
Phishing URL Checker

The Phishing URL Checker analyzes any URL for indicators of phishing activity. It performs multiple security checks to determine whether a URL is legitimate or potentially malicious, returning a risk score and detailed breakdown of risk signals found.

Accessing the Tool

Navigate to Tools → Phishing URL Checker in the sidebar. The tool is available to all users, including guests, with different rate limits depending on your authentication status.

Rate Limits

Guest users are limited to 10 checks per minute. Authenticated users can perform up to 30 checks per minute. If you exceed the limit, wait briefly before submitting another URL.

How It Works

Paste any URL into the input field and click Check URL. The tool runs the URL through a series of security checks and returns results within seconds. Each check contributes to an overall risk score between 0 and 100.

The following checks are performed on every URL submission:

  • SSL/TLS Certificate Validation — Verifies that the site has a valid SSL certificate, checks the certificate issuer, and flags expired, self-signed, or mismatched certificates
  • Redirect Chain Analysis — Follows all redirects from the initial URL to the final destination, flagging excessive or suspicious redirect chains often used to obscure the true landing page
  • Blacklist Checks — Queries known phishing and malware blacklists to determine if the URL or its domain has been previously flagged as malicious
  • Domain Age Verification — Looks up the domain registration date. Newly registered domains are a strong indicator of phishing, as attackers frequently spin up fresh domains for short-lived campaigns
  • Suspicious Pattern Detection — Analyzes the URL structure for common phishing patterns including misleading subdomains, excessive hyphens, IP-based URLs, homoglyph characters, and brand impersonation in the path
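
The structural patterns named in the Suspicious Pattern Detection check can be approximated with a few lines of URL parsing. The sketch below is an added example, not the checker's own code; the brand list, the hyphen threshold, the signal names, and the two-label registrable-domain shortcut are assumptions made for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Assumed values for this sketch; not the checker's real brand list or threshold.
BRANDS = ("paypal", "microsoft", "apple")
MAX_HYPHENS = 3

def url_signals(url):
    """Return the sorted structural risk signals found in one URL."""
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")
    signals = set()
    if parts.scheme != "https":
        signals.add("no-https")

    # Raw IP literal (IPv4 or IPv6) used instead of a domain name.
    try:
        ipaddress.ip_address(host)
        signals.add("ip-host")
        return sorted(signals)
    except ValueError:
        pass

    labels = host.split(".")
    # Naive registrable domain: the last two labels. Production code should
    # consult the Public Suffix List so that suffixes like "co.uk" work.
    owner = labels[-2] if len(labels) >= 2 else host
    sub_labels = labels[:-2]

    for brand in BRANDS:
        if owner == brand:
            continue  # the brand name is the registered domain itself
        if any(brand in label for label in sub_labels):
            signals.add("brand-in-subdomain")
        if brand in parts.path.lower():
            signals.add("brand-in-path")

    if host.count("-") > MAX_HYPHENS:
        signals.add("excessive-hyphens")
    # Non-ASCII or punycode labels are candidates for homoglyph review.
    if not host.isascii() or any(l.startswith("xn--") for l in labels):
        signals.add("non-ascii-host")
    return sorted(signals)

if __name__ == "__main__":
    # Constructed sample URLs (documentation address ranges and names).
    for u in ("https://paypal.login.malicious-site.com/", "http://192.0.2.10/login"):
        print(u, url_signals(u))
```

Structural signals like these only cover one of the five checks; certificate, redirect, blacklist, and domain-age results require network lookups and are not modeled here.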

Understanding the Risk Score

The Phishing URL Checker returns a risk score from 0 to 100, where higher scores indicate a greater likelihood of phishing activity.

  • 0–20 (Low Risk) — No significant phishing indicators detected. The URL appears legitimate, though you should still exercise caution when sharing credentials.
  • 21–50 (Moderate Risk) — Some suspicious signals were found. Review the detailed findings before proceeding. The site may be legitimate but has characteristics common to phishing pages.
  • 51–80 (High Risk) — Multiple phishing indicators detected. It is strongly recommended that you do not visit this URL or enter any personal information.
  • 81–100 (Critical Risk) — The URL is almost certainly a phishing attempt. It may be listed on known blacklists, use a recently registered domain, and display multiple structural red flags.

Risk Signals

Below the risk score, the results page displays individual risk signals with their severity. Each signal includes a description of what was found and why it contributes to the overall score. Common signals include:

  • Invalid or missing SSL certificate — The site does not use HTTPS or has certificate errors
  • Domain registered within the last 30 days — Freshly registered domains are a hallmark of phishing campaigns
  • URL contains brand name in subdomain — A common tactic where attackers place a trusted brand name in a subdomain (e.g., paypal.login.malicious-site.com)
  • Excessive redirect chain — Multiple redirects are used to evade detection and tracking
  • Listed on phishing blacklist — The URL or domain has been reported and confirmed as malicious by a threat intelligence provider
  • IP address used instead of domain name — Legitimate sites rarely use raw IP addresses in their URLs

Important

A low risk score does not guarantee a URL is safe. Sophisticated phishing attacks may evade automated detection. Always verify the legitimacy of a website independently before entering sensitive information such as passwords or payment details.

Use Cases

The Phishing URL Checker is useful in a variety of scenarios:

  • Investigating suspicious links found in emails reported through your abuse desk
  • Verifying URLs shared in DMARC forensic reports before opening them
  • Training employees to recognize phishing indicators
  • Checking URLs flagged by the Brand Protection feature
  • Validating links before sharing them with your organization

Tip

Combine the Phishing URL Checker with Threat Intelligence to build a complete picture of email-based threats targeting your domain. When a forensic report flags a suspicious link, paste it into the checker for instant analysis.
