Warning: Watch Out for This Japanese Character in Your Booking.com Email

Hackers are making use of deceptive-looking Japanese characters to confuse victims and infect Booking.com users with malware.

The phishing campaign, first spotted by Bleeping Computer, uses the Japanese letter “ん,” which can, particularly in some fonts, look pretty similar to a forward slash if you’re not paying close attention. Strange-looking links and URLs, which differ from the authentic website, are one of the best-known indications of a phishing attack. But using this technique allows scammers to get users to click on a link without noticing it isn’t the real deal.

According to screencaps shared on X by independent security researcher JAMESWT, the fake emails sent to victims contain completely legitimate-looking links. However, the hyperlink embedded in the link is fake and redirects them to a malicious copy of the Booking.com website. As the fake link uses these Japanese “ん” characters instead of the conventional English language characters for a forward slash, it can avoid detection.

This Tweet is currently unavailable. It might be loading or has been removed.

Unsuspecting users are then taken through a series of different webpages, before an MSI file is then used to spread malicious payloads such as infostealers or remote access trojans.

Homoglyphs—characters in certain alphabets which closely resemble letters in other alphabets—have been widely exploited by cybercriminals in recent years.

In February 2025, researchers at Trend Micro uncovered a phishing campaign targeting Ukrainian organizations which exploited the visual similarity between the Cyrillic letter “С” and the Latin letter “C” to spoof links. The Cyrillic alphabet, which is used in languages like Russian, Ukrainian, and Bulgarian, has many characters in common with English, but often with slight variations in form, sounds, and meanings.

In that campaign, these deceptive characters were used to trick users into clicking on fake Microsoft Word .doc files, covertly sneaking in the Cyrillic “С,” and triggering an exploit in the process.

But cybercriminals don’t even need to leverage exotic foreign languages for these types of homograph attacks to work. Another Bleeping Computer journalist recently spotted a phishing campaign targeting users of popular accounting tool Intuit. The hackers exploited the visual similarity between the lowercase letter “l” and the lowercase letter “i” to trick users into trusting phishing emails with the @lntuit.com ending.

Get Our Best Stories!

Your Daily Dose of Our Top Tech News

Sign up for our What’s New Now newsletter to receive the latest news, best new products, and expert advice from the editors of PCMag.

Sign up for our What’s New Now newsletter to receive the latest news, best new products, and expert advice from the editors of PCMag.

By clicking Sign Me Up, you confirm you are 16+ and agree to our Terms of Use and Privacy Policy.

Thanks for signing up!

Your subscription has been confirmed. Keep an eye on your inbox!

About Will McCurdy

Contributor

I’m a reporter covering weekend news. Before joining PCMag in 2024, I picked up bylines in BBC News, The Guardian, The Times of London, The Daily Beast, Vice, Slate, Fast Company, The Evening Standard, The i, TechRadar, and Decrypt Media.

I’ve been a PC gamer since you had to install games from multiple CD-ROMs by hand. As a reporter, I’m passionate about the intersection of tech and human lives. I’ve covered everything from crypto scandals to the art world, as well as conspiracy theories, UK politics, and Russia and foreign affairs.

Read Will’s full bio

Read the latest from Will McCurdy