How 2check.click Works

2check.click checks suspicious links, messages, and QR codes for common phishing and scam indicators — entirely in your browser, with no account required and nothing stored on our end.

Privacy Focused
No Login Required
No Personal Data Collected
Anonymous Analysis
Educational Security Platform

The Analysis Process

Every check follows four steps, from the moment you submit something to the moment you see a result.

1
Submit your input
Paste a URL, type or paste a message, or upload a QR code image. No account, login, or browser extension is required. The input never leaves your device for processing — the analysis engine is shipped directly to your browser.
2
Input type is identified
2check.click automatically detects what you submitted and routes it to the right analyzer. Supported types include:
- URL — a web address, with or without https://
- SMS / chat message — a text message containing suspicious language
- Email text — the body of a phishing email pasted as plain text
- QR code — an image file or camera scan decoded client-side
- Mixed content — a message that contains both text and embedded URLs, analyzed together
3
Security signals are evaluated
The analyzer checks dozens of security signals simultaneously. For URLs, this includes:
- Domain patterns — lookalike brand names, typosquatting, homoglyph characters, suspicious TLDs
- URL structure — IP addresses, unusual ports, dangerous file extensions, redirect chains, encoding tricks
- Impersonation indicators — brand names in subdomains or paths designed to look like official sites
- Threat intelligence matches — known shortener services, IP logger domains, free hosting patterns
For messages, the analysis evaluates urgency language, fake account threats, financial pressure, and delivery-scam phrasing — even when no URL is present.
4
Results are explained in plain language
The result page shows a risk level, a plain-language explanation of what triggered it, and recommended next steps. Each result includes:
- Risk level — Low, Medium, High, or Very High
- Threat classification — what category of threat was detected, if any
- Why it was flagged — specific signals that contributed to the score, in plain English
- Recommended actions — what to do next, calibrated to the risk level

Risk Levels

Every result is assigned one of four risk levels, derived from a weighted 0–100 score. The label and short description tell you both the severity and what to do next.

Low RiskCleanScore 0–25

No significant signals found. The link or message shows no indicators commonly associated with phishing or scams. Standard caution still applies.

Medium RiskSuspiciousScore 26–55

One or more weak-to-moderate signals detected. The link or message has characteristics that overlap with known phishing patterns. Verify the source before acting.

High RiskRiskyScore 56–80

Multiple strong signals detected. The link or message exhibits clear phishing or scam characteristics. Do not click, do not provide any information.

Very High RiskDangerousScore 81–100

Highly confident match against known phishing patterns. Multiple converging signals indicate a likely phishing or malware distribution attempt.

Score thresholds may shift slightly between releases as detection rules are tuned. Short labels ("Clean", "Suspicious", "Risky", "Dangerous") appear on result badges throughout the interface.

Privacy and Data Handling

2check.click is designed around a simple principle: the links and messages you check are sensitive, and they should stay that way.

No login or account required
You can use every feature of 2check.click without creating an account, registering an email address, or providing any personal information.
No submitted content stored as personal data
The URLs, messages, and QR images you check are not stored, logged, or associated with any identifier. Each check starts and ends in your browser session.
Analysis is metadata-focused
The detection engine works from URL structure, domain patterns, and message-level signals — not from any personal context about you or your device. It evaluates the link, not the person checking it.
Optional anonymous analytics
Aggregate product analytics (tool usage counts, risk-level distribution) are collected without cookies, without IP storage, and without linking events to individuals. No URL or message content is ever included in analytics data.

What 2check.click Does Not Do

Being transparent about scope is part of being a trustworthy tool.

Does not guarantee every phishing attempt will be detected
Some phishing sites use clean-looking domains with no URL-level indicators. Analysis based on link structure alone cannot catch attacks that rely entirely on deceptive page content. See the Detection Accuracy page for a full breakdown of known gaps.
Does not replace professional security tools
2check.click is a pre-click triage tool for everyday users. It is not a substitute for enterprise endpoint protection, email gateway filtering, or incident response tooling.
Does not open unsafe websites on your behalf
The tool never navigates to, loads, or renders the destination of the URL you submit. The short-link resolver uses HEAD-only requests that never download page content. This is a hard architectural boundary, not a configurable option.
Does not require a browser extension
Everything runs in a standard browser tab. No extension installation, no system permissions, no persistent background process. Close the tab and nothing about the session persists.

Learn More

Detection Accuracy

Detection rates, test methodology, and an honest account of known limitations.

Threat Examples

Real-world phishing patterns across 7 categories, shown with fictional placeholder domains.

Report a Problem

Found a false positive, or a scam we missed? Reports go directly into rule tuning.

Frequently Asked Questions

How does 2check.click analyze a suspicious link?

The analysis runs entirely in your browser. 2check.click evaluates dozens of signals in the URL itself — domain structure, brand lookalike patterns, suspicious keywords, redirect chains, dangerous file extensions, and hidden or encoded content — then combines them into a single risk score with a plain-language explanation. The only network request made is an optional, SSRF-protected HEAD request to resolve shortened links — it never downloads or renders the destination page.

Does 2check.click open the website it is checking?

No. 2check.click never visits, loads, or renders the URL you submit. It analyzes the link structure and signals directly. For shortened links, a single HEAD request is made through a protected resolver to follow the redirect chain — but the destination page content is never fetched. This is a deliberate privacy and safety boundary built into the architecture.

Can I check SMS and email messages?

Yes. The message analyzer evaluates the text of SMS messages, emails, and chat messages for phishing language patterns — urgency cues, fake account alerts, financial pressure, delivery scam phrasing, and requests for personal information. You can analyze a message even if it doesn't contain a link.

Are QR codes analyzed safely?

Yes. QR code decoding runs entirely in your browser using jsQR — the image is never uploaded to any server. Once the code is decoded, the destination URL goes through the same client-side analysis as any other link. The QR code checker accepts both uploaded images and live camera scans.

Why can a suspicious result still be uncertain?

Phishing analysis based on URL structure alone cannot see the content of the destination page. A link can look clean while leading to a convincing fake login page, or it can look suspicious while belonging to a legitimate site with an unusual domain structure. The result is a risk signal to inform your judgment — not a guarantee. See our Detection Accuracy page for an honest breakdown of what the engine catches and where its known gaps are.

Ready to check something? Analyze a link or message — no account required.