Free tool
Phishing URL Checker
Paste any link and get an instant, browser-only phishing analysis: lookalike domains, homoglyphs, brand combosquats, IP hosts, sneaky TLDs and more, each red flag scored and explained. The link is never opened or sent anywhere.
Structural red-flag analysis runs in your browser. We also run a live threat-intelligence check via urlscans.com — the URL string is sent to that service, but the link itself is never opened by you.
What the checker looks for
Phishing URLs almost always carry structural tells. The checker scores the link against the same signals a SOC analyst would eyeball:
- Brand outside the real domain — apple.find-device.support puts "apple" in the subdomain, but the registered domain is find-device.support.
- Homoglyph / IDN characters — non-ASCII letters or xn-- punycode that mimic a brand.
- Combosquats — paypal-secure.com, microsoft-verify.net: the brand plus a reassuring keyword.
- IP-address hosts, @-credentials, low-trust TLDs, shorteners, and missing HTTPS — each a known abuse pattern.
Reading the result
The risk score weights each finding by severity. A high score means multiple strong signals stacked up; a low score means none of the common structural tricks were present, which is reassuring but never a guarantee. Treat the explanations as the real output: they tell you why a link is risky so you can make the call yourself. For the patterns behind these checks, see typosquatting, homoglyph attacks, and lookalike domains.
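A sketch of how several of the structural checks and the weighted score described above can be computed from the URL string alone. This is an added example, not the tool's own code: the brand map, lure words, shortener list, weights, and the two-label registered-domain shortcut are all assumptions made for illustration.

```javascript
// Constructed lists and weights: assumptions for this example, not the tool's data.
const BRANDS = { apple: "apple.com", paypal: "paypal.com",
                 microsoft: "microsoft.com", docusign: "docusign.net" };
const LURES = ["secure", "verify", "login", "support"];
const SHORTENERS = ["bit.ly"];
const WEIGHTS = { "brand-in-subdomain": 40, "combosquat": 40, "idn-punycode": 35,
                  "ip-host": 30, "at-credentials": 30, "shortener": 15, "no-https": 10 };

// Simplification: the last two labels stand in for the registered domain.
// Production code needs the Public Suffix List (co.uk, com.au, ...).
function registeredDomain(host) {
  return host.split(".").slice(-2).join(".");
}

function checkUrl(input) {
  let url;
  try { url = new URL(input); }      // parse only; nothing is fetched
  catch { return null; }             // not a parseable absolute URL
  const host = url.hostname;         // WHATWG URL yields IDN hosts as xn-- punycode
  const reg = registeredDomain(host);
  const subLabels = host.slice(0, host.length - reg.length).split(".");
  const regTokens = reg.split(".")[0].split("-");
  const findings = [];

  if (url.protocol !== "https:") findings.push("no-https");
  if (url.username || url.password) findings.push("at-credentials");
  const isIp = /^\d+(\.\d+){3}$/.test(host) || host.startsWith("[");
  if (isIp) findings.push("ip-host");
  if (host.split(".").some((l) => l.startsWith("xn--"))) findings.push("idn-punycode");
  if (SHORTENERS.includes(reg)) findings.push("shortener");

  for (const [brand, realDomain] of Object.entries(BRANDS)) {
    if (isIp || reg === realDomain) continue;   // genuine domain: nothing to flag
    // Brand appears left of the registered domain, e.g. apple.find-device.support
    if (subLabels.some((l) => l.includes(brand))) findings.push("brand-in-subdomain");
    // Brand plus a reassuring keyword inside the registered label, e.g. paypal-secure.com
    if (regTokens.includes(brand) && regTokens.some((t) => LURES.includes(t)))
      findings.push("combosquat");
  }
  // Each finding adds its weight; the total is capped at 100.
  const score = Math.min(100, findings.reduce((s, f) => s + WEIGHTS[f], 0));
  return { score, findings };
}
```

An empty findings list only means none of these particular patterns matched, which is the same limit the score itself has.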
Frequently asked questions
How does the phishing URL checker work?
It runs two layers. First, structural heuristics parse the link in your browser — IP-address hosts, homoglyph/IDN characters, brand names placed outside the real registered domain, combosquats (brand-secure, brand-login), low-trust TLDs, URL shorteners, embedded @ credentials, and missing HTTPS. Second, a live threat-intelligence check against urlscans.com tells you whether the URL is already known to be malicious. Each finding is scored and explained.
Is it safe to paste a phishing link here?
Yes — the tool never opens or visits the link, so it can't infect you. The structural analysis happens in your browser. The URL string (not your click) is sent to urlscans.com for the live threat-intelligence verdict; it isn't stored by this site. If you'd rather keep the URL entirely local, the structural red-flag analysis still works on its own.
Does a low score mean the link is safe?
No. A low score means the URL didn't trip common structural red flags, but a careful attacker can register a clean-looking domain. Always confirm you're on the genuine site (type the address yourself) before entering a password or payment details.
What is a homoglyph or IDN phishing domain?
An internationalized domain name (IDN) can include non-Latin characters that look identical to Latin ones — for example a Cyrillic 'а' or a dotless Turkish 'ı'. A domain like docusıgn.net can render almost exactly like docusign.net while pointing somewhere else. Browsers show these as punycode (xn--…); this tool flags both.
How do I check a shortened link without clicking it?
Many shorteners let you preview the destination by adding a '+' to the end of the link (for bit.ly) or using their preview page. This tool flags shorteners so you know to expand them; never trust a shortened link from an unexpected message.
