Paste the body of any suspicious email below. We'll check it for phishing red flags, social engineering tactics, and spoofed links — without sending your content anywhere.
Phishing emails often display a trusted name (like "PayPal Support") but the actual email address is something completely different, like support@paypa1-secure.xyz. Always click on the sender name to reveal the full email address. If the domain doesn't match the company's official domain, it's almost certainly a phishing attempt.
The text of a link can say anything — "Click here to verify your PayPal account" — but the actual URL underneath might go to a completely different domain. On desktop, hover your mouse over the link (without clicking) to see the real destination in the bottom-left corner of your browser. On mobile, long-press the link to preview it. If the domain doesn't match what you expect, don't click.
Phishing emails almost always create a sense of urgency: "Your account will be suspended in 24 hours," "Verify immediately or lose access," "Unauthorized transaction detected." Legitimate companies rarely pressure you with tight deadlines or threaten account deletion in a single email. If you feel rushed, that's a red flag.
Emails that start with "Dear Customer," "Dear User," or "Dear Account Holder" instead of your actual name are a warning sign. Legitimate companies you have an account with know your name and use it. Generic greetings suggest the sender is blasting the same email to thousands of people — a hallmark of phishing campaigns.
No legitimate company will ever ask you to reply to an email with your password, Social Security number, credit card number, or bank details. If an email asks you to "verify your password" or "confirm your payment information," it is a phishing attempt — full stop. Real companies direct you to log into their official website through your own bookmark or by typing the URL yourself.
Unexpected attachments — especially .zip, .exe, .scr, .doc, or .pdf files — can contain malware. Even if the email appears to come from someone you know, verify with them through a separate channel before opening. Phishing emails disguise malicious files as invoices, shipping labels, or "important documents" to trick you into opening them.
The checker analyzes the email text you paste directly in your browser using JavaScript. It scans for urgency and threat language, credential requests, too-good-to-be-true offers, suspicious links with domain mismatches, generic greetings that suggest impersonation, grammar red flags like excessive capitalization and exclamation marks, and dangerous attachment mentions. All URLs found in the text are also checked for brand spoofing, suspicious TLDs, and other phishing patterns. Nothing is sent to any server — the analysis is entirely client-side.
No. The email text you paste is analyzed entirely inside your browser using JavaScript. It is never transmitted to PhishClean or any third-party server, and it is not stored in any database, cookie, or local storage. You can verify this yourself: open your browser's developer tools, switch to the Network tab, and paste an email. You will see zero outbound requests during analysis.
The most common signs include: urgency language pressuring you to act immediately, threats of account suspension or legal action, requests for passwords or financial information, generic greetings like "Dear Customer" instead of your actual name, links where the display text shows one domain but the actual URL goes to a different domain, too-good-to-be-true offers like prize winnings or free gifts, and unexpected attachments.
Do not click any links or download any attachments. Do not reply to the email or provide any personal information. Report it as phishing in your email client — most services like Gmail, Outlook, and Yahoo have a "Report phishing" option. If the email impersonates a company, forward it to their official abuse address (e.g., phishing@paypal.com). Delete the email afterward. If you already clicked a link or entered credentials, change your passwords immediately and enable two-factor authentication on all affected accounts.