Paste any suspicious URL below. We'll check it for phishing signals, domain spoofing, and token leaks — without sending your URL anywhere.
Phishing pages impersonate trusted brands by registering lookalike domains. We check for brand names embedded in unrelated domains — like paypal-secure.xyz or microsoft-login.tk. The real PayPal will always be paypal.com, not a hyphenated variant on a cheap TLD.
Certain top-level domains appear disproportionately in phishing campaigns. We flag URLs using TLDs like .xyz, .tk, .ml, .ga, .cf, .buzz, .top, and .loan. These are not inherently malicious, but phishing kits favor them because they are cheap or free to register.
Legitimate websites use domain names. Phishing pages sometimes use raw IP addresses (like http://192.168.1.1/login) to avoid domain registration records and takedown requests.
If a URL uses plain http:// for a domain that should be on HTTPS — especially one with a login form — that is a red flag. Credentials submitted over HTTP travel unencrypted, so an attacker on the network path can intercept them in transit.
Query parameters named token, auth, session, key, or jwt suggest sensitive data is being passed through the URL. These values get logged in browser history, analytics platforms, proxy servers, and referrer headers — all places an attacker can harvest them.
URLs with three or more subdomains (like login.secure.account.example.com) are often designed to push the real domain off the visible portion of your browser's address bar. The goal is to make you think you're on a trusted site when you're not.
Phishing URLs sometimes use percent-encoding (like %2F for a slash) or the @ symbol to obscure the true destination. A URL like https://google.com@evil.com actually goes to evil.com, not Google, because everything before the @ is treated as user info rather than the host.
The checker parses the URL you enter and runs a series of pattern-matching checks directly in your browser using JavaScript. It looks for domain spoofing, suspicious TLDs, IP-based URLs, HTTPS downgrade signals, exposed tokens in query strings, excessive subdomains, and URL encoding tricks. Nothing is sent to any server — the analysis is entirely client-side.
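The checks listed above can be sketched in a few lines of JavaScript. This is an added example, not PhishClean's own code: the finding names, the `BRANDS` map, and the "last two labels" shortcut for the registrable domain are assumptions made for illustration.

```javascript
// Added example: finding codes are hypothetical names, not PhishClean's.
const RISKY_TLDS = new Set(['xyz', 'tk', 'ml', 'ga', 'cf', 'buzz', 'top', 'loan']);
const TOKEN_PARAMS = new Set(['token', 'auth', 'session', 'key', 'jwt']);
// Constructed brand map (assumption): brand keyword -> its real registrable domain.
const BRANDS = { paypal: 'paypal.com', microsoft: 'microsoft.com' };

function checkUrl(raw) {
  let url;
  try { url = new URL(raw); } catch { return ['unparseable']; }
  const findings = [];
  const host = url.hostname.toLowerCase();

  // Anything before "@" in the authority is user info, not the destination.
  if (url.username || url.password) findings.push('userinfo-at');
  if (url.protocol === 'http:') findings.push('plain-http');

  const isIp = /^\d{1,3}(\.\d{1,3}){3}$/.test(host) || host.startsWith('[');
  if (isIp) {
    findings.push('ip-host');
  } else {
    const labels = host.split('.');
    // Naive registrable domain: last two labels. A real check needs the
    // Public Suffix List to handle suffixes such as co.uk.
    const registrable = labels.slice(-2).join('.');
    if (RISKY_TLDS.has(labels[labels.length - 1])) findings.push('suspicious-tld');
    for (const [brand, real] of Object.entries(BRANDS)) {
      if (host.includes(brand) && registrable !== real) findings.push('brand-lookalike');
    }
    // Three or more labels in front of the registrable domain.
    if (labels.length - 2 >= 3) findings.push('deep-subdomains');
  }

  for (const name of url.searchParams.keys()) {
    if (TOKEN_PARAMS.has(name.toLowerCase())) { findings.push('token-in-query'); break; }
  }
  // Percent-encoding outside the query string can hide path or host text.
  if (/%[0-9a-f]{2}/i.test(raw.split('?')[0])) findings.push('percent-encoding');
  return findings;
}

console.log(checkUrl('https://google.com@evil.com')); // sample URL from the text above
```

An empty result only means none of these URL patterns matched; it says nothing about the page content behind the link.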
Yes. The URL never leaves your browser. You can verify this yourself: open your browser's developer tools, switch to the Network tab, and paste a URL. You will see zero outbound requests during analysis. We built it this way because a phishing checker that collects URLs would be a privacy problem of its own.
This page analyzes a single URL you paste manually. The PhishClean browser extension runs automatically on every page you visit and catches threats this tool cannot — like password fields on suspicious pages, hidden iframes, JWT tokens in live URLs, hardcoded API keys in source code, authorization headers sent to third-party domains, and HTTPS-to-HTTP downgrade redirects.
No tool can guarantee a link is completely safe. This checker looks for known phishing patterns in the URL structure, but a phishing page can use a perfectly normal-looking URL. For real-time protection that also inspects page content, form behavior, and network requests, install the PhishClean extension.