Phishing attacks are getting sneakier, and sometimes all it takes is a single Unicode character to fool even a trained eye. One of the newest phishing techniques involves swapping the regular / (slash) with a similar-looking Unicode character.
Visually? Everything looks normal.
Under the hood? The link is not what you think.
Let’s take a look 👇
🔍 Phishing with Unicode: Slash Lookalikes
Attackers exploit Unicode to mimic legitimate URLs by swapping out the slash / with homoglyphs — characters that look the same but are actually different.
| Character | Unicode | Description | Hover Link |
|---|---|---|---|
| / | U+002F | Solidus (Normal Slash) | https://booking.com |
| ∖ | U+2216 | Set Minus (Backslash-like) | https://booking.com |
| ⁄ | U+2044 | Fraction Slash | https://booking.com |
| ∕ | U+2215 | Division Slash | https://booking.com |
| ⧸ | U+29F8 | Big Solidus | https://booking.com |
| / | U+FF0F | Fullwidth Solidus | https://booking.com |
| ︐ | U+FE10 | Presentation Form for Vertical Comma | https://booking.com |
| 〳 | U+3033 | Vertical Kana Repeat Mark Upper | https://booking.com |
| ㇓ | U+31D3 | CJK Stroke-like Character | https://booking.com |
| ん | U+3093 | Hiragana Letter N (used in phishing) | https://booking.com |
| ׃ | U+05C3 | Hebrew Punctuation Sof Pasuq | https://booking.com |
| ܁ | U+0701 | Syriac Supralinear Full Stop | https://booking.com |
| ᜵ | U+1735 | Philippine Single Punctuation | https://booking.com |
| ፡ | U+1361 | Ethiopic Wordspace | https://booking.com |
| • | U+2022 | Bullet | https://booking.com |
| \ | U+FF3C | Fullwidth Reverse Solidus (Backslash) | https://booking.com |
| ᠆ | U+1806 | Mongolian Todo Soft Hyphen | https://booking.com |
| ⁂ | U+2042 | Asterism | https://booking.com |
| ⸻ | U+2E3B | Two-Em Dash | https://booking.com |
| ⹝ | U+2E5D | Oblique Hyphen | https://booking.com |
| … | U+2026 | Ellipsis | https://booking.com |
🛡️ Why This Matters
Phishing pages crafted this way can:
- Bypass visual inspection
- Evade some automated filters
- Trick users into trusting a malicious link
Hovering over links or inspecting the full URL is no longer enough unless you're looking for non-standard characters.
This phishing method has been spotted in the wild, including in a campaign targeting Booking.com customers:
📰 Read the full breakdown here:
👉 Booking.com phishing campaign uses sneaky character to trick you
🎬 Watch the analysis by John Hammond:
👉 YouTube: John Hammond Explains the Unicode Phishing Trick
Stay sharp and stay safe. Just because a link looks right, doesn’t mean it is.
💬 Have you seen similar techniques in the wild? Share below!