Domains that consist exclusively of ASCII characters are not the only ones that can be (ab)used to lure users to forged websites. The same is true for Internationalized Domains (IDNs). At first glance, the domains of such websites look like well-known original domains, but they were registered by third parties solely to imitate the original. The goal of such attempted fraud, also called "phishing", is to obtain confidential information such as passwords.
The risk of becoming a phishing victim is no more severe for IDNs than it is for domains whose names include only ASCII characters. A typical method of fooling the user is to replace an original "o" with "0", "1" with "l", or a lower-case "l" with an upper-case "i".
The developers of the IDN standard were well aware of the existence of identical glyphs (character displays) in different scripts (Latin, Cyrillic, Greek etc.) when they created the specification, and the IDN RFCs 3490 and 3491 expressly make reference to them. To make it easier to identify characters uniquely and harder to substitute them, DENIC allows only Latin characters to be used. Thus, no sets of characters with identical appearance are accepted for .de domains, only similar ones at most.
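Both cases described above, ASCII substitutions and identical glyphs from other scripts, can be checked mechanically when a link is reviewed. The following Python code is an added example, not DENIC's registration logic; the function names and the sample labels are assumptions constructed for illustration.

```python
import unicodedata

# Look-alike pairs named in the text: "o"/"0", "1"/"l", lower-case "l"/upper-case "i".
LOOKALIKES = str.maketrans({"0": "o", "1": "l", "I": "l"})

def decode_label(label):
    """Return the Unicode form of one DNS label (ACE prefix "xn--" marks an IDN)."""
    if label.lower().startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label

def non_latin_letters(label):
    """List (character, Unicode name) for every letter outside the Latin script."""
    return [(ch, unicodedata.name(ch, "UNKNOWN"))
            for ch in decode_label(label)
            if ch.isalpha() and not unicodedata.name(ch, "").startswith("LATIN")]

def skeleton(label):
    """Fold the ASCII look-alikes together; "I" is mapped before lower-casing."""
    return decode_label(label).translate(LOOKALIKES).lower()

def review(candidate, original):
    """Compare a label seen in a link with the label of the known original."""
    if non_latin_letters(candidate):
        return "non-latin"   # identical glyphs from another script are possible
    if decode_label(candidate).lower() == decode_label(original).lower():
        return "same"
    if skeleton(candidate) == skeleton(original):
        return "lookalike"   # differs only by 0/o, 1/l or I/l
    return "different"

if __name__ == "__main__":
    # Constructed sample labels; the Cyrillic one is built here, not quoted.
    cyrillic_e = "xn--" + "\u0435xample".encode("punycode").decode("ascii")
    samples = [("xn--mnchen-3ya", "xn--mnchen-3ya"), (cyrillic_e, "example"),
               ("examp1e", "example"), ("maiI", "mail")]
    for cand, orig in samples:
        print(f"{cand:>18} vs {decode_label(orig):<8} -> {review(cand, orig)}")
```

A label with Latin umlauts passes the script check, while the label containing a Cyrillic letter is reported as "non-latin" even though it renders like the ASCII original.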
You can take quite a few measures to protect against phishing attempts. Below you will find a list - not claiming to be exhaustive - of the most important ones.
- Always use encrypted connections to pass on sensitive information. Reveal it only to identified, trustworthy partners.
- Be suspicious if e-mails, blogs etc. ask you to "urgently" visit pages you do business with (e-banking etc.).
- Follow established bookmarks rather than links in e-mails. Avoid using HTML-coded mails.
- Take warning messages about insecure, unknown or altered certificates seriously.
- Consult the Federal Agency for Security in Information Technology (BSI) at regular intervals so that you are always up-to-date.
As regards .de domains, IDNs are a useful enrichment, and by incorporating language-specific characters they foster .de's function as a country code Top Level Domain. The advantages clearly outweigh potential security risks, which would persist even without IDNs.