Free Phishing & BEC Email Analyzer

Paste a suspicious email and get an advisory phishing-risk score with a plain-language checklist of exactly which warning signs fired. It detects lookalike domains, deceptive links, urgency and secrecy pressure, credential requests, and payment-redirect (business-email-compromise) patterns. It's free and instant, runs locally during your request, and the email is never stored. It's a companion to our Fake Recruiter Check.

What this phishing analyzer checks

  • Sender mismatch — a From name that claims a brand its actual domain doesn't match.
  • Lookalike domains — typosquats a keystroke away from a real brand, plus punycode/homoglyph tricks.
  • Deceptive links — link text that shows one destination while the real link points somewhere else, raw-IP links, and URL shorteners.
  • Manipulation language — urgency, secrecy, and pressure phrasing.
  • Credential & payment traps — requests to confirm a password or identity, and BEC signals like changed bank details, wires, or gift cards.

Analyze an email

Paste the full email — ideally including its headers and the raw HTML body, which is where deceptive links hide. Everything stays in your request; nothing is saved.


Frequently asked questions

Is the email I paste stored anywhere?
No. It is analyzed in memory during your request and then discarded — nothing is written to disk or a database. The analysis is local and makes no outbound connections.
What is a typosquat domain?
A domain registered to look almost identical to a real one — like paypa1.com or microsofte.com — differing by a character or two. The tool measures that edit distance against a list of commonly-impersonated brands and flags near-matches.
What is BEC (business email compromise)?
A scam where an attacker poses as a colleague, executive, or vendor to redirect a payment — for example by announcing "our bank details have changed" or requesting gift cards. The tool flags the language patterns these messages rely on.
Does a high score mean it's definitely phishing?
No. The score is advisory — it summarizes how many and how strong the warning signs are. Use it alongside your own judgement, and when in doubt, verify the sender through a channel you already trust.
Why paste the raw HTML?
Deceptive links live in the HTML: the visible text can say paypal.com while the underlying link goes somewhere else entirely. Pasting the raw source lets the tool compare the two.