Phishing URL Scanner — Detect Malicious Links Before You Click
Paste any URL. The scanner runs 12 heuristic checks on the URL string in your browser and returns a verdict — Clean, Suspicious, or Dangerous — with a per-check breakdown. The URL never leaves your machine.
🔒 The URL is analysed entirely in your browser. Zero outbound network requests — verifiable in DevTools.
What this tool does
The Phishing URL Scanner runs 12 heuristic checks against any URL you paste, returning a definitive verdict — Clean, Suspicious, or Dangerous — in under a second. The checks evaluate the URL string only: hostname structure, path patterns, character composition, TLD reputation, length, and known-bad indicators like IP-as-hostname or Punycode abuse. The result includes a per-check breakdown so you can see exactly which patterns triggered (or didn't), making it useful both as a safety check and as a teaching tool.
What is different about this tool: everything happens in your browser. The URL is never sent to any server, never logged, never compared against a remote threat-intelligence feed. You can verify this in your browser's DevTools Network tab — running a scan generates zero outbound requests. This privacy-first architecture is the trade-off: we don't have access to Google Safe Browsing or PhishTank, so our verdict is heuristic-only. For an authoritative threat-intel verdict, cross-check at Google Safe Browsing or urlscan.io after running ours. Use ours for instant private analysis, theirs for canonical verdict.
How it works under the hood
When you submit a URL, the scanner parses it into components (protocol, hostname, path, query) using the browser's built-in URL API, then runs 12 string-pattern checks against the components. Each check is a deterministic rule based on patterns observed in real-world phishing URLs.
The 12 checks.
(1) HTTPS used — http-only URLs are flagged.
(2) IP-address hostname — phishing sites sometimes use raw IPs to hide identity.
(3) Hostname length — over 50 characters is unusual.
(4) Subdomain count — over 4 levels is a phishing signal (e.g. paypal.com.verify.security.malicious.tk).
(5) Brand-in-subdomain — known brand names (paypal, microsoft, google, amazon, apple, netflix, etc.) appearing as subdomains rather than as the registrable domain.
(6) Suspicious TLD — .tk, .ml, .ga, .gq, .cf, .top, .xyz, .work historically have outsized phishing rates.
(7) URL length — over 100 characters is suspicious.
(8) Credential keywords in path — login, verify, secure, update, account, signin, confirm.
(9) Excessive dashes/dots — over 3 in the hostname suggests brand impersonation.
(10) URL shortener detected — bit.ly, tinyurl.com, t.co, goo.gl, is.gd, etc.
(11) Punycode (xn-- prefix) — internationalised-domain encoding sometimes hides Latin lookalikes.
(12) @ symbol in URL — the rarely-used basic-auth syntax that lets attackers craft URLs like https://paypal.com@malicious.com, where the actual destination is everything after the @.
Scoring and verdict. Each check is weighted by phishing-correlation strength. The total score determines the verdict: 0-2 is Clean, 3-5 is Suspicious, 6+ is Dangerous. The thresholds are calibrated against published phishing-URL datasets to balance false positives against false negatives — too aggressive and legitimate enterprise URLs get flagged; too lenient and obvious phishing slips through.
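The following is an added illustration of the parse-then-check-then-score pipeline described above, written for this page and not the scanner's own code. It uses the browser/Node built-in URL API, implements the 12 checks as predicates over the parsed components, and applies the 0-2 / 3-5 / 6+ thresholds. The per-check weights, the brand, TLD and shortener lists, the "more than 4 dot-separated labels" reading of the subdomain rule, and the approximation of the registrable domain as the last two hostname labels (no public-suffix list) are all assumptions made for the example; the check names are likewise invented. Note how the URL API itself does two useful things: it converts a Cyrillic lookalike hostname to its xn-- form, so the Punycode check sees it, and it splits `https://paypal.com@malicious.com` into `username` and `hostname`, so the @ check reads the parsed userinfo rather than scanning the raw string.

```javascript
// Added example, not the tool's code. All lists and weights below are assumptions.
const BRANDS = ["paypal", "microsoft", "google", "amazon", "apple", "netflix"];
const SUSPICIOUS_TLDS = ["tk", "ml", "ga", "gq", "cf", "top", "xyz", "work"];
const SHORTENERS = ["bit.ly", "tinyurl.com", "t.co", "goo.gl", "is.gd"];
const CREDENTIAL_WORDS = ["login", "verify", "secure", "update", "account", "signin", "confirm"];

// Count occurrences of a character in a string.
const countChar = (s, ch) => s.split(ch).length - 1;

// Each check is [name, assumed weight, predicate over a parsed URL object].
// The predicate returns true when the check TRIGGERS (i.e. the URL looks worse).
const CHECKS = [
  ["https-used", 1, (u) => u.protocol !== "https:"],
  ["ip-hostname", 3, (u) => /^\d{1,3}(\.\d{1,3}){3}$/.test(u.hostname) || u.hostname.startsWith("[")],
  ["hostname-length", 1, (u) => u.hostname.length > 50],
  // Assumption: "over 4 levels" read as more than 4 dot-separated labels in the hostname.
  ["subdomain-count", 2, (u) => u.hostname.split(".").length > 4],
  ["brand-in-subdomain", 3, (u) => {
    // Approximate the registrable domain as the last two labels; a real scanner
    // should use the public suffix list so that e.g. example.co.uk is handled.
    const subdomainLabels = u.hostname.split(".").slice(0, -2);
    return subdomainLabels.some((label) => BRANDS.some((b) => label.includes(b)));
  }],
  ["suspicious-tld", 2, (u) => SUSPICIOUS_TLDS.includes(u.hostname.split(".").pop())],
  ["url-length", 1, (u) => u.href.length > 100],
  ["credential-keyword-in-path", 1, (u) => {
    const path = u.pathname.toLowerCase();
    return CREDENTIAL_WORDS.some((w) => path.includes(w));
  }],
  ["excessive-dashes-dots", 1, (u) => countChar(u.hostname, "-") > 3 || countChar(u.hostname, ".") > 3],
  ["url-shortener", 3, (u) => SHORTENERS.includes(u.hostname.replace(/^www\./, ""))],
  // The URL API has already IDNA-encoded any non-ASCII label, so xn-- is visible here.
  ["punycode", 2, (u) => u.hostname.split(".").some((label) => label.startsWith("xn--"))],
  // The URL parser puts everything before '@' into username/password, never into hostname.
  ["at-symbol-userinfo", 3, (u) => u.username !== "" || u.password !== ""],
];

// Thresholds as stated on the page: 0-2 Clean, 3-5 Suspicious, 6+ Dangerous.
function verdictFor(score) {
  if (score >= 6) return "Dangerous";
  if (score >= 3) return "Suspicious";
  return "Clean";
}

// Parse the URL, run every check, and return the score, verdict and per-check breakdown.
function scanUrl(input) {
  let u;
  try {
    u = new URL(input.trim());
  } catch (e) {
    return { valid: false, hostname: null, score: 0, verdict: "Invalid", checks: [] };
  }
  const checks = CHECKS.map(([name, weight, predicate]) => ({ name, weight, triggered: predicate(u) }));
  const score = checks.filter((c) => c.triggered).reduce((sum, c) => sum + c.weight, 0);
  return { valid: true, hostname: u.hostname, score, verdict: verdictFor(score), checks };
}

// Usage with constructed sample inputs (the hostnames are made up for the example).
for (const sample of [
  "https://www.google.com/",
  "http://paypal.com.verify.security.malicious.tk/login",
  "https://paypal.com@malicious.com/",
  "https://p\u0430ypal.com/login", // Cyrillic 'а' in place of Latin 'a'
]) {
  const r = scanUrl(sample);
  const hits = r.checks.filter((c) => c.triggered).map((c) => c.name).join(", ") || "none";
  console.log(`${r.verdict} (score ${r.score}) host=${r.hostname} triggered: ${hits}`);
}
```

Because the breakdown is returned as data rather than only printed, the same function can drive a per-check table in the UI or be called in a loop over a list of URLs for a first-pass triage; nothing in it performs a network request.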
What this scanner does NOT do. It does not visit the URL, does not render the page, does not check Google Safe Browsing or PhishTank, does not follow redirects (which would require a server-side fetch), does not check WHOIS or DNS records. These limitations are deliberate — every one of those would require sending the URL off your machine. URL-pattern heuristics catch around 70-85% of phishing URLs in published benchmarks; for the remainder, you need content-based analysis (urlscan.io, Bolster CheckPhish) or threat-intel feeds (Google Safe Browsing, PhishTank API).
No logging, no rate limit on the tool itself. Since nothing leaves your browser, there is nothing for us to log and no per-IP rate to enforce. Scan as many URLs as you want.
Five real-world use cases
Vet a link before clicking it from a suspicious email
An email arrives claiming to be from your bank, your shipping provider, or a service you use, and it contains a link asking you to verify, login, or update something. Before you click, paste the URL into the scanner. The 12 checks return a verdict in under a second — patterns like brand-name-in-subdomain (paypal-verify.suspicious-domain.com), IP-address hostnames, and excessive special characters get caught instantly. Even if the URL looks fine to you, the scanner often catches subtle phishing patterns the human eye misses (Cyrillic characters that look like Latin letters, doubled domain names, deceptive Punycode).
A non-technical colleague forwards you a link asking 'is this safe to click?' Instead of guessing, run it through the scanner and screenshot the verdict + per-check breakdown. The scanner's check-by-check output gives you a defensible answer — you can show exactly why the URL was flagged (or why it was clean despite looking strange). For an organisation, this builds a pattern of evidence-based decision-making around suspicious links instead of intuition-based judgements that vary by who you ask.
Pre-flight check on shortened URLs before sharing or visiting
Someone DMs you a `bit.ly/abc123` link. You don't know what's behind it. The scanner flags shortener URLs as a moderate-suspicion indicator and prompts you to expand first. Use a URL expander (or urlscan.io which follows redirects safely in a sandbox) to get the actual destination, then re-scan that destination URL. Many phishing campaigns rely on people not bothering to expand shorteners — this two-step process kills that vector entirely.
Bulk URL audit during incident response or threat hunting
You've got a list of 50 URLs from your SIEM that fired a low-confidence phishing alert. Run each one through the scanner to get a quick triage classification — the obvious phishing URLs (high suspicion score with multiple checks tripped) go to the top of your investigation queue, the borderline ones (1-2 checks tripped) get a deeper look, the clean ones get parked. This isn't a replacement for your real security stack but it's a fast first-pass that lets a small team triage a large list quickly.
Security awareness training and team education
You're running an internal phishing-awareness session. Pull up the scanner, paste in 5 example URLs (3 obviously phishing, 1 borderline, 1 legitimate), and walk through each verdict with the team. The check-by-check breakdown teaches people what specifically to look for in URLs — concrete patterns rather than abstract advice like 'be careful'. Within 15 minutes, your team has a mental checklist of what makes a URL suspicious. This is the most effective format we've found for non-technical staff.
Common mistakes & edge cases
Treating a 'Clean' verdict as proof the URL is safe
URL-pattern analysis catches around 70-85% of phishing URLs. The remaining 15-30% are sophisticated phishing using compromised legitimate domains, novel obfuscation techniques, or content the URL itself doesn't reveal. A 'Clean' verdict from this scanner means 'no obvious URL-pattern indicators tripped' — not 'this is definitely safe'. For high-stakes decisions (clicking a link claiming to be from your bank), pair the URL scanner with content-based analysis (urlscan.io) and your own judgement about whether you initiated the request.
Treating a 'Suspicious' verdict as proof the URL is malicious
False positives are real. Legitimate enterprise URLs often look weird — long checkout URLs, password-reset links with cryptographic tokens, multi-subdomain SaaS environments. A 'Suspicious' result on a domain you initiated a request with (you clicked 'Forgot Password' and the reset email arrived 30 seconds later) is usually safe to act on. A 'Suspicious' result on a domain you didn't initiate contact with should be treated as malicious until proven otherwise.
Not expanding shortened URLs before scanning
Pasting a `bit.ly` URL directly into the scanner gives you limited information — the scanner can flag the shortener but can't see the destination. Always expand shortened URLs first using a URL expander service or urlscan.io's redirect-following feature, then scan the actual destination. Phishing campaigns rely heavily on shorteners precisely because most people don't bother to expand them.
Confusing this scanner with a content-based analyser
This tool analyses the URL string. It does NOT load the page, does NOT render JavaScript, does NOT compare visual similarity to known brands, does NOT check the page's content against known phishing-kit signatures. For those capabilities, use urlscan.io (renders the page in a sandbox), Bolster CheckPhish (visual similarity), or your enterprise URL filtering vendor. URL-pattern scanning is one layer of phishing defence, not the whole stack.
Pasting URLs you've actually clicked already to retrospectively check
Once you've clicked a suspicious URL, the time-sensitive question changes from 'is this dangerous?' to 'what damage might already be done?' The scanner can confirm in retrospect that the URL was suspicious, but at that point you should be focused on damage control: don't enter credentials, close the tab, clear cache and cookies for the domain, change passwords on any account where you've reused credentials, enable 2FA. The scanner result is now informational — the action is to assume you've been targeted and respond accordingly.
Forgetting that 'urgent' framing is the actual phishing signal
URL patterns are useful but the strongest phishing signal is psychological — urgency framing in the message that delivered the URL. 'Your account will be suspended in 24 hours.' 'Unusual sign-in detected — verify now.' 'Your package is held — click to release.' These framings short-circuit careful URL evaluation by triggering scarcity/loss responses. If a message creates urgency around clicking a link, that itself is a near-certain phishing indicator regardless of how the URL looks. The scanner catches URL patterns; you have to catch psychological patterns.
Frequently Asked Questions
Paste it into the scanner above. The tool runs 12 URL-pattern checks in your browser and returns a verdict in under a second — Clean, Suspicious, or Dangerous — with a breakdown of exactly which checks triggered. Patterns the scanner catches include misleading subdomains (paypal-verify.example.com), credential-bait keywords in the path, IP-address-as-hostname, excessive dashes, character substitution attacks, and 12 other indicators that distinguish phishing URLs from legitimate ones.
Yes — the scanner never visits the URL. All 12 checks are pure string analysis on the URL itself, performed entirely in your browser using JavaScript. Nothing is sent to our server, no fetch is attempted against the suspicious domain, and the URL is not logged anywhere. You can verify this in your browser's DevTools Network tab — running a scan generates zero outbound requests.
No, and we're explicit about why: those services are server-side APIs that would require sending the URL off your machine. This tool prioritises privacy and zero-network-request architecture. If you want a definitive verdict from a real-time threat-intel feed, cross-check at Google Safe Browsing or urlscan.io after running our heuristic check. Use ours for instant private analysis; use theirs for authoritative verdict.
The strongest single indicator is a hostname that contains a brand name as a subdomain or path component rather than as the registrable domain — for example `paypal.example-login.com` or `microsoft.com.malicious-site.net`. Other high-signal patterns: IP address used as hostname, excessive subdomains (over 4 levels), URL length above 100 characters, credential keywords in the path (`login`, `verify`, `update`, `secure`), Punycode (xn-- prefix indicating internationalised domain abuse), suspicious TLD (.tk, .ml, .ga, .gq, .cf — historically high phishing rates), and Unicode confusables (Cyrillic 'а' visually identical to Latin 'a').
Mostly yes, but not always. Clicking the link reveals it to your browser, which loads the page — and a malicious page can serve drive-by exploits targeting unpatched browser vulnerabilities, render fake login forms designed to harvest credentials if you're inattentive, drop tracking cookies, or attempt clickjacking. In 2026 the practical risk of pure browser drive-by from a single click is low if your browser is updated, but it's never zero. The safest practice is don't click — analyse the URL, then decide whether visiting carries useful information value (it usually does not).
False positives happen. Legitimate sites sometimes use long URLs (e-commerce checkout flows), credential keywords (a real password-reset link will contain `reset` or `verify`), or many subdomains (enterprise SaaS like `app.eu-west-1.production.company.com`). The scanner returns a heuristic score, not a verdict — a 'Suspicious' result on a known-legitimate domain means "this URL has unusual structure for what it claims to be," not "this is fake." Use judgement: if you initiated the request (you clicked Forgot Password and the email arrived 30 seconds later from a domain you trust), treat suspicious-looking URLs as legitimate. If you didn't initiate it, treat them as malicious.
Heuristic URL analysis catches around 70–85% of phishing URLs in published benchmarks, depending on the rule set. The tool is more accurate at catching low-effort phishing (cheap domains, obvious keyword stuffing) and less accurate at catching sophisticated phishing (compromised legitimate domains hosting attacker content). For high-confidence detection of sophisticated phishing, combine URL heuristics with content-based detection (urlscan.io renders the page, urlscan-style services compare visual similarity to known brands) and threat-intelligence feeds (PhishTank, Google Safe Browsing).
Don't enter any credentials or download any files. Close the tab. Clear your browser cache and cookies for the domain. If you entered credentials before realising, change that password on every account where you've reused it (use the Password Breach Checker to verify exposure), enable 2FA on the affected accounts, and watch the associated email for follow-up phishing or notification of unauthorised access for the next 30 days. If your work device, also report to your IT/security team — they need to know to monitor for downstream activity.
They obscure the destination, which is why phishers favour them. The scanner flags `bit.ly`, `tinyurl.com`, `t.co`, `goo.gl`, `is.gd`, and 8 other common shorteners as a moderate-suspicion indicator. To see the real destination before clicking, use a URL expander (unshorten.it, checkshorturl.com) or simply paste the shortener URL into urlscan.io which auto-follows redirects safely. Never trust a shortened URL on its own — always expand first.
Multiple places, depending on what was being impersonated. For Gmail-delivered phishing, forward the email to reportphishing@google.com. For Microsoft-impersonating phishing, submit to https://www.microsoft.com/wdsi/filesubmission. For general phishing URLs, submit to PhishTank (community-curated database) and to APWG (Anti-Phishing Working Group) at reportphishing@apwg.org. If the impersonated brand has a security.txt file at https://thatbrand.com/.well-known/security.txt, send to the contact listed there — most major brands take phishing reports seriously and will request domain takedown.