Free Feature
Link Safety Tooltips
Every link you hover gets an instant safety check. Green checkmark if it's safe. Yellow warning if something's off. Red alert if it's suspicious. No clicking required, no data sent anywhere — all checks run locally in your browser in under a millisecond.
Three Levels of Link Safety
What Does PhishClean Check on Each Link?
🌐
Punycode Domains
Detects internationalized domain names (IDNs) that use lookalike characters to impersonate trusted sites. For example, xn--pple-43d.com is the punycode form of a domain that renders like apple.com.
📍
Raw IP URLs
Flags links pointing to raw IP addresses instead of domain names. Legitimate sites almost never ask you to visit an IP address directly.
🔄
Text/URL Mismatch
Catches links where the visible text says one URL but the actual link goes somewhere else. A classic phishing technique.
🔓
HTTPS Downgrade
Warns when a link on a secure HTTPS page points to an insecure HTTP destination. This could expose your data in transit.
🔑
JWT Tokens in URL
Detects JSON Web Tokens embedded in link URLs. JWTs contain authentication data that should never be exposed in URLs.
❓
Suspicious Parameters
Flags URLs with query parameters that look like authentication tokens, API keys, or session identifiers being leaked.
📥
Dangerous File Types
Alerts on links that download potentially dangerous files: .exe, .scr, .bat, .cmd, .msi, .ps1, .vbs, .jar, .apk, .dmg.
🌐
Excessive Subdomains
Flags domains with 5+ levels of subdomains, a technique used to make malicious URLs look like legitimate ones.
🔗
Shortened URLs
Detects links through URL shorteners (t.co, bit.ly, etc.) that hide the actual destination, and analyzes the real destination when the link's display text shows it.
How Does It Work?
1. You hover over a link. PhishClean waits 300 milliseconds to make sure you're actually pausing on the link, not just passing over it. This prevents unnecessary checks while scrolling.
2. Run all 8 checks locally. The link URL is analyzed entirely inside your browser. No network requests, no API calls, no data leaves your device. PhishClean checks the domain, protocol, path, query parameters, and display text.
3. Compare against trusted domains. Same-site links and links to known trusted domains (Google, GitHub, Amazon, Microsoft, etc.) get an immediate green checkmark. Third-party links go through the full signal analysis.
4. Show the result. Safe links get a small green checkmark next to them. Links with one suspicious signal show a yellow caution tooltip. Links with two or more signals show a red danger tooltip with all the details.
5. Cache the result. Once analyzed, the result is cached so hovering the same link again is instant. The cache holds up to 500 results and resets when you navigate to a new page.
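The signal analysis and the one-signal/two-signal thresholds described above, as an added JavaScript sketch that is not PhishClean's own source code. The regexes, the parameter-name list, the helper names and the two-label registrable-domain shortcut are assumptions; the trusted-domain list and the cache are left out.

```javascript
// Added illustration, not PhishClean's source. Regexes and helper names are assumptions.
const DANGEROUS_EXT = /\.(exe|scr|bat|cmd|msi|ps1|vbs|jar|apk|dmg)$/i; // list from the page
const JWT = /eyJ[\w-]{8,}\.eyJ[\w-]{8,}\.[\w-]+/; // base64url header.payload.signature
const SECRET_PARAM = /^(token|access_token|api_?key|session_?id|auth)$/i; // assumed names
const IPV4 = /^\d{1,3}(\.\d{1,3}){3}$/;
const bare = (h) => h.toLowerCase().replace(/^www\./, "");

// Hostname written in the link text ("paypal.com/login"), or null if the text is not URL-like.
function hostInText(text) {
  const m = text.trim().match(/^(?:https?:\/\/)?([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})(?:[\/:?#]|$)/i);
  return m ? bare(m[1]) : null;
}

// href: absolute URL (as anchor.href gives it); pageProtocol: location.protocol of the page.
function analyzeLink(href, displayText, pageProtocol) {
  let url;
  try { url = new URL(href); } catch { return { level: "caution", signals: ["unparseable URL"] }; }
  const host = url.hostname; // the URL parser lowercases, ASCII-encodes IDNs, normalizes IPv4 forms
  const labels = host.split(".");
  const isIp = IPV4.test(host) || host.startsWith("["); // "[...]" is an IPv6 literal
  const signals = [];

  if (labels.some((l) => l.startsWith("xn--"))) signals.push("punycode domain");
  if (isIp) signals.push("raw IP URL");
  const shown = hostInText(displayText);
  if (shown && shown !== bare(host) && !host.endsWith("." + shown)) signals.push("text/URL mismatch");
  if (pageProtocol === "https:" && url.protocol === "http:") signals.push("HTTPS downgrade");
  // Counted once: a JWT in ?token= is not also reported as a suspicious parameter (assumption).
  if (JWT.test(href)) signals.push("JWT in URL");
  else if ([...url.searchParams.keys()].some((k) => SECRET_PARAM.test(k))) signals.push("suspicious parameter");
  if (DANGEROUS_EXT.test(url.pathname)) signals.push("dangerous file type");
  // "5+ levels": labels left of an assumed two-label registrable domain (no public suffix list).
  if (!isIp && labels.length - 2 >= 5) signals.push("excessive subdomains");

  // Page's rule: no signal = safe, exactly one = caution (yellow), two or more = danger (red).
  const level = signals.length === 0 ? "safe" : signals.length === 1 ? "caution" : "danger";
  return { level, signals };
}
```

Checking `url.hostname` rather than the raw string matters here: the parser converts a Unicode lookalike host to its `xn--` form and rewrites hex or shortened IPv4 notations to dotted decimal before the checks see them.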
URL Shortener Intelligence
URL shorteners like t.co, bit.ly, and tinyurl.com hide the real destination behind a redirect. This is normal for social media platforms — Twitter/X shortens every link to t.co — but it means you can't see where a link actually goes.
PhishClean handles this intelligently. When a link uses a known shortener, PhishClean looks at the visible text of the link. If the text contains the real URL (which Twitter usually shows), PhishClean analyzes the real destination instead of the shortener. If the real destination is hidden (no URL in the text), PhishClean flags it with a "Shortened URL — destination hidden" warning.
Supported shorteners: t.co, bit.ly, goo.gl, tinyurl.com, ow.ly, is.gd, buff.ly, dlvr.it, lnkd.in, rb.gy, cutt.ly, and shorturl.at.
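The shortener handling described above, as an added JavaScript sketch that is not PhishClean's own source code. The function names, the returned fields and the URL-matching regex are assumptions; the shortener list is the one given on this page.

```javascript
// Added illustration, not PhishClean's source; function and field names are assumptions.
const SHORTENERS = new Set(["t.co", "bit.ly", "goo.gl", "tinyurl.com", "ow.ly", "is.gd",
  "buff.ly", "dlvr.it", "lnkd.in", "rb.gy", "cutt.ly", "shorturl.at"]); // list from the page

function hostOf(u) {
  try { return new URL(u).hostname.replace(/^www\./, ""); } catch { return ""; }
}

// First URL written in the visible text, as an absolute href, or null.
// Platforms often cut the shown URL short with "…", so the path may be incomplete.
function urlFromText(text) {
  const m = text.match(/(?:https?:\/\/)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:\/[^\s…]*)?/i);
  if (!m) return null;
  const candidate = /^https?:\/\//i.test(m[0]) ? m[0] : "https://" + m[0];
  try { return new URL(candidate).href; } catch { return null; }
}

// Pick the URL the local checks should analyze. No request is made to the shortener.
function resolveForAnalysis(href, displayText) {
  if (!SHORTENERS.has(hostOf(href))) return { analyze: href, hidden: false, truncated: false };
  const shown = urlFromText(displayText);
  // Text that is itself a shortener link reveals nothing, so treat it as hidden too.
  if (!shown || SHORTENERS.has(hostOf(shown))) return { analyze: href, hidden: true, truncated: false };
  // The text is chosen by whoever posted the link: a hint about the target, not proof of it.
  const truncated = /(…|\.\.\.)$/.test(displayText.trim());
  return { analyze: shown, hidden: false, truncated };
}
```

A caller would show the destination-hidden warning when `hidden` is true, and when `truncated` is true it should rely on the host of `analyze` only, since the path shown in the text is incomplete.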
Privacy by Design
The link tooltip feature is the purest example of PhishClean's privacy-first approach. Every single check runs as local JavaScript inside your browser. Here's what PhishClean does not do:
- Does not send link URLs to any server
- Does not use any external API or lookup service
- Does not track which links you hover over
- Does not store any browsing history
- Does not phone home with any data, ever
The entire analysis happens in a few lines of JavaScript running in your browser's content script. You can verify this yourself — the source code is on GitHub.
Frequently Asked Questions
Does the link tooltip slow down my browsing?
No. The tooltip uses a 300ms debounce so it only runs checks when you pause on a link. All analysis is local JavaScript with no network calls. Results are cached so hovering the same link twice is instant. The entire check takes less than a millisecond.
What checks does PhishClean run on each link?
PhishClean runs 8 checks on every link: punycode/IDN domain detection, raw IP address URLs, display text vs URL mismatch, HTTPS to HTTP downgrades, JWT tokens in URLs, suspicious query parameters (auth tokens, API keys), dangerous file extensions (.exe, .scr, .bat, .cmd, .msi, .ps1, .vbs, .jar, .apk, .dmg), and excessive subdomain detection (5+ levels).
Does PhishClean send my browsing data anywhere?
No. All link analysis runs 100% locally inside your browser. No URLs, no browsing history, no link data is ever sent to any server. PhishClean is privacy-first by design. You can verify this in the source code on GitHub.
Can I disable the tooltip for safe links?
The safe link indicator is already minimal — just a small green checkmark circle that appears briefly next to the link. It disappears as soon as you move your mouse away. For suspicious or dangerous links, the full warning tooltip is always shown to keep you protected.
Does it work on all websites?
Yes. The tooltip works on every website you visit — Google, Twitter/X, Reddit, news sites, email clients, banking sites, everything. It runs as a content script injected by the browser extension, so it has access to every page's links. The only exception is browser-internal pages (chrome:// or about: URLs).
How does PhishClean handle shortened URLs like t.co or bit.ly?
When a link uses a known URL shortener, PhishClean looks at the visible text of the link. If the text contains the real destination URL (as Twitter/X typically shows), PhishClean analyzes the real URL instead of the shortener. If no real URL is visible, it flags the link with a "Shortened URL — destination hidden" warning.
See Link Safety Before You Click
PhishClean checks every link you hover — 8 signals, zero network calls, 100% local. Available on Chrome, Firefox, and Edge.