
It is possible to carry out a phishing attack with the use of the same method in punycode. Punycode in phishing is really a way a cyber criminal tricks computer users through the remote system they're interacting with, by taking advantage of the truth that a variety of characters look alike. For instance, an individual often visiting paypal.com might be attracted to follow the link [Сlickbank.com] (punycode: xn--lickbank-xjg.com/) in which the Latin C is changed using the Cyrillic С (which is actually the Russian sound for ‘s’. This type of punycode phishing is also called script spoofing. Unicode includes many writing systems, and for several reasons, characters which look alike, for example Latin O, Cyrillic О and Greek O, were not given exactly the same code. Their malicious or incorrect usage is really a possibility for security attacks.
Because punycode enables websites to make use of full names of Unicode characters, it is possible for users of IDNA to be exposed to phishing attacks. Through IDNA, it is possible to make a spoofed site that appears the same as another, including security certificate and domain name, but is in fact controlled by another person who is just trying to steal personal data.

A lot of web browsers have been including a lot of security features in order to combat the problem of punycode in phishing. Google Chrome always displays punycode for components mixing letters from many languages. For instance, there's not really a single language that consists of all characters present in http://søñdërzeiech?domæînistsuþer.p , therefore this is shown as punycode. In the same way, http://Сlickbank.com (having a Cyrillic "С") will show as punycode, even when Russian and English have been in the recognized languages. This is the way it is done even when the domain is under the TLD whose registry is always protecting against phishing attacks.
To be able to address concerns of the usability of punycode, Opera web browser makes use of a white-list for registrars of domain names which have regulations against possible exploits. Therefore, a white-listed TLD displays the Unicode name, while untrusted domain names only display the punycode name with the use of the xn-- prefix. The same measures are being taken by other browsers like Firefox and Internet Explorer.

The most recent versions of browsers, including usually warn of the possible punycode in phishing. They do this by showing the website in the browser bar using punycode rather than Unicode characters. If you work with IDNs, it's smart to look at the address bar after loading a webpage to ascertain if the website's address really shows as punycode. If that's the case, it is very likely that you have been forwarded to a phishing site.