/ GUIDE — NETWORK SECURITY

How do you spot a fake WiFi name?

Look-alike and invisible characters can make a rogue network render pixel-identical to yours. Here’s why your eye can’t catch it — and what can.

You usually can’t spot a fake WiFi name by looking — and that’s deliberate. A homoglyph SSID uses Unicode characters that render identically to normal letters, so a rogue “CityCafe” spelled with a Cyrillic “а” looks pixel-perfect while being a different string to the computer. The reliable catch isn’t your eye; it’s reducing every nearby name to a canonical form and flagging two that look the same but aren’t.

A network that looks pixel-identical to yours — spelled with letters that aren’t.
YOUR NETWORK
C
i
t
y
C
a
f
e
BROADCASTING NEARBY
C
i
t
y
C
а
f
e
U+0430
Cyrillic а
SSID LOOK-ALIKEsame pixels, different bytes — one letter isn't Latin
/ THE TRICK

Confusables and characters that render as nothing

Unicode is full of characters that look like common Latin letters. An attacker substitutes one or more of them into a trusted SSID: a Cyrillic or Greek look-alike, an Arabic-Indic digit, an em-dash for a hyphen — or, more insidiously, an invisible zero-width character that renders as nothing at all.

AS DISPLAYED
H
o
m
e
_
W
i
F
i
ACTUAL BYTES
H
o
m
e
_
U+200B
W
i
F
i
A zero-width space renders as nothing — invisible to your eye, but a completely different network name to the computer.
INVISIBLE CHARACTERSsome look-alike tricks use characters that render as nothing at all

Either way, the name passes a human glance, and a distracted user taps connect — usually onto an evil-twin access point waiting behind the look-alike name.

/ DETECTION

How canonical comparison catches it

Since the eye is unreliable here, detection reduces every nearby network name to a canonical comparison key: drop invisible and zero-width characters, normalize the text, strip combining marks, map every Unicode digit to ASCII, and apply a curated confusables table for the substitutions normalization misses.

NETWORK ACityCafe
NETWORK BCityCаfe
REDUCE
zero-width · marks · digits · confusables
KEY citycafe
SAME KEY · DIFFERENT BYTES → MEDIUM
CANONICAL KEYdifferent bytes that reduce to the same key are the tell

When two networks produce the same canonical key but have different raw characters, that’s a look-alike. (Good detection deliberately does not case-fold — SSIDs are case-sensitive, and a capitalization difference isn’t an attack.)

/ WHY AWARENESS MATTERS

Catch it before you connect — and after

Detection here is mostly about awareness before you connect: being told a look-alike of your network is broadcasting nearby, including the invisible-character tricks no human eye would notice. And if you do connect to the impostor anyway, the evil-twin and ARP detectors take over.

1
BEFORE CONNECTLook-alike flaggedcanonical-form match — even invisible characters
2
IF YOU CONNECTEvil-twin + ARP detectorsBSSID, gateway MAC and live ARP capture take over
3
ACTIVE DEFENSEIdentity reset + tunnelfresh MAC/IP, then an encrypted tunnel
LAYERED DEFENSEawareness is the first line — if you connect to the impostor anyway, two more layers are waiting
/ THE TOOL

Catching it automatically

WifiThreatWatch canonicalizes every nearby SSID and warns you when a look-alike of your network appears — the confusable substitutions and invisible characters most software (and every human) would miss. It’s a medium-severity alert, and it’s free.

FREE FOREVERLook-alike SSID detection is free, for Windows.

Go deeper: how we detect look-alike SSIDs · detecting evil twins · the threats library

/ FAQ

Fake WiFi names: quick answers

How can I tell if a WiFi network name is fake?

You often can’t by eye — that’s the whole point of a homoglyph (look-alike) name. It uses Unicode characters that render identically to normal letters, so “CityCafe” spelled with a Cyrillic “а” looks pixel-perfect but is a different string. The reliable way to catch it is software that reduces every nearby SSID to a canonical form and flags two networks that look the same but are spelled with different characters.

What is a homoglyph attack?

A homoglyph attack uses characters that look like other characters to impersonate a trusted name. In WiFi, an attacker names a rogue network with look-alike code points — a Cyrillic “а” for a Latin “a,” an em-dash for a hyphen, or invisible zero-width characters — so the network name passes a human glance while being a completely different string to the computer. It’s usually paired with an evil-twin access point.

Can two WiFi networks have the same name?

Yes, legitimately — a mesh system broadcasts one name from several radios, and chain venues reuse names across locations. That’s why a look-alike is more subtle than a duplicate: the attacker doesn’t reuse your exact name (which would collide), they use one that renders the same but is spelled differently, so it sits beside yours without conflict.

Do invisible characters really work in WiFi names?

Yes. A zero-width space or other invisible format character can be spliced into a trusted name; it renders as nothing, so the SSID looks identical, but the underlying bytes differ. No human eye — and most software — would ever notice. Canonical comparison drops those invisible characters before comparing, which is exactly how you catch the trick.

Your eye can’t catch it.
Canonical comparison can.