A new homograph attack is quietly bypassing old phishing defenses. Instead of sloppy fakes, scammers now use near-identical characters to build URLs that look legitimate even to users who double-check before clicking. And right now, they’re going after Booking.com customers.
Homograph attack swaps in deceptive characters

Cybersecurity researchers have tracked a phishing campaign that uses the Japanese hiragana character “ん” to mimic familiar elements in URLs. It looks like a slash, a lowercase “n,” or even a tilde. Most people won’t notice the difference, especially at a glance.
For example, this malicious link appears safe:
https://account.booking.comんdetailんrestric-access.www-account-booking.com/en/
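But “ん” is not a slash, so everything before “www-account-booking.com” is part of the hostname rather than a path on booking.com. The lookalike characters send users to a fake Booking.com page, where malware gets delivered in the background.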
Scammers target Booking.com logins
These phishing emails don’t feel suspicious. They’re styled like real Booking.com messages and direct users to login forms that appear authentic. Still, clicking through hands control to bad actors.
Instead of visiting the actual site, users unknowingly launch malware. The installer may deploy an infostealer that grabs passwords and financial data. In other cases, it installs a remote access trojan, letting attackers take control of the system entirely.
This isn’t just about bad design; it’s about calculated deception.
Homograph attack tactics go beyond travel
This isn’t the first phishing scam aimed at Booking.com users. Earlier this year, scammers sent fake security CAPTCHAs to trick people into downloading malware. But it doesn’t stop there.
Other attacks now use the same homograph trick against different companies. For instance, some fake Intuit emails lead to domains like lntuit.com, where a lowercase “L” replaces a capital “I.” In certain fonts, there’s no way to spot the difference unless you’re really looking.
Signs a URL might be faked
Even though these scams look cleaner, they still leave clues. If a link feels slightly off, or you’re being pushed to log in urgently, pause and inspect the details.
Here are warning signs to watch for:
- URLs with strange characters that mimic slashes or letters
- Domains with small spelling differences or character swaps
- Sites that look real but ask for credentials too quickly
- Security prompts that feel out of place
- Emails urging fast action with no clear reason
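The first two warning signs can be checked mechanically. The Python sketch below is an added example, not code from the article or the researchers: it reports the hostname's real registrable domain, its ASCII (punycode) form, and any non-ASCII characters hiding in it. The function names and the "last two labels" shortcut for the registrable domain are assumptions made for illustration.

```python
import unicodedata
from urllib.parse import urlsplit

# The link quoted in the article, with the hiragana character written as \u3093.
SAMPLE = ("https://account.booking.com\u3093detail\u3093restric-access"
          ".www-account-booking.com/en/")


def to_ace(label):
    """Return the ASCII (punycode) form of one hostname label."""
    if label.isascii():
        return label
    return "xn--" + label.encode("punycode").decode("ascii")


def inspect_url(url, expected_domain):
    """Report what a URL's hostname really is, not what it looks like."""
    host = urlsplit(url).hostname or ""
    labels = host.split(".")
    # Assumption: the registrable domain is the last two labels. Production
    # code should consult the Public Suffix List (e.g. for .co.uk).
    registrable = ".".join(labels[-2:])
    # Every non-ASCII character in the hostname, with its Unicode name.
    non_ascii = [(f"U+{ord(c):04X}", unicodedata.name(c, "UNKNOWN"))
                 for c in host if not c.isascii()]
    return {
        "registrable": registrable,
        "ace_host": ".".join(to_ace(label) for label in labels),
        "non_ascii": non_ascii,
        "suspicious": bool(non_ascii) or registrable != expected_domain,
    }


if __name__ == "__main__":
    for key, value in inspect_url(SAMPLE, "booking.com").items():
        print(f"{key}: {value}")
```

Run against the sample, it shows that the browser is really being sent to www-account-booking.com and that the "slashes" are two HIRAGANA LETTER N characters inside a single hostname label.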
Homograph attack strategies are evolving fast
Attackers know that users are getting better at spotting phishing attempts. That’s exactly why these URLs look so clean. Instead of sloppy tricks, scammers are now using font tricks, language swaps, and character substitutions to blur the line between fake and real.
So far, this method is slipping past both users and filters. And as more character sets get supported online, the potential for abuse only grows.