A phishing link’s job is to look trustworthy at a glance. This checker pulls a URL apart and tests it against 15 independent heuristics that real phishing campaigns tend to trip — all locally, without ever contacting the address.
How it works
The URL is parsed into its components (scheme, host, path, query) and each heuristic inspects one structural property. Every check carries a weight reflecting how strongly it indicates phishing, and the triggered weights are summed into a single score.
The highest-weight signals (4 points each) are the ones that are almost never innocent:
- Raw IP host — a literal 203.0.113.5 instead of a domain name.
- Punycode / IDN host — xn-- labels or non-ASCII characters that mimic a brand via lookalike glyphs.
- Embedded credentials — a user:pass@host segment.
Mid-weight signals (2–3 points) include suspicious top-level domains, URL
shorteners that conceal the destination, the @ redirect trick, brand names
appearing outside the registered domain, deep subdomain nesting, and unusual
ports. Low-weight signals (1 point) cover login/payment keywords, excessive
length, many query parameters, heavy percent-encoding, insecure http, and
hyphen-stuffed domains.
Worked example
Consider this link:
http://paypal.account-verify.example.top/login?session=...
It triggers several checks at once: the brand paypal sits in a subdomain while
the registered domain is example.top (brand impersonation, 3), the .top TLD
is high-abuse (2), the path contains login (1), and it uses insecure http
(1). That cluster pushes it into the Elevated/High band — exactly the kind of
URL you should never enter credentials into.
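The weighted scoring described under "How it works", applied to the worked example above, as an added illustration that is not the checker's own code. The brand list, the TLD list, the keyword list and the exact weights are assumptions; the registrable-domain rule (last two labels) is the page's.

```python
import ipaddress
from urllib.parse import urlsplit

# Word lists and weights are assumptions for this illustration, not the tool's own.
BRANDS = ("paypal", "apple", "microsoft", "amazon")
SUSPICIOUS_TLDS = ("top", "xyz", "zip", "tk", "gq")
KEYWORDS = ("login", "signin", "verify", "account", "secure", "payment")


def is_ip(host):
    """True when the host is a literal IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def score_url(url):
    """Return (score, [(signal, weight), ...]) for every heuristic that fires.
    Purely structural inspection: nothing here contacts the URL."""
    p = urlsplit(url)
    host = (p.hostname or "").lower()
    labels = host.split(".")
    registrable = ".".join(labels[-2:])   # page's rule: last two labels
    prefix = ".".join(labels[:-2])        # everything left of it is owner-controlled
    pathq = (p.path + "?" + p.query).lower()
    hits = []
    if is_ip(host):
        hits.append(("raw IP host", 4))
    if any(l.startswith("xn--") for l in labels) or not host.isascii():
        hits.append(("punycode/IDN host", 4))
    if p.password is not None:            # user:pass@host
        hits.append(("embedded credentials", 4))
    elif p.username is not None:          # trusted-looking-name@realhost
        hits.append(("@ redirect trick", 2))
    if any(b in prefix or b in pathq for b in BRANDS) and not any(b in registrable for b in BRANDS):
        hits.append(("brand outside registrable domain", 3))
    if labels[-1] in SUSPICIOUS_TLDS:
        hits.append(("high-abuse TLD", 2))
    if len(labels) > 4:
        hits.append(("deep subdomain nesting", 2))
    if any(k in pathq for k in KEYWORDS):
        hits.append(("login/payment keyword", 1))
    if p.scheme == "http":
        hits.append(("insecure http", 1))
    if len(url) > 100:
        hits.append(("excessive length", 1))
    if registrable.count("-") >= 2:
        hits.append(("hyphen-stuffed domain", 1))
    return sum(w for _, w in hits), hits
```

Run on the worked example above (with a constructed session value) it fires the four signals the text lists, for a total of 7.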
Tips and limitations
- The registrable domain is the last two labels of the host. Everything to
the left — no matter how reassuring — is controlled by whoever owns that
domain. secure.login.yourbank.evil.com is on evil.com.
- Heuristics are signals, not proof. A high score warrants caution; a low score is not a clean bill of health.
- The single most reliable defence is to ignore the link entirely and navigate to the organisation’s known website by typing it yourself.