CHECKLINK AI
Signal dictionary

Risk Signal Library

Plain-English explanations of the signals CheckLink uses to review suspicious links.

info

HTTPS status

Whether the final destination uses HTTPS.

Why it matters

HTTPS protects the connection, but it does not prove that the website is legitimate.

What to do

Treat missing HTTPS as a caution signal. Even with HTTPS, verify the domain before entering credentials or payment details.

caution

Redirect hops

How many times a URL sends the browser somewhere else.

Why it matters

Redirects are common, but long chains can hide the final destination or add tracking layers.

What to do

Check the final domain and be more careful when a link jumps through several sites.

caution

Different final domain

The URL ends on a different domain from the one first entered.

Why it matters

A different final domain can be normal for campaigns, but it can also hide impersonation or short-link abuse.

What to do

Compare the final domain with the sender, brand, and action requested before you trust it.

high

Raw IP hostname

The destination uses an IP address instead of a readable domain.

Why it matters

Raw IP hosts can appear in temporary infrastructure and phishing pages.

What to do

Avoid entering credentials or payment details unless you can verify why an IP address is expected.

caution

Punycode or unusual encoding

The hostname contains encoded characters such as xn--.

Why it matters

Punycode is legitimate technology, but it can hide lookalike characters in domains.

What to do

Verify the destination through the official website when the encoded domain appears in a login, payment, or account link.

high

Brand lookalike pattern

The domain resembles a known brand with small changes.

Why it matters

Lookalike domains can trick users into trusting fake login, support, or payment pages.

What to do

Open the service directly from the official site or app instead of trusting the message link.

caution

Deep subdomains

The hostname has many nested labels before the main domain.

Why it matters

Long subdomain chains can make a fake destination look like it belongs to a trusted brand.

What to do

Read the base domain, not just the first words in the URL.

caution

Final/input base mismatch

The final base domain differs from the input base domain.

Why it matters

A mismatch can indicate that a link is hiding its real destination.

What to do

Check whether the final base domain matches the brand or sender you expected.

info

Suspicious URL structure

Unusual URL features such as dense separators, digits, or complex hostnames.

Why it matters

Structure alone rarely proves danger, but it can add context when combined with other signals.

What to do

Use the structure as a reason to slow down, then inspect the final domain and request manual review if the link affects work, money, or accounts.

caution

Email and domain pattern checks

Email senders are checked for domain, free-provider, disposable, number, and separator patterns.

Why it matters

Sender patterns can reveal throwaway accounts or possible impersonation, especially in payment or login requests.

What to do

Verify the sender through a separate channel before replying, paying, or clicking.

info

Higher-risk TLD pattern

Some email/domain checks add caution for TLDs that often appear in abuse patterns.

Why it matters

A TLD is not proof of risk, but it can be a weak signal when combined with impersonation, urgency, or redirects.

What to do

Do not judge by TLD alone. Combine it with domain, sender, and page context.

This library explains current scanner signals. Planned signals are documented separately on the Trust Signals page.
Inspect redirectsCompare lookalike domainsInspect email headers

Need context beyond one signal?

Signals are clues. Manual review can help when redirects, business context, login pages, or payment links make the decision higher stakes.