You are rushing to reach somewhere, and suddenly you receive a message, by email, SMS or chat, asking you to click a URL. The URL may look like an authentic one from your bank. You may be surprised to learn that what you see may not be genuine, and the difference is so hard to detect that it is extremely worrisome. The similar-looking URL may contain letters from the Cyrillic alphabet (a script used by Russian and Slavic countries), so that a fraudulent website is disguised as your bank's. Check the image below.
 
 
Here is one more example. You want to open whatsapp.com and find the URL available in a message. You open that readily available URL only to be redirected to a similar-looking but fraudulent website. The reason is that two characters in the URL you opened were replaced by letters from the Cyrillic script. You wanted to visit whatsapp.com but instead ended up at щhaтsapp.com. If you look carefully, the letters 'w' and 't' are replaced by 'щ' and 'т' in the bogus URL.
 
 
Fake URLs with Cyrillic letters can be created by using a technique called homograph spoofing. Homograph spoofing involves using characters from different scripts, such as Cyrillic, that visually resemble characters from the Latin script. This technique is used to create URLs that appear similar to legitimate websites but lead to different destinations. It is important to note that such practices are often associated with phishing attempts and other malicious activities.
 
Hackers have also been using Armenian, Hebrew, Chinese and Greek letters that are similar to the original to create fake URLs. However, with its 11 lower-case characters that are identical, or very similar, to Latin letters and numbers, Cyrillic is the script most preferred by fraudsters and hackers.
 
In 2017, security researcher Xudong Zheng successfully demonstrated homograph spoofing. He bought a domain containing foreign characters to resemble apple.com. He even obtained the security certificate for this domain.

"From a security perspective, Unicode domains can be problematic because many Unicode characters are difficult to distinguish from common American standard code for information interchange (ASCII) characters. It is possible to register domains such as "xn--pple-43d.com", which is equivalent to "apple.com". It may not be obvious at first glance, but "apple.com" uses the Cyrillic "a" (U+0430) rather than the ASCII "a" (U+0061)," Mr Zheng wrote in his blog at that time.
 
Here is one more example of a fake URL using Cyrillic letters:
Legitimate URL: openai.com
Fake URL: ореnаі.com (the underlying ASCII form of this name is xn--n-8sbn9ak9k.com, which is displayed as a look-alike of openai.com; ASCII is the most common character encoding format for text data.)
 
In the fake URL above, the Cyrillic characters 'o' and 'i' are used to replace the Latin characters 'p' and 'a', respectively, creating a visually similar but fake URL.
 
Until 1998, domain names were written only in Latin characters without diacritics. Since then, domain names have been allowed to be written in other scripts such as Cyrillic, Chinese or Arabic, among others. This opened a new avenue for fraudsters to launch attacks through homograph spoofing.
 
Further, Unicode incorporates numerous writing systems, and, for several reasons, similar-looking characters such as 'O' in Latin (U+004F) and Cyrillic (U+041E) are assigned different codes. This creates a possibility for security attacks.  
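
The check below is an added example, not code from the original article. It decodes any Punycode (`xn--`) labels in a hostname, lists the non-ASCII code points, flags labels that mix scripts, and compares a Latin "skeleton" of the name with a watch list. The `LOOKALIKES` table, the watch list and the sample hostnames are constructed for illustration from the examples above.

```python
import unicodedata

# Constructed, illustrative subset of Cyrillic letters and the Latin letters
# they imitate (includes the article's 'щ'->'w' and 'т'->'t' substitutions).
LOOKALIKES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0443": "y", "\u0445": "x", "\u0456": "i", "\u0455": "s", "\u0458": "j",
    "\u0442": "t", "\u0449": "w",
}

def decode_label(label):
    """Unicode form of one DNS label; 'xn--' labels are Punycode-decoded."""
    if label.lower().startswith("xn--"):
        try:
            return label[4:].encode("ascii").decode("punycode")
        except UnicodeError:
            return label  # malformed Punycode: keep the raw label
    return label

def scripts(label):
    """Scripts used by the letters of a label, read from Unicode names."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0]
            for ch in label if ch.isalpha()}

def inspect_host(host, protected):
    """Report what a hostname really contains and which domain it imitates."""
    labels = [decode_label(part).lower() for part in host.split(".")]
    shown = ".".join(labels)
    skeleton = "".join(LOOKALIKES.get(ch, ch) for ch in shown)
    return {
        "shown": shown,
        "non_ascii": [f"U+{ord(ch):04X}" for ch in shown if ord(ch) > 127],
        # Mixed scripts inside one label is a strong warning sign, but a name
        # written entirely in one foreign script would pass this test, so the
        # skeleton comparison below is needed as well.
        "mixed_script": any(len(scripts(label)) > 1 for label in labels),
        "imitates": skeleton if skeleton != shown and skeleton in protected
                    else None,
    }

if __name__ == "__main__":
    PROTECTED = {"apple.com", "whatsapp.com", "openai.com"}  # assumed watch list
    # Constructed samples mirroring the article's examples, plus a genuine name.
    SAMPLES = ["xn--pple-43d.com", "\u0449ha\u0442sapp.com",
               "\u043e\u0440\u0435n\u0430\u0456.com", "apple.com"]
    for host in SAMPLES:
        print(host, inspect_host(host, PROTECTED))
```

A production check would replace the small table with the full Unicode confusables data rather than this hand-picked subset.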
 
While most web browsers are developing techniques to defeat homograph spoofing, hackers are busy creating and registering newer domains resembling existing, authentic web addresses. If your browser does not support the detection of homograph spoofing, see if any plugins are available for this. 
 
This brings us to the most critical question: how can one protect oneself from homograph spoofing?
 
Here are some measures you can take...
1. Pay attention to the URL: Carefully examine the URL of a website before clicking on it or entering any sensitive information. Look for misspellings, extra characters, or unusual combinations of letters.
 
2. Hover over links: Hover your mouse cursor over a link to view the actual URL it leads to. In most web browsers, the destination URL will appear in the status bar or a tooltip. Verify that the displayed URL matches the intended website.
 
3. Type URLs manually: Instead of relying on links, manually type the URL of the website you want to visit in your browser's address bar. This reduces the risk of clicking on a malicious or spoofed link.
 
4. Enable browser security features: Modern web browsers often have built-in security features that can help detect and warn against potentially dangerous websites. Keep your browser up to date and enable features like anti-phishing and safe browsing.
 
5. Use security software: Use a reliable antivirus or internet security software that can help identify and block malicious websites. These tools often have built-in features to protect against phishing attempts.
 
6. Stay informed about the latest phishing techniques and common scams. Be wary of emails, messages, or pop-ups that ask for personal information or prompt you to click on suspicious links. 
 
By following these precautions, you can significantly reduce the chances of falling for fake URLs and protect yourself from potential phishing attempts or other malicious activities.
 
How To Report Cyber Fraud?
Do report cyber crimes to the National Cyber Crime Reporting Portal http://cybercrime.gov.in or call the toll-free National Helpline number, 1930. To follow on social media: Twitter (@Cyberdost), Facebook (CyberDostI4C), Instagram (cyberdostl4C), Telegram (cyberdosti4c). 
 
 
If the fraud is related to your bank account, you need to immediately send an email to the official email ID of your branch (you can find it on the bank's website or your passbook) with a copy to the bank's customer care. Even if you have called the official number for customer care, you must still send an email describing your conversation with the bank executive, along with the time, date, and duration of the call. This will be helpful if you face a liability issue with the bank.