Phishing Detector (Text & Image)
Two-mode phishing detector. Paste a suspicious message and get a phishing score with explanations, or upload an image (screenshot, poster) to decode the QR code and analyze the destination URL — all in your browser.
How to Use the Phishing Detector
- Choose Text mode for emails, SMS, WhatsApp messages, or any pasted body of text.
- Choose Image mode to drop a screenshot or photo of a QR code (poster, sticker, suspicious receipt). The browser's BarcodeDetector decodes the QR locally.
- Read the bilingual explanation for every signal: urgency, threats, credential requests, brand impersonation, etc.
- If the message contains URLs (or the QR contains one), the same engine that powers the URL Scanner runs on each link and surfaces typosquatting, homoglyphs, and abused TLDs.
- The risk score combines text patterns and the worst URL found. A high score means stop and verify by an independent channel.
How the Detector Works
Phishing operates by hijacking trust signals: a familiar logo, an urgent tone, a believable sender, a link that looks right at a glance. Defending against it is mostly about slowing the victim down enough to notice the inconsistencies. This tool encodes that 'noticing' as a checklist — a battery of regex- and URL-parser-based heuristics that flag the same patterns a trained eye would.
Text mode catches the linguistic markers: urgency phrasing ('verify within 24 hours'), threat phrasing ('your account will be suspended'), explicit credential requests, generic greetings, lottery/prize hooks, advance-fee templates, support-team impersonation, fake shipping notices (DHL/FedEx/Correos), tax-authority spoofs (IRS/HMRC/AEAT), and crypto wallet drainers. Each pattern is bilingual (English + Spanish) because phishing kits are translated and reused across languages.
Image mode targets quishing — QR-code phishing. Attackers print QR codes on stickers and physical mailings; the QR resolves to a credential-harvesting page, but the user can't see the URL until they scan. This tool decodes the QR with the browser's native BarcodeDetector API (Chromium-based browsers), then runs the destination URL through the same risk engine: typosquatting against 40+ major brands, Cyrillic/Greek homoglyph detection, abused TLDs (.tk, .top, .xyz), Punycode, IP-as-host, credential trick (user@host), excessive subdomains, URL shorteners, and credential-keyword stacking ('login', 'verify', 'secure', 'account' in the path).
Everything runs locally. The text never leaves the browser; the image is loaded with createImageBitmap and decoded via BarcodeDetector — no upload, no cloud OCR. The score is heuristic: high scores are a strong signal to stop and verify, low scores are not a safety guarantee.
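The URL-side checks that need no brand list (IP-as-host, user@host, Punycode, abused TLDs, excessive subdomains, keyword stacking) can be written against the standard WHATWG URL parser. This is an added example, not the tool's own code; the signal names, weights, and the subdomain threshold are assumptions chosen for illustration.

```javascript
// Added example: a subset of the URL heuristics listed above.
// Signal names, WEIGHTS values and the ">4 labels" threshold are assumptions.
const ABUSED_TLDS = new Set(["tk", "top", "xyz"]);            // TLDs named on the page
const CRED_WORDS = ["login", "verify", "secure", "account"];  // keywords named on the page
const WEIGHTS = { ip_host: 30, userinfo: 35, punycode: 30, abused_tld: 20,
                  many_subdomains: 15, keyword_stacking: 20, unparseable: 40 };

function urlSignals(raw) {
  let u;
  try { u = new URL(raw); } catch { return ["unparseable"]; }
  const host = u.hostname;                       // lower-cased and normalized by the parser
  const labels = host.split(".").filter(Boolean);
  const signals = [];

  // The parser rewrites hex/octal/short IPv4 forms to dotted decimal,
  // and keeps IPv6 literals in brackets.
  const isIp = /^\d{1,3}(\.\d{1,3}){3}$/.test(host) || host.startsWith("[");
  if (isIp) signals.push("ip_host");

  // "https://brand.example@evil.example/": everything before @ is userinfo, not the host.
  if (u.username || u.password) signals.push("userinfo");

  // Unicode hostnames are converted to their ASCII xn-- form by the parser,
  // so this one check covers both raw Punycode and homoglyph hosts.
  if (labels.some((l) => l.startsWith("xn--"))) signals.push("punycode");

  if (!isIp) {
    if (ABUSED_TLDS.has(labels[labels.length - 1])) signals.push("abused_tld");
    if (labels.length > 4) signals.push("many_subdomains");
  }

  // Two or more credential keywords in path/query count as stacking.
  const path = (u.pathname + u.search).toLowerCase();
  if (CRED_WORDS.filter((w) => path.includes(w)).length >= 2) signals.push("keyword_stacking");
  return signals;
}

function urlScore(raw) {
  const signals = urlSignals(raw);
  const score = Math.min(100, signals.reduce((sum, name) => sum + WEIGHTS[name], 0));
  return { score, signals };
}
```

Checking `u.hostname` rather than pattern-matching the raw string is what makes the user@host case reliable: the parser, not a regex, decides where the host begins.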
Frequently Asked Questions
No. Text analysis runs entirely in JavaScript in your tab. Image analysis loads the file into an ImageBitmap and decodes it with the browser's built-in BarcodeDetector API. There is no API call, no upload, no telemetry. You can verify by watching the Network tab — there are no outbound requests.
BarcodeDetector is a Web API supported in Chromium-based browsers on desktop (Chrome, Edge, Brave, Opera) and on Android. Firefox and Safari do not implement it as of mid-2026. If your browser doesn't support it, you can still read the QR with any phone QR scanner and type its URL into Text mode or the URL Scanner tool — the same checks apply.
Absolutely. Skilled phishing avoids these markers: no urgency, no threats, just a plausible-looking link. Heuristics catch the bulk of mass campaigns; targeted attacks (spear phishing, BEC) often slip through. Always verify by an independent channel — call the company on a number from their official website, not the one in the message.
Quishing is QR-code phishing. Attackers paste stickers with malicious QR codes over legitimate ones (parking meters, restaurant menus, charging stations) or print them on fake invoices/letters. Mobile QR scanners often show only a shortened preview before opening, so users don't see the real destination. This tool decodes the QR locally and analyzes the URL the same way a security researcher would — without you needing to open it on your phone first.