info
HTTPS status
Whether the final destination uses HTTPS.
Why it matters
HTTPS protects the connection, but it does not prove that the website is legitimate.
What to do
Treat missing HTTPS as a caution signal. Even with HTTPS, verify the domain before entering credentials or payment details.
caution
Redirect hops
How many times a URL sends the browser somewhere else.
Why it matters
Redirects are common, but long chains can hide the final destination or add tracking layers.
What to do
Check the final domain and be more careful when a link jumps through several sites.
caution
Different final domain
The URL ends on a different domain from the one first entered.
Why it matters
A different final domain can be normal for campaigns, but it can also hide impersonation or short-link abuse.
What to do
Compare the final domain with the sender, brand, and action requested before you trust it.
high
Raw IP hostname
The destination uses an IP address instead of a readable domain.
Why it matters
Raw IP hosts can appear in temporary infrastructure and phishing pages.
What to do
Avoid entering credentials or payment details unless you can verify why an IP address is expected.
caution
Punycode or unusual encoding
The hostname contains encoded characters such as xn--.
Why it matters
Punycode is legitimate technology, but it can hide lookalike characters in domains.
What to do
Verify the destination through the official website when the encoded domain appears in a login, payment, or account link.
high
Brand lookalike pattern
The domain resembles a known brand with small changes.
Why it matters
Lookalike domains can trick users into trusting fake login, support, or payment pages.
What to do
Open the service directly from the official site or app instead of trusting the message link.
caution
Deep subdomains
The hostname has many nested labels before the main domain.
Why it matters
Long subdomain chains can make a fake destination look like it belongs to a trusted brand.
What to do
Read the base domain, not just the first words in the URL.
caution
Final/input base mismatch
The final base domain differs from the input base domain.
Why it matters
A mismatch can indicate that a link is hiding its real destination.
What to do
Check whether the final base domain matches the brand or sender you expected.
info
Suspicious URL structure
Unusual URL features such as dense separators, digits, or complex hostnames.
Why it matters
Structure alone rarely proves danger, but it can add context when combined with other signals.
What to do
Use the structure as a reason to slow down, then inspect the final domain and request manual review if the link affects work, money, or accounts.
caution
Email and domain pattern checks
Email senders are checked for domain, free-provider, disposable, number, and separator patterns.
Why it matters
Sender patterns can reveal throwaway accounts or possible impersonation, especially in payment or login requests.
What to do
Verify the sender through a separate channel before replying, paying, or clicking.
info
Higher-risk TLD pattern
Some email/domain checks add caution for TLDs that often appear in abuse patterns.
Why it matters
A TLD is not proof of risk, but it can be a weak signal when combined with impersonation, urgency, or redirects.
What to do
Do not judge by TLD alone. Combine it with domain, sender, and page context.