
Phishing in Booking.com and Intuit: Hidden Unicode Character Attacks

Written by Zoilijee Quero | Aug 15, 2025 1:00:00 PM

In phishing, attackers never stop innovating. Now they’re using Unicode characters that seem harmless but can deceive you and lead you straight to fake sites. One of the most recent tricks uses the Japanese character “ん” to make a URL look like a legitimate Booking.com address, when in reality it points to a malicious domain that installs malware.

 

The trick behind “ん”

The campaign was detected by security researchers and leverages the Japanese hiragana character “ん” (Unicode U+3093). In some fonts, this symbol looks similar to “/n” or “/~”, making the address appear genuine at first glance.

For example, in a phishing email, you might see something like:

 

https://admin.booking.com/hotel/hoteladmin/

 

But the real link hides something like:

 

https://account.booking.comんdetailんrestric-access.www-account-booking.com/en/

 

The browser will display it as if you are browsing in a Booking.com subfolder, but the actual domain is www-account-booking[.]com, a fake site designed to steal your information.

 


Copy of phishing email shared by security researcher JamesWT (Source: BLEEPINGCOMPUTER – Security researcher JamesWT)

 

What happens if you fall for it

 

If you click, the site redirects you and downloads a malicious installer (MSI) from an external server. This file can contain infostealers or remote access trojans (RATs), tools that allow attackers to steal credentials, access your system, or spy on your activity.

 


 

Intuit also targeted

 

In another campaign, attackers sent emails impersonating Intuit but used a fake domain that replaced the lowercase “i” with a lowercase “L” (Lntuit). In lowercase, the difference is almost invisible.

On mobile devices, these emails look convincing, and the “Verify my email” button leads to a fraudulent domain. If accessed outside the email, the link may even redirect you to Intuit’s legitimate site—a tactic to avoid raising suspicion.

 


Phishing page as it appears in a web browser (Source: BLEEPINGCOMPUTER – Sergiu Gatlan)

 

The danger of homoglyphs

 

These attacks rely on homoglyphs: characters that look visually similar to others but belong to different alphabets or character sets. Classic examples include Cyrillic letters that look like Latin ones or symbols from other languages that resemble common signs.

Although browsers and platforms have implemented measures to detect this, they are not always foolproof. Attackers keep finding ways to sneak these tricks into phishing campaigns.

 


Intuit phishing email from 'Lntuit.com' viewed on Mailspring for macOS (Sergiu Gatlan)

 

How to protect yourself

 

At TecnetOne, we recommend:

 

  1. Hover over links before clicking to see the real domain.
  2. Focus on the main domain: it’s right before the first /.
  3. Don’t rely solely on visual inspection—homoglyphs can fool anyone.
  4. Keep your security software updated, as modern phishing kits often install malware directly after the click.
  5. Be wary of urgency: if the email says you must act “now” or “immediately,” take a moment to verify.
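The “focus on the main domain” check can be done by a parser instead of by eye. The following is an added example, not code from the original article or from Booking.com or Intuit: it parses a link, reports the domain the browser will actually contact, and lists any non-ASCII characters in the hostname. The function names, the naive two-label domain rule and the `/verify` path are assumptions for illustration; production code should use the Public Suffix List.

```python
import unicodedata
from urllib.parse import urlsplit

# URLs from the article; the /verify path on the second one is constructed.
BOOKING_LURE = ("https://account.booking.comんdetailんrestric-access"
                ".www-account-booking.com/en/")
INTUIT_LURE = "https://lntuit.com/verify"


def registered_domain(host):
    """Assumption: naive last-two-labels rule (wrong for suffixes like co.uk)."""
    labels = host.rstrip(".").split(".")
    return ".".join(labels[-2:])


def inspect_link(href, expected_domain):
    """Report where a link really goes and whether it matches the brand."""
    host = urlsplit(href).hostname or ""
    # Any non-ASCII code point in a hostname deserves a second look.
    non_ascii = sorted({(f"U+{ord(c):04X}", unicodedata.name(c, "UNKNOWN"))
                        for c in host if ord(c) > 127})
    domain = registered_domain(host)
    return {
        "host": host,
        "registered_domain": domain,
        "non_ascii": non_ascii,
        # Exact string comparison catches ASCII lookalikes such as l vs i.
        "matches_expected": domain == expected_domain,
    }


if __name__ == "__main__":
    for url, brand in [(BOOKING_LURE, "booking.com"),
                       (INTUIT_LURE, "intuit.com"),
                       ("https://admin.booking.com/hotel/hoteladmin/", "booking.com")]:
        r = inspect_link(url, brand)
        verdict = "ok" if r["matches_expected"] and not r["non_ascii"] else "SUSPICIOUS"
        print(verdict, r["registered_domain"], r["non_ascii"])
```

The Booking.com lure is flagged twice (wrong registered domain and a hiragana character in the hostname), while the Intuit lure is pure ASCII and is caught only by the exact domain comparison.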

 


How Intuit phishing email appears on mobile (Sergiu Gatlan)

 

Conclusion

 

Phishing attacks are constantly evolving, and the use of “trap” characters like “ん” shows that cybercriminals know how to exploit even the smallest typographic details to trick you. At TecnetOne, we can help you implement solutions that detect these types of threats and train your team to recognize the signs of fraud before it’s too late.