Free Phishing & BEC Email Analyzer
Paste a suspicious email and get an advisory phishing-risk score with a plain-language checklist of exactly which warning signs fired. It detects lookalike domains, deceptive links, urgency and secrecy pressure, credential requests, and payment-redirect (business-email-compromise) patterns. It's free and instant, runs locally during your request, and the email is never stored. It's a companion to our Fake Recruiter Check.
What this phishing analyzer checks
- Sender mismatch — a From name that claims a brand its actual domain doesn't match.
- Lookalike domains — typosquats a keystroke away from a real brand, plus punycode/homoglyph tricks.
- Deceptive links — link text that shows one destination while the real link points somewhere else, raw-IP links, and URL shorteners.
- Manipulation language — urgency, secrecy, and pressure phrasing.
- Credential & payment traps — requests to confirm a password or identity, and BEC signals like changed bank details, wires, or gift cards.
Analyze an email
Paste the full email — ideally including its headers and the raw HTML body, which is where deceptive links hide. Everything stays in your request; nothing is saved.
Frequently asked questions
- Is the email I paste stored anywhere?
- No. It is analyzed in memory during your request and then discarded — nothing is written to disk or a database. The analysis is local and makes no outbound connections.
- What is a typosquat domain?
- A domain registered to look almost identical to a real one — like
paypa1.comormicrosofte.com— differing by a character or two. The tool measures that edit distance against a list of commonly-impersonated brands and flags near-matches. - What is BEC (business email compromise)?
- A scam where an attacker poses as a colleague, executive, or vendor to redirect a payment — for example by announcing "our bank details have changed" or requesting gift cards. The tool flags the language patterns these messages rely on.
- Does a high score mean it's definitely phishing?
- No. The score is advisory — it summarizes how many and how strong the warning signs are. Use it alongside your own judgement, and when in doubt, verify the sender through a channel you already trust.
- Why paste the raw HTML?
- Deceptive links live in the HTML: the visible text can say
paypal.comwhile the underlying link goes somewhere else entirely. Pasting the raw source lets the tool compare the two.