LIVE NEWSROOM · --:-- · May 30, 2026
A LIBRARY FOR SECURITY RESEARCHERS

TOOLS  /  URL CHECKER

Phishing URL Checker

Aggregates URLhaus, Google Safe Browsing (when configured), and 7 heuristic indicators. Never visits the URL with a real browser — safe to use on suspicious links.

    What it does

    Phishing URLs are the most common initial-access vector in real-world breaches (per Verizon DBIR, ~36% of breaches start with a phishing email). Our checker queries multiple independent threat-intelligence sources — URLhaus (abuse.ch’s curated malicious-URL feed), Google Safe Browsing (when configured), and a 7-indicator heuristic engine — and aggregates the verdicts. We never load the URL in a real browser; analysis is metadata-only, so the page is safe to use on links you’d never click yourself.

    Advertisement

    How to use it

    1. Paste a URL (must start with http:// or https://).
    2. Click "Scan URL" — results return in 2–10 seconds depending on source response times.
    3. Read the top-level verdict: CLEAN / SUSPICIOUS / MALICIOUS, with a numeric score.
    4. Review each source verdict — URLhaus, Safe Browsing, and the heuristic indicators are scored independently.
    5. If suspicious, share the scan URL with your SOC team using the unique /scan/{id}/ shareable link.

    Common use cases

    Triage suspicious links in user reports When an employee reports a suspicious email, paste the link here before deciding to click or report further.
    Vet shortened URLs Bitly, t.co, lnkd.in — we follow redirects in the heuristic engine to flag dangerous landings.
    Pre-incident-response screening During phishing-campaign investigation, batch-check 10–20 URLs from indicators-of-compromise reports before pivoting to deeper analysis.
    Bug bounty / external attack surface Check whether external researchers’ reported URLs are already known-malicious in third-party feeds.
    Advertisement

    Frequently asked questions

    Is it safe to scan a URL I think is malicious? +
    Yes. Our scanner only sends the URL to threat-intel APIs (URLhaus, Safe Browsing) — it does not visit the URL with a real browser. No JavaScript executes. The URL string is processed as data.
    What does "score 22" mean? +
    Internal heuristic score. ≥ 50 = MALICIOUS, 20–49 = SUSPICIOUS, < 20 = CLEAN. Each indicator (suspicious TLD, brand impersonation, IP-in-URL, etc.) contributes weighted points.
    Why does Safe Browsing say "not configured"? +
    Google Safe Browsing requires a free API key. We’ll enable it sitewide once registered. URLhaus and the heuristic engine work without any keys.
    Can I share a scan result? +
    Yes — every scan generates a permanent /scan/{id}/ URL that displays the same verdict. Forward to your SOC channel as evidence.
    How often is URLhaus updated? +
    URLhaus auto-feeds from honeypots and analyst submissions — typical lag from real-world phishing campaign to URLhaus listing is 6–24 hours.

    Related tools

    Related coverage on Ciphers Security

    You may also like

    Free for everyone, no signup required. Tool runs at /tools/url-checker/ — bookmark or share.

    Scroll to Top