Analyze any URL for phishing, suspicious patterns, and security risks. Detects login keywords, suspicious TLDs, encoded characters, brand impersonation, and more
Before you click a suspicious link, paste it here. This analyzer inspects the URL structure for common phishing patterns, homoglyph and punycode attacks, suspicious subdomains, and known-bad TLDs. It won't visit the URL, it analyzes the string itself.
Initializing in your browser…
Analyze password security with 10 criteria checks, entropy calculation, crack time estimation, character breakdown, warnings, and improvement suggestions
Check if a website has valid SSL/TLS certificate. Verify HTTPS connection and get tools for detailed certificate analysis
Build a personal knowledge base with [[bidirectional links]], tags, backlinks, search, note metadata, and import/export. Implements Zettelkasten method
A "your account is locked" email links to the URL below and you want a sober breakdown before anyone in the team clicks it.
URL pasted
http://paypa1-secure-login.account-verify.ru/login?next=update
Risk findings
⚠ Lookalike brand: "paypa1" substitutes 1 for l (typosquat) ⚠ Not HTTPS: credentials would be sent in clear text ⚠ Real domain is account-verify.ru, not paypal, brand is only a subdomain ⚠ Credential keywords: "secure-login", "verify" Verdict: High risk, classic phishing structure
The analyzer inspects the URL lexically, it never visits the link. It separates the true registrable domain (`account-verify.ru`) from the deceptive subdomain, flags homoglyph/typosquat tricks like "paypa1", and notes the missing TLS. This is structural phishing detection, so treat it as a strong warning, not a substitute for a live threat-intel blocklist.
Before you click a suspicious link, paste it here. This analyzer inspects the URL structure for common phishing patterns, homoglyph and punycode attacks, suspicious subdomains, and known-bad TLDs. It won't visit the URL, it analyzes the string itself.
The URL Safety Analyzer parses a pasted link entirely in your browser with the native URL() constructor (prepending https:// first if no http/https/javascript/data scheme is present) and runs a weighted rule engine that produces a risk score from 0 to 100. Each signal adds points: a homograph or Punycode hostname adds 40, encoded-character obfuscation adds 20, more than two subdomains adds 15, a known URL shortener adds 15, a suspicious top-level domain adds 15, plain HTTP instead of HTTPS adds 10, a URL longer than 200 characters adds 10, and each matched suspicious pattern adds its severity times 10. The total is capped at 100 and mapped to a verdict of 'Safe' (score 0), 'Caution' (1-49), or 'High Risk' (50 or above), with each warning color-coded by severity (yellow for 1, orange for 2, red 'Critical' for 3).
Its strongest signal is homograph and IDN-spoofing detection, which it performs two ways. It scans the raw text you typed against a built-in map of 18 Cyrillic lookalikes (the lowercase а, е, о, р, с, х, у and the uppercase А, В, Е, К, М, Н, О, Р, С, Т, Х) that mimic Latin letters, and it separately checks whether the browser-normalized hostname contains the 'xn--' Punycode prefix - so a domain like аpple.com written with a Cyrillic 'а' is flagged even after it is converted, and the warning prints the actual Punycode hostname so you can compare it to the brand you expected. The regex pattern bank also flags login/secure/verify/confirm keywords (severity 2), executable and archive endings such as .exe/.zip/.scr and double extensions like .pdf.exe (severity 3), raw IPv4 addresses used as hosts, javascript: and data: schemes, scam and urgency words (free, winner, prize, urgent), cryptocurrency terms (wallet, bitcoin, airdrop), .ru/.cn/.ir/.kp country TLDs, and 16 major brand names (paypal, amazon, microsoft, netflix, steam, roblox and others) that prompt you to verify domain authenticity. It also recognizes 26 shortener domains by name, including bit.ly, tinyurl.com, t.co, amzn.to and youtu.be, and breaks the URL into protocol, hostname, path, and decoded query parameters in a side panel.
Because the entire analysis is static string inspection done client-side, it never fetches the URL, follows a shortener's redirect, or queries any reputation service such as Google Safe Browsing - so a 'Safe' result means no structural red flags were found, not that the destination is trustworthy, and a bit.ly link is always flagged precisely because its final target cannot be resolved without visiting it. The tool keeps the last 10 analyses in memory for the session (showing the five most recent in a sidebar) and only offers an 'Open in New Tab' link when the verdict is 'Safe', using rel=noopener noreferrer. This makes it a lightweight pre-click triage step for inbound links rather than a definitive verdict; pair it with the visible Punycode hostname as your manual homoglyph check.
Check links from emails before clicking, especially those claiming to be from banks, shipping companies, or IT departments.
Verify shortened or unfamiliar URLs shared in team chat channels.
Demonstrate how phishing URLs mimic legitimate domains using character substitution and subdomain tricks.
No. It only analyzes the URL string. No HTTP requests are made to the target.
No tool can guarantee 100% detection. This catches structural patterns, but always exercise judgment with unfamiliar links.
This runs as client-side JavaScript. Keys, tokens, payloads, and other inputs never leave your device.