Phishing Email Analyzer

Paste a suspicious email and get an instant phishing risk score. Checks spoofed senders, deceptive links, lookalike domains, urgency tactics, and dangerous attachments — 100% in your browser.

100% Private - Runs Entirely in Your Browser
No data is sent to any server. All processing happens locally on your device.

The Warning Signs This Tool Looks For

Phishing succeeds by looking legitimate while hiding a few tells. This analyzer checks the ones that matter most:

Link deception — the strongest signal. A link that says "paypal.com" but actually points to a different domain is almost always malicious. The tool compares the visible text against the real destination for every link, and also flags raw IP-address links, punycode domains (which hide lookalike characters), URL shorteners (which hide the destination entirely), and domains that are one or two characters off a known brand (typosquatting).

Sender inconsistencies — when Reply-To or Return-Path points to a different domain than the From address, your reply or the bounce goes somewhere other than the apparent sender. Combined with a display name that impersonates a brand (especially from a free mailbox like gmail.com), this is a classic spoofing setup.

Manufactured urgency — "act within 24 hours," "your account will be suspended," "unauthorized activity detected." Phishing pressures you to act before you think. The tool counts these phrases and weights them.

Credential requests — legitimate organizations never ask you to confirm your password, full card number, or SSN by email. Any email that does is a major red flag.

Dangerous attachments — executables and scripts (.exe, .scr, .js, .hta) and macro-enabled documents are primary malware vectors.
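
The link checks described above, written in JavaScript as an added example (not the analyzer's own code). The brand and shortener lists, the function names and the sample HTML are assumptions made for illustration.

```javascript
// Added example. Brand and shortener lists are assumed, not the analyzer's own.
const BRAND_DOMAINS = ["paypal.com", "microsoft.com", "amazon.com"];
const SHORTENERS = new Set(["bit.ly", "tinyurl.com", "t.co"]);
// Naive registrable domain (last two labels); real code should use the Public Suffix List.
const baseDomain = (host) => host.toLowerCase().split(".").slice(-2).join(".");
// Levenshtein distance, used to spot domains one or two edits away from a brand.
function editDistance(a, b) {
  let prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    const row = [i];
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      row[j] = Math.min(prev[j] + 1, row[j - 1] + 1, prev[j - 1] + cost);
    }
    prev = row;
  }
  return prev[b.length];
}

function analyzeLink(text, href) {
  let host;
  try { host = new URL(href).hostname; } catch { return ["unparseable-url"]; }
  const base = baseDomain(host);
  const findings = [];
  // Only compare when the visible text itself looks like a domain or URL.
  const shown = text.trim().match(/^(?:https?:\/\/)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)/i);
  if (shown && baseDomain(shown[1]) !== base) findings.push("text-destination-mismatch");
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(host) || host.startsWith("[")) findings.push("raw-ip");
  // URL() converts Unicode hostnames to xn-- (punycode) form, so homoglyph hosts are caught too.
  if (host.split(".").some((label) => label.startsWith("xn--"))) findings.push("punycode");
  if (SHORTENERS.has(base)) findings.push("url-shortener");
  for (const brand of BRAND_DOMAINS) {
    const d = editDistance(base, brand);
    if (d === 1 || d === 2) findings.push(`typosquat:${brand}`);
  }
  return findings;
}

// Extract <a href> pairs with a regex (adequate for a demo, not a full HTML parser).
function analyzeHtml(html) {
  const anchor = /<a\b[^>]*\bhref\s*=\s*["']([^"']+)["'][^>]*>([\s\S]*?)<\/a>/gi;
  return [...html.matchAll(anchor)].map(([, href, inner]) => {
    const text = inner.replace(/<[^>]+>/g, "");
    return { text, href, findings: analyzeLink(text, href) };
  });
}
// Constructed sample body: Cyrillic "а" (U+0430) in the first href, digit "1" in the second.
const SAMPLE_HTML = '<a href="http://p\u0430ypal.com/login">paypal.com</a> ' +
  '<a href="https://paypa1.com/verify"><b>Sign in</b></a>';
```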

Why Analyze Phishing In Your Browser

There is a chicken-and-egg problem with most phishing-analysis tools: to check whether an email is dangerous, you have to send the dangerous email somewhere. If that somewhere is a cloud service, you have just forwarded a potential threat — and possibly leaked whatever real information the email references about you.

Running the analysis in your browser removes that problem entirely. The email you paste is processed by JavaScript on your own machine and never transmitted. You can analyze the most sensitive, targeted phishing attempt — one that includes your real name, your company, your account details — without any of it leaving your device.

This local-first approach also means the tool works offline, has no rate limits, requires no signup, and cannot itself become a data-breach risk. The optional AI explanation runs the same way: a small model loaded into your browser, explaining the findings without ever seeing them on a server.

Frequently Asked Questions

Common questions about the Phishing Email Analyzer

Yes — completely. The entire analysis runs in your browser using JavaScript. The email text is never sent to our servers or anyone else. You can verify this by opening the tool, disconnecting from the internet, and analyzing an email offline. This is exactly why a browser-based analyzer is the right tool for suspicious emails: a cloud service would require you to upload the very thing you are worried about.

It applies deterministic security rules to the email: it compares link text against the actual link destination (the single strongest phishing signal), detects raw-IP and punycode links, finds lookalike/typosquatted brand domains, checks whether Reply-To and Return-Path match the sender, spots display-name impersonation of known brands, scores urgency and credential-harvesting language, and flags dangerous attachment types. Each finding adds to a weighted risk score. The optional AI step only explains these findings — it never changes the verdict.
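
The sender checks and weighted scoring described above, written in JavaScript as an added example (not the analyzer's own code). The brand list, free-mailbox list, weights, function names and sample headers are all assumptions.

```javascript
// Added example: brand list, free-mail list and weights are assumptions, not the tool's values.
const BRAND_NAMES = { paypal: "paypal.com", microsoft: "microsoft.com" };
const FREE_MAIL = new Set(["gmail.com", "outlook.com", "yahoo.com"]);
const WEIGHTS = { "reply-to-mismatch": 25, "return-path-mismatch": 15,
                  "display-name-impersonation": 30, "free-mailbox-brand": 15 };

// Naive registrable domain (last two labels); real code should use the Public Suffix List.
const baseDomain = (host) => host.toLowerCase().split(".").slice(-2).join(".");

// Read the header block (up to the first blank line), unfolding continuation lines.
function parseHeaders(raw) {
  const head = raw.replace(/\r\n/g, "\n").split("\n\n")[0].replace(/\n[ \t]+/g, " ");
  const headers = {};
  for (const line of head.split("\n")) {
    const i = line.indexOf(":");
    if (i > 0) headers[line.slice(0, i).toLowerCase()] = line.slice(i + 1).trim();
  }
  return headers;
}

// Split `Display Name <user@host>` into display name and base domain.
function parseAddress(value = "") {
  const m = value.match(/@([a-z0-9.-]+)>?\s*$/i);
  const name = value.includes("<") ? value.slice(0, value.indexOf("<")).replace(/"/g, "").trim() : "";
  return { name, domain: m ? baseDomain(m[1]) : null };
}

function analyzeSender(raw) {
  const h = parseHeaders(raw);
  const from = parseAddress(h["from"]);
  const findings = [];
  for (const field of ["reply-to", "return-path"]) {
    const d = parseAddress(h[field]).domain;
    if (d && from.domain && d !== from.domain) findings.push(`${field}-mismatch`);
  }
  const brand = Object.keys(BRAND_NAMES).find((b) => from.name.toLowerCase().includes(b));
  if (brand && from.domain !== BRAND_NAMES[brand]) {
    findings.push("display-name-impersonation");
    if (FREE_MAIL.has(from.domain)) findings.push("free-mailbox-brand");
  }
  const score = Math.min(100, findings.reduce((sum, f) => sum + WEIGHTS[f], 0));
  return { findings, score };
}

// Constructed sample headers; the Reply-To header is folded across two lines.
const SAMPLE_HEADERS = 'From: "PayPal Support" <service.paypal@gmail.com>\r\n' +
  "Reply-To: Account Team\r\n  <help@secure-review.example>\r\n" +
  "Return-Path: <bounce@mailer.example.net>\r\n\r\nYour account will be suspended.";
```

A Return-Path on a different domain is also normal for mail sent through a third-party delivery service, which is why the example gives that finding the lowest weight.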

The Email Header Analyzer focuses on email authentication — SPF, DKIM, and DMARC — from the structured headers. The Phishing Email Analyzer takes the full email (headers and body) and analyzes the parts attackers actually use to deceive you: the links, the language, brand impersonation, and attachments. Use both together for a complete picture; this tool links to the header analyzer for the authentication side.

Do not click any links, open any attachments, or reply. If the email claims to be from a company you do business with, verify independently — type the company's real website address yourself or call a number from your account statement, never one from the email. Report the email to your IT/security team and to the impersonated company (most have a phishing@ address). Then delete it. A high score here is a strong signal, but when in doubt, treat it as malicious.

No automated tool can. This catches the common, high-confidence signals that most phishing shares — but sophisticated, targeted attacks (spear phishing) may use clean infrastructure and personalized language that no heuristic flags. A low score means "no obvious red flags," not "guaranteed safe." Always combine tool output with judgment: were you expecting this email? Does the request make sense? Is it creating pressure to act fast?

In most email clients, look for "Show original," "View source," or "View message details." In Gmail: open the email, click the three-dot menu, choose "Show original." In Outlook: open the message, File > Properties shows headers, or use "View source." That gives you the complete email including headers, which lets the analyzer check sender authentication clues. If you only have the visible body, the link and language analysis still works.
