2check.click

Phishing Detection Methodology

2check.click uses layered security signals to evaluate suspicious URLs, messages, emails, and QR codes. This page explains the signal categories it checks, how results are formed, and what the output means — without exposing the internal rules that attackers could use to evade detection.

  • Privacy protection
  • No registration
  • No data collected
  • Anonymous analysis
  • Educational security platform

Signals We Analyze

Every check evaluates signals across six broad categories. No single signal produces a verdict — multiple signals are combined, and their interactions matter as much as any individual indicator.

URL Structure

The raw shape of the URL can reveal obfuscation techniques that legitimate sites do not use.

  • Percent-encoding, double-encoding, and Unicode escapes used to disguise destination
  • Raw IP address in place of a domain name
  • Non-standard ports (e.g. :8080, :4443)
  • Dangerous or deceptive file extensions (.exe, .ps1, .iso, .html.zip)
  • Unusually long paths or query strings containing personal-data parameters
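The structural checks listed above can be run on the URL text alone, without contacting the destination. The sketch below is an added example, not 2check.click's own rules: the signal names, the personal-data parameter names and the sample URLs are assumptions, and the extension list repeats the examples given above.

```javascript
// Added example: structural URL signals computed offline from the URL text.
const DANGEROUS_EXT = [".exe", ".ps1", ".iso", ".html.zip"]; // examples from the list above
const PERSONAL_PARAMS = ["email", "phone", "ssn", "card"];   // assumed parameter names

function urlStructureSignals(raw) {
  let u;
  try { u = new URL(raw); } catch { return ["unparseable"]; }
  const signals = [];

  // The parser canonicalises the host, so hex or short-form IPv4 such as
  // 0x7f.1 arrives here as a dotted quad; IPv6 literals keep their brackets.
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(u.hostname) || u.hostname.startsWith("[")) {
    signals.push("ip-host");
  }
  // u.port is "" when the port is absent or is the scheme default.
  if (u.port !== "") signals.push("nonstandard-port");

  // Percent-escapes in the authority are checked on the raw text because
  // the parser has already decoded them in u.hostname.
  const authority = (raw.match(/^[a-z][a-z0-9+.-]*:\/\/([^\/?#]*)/i) || [])[1] || "";
  if (authority.includes("%")) signals.push("encoded-host");

  // %25 followed by two hex digits is an escaped escape: double-encoding.
  if (/%25[0-9a-f]{2}/i.test(raw)) signals.push("double-encoding");

  // Decode the path once so an escaped dot or letter cannot hide the extension.
  let path = u.pathname.toLowerCase();
  try { path = decodeURIComponent(path); } catch { /* keep the undecoded path */ }
  if (DANGEROUS_EXT.some((ext) => path.endsWith(ext))) signals.push("dangerous-extension");

  const names = [...u.searchParams.keys()].map((k) => k.toLowerCase());
  if (names.some((k) => PERSONAL_PARAMS.includes(k))) signals.push("personal-data-param");

  return signals;
}
```

Each returned name is one observation; as the page says, no single signal is a verdict on its own.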

Domain Patterns

The domain itself — its structure, age, and top-level domain — often signals intent before any content is loaded.

  • Visually confusable characters (Cyrillic а vs Latin a, zero vs letter O)
  • Edit-distance typos of well-known brand domains (paypa1.com, arnazon.com)
  • High-risk top-level domains commonly abused in phishing campaigns
  • Newly registered domains with no established history
  • Free hosting subdomains associated with user-generated content abuse

Brand Impersonation

Attackers frequently embed brand names in URLs to create an appearance of legitimacy without owning the brand's real domain.

  • Brand name placed in a subdomain (paypal.attacker.com)
  • Brand name embedded in a long path (/secure/microsoft/login)
  • Domain registered with a brand name plus a risk suffix (amazon-support-verify.com)
  • Homoglyph substitution in the brand portion of a domain
  • Typosquatted variant of a brand domain (microsft.com, gooogle.com)
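The look-alike checks from the Domain Patterns and Brand Impersonation lists can be combined in one pass over the hostname. The sketch below is an added example, not 2check.click's own rules: the brand list is taken from the domains named above, while the confusable map, the signal names and the "last two labels" rule for the registrable domain are simplifying assumptions. It expects the hostname in Unicode form, not punycode.

```javascript
// Added example: brand look-alike signals from a hostname (Unicode form).
const BRANDS = { paypal: "paypal.com", amazon: "amazon.com",
                 microsoft: "microsoft.com", google: "google.com" };
// Assumed sample of confusables: Cyrillic a, e, o, p, c plus digits 0 and 1.
const CONFUSABLE = { "\u0430": "a", "\u0435": "e", "\u043e": "o",
                     "\u0440": "p", "\u0441": "c", "0": "o", "1": "l" };

// Fold confusable characters to the letter they imitate; "rn" reads as "m".
function skeleton(label) {
  return [...label].map((ch) => CONFUSABLE[ch] || ch).join("").replace(/rn/g, "m");
}

// Levenshtein distance with two rolling rows.
function editDistance(a, b) {
  let prev = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    const cur = [i];
    for (let j = 1; j <= b.length; j++) {
      const cost = a[i - 1] === b[j - 1] ? 0 : 1;
      cur[j] = Math.min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost);
    }
    prev = cur;
  }
  return prev[b.length];
}

function brandSignals(hostname) {
  const labels = hostname.toLowerCase().split(".");
  // Assumption: the registrable domain is the last two labels. A real
  // checker needs the Public Suffix List for suffixes such as co.uk.
  const registrable = labels.slice(-2).join(".");
  const name = labels[labels.length - 2] || "";
  const sub = labels.slice(0, -2);
  const skel = skeleton(name);
  const signals = [];
  for (const [brand, official] of Object.entries(BRANDS)) {
    if (registrable === official) continue; // the brand's own domain
    if (name !== brand && skel === brand) signals.push(`confusable:${brand}`);
    else if (editDistance(name, brand) === 1) signals.push(`typosquat:${brand}`);
    else if (name.split("-").includes(brand)) signals.push(`brand-in-name:${brand}`);
    if (sub.some((l) => l.split("-").includes(brand))) signals.push(`brand-in-subdomain:${brand}`);
  }
  return signals;
}
```

The confusable fold runs before the edit-distance test, so paypa1.com and arnazon.com are reported as confusable matches, and the brand's real domain with any subdomain returns no signal.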

Message Urgency

Phishing messages rely on psychological pressure to override careful thinking. Specific language patterns are strongly associated with scam content.

  • Urgency and deadline language (act now, expires today, final notice)
  • Fake account threat language (suspended, locked, unusual activity)
  • Financial pressure phrases (outstanding balance, unpaid invoice, tax refund)
  • Delivery scam patterns (parcel held, customs fee required, delivery failed)
  • Personal information requests (verify your identity, confirm your details)

QR Destination Safety

A QR code is simply a link in image form. Once decoded client-side, the destination URL is evaluated with the same signal groups as any directly submitted link.

  • QR codes pointing to shortened or redirect-chain URLs
  • QR codes embedding brand impersonation domains
  • QR codes with encoded or obfuscated destination URLs
  • QR codes linking to domains with dangerous file extensions
  • QR codes routing through known IP logger services

Threat Intelligence Matches

Known infrastructure associated with phishing, tracking, and malware distribution is matched against a maintained reference set.

  • Known URL shortener services (66+ providers) that conceal destinations
  • IP logger and click-tracking services used to harvest visitor data
  • Free hosting platforms frequently abused for phishing page deployment
  • Redirect chain patterns that route through multiple intermediate domains
  • Open redirect parameters that allow arbitrary destination substitution
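Redirect parameters and chains can be surfaced from the URL text itself, which fits the constraint that the destination is never visited. The sketch below is an added example, not 2check.click's own rules: the function name, the depth cap and the sample URLs are assumptions. It reports every query parameter whose value is an absolute http(s) URL on a different host, then follows nested parameters the same way.

```javascript
// Added example: find destinations embedded in query parameters.
// Parsing only; nothing is fetched or resolved.
const MAX_DEPTH = 5; // assumed cap so nested values cannot recurse without end

function embeddedDestinations(raw, depth = 0) {
  if (depth >= MAX_DEPTH) return [];
  let u;
  try { u = new URL(raw); } catch { return []; }
  const found = [];
  for (const [param, value] of u.searchParams) {
    // searchParams has already percent-decoded the value once.
    // Protocol-relative values (//host/path) inherit the outer scheme.
    const candidate = value.startsWith("//") ? u.protocol + value : value;
    let target;
    try { target = new URL(candidate); } catch { continue; } // not an absolute URL
    if (!/^https?:$/.test(target.protocol)) continue;        // ignore mailto:, c:, ...
    if (target.hostname === u.hostname) continue;            // same-site return link
    found.push({ via: u.hostname, param, destination: target.hostname });
    // A destination may carry its own redirect parameter: follow the chain.
    found.push(...embeddedDestinations(target.href, depth + 1));
  }
  return found;
}
```

A result with more than one entry is a chain through intermediate domains; each entry names the host that would forward the visitor and the parameter that carries the next hop.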

Risk Assessment

Signals from all applicable categories are combined into a single weighted score. The score maps to one of four risk levels, each carrying a plain-language short label used throughout the interface. Scoring weights are not published — publishing them would allow attackers to calibrate evasion.

Low Risk (Clean): Score 0 – 25

Signal evaluation found no significant indicators. Characteristics of the URL or message do not match patterns commonly associated with phishing or scam activity.

Medium Risk (Suspicious): Score 26 – 55

One or more moderate signals detected. The input shares enough characteristics with phishing patterns to warrant caution. The result includes an explanation of which signals contributed.

High Risk (Risky): Score 56 – 80

Multiple strong signals detected across more than one category. The input exhibits clear phishing or scam characteristics. Interaction is not recommended without independent verification.

Very High Risk (Dangerous): Score 81 – 100

Converging signals from multiple categories indicate a high-confidence match against known phishing patterns. Likely a phishing attempt, credential harvesting page, or malware delivery vector.

Score ranges reflect the current engine version and may shift slightly between releases as detection rules are refined. The short labels (Clean, Suspicious, Risky, Dangerous) remain stable across versions.

Explainability System

Every result above Low risk includes a plain-language explanation. The goal is that a non-technical user reading the result understands not just the verdict, but why it was reached and what to do next.

Why We Flagged This

Each contributing signal is listed in plain English — no jargon, no reference to internal rule names. For example: "This domain closely resembles PayPal's official domain and may be trying to deceive users" rather than "typosquat detected, DL=1".

Threat Classification

When signals align with a known scam category — delivery scam, brand impersonation, credential harvesting, government lure — the result names the category. This gives users a concrete mental model of the threat pattern they are looking at.

Potential Impact

The explanation states what harm could result from interacting with the link or message — credential theft, payment fraud, malware installation, or personal data harvesting — calibrated to the specific signals detected.

Recommended Actions

Each risk level maps to a specific recommendation: ignore and delete (Low), verify independently (Medium), do not interact (High / Very High). Recommendations reference the official domain of any impersonated brand where applicable.

Privacy and Safety

The methodology is designed around a hard constraint: the content you submit is sensitive, and the analysis must not require you to trust 2check.click with it.

  • No login or account required

    The full analysis pipeline is available without creating an account, providing an email address, or registering in any way.

  • No submitted content stored as personal data

    URLs, messages, and QR images you submit are not logged, stored, or associated with any identifier. Each check begins and ends in your browser session.

  • Analysis focuses on metadata and security signals

    The engine evaluates structural and pattern-based signals — domain shape, keyword presence, encoding techniques — not the personal context of the submitter or the content of destination pages.

  • No live malicious links in educational examples

    All domain names shown on this site in phishing examples use a safe fictional placeholder. The Threat Examples page never displays real malicious URLs — only the patterns they follow.

Known Limitations

URL-level analysis has structural limits that cannot be resolved without visiting the destination — which 2check.click deliberately never does. These limitations are documented openly.

  • Content-only phishing can be hard to detect

    A phishing site hosted on a clean, unrelated domain with no brand references or suspicious keywords in its URL is invisible to structural analysis. The deception lives entirely in what the page shows — which 2check.click never loads.

  • Newly registered clean domains may have limited signals

    A brand-new domain with a neutral name looks identical to a legitimate new business at the URL level. Without page content or behavioral history, structural analysis has little to evaluate.

  • Social engineering can work without technical indicators

    Phishing that uses relationship context — a message that appears to come from a known contact linking to a credible-looking shared document — may carry no URL-level signals at all. The deception depends entirely on the recipient's trust in the apparent sender.

  • Automated tools cannot replace user judgment

    2check.click is a pre-click triage aid. A Low result means no significant indicators were found — not that the link is definitively safe. When in doubt, navigate directly to the organization's official site rather than using the link provided.

Frequently Asked Questions

Does 2check.click reveal its scoring formula?

No. Publishing scoring weights would allow attackers to engineer URLs that score just below detection thresholds. Instead, 2check.click publishes the categories of signals it checks and the plain-language reasoning behind each result — enough transparency to build trust without handing attackers a calibration guide. Detection rates and known gaps are documented on the Detection Accuracy page.

Why does the result show a risk level instead of a simple yes or no?

Phishing is not binary. Many URLs share characteristics with phishing without being definitively malicious, and confirmed phishing pages are often hosted on clean-looking domains with no URL signals at all. A risk level communicates both confidence and severity, giving users better context for their decision than a binary safe/unsafe label. The four levels — Low, Medium, High, Very High — reflect increasing signal strength, not just a yes/no classification.

What signals are used to detect phishing?

Six broad signal categories are evaluated: URL structure, domain patterns, brand impersonation, message urgency language, QR destination safety, and threat intelligence matches. Each category is described in detail in the Signals We Analyze section above, and realistic examples of these patterns in action are shown on the Threat Examples page.

Can attackers evade automated checks?

Yes. Attackers can register clean-looking domains with no brand references in the URL, use newly registered domains with no suspicious history, and rely entirely on deceptive page content that only a browser rendering the page can see. These structural limitations are documented openly on the Detection Accuracy page. Awareness of these gaps is what makes the tool honest rather than misleading.

Why are limitations shown publicly?

Because a tool that overstates its capabilities causes harm. If users believe a link checker catches everything, they stop applying their own judgment — exactly when judgment matters most. Documenting known gaps helps users calibrate how much weight to put on a result and makes the tool genuinely useful, even in cases where it cannot give a definitive answer. If you encounter a gap not listed here, report it.

Have a question about how a specific result was reached? Report a problem or get in touch.
