When “PaypaI.com” Isn’t PayPal
A Personal Encounter with a Homograph Attack
It was just another ordinary morning in the office. Coffee in hand, I sat down, signed in to LinkedIn, and started scrolling through my feed, catching up on updates, industry chatter, and the usual flood of posts that stack up overnight (because, unfortunately, sleep still exists, and it tends to make us miss things).
As I scrolled, I noticed a pattern: post after post from different people, all talking about homograph attacks. Each sounded eerily similar: “Can you spot the difference?” “At first glance…” “Can you tell which one’s fake?”
They all echoed the same message, generic, copy-paste warnings that lacked any real story or context. It felt like everyone had asked ChatGPT to write their LinkedIn post for them. None had that personal touch, no real moment of “I almost fell for it.” Well, allow me to give you one.
The Email That Looked Too Legit to Fail
It was one of those rare sunny days in the Netherlands when I received an email from “PayPal.” Subject line: “Payment Failed – Your Lenovo ThinkPad Order Could Not Be Processed.”
At first, I barely raised an eyebrow. The email had landed in my spam folder, but hey, spam filters get it wrong sometimes. And the sender? It said paypal.com. Clearly legitimate… right?
The message was perfectly formatted: professional layout, the right fonts, a crisp logo, and a polite but firm tone. It even included the details of the “order,” a failed payment notice, and, of course, an attached invoice.
Before opening the invoice, I did the sensible thing: I double-checked the sender. Everything looked fine. The domain was paypal.com. No odd spelling, no typos.
Then doubt crept in. 
Wait… I hadn’t ordered a ThinkPad.
Maybe it was a system error; I’d bought something from Lenovo last year. Could their system have glitched? I checked my bank account. Nothing. PayPal account. Nothing. Lenovo purchase history. Still nothing.
Everything looked clean. Yet that email kept gnawing at me.
The Moment of Realization
So, I went back to the email and copied the sender’s address into a Word document, right next to a manually typed paypal.com. They looked identical, perfectly identical.
But something still felt off.
I launched a sandbox, opened a secure browser, and pasted the sender’s URL. Then it hit me.
What looked like paypal.com was actually written in the Cyrillic alphabet (spelled like RauRal), ending with a Latin “l.” Visually identical to the real PayPal address, but technically an entirely different domain, which when pasted into a browser’s URL would show as: xn--l-7sba6dbr.com
Browsers display it that way because they convert non-Latin letters into something called Punycode, a special format that turns foreign characters into ASCII (the basic letters and numbers the internet can understand).
So, whenever a domain mixes alphabets, your browser translates it into this coded version — revealing that it isn’t the real site after all.
That’s how deep these tricks go. It’s not just about typos or extra letters; it’s entire alphabets being mixed together to fool your eyes.
There goes the little hobbitses, yes.. playing their nasty trickses.
Understanding Homograph Attacks
What I had encountered was a textbook example of a homograph attack, a form of phishing where attackers register domains that look identical to trusted ones by exploiting Unicode characters.
In short, not every letter you see online is the same letter your eyes think it is. For example:
apple.com vs аpple.com (the second one uses a Cyrillic “a”)
microsoft.com vs microsоft.com (the “o” replaced with a Greek omicron)
paypal.com vs paypaI.com (the “L” swapped with a capital “i”)
These domains pass visual inspection but lead to malicious websites designed to harvest credentials or distribute malware. Attackers can even secure SSL certificates for these domains, making them appear secure with that reassuring little padlock.
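The Punycode conversion and the lookalike examples above, as an added Python example (not part of the original post): it prints the ASCII form of a domain, flags labels that mix scripts, and compares the result against a small allow-list. The confusables map, the allow-list and the function names are constructed for illustration.

```python
import unicodedata

# Constructed sample data (assumptions): a tiny confusables map and allow-list.
# Production checks would draw on the full Unicode confusables data instead.
CONFUSABLES = {"\u0430": "a", "\u0440": "p", "\u0443": "y", "\u043e": "o",
               "\u03bf": "o", "I": "l"}
TRUSTED = {"paypal.com", "apple.com", "microsoft.com"}

def scripts(label):
    """Scripts used by the letters of one label, taken from Unicode names."""
    return {unicodedata.name(ch).split()[0] for ch in label if ch.isalpha()}

def to_ace(domain):
    """ASCII (Punycode) form of a domain: non-ASCII labels become xn--..."""
    out = []
    for label in domain.lower().split("."):
        if not label.isascii():
            label = "xn--" + label.encode("punycode").decode("ascii")
        out.append(label)
    return ".".join(out)

def skeleton(domain):
    """Fold known lookalike characters to the letters they imitate."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in domain).lower()

def inspect(domain):
    """Return findings for a sender or link domain; empty means nothing flagged."""
    findings = []
    for label in domain.split("."):
        found = scripts(label)
        if len(found) > 1:
            findings.append("mixed-script:" + "+".join(sorted(found)))
        elif found and found != {"LATIN"}:
            findings.append("non-latin:" + "".join(found))
    skel = skeleton(domain)
    if domain.lower() not in TRUSTED and skel in TRUSTED:
        findings.append("lookalike:" + skel)
    return findings

if __name__ == "__main__":
    samples = ["paypal.com",
               "\u0440\u0430\u0443\u0440\u0430l.com",  # Cyrillic letters + Latin "l"
               "paypaI.com"]                           # ASCII only: capital "i"
    for d in samples:
        print(to_ace(d), inspect(d))
```

The all-ASCII paypaI.com case produces no script finding and no xn-- form; only lowercasing it and the allow-list comparison expose it.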
Lessons Learned
That day, curiosity and caution went hand in hand, and saved me from a costly mistake. It reminded me that even the most vigilant among us can be fooled by what looks legitimate.
Homograph attacks thrive on trust in the human eye. We’re conditioned to glance, not to scrutinize.
Here’s what helps defend against them:
Hover before you click. Check the real destination URL in a safe sandbox browser.
Copy and paste manually. When in doubt, type the domain yourself instead of clicking links.
Use email security filters and sandboxing. Especially for attachments and invoices.
Educate your team. Awareness training still remains one of the strongest defenses.
Closing Thought
Homograph attacks are not new, but they’re evolving, quietly blending into the everyday digital noise. So next time you see someone post, “Can you spot the difference?”, remember that behind that cliché lies a genuine threat that nearly fooled me, too. Because in cybersecurity, seeing isn’t always believing.
One morning at work, I opened LinkedIn with my coffee and saw many people posting about “homograph attacks.”
Every post looked the same: “Can you spot the difference?” “Which one is fake?”
No one shared a real story. So here’s mine.
The Email That Looked Real
It was a sunny day in the Netherlands when I got an email from “PayPal.”
Subject: “Payment Failed – Your Lenovo ThinkPad Order Could Not Be Processed.”
At first, it seemed normal. The sender looked like paypal.com, and the email design looked official — logo, layout, fonts, all correct.
Even the tone was professional. It came with an invoice attached.
But I hadn’t ordered a ThinkPad. That felt strange.
I checked my bank, my PayPal account, and my Lenovo history. Nothing.
Still, I couldn’t shake off the feeling that something was wrong.
The Discovery
I copied the sender’s email address into Word, next to a manually typed paypal.com.
They looked exactly the same. Hmm...
So I opened a sandbox and tested the sender’s link safely.
That’s when I saw it: the domain used a Cyrillic letter instead of a Latin one.
It looked like paypal.com, but it wasn’t. It was paypaI.com with a capital “i” instead of an “L”. 
Visually identical, but technically an entirely different domain, which when pasted into a browser’s URL would show as xn--l-7sba6dbr.com.
Browsers display it like that because they convert non-Latin letters into something called Punycode.
It’s a special format that turns foreign characters into basic ASCII so the internet can understand them.
That translation exposes when a domain secretly uses lookalike characters.
That tiny difference could have cost me my credentials or money.
What Is a Homograph Attack?
A homograph attack happens when attackers use similar-looking characters from other alphabets to create fake domains.
For example:
apple.com vs аpple.com (the first letter is Cyrillic)
microsoft.com vs microsоft.com (different “o”)
paypal.com vs paypaI.com (capital “i” instead of “L”)
These domains look real but take you to malicious sites that steal data or install malware.
Even the padlock icon in your browser can appear, because attackers can get valid SSL certificates.
How to Protect Yourself
Hover over links before clicking to see the real destination.
When in doubt, type the website address yourself in a sandboxed browser.
Use email filters and sandbox tools for suspicious attachments.
Train your staff. Awareness prevents most attacks.
Final Thought
Homograph attacks are quiet but dangerous. They rely on our trust in what we see.
I was lucky to check twice before clicking. Next time you get an email that looks right, take a second look.
In cybersecurity, what you see isn’t always what’s real.