrillic characters will pass most visual checks while failing string comparison - making it a vector for social engineering.

What This Tool Detects

Mixed-script text: A string that combines characters from multiple Unicode scripts (Latin + Cyrillic, Latin + Greek, etc.) is flagged immediately. Legitimate text rarely mixes scripts within a single word.

Confusable characters: The tool checks each character against the Unicode Consortium's official confusables table (maintained in UTS #39). If a character has a look-alike in a different script, it is highlighted with its true identity and code point.

Invisible characters: Zero-width spaces, zero-width joiners, zero-width non-joiners, and other invisible Unicode characters that can hide within text are detected and exposed. These are sometimes used to watermark text or bypass duplicate content detection.

Bidirectional control characters: Right-to-left overrides and marks can reorder displayed text so that what you read is not what the string actually contains. This has been exploited to disguise malicious filenames (a file that appears to end in .doc but actually ends in .exe).

Who Needs This Tool

Security analysts: Investigating phishing campaigns, verifying reported URLs, and auditing user-generated content for spoofing attempts.

Platform moderators: Detecting impersonation accounts that use homoglyph characters to mimic trusted usernames or brand names.

Developers: Validating user input in registration forms, domain name checks, and content management systems. Building spoofing detection into your app starts with understanding what spoofed text looks like - this tool provides that insight.

Journalists and researchers: Verifying the authenticity of URLs, email addresses, and social media handles cited in investigations. A single confusable character can mean the difference between a legitimate source and a phishing page.

Everyday users: Before clicking a link that looks suspicious, paste it into this tool. If it contains characters from unexpected scripts, you know not to trust it.

How To Use It

Paste any text - a URL, a username, an email address, a message - into the input field. The tool analyses every character, identifies its Unicode script and code point, and flags anything suspicious. Results are presented character by character so you can see exactly where the spoofing occurs and what the true identity of each character is.

Entirely Browser-Based

The Check Spoofed Unicode Text tool runs locally in your browser. The text you paste is never sent to any server, which matters when you are analysing potentially sensitive phishing URLs or confidential communications. No installation, no account, no cost - just reliable Unicode spoofing detection whenever you need it.