⚠️ Phishing URL Checker
Spot the warning signs in a suspicious link. Paste a URL and this checker flags common phishing tells — all by analyzing the text in your browser. The link is never visited or sent anywhere.
🔍 Analyze a Link
⚠️ Educational only. This checker analyzes the text of the URL entirely in your browser — the link is never visited, fetched, transmitted, or stored on a server. A clean score is not a guarantee of safety, and a high score does not prove a site is malicious.
What is this Phishing URL Checker?
It scores a link against a set of documented phishing heuristics — patterns that legitimate sites rarely use but scammers often do. Each match adds risk points, producing an overall Low, Medium, or High rating and a list of the specific warning signs found.
Because it works purely on the URL text and never visits the link, it is safe to check even a link you strongly suspect is malicious. Treat the result as a prompt to slow down and verify — not as proof of safety or of guilt.
❓ Frequently Asked Questions
Does this actually visit the link?
No. The checker only inspects the text of the URL — its structure, characters, and keywords — entirely in your browser. It never opens, fetches, resolves, or transmits the link, so there is no risk of triggering the malicious page just by checking it.
What warning signs does it look for?
Documented phishing tells: a raw IP address instead of a domain, an '@' that can hide the real host, excessive length, many subdomains, suspicious top-level domains like .zip or .xyz, lots of hyphens, missing HTTPS, and credential-bait words such as login, verify, account, secure, or update.
Does a low score mean the link is safe?
No. This is a heuristic aid, not a verdict. Sophisticated phishing pages can score low, and legitimate sites can trip a rule. Always confirm the domain is exactly the one you expect before entering a password, and never trust a link from an unexpected message.
How can I avoid phishing in the first place?
Type important web addresses yourself or use a bookmark rather than clicking links in email; enable multi-factor authentication (ideally a hardware key); use a password manager, which will refuse to autofill on a look-alike domain; and be sceptical of urgency, threats, and too-good-to-be-true offers.