1. Identical url as the real website. 2. Valid ssl certificate. You only figure out that it's not the real site if you navigate into the certificate and check the domain name in the technical details. No casual user does that and no user should be expected to do this.

This is serious, browsers should not support unicode in the address bar. It's going to be impossible to detect fake url's just by looking at the url, there is bound to be a unicode character that looks like a regular ascii character but isnt. Then the scammer can just replace it in the url and make anybody believe that you are on a real site.

Here is a picture of the problem: https://imgur.com/a/LZFfN