Why check suspicious URLs?
Phishing is the top cyber attack vector worldwide. In 2024, the Anti-Phishing Working Group (APWG) recorded over 4.7 million phishing attacks, a record. Each attack starts the same way: a link that looks legitimate but leads to a credential-harvesting page.
One click is enough. The FBI's IC3 estimates phishing caused over $2.9 billion in losses in 2023 alone. Attackers clone bank login pages, cloud service portals, and delivery tracking sites with pixel-perfect accuracy.
Three reasons to check a link before clicking:
- Personal protection : A single phishing link can expose passwords, credit card numbers, and two-factor codes in seconds
- Organizational protection : 74% of data breaches involve a human element, often a clicked phishing link (Verizon DBIR 2024)
- Proactive verification : Site owners should regularly verify their domain isn't falsely flagged, which blocks visitors and damages reputation
How to use the phishing URL checker in 3 steps
Step 1: Enter the suspicious URL
Paste the suspicious link into the input field. The tool accepts three formats:
- Full URL:
https://suspicious-site.com/login - Bare domain:
suspicious-site.com - IP address:
192.168.1.1
The input is normalized automatically: whitespace stripped, converted to lowercase, URL fragments removed. No data is stored after the check.
Step 2: Launch the check
Click Check. The tool queries 4 threat intelligence sources simultaneously, each with its own timeout. Results typically return in under 3 seconds.
Step 3: Review the report
The report displays:
- Global verdict: Clean, Suspicious, Malicious, or Inconclusive
- Risk score: From 0 (no risk) to 100 (critical)
- Per-source details: Status, threat types, response time
- Diagnostics: Errors, warnings, and coverage information
How do threat intelligence databases work?
Threat intelligence databases collect and classify malicious URLs through four channels: user reports, automated sandbox analysis, honeypot networks, and partnerships with security vendors. No single database catches everything. Combining multiple sources dramatically increases detection rates.
| Source | Specialty | Coverage |
|---|---|---|
| URLhaus (abuse.ch) | Malware, botnets, C2 | Free, real-time updates |
| Google Safe Browsing | Phishing, unwanted software | Protects 5 billion+ devices daily |
| PhishTank | Phishing only | OpenDNS community-verified |
| VirusTotal | Multi-engine (70+ AV) | 500 requests/day (free tier) |
URLhaus excels at catching new malware campaigns within hours of emergence. Google Safe Browsing provides the broadest coverage; it powers warnings in Chrome, Firefox, and Safari. PhishTank relies on community verification, adding a human review layer. VirusTotal runs every URL through 70+ antivirus engines, catching threats that single-vendor databases miss.
Risk score calculation
The risk score (0-100) is weighted by each source's reliability:
| Source | Weight | Rationale |
|---|---|---|
| Google Safe Browsing | 40 | Most comprehensive database, few false positives |
| VirusTotal | 30 | Aggregation of 70+ engines |
| URLhaus | 20 | Malware specialist, highly reactive |
| PhishTank | 15 | Community-driven, phishing-focused |
The floor is 20 when at least one source flags the URL. The ceiling is 100 when all sources agree the URL is malicious. A single-source flag does not guarantee the URL is dangerous; it signals further investigation is warranted.
| Score | Level | Interpretation |
|---|---|---|
| 0 | None | No source flags the URL |
| 1-29 | Low | Flagged by a minor source |
| 30-59 | Medium | Flagged by at least one reliable source |
| 60-84 | High | Flagged by multiple sources |
| 85-100 | Critical | Consensus among major sources |
Real-world use cases
Case 1: Banking phishing email
Scenario: An email arrives from "your bank" with urgent language, "Verify your account immediately or it will be suspended." The sender address looks almost right.
What the tool reveals: Paste the URL into the checker. If Google Safe Browsing and PhishTank both flag it, the risk score jumps to at least 55 (High). Threat types display as "phishing" and "social_engineering."
What to do: Do not click the link. Report the email as phishing to your provider. Navigate to your bank's website by typing the address directly in your browser. Banks never ask for credentials via email.
Case 2: Shortened link in a text message
Scenario: You receive an SMS: "Your package could not be delivered. Update your information: bit.ly/xyz." Package delivery scams are among the fastest-growing phishing categories. APWG reports a 40% increase since 2022.
What the tool reveals: First, expand the shortened URL using an unshortener service to reveal the final destination. Then paste that destination into the checker.
What to do: If the final URL is flagged, delete the text immediately. Legitimate delivery services never request payment or personal data via SMS links.
Case 3: False positive on your domain
Scenario: Visitors report that their browser warns them your site is dangerous. You've checked your code, and nothing malicious exists. False positives happen: Google Safe Browsing flags roughly 0.1% of safe sites at any given time.
What the tool reveals: Enter your domain to identify exactly which source flags it. Click the source's reference link to see the specific reason.
What to do: Submit a delisting request to the flagging source (Google has a dedicated review form). Also run a security scan on your server to rule out injected scripts, hidden redirects, or compromised plugins.
FAQ - Frequently Asked Questions
Q: How do I check if a link is phishing?
A: Paste the URL into the input field and click Check. The tool queries URLhaus, Google Safe Browsing, PhishTank, and VirusTotal simultaneously. Within seconds, you get a verdict (Clean, Suspicious, Malicious) and a risk score from 0 to 100.
Q: What data sources power this tool?
A: Four complementary threat intelligence feeds. URLhaus (abuse.ch) specializes in malware distribution URLs. Google Safe Browsing protects over 5 billion devices from phishing and unwanted software. PhishTank provides community-verified phishing reports. VirusTotal aggregates results from 70+ antivirus engines into a single scan.
Q: Is the result 100% reliable?
A: No phishing detection tool achieves 100% accuracy. A "Clean" verdict means no source currently flags the URL. It does not guarantee safety. Newly created phishing pages take minutes to hours before any database detects them. Always combine tool results with common sense: check the sender, inspect the domain spelling, and avoid entering credentials on unfamiliar pages.
Q: Can I check a domain without a full URL?
A: Yes. Enter a bare domain (e.g., example.com) or an IP address (e.g., 93.184.216.34). The tool detects the input type automatically and queries every compatible source.
Q: What does the risk score mean?
A: The score weights each source by reliability: Google Safe Browsing contributes up to 40 points, VirusTotal 30, URLhaus 20, and PhishTank 15. Scores above 85 indicate critical risk with multi-source consensus. Scores between 30 and 59 mean at least one reliable source has flagged the URL.
Protect yourself now
Received a suspicious link? Paste it above and get a verdict in seconds. Bookmark this page for quick access the next time an email or text message looks off. Share it with colleagues. Most phishing succeeds because the recipient had no easy way to verify the link before clicking.
Related tools
| Tool | Purpose |
|---|---|
| IP Blacklist Checker | Check if your IP is listed on email blacklists |
| Domain Blacklist Checker | Check if your domain is blacklisted |
| Mail Header Analysis | Analyze headers of a suspicious email to trace its origin |
| Page Crawl Checker | Analyze crawl behavior of a web page |
Useful resources
- Google Safe Browsing - Protection service against dangerous websites
- URLhaus by abuse.ch - Malicious URL database
- PhishTank - Collaborative phishing verification
- Anti-Phishing Working Group (APWG) - International coalition against phishing