it ittools.net
Phishing

Phishing Check

One shared email intake, focused here on decision-making: phishing signs, risky links, consent lures, impersonation, and sender pressure.

Same input, different output

Email Inspector

Open the evidence-first view when you need the hop timeline, auth details, sender-domain posture, and transport context in depth.

Switch to Email Inspector
Current focus

Phishing Check

Use this view when the main decision is whether the message is trying to steal credentials, push payment fraud, or hide a risky action behind a trusted brand.

Open Email Inspector How to get raw headers
Paste the original message source or full headers. The same intake also powers Email Inspector, and the phishing rules now look for common lure patterns in multiple languages, not only English.

Choose a local raw message file if you do not want to paste the source manually.

Back to tools

Run the phishing check to populate suspicious sender clues, link risk, authentication failures, and extracted indicators.

Quick Answers

When to use Phishing Check

These short answers are intended for both human readers and answer engines.

When should I use Phishing Check instead of Email Inspector?

Use Phishing Check when the main question is whether the message is trying to steal credentials, push payment fraud, or hide a risky destination behind sender pressure.

What input gives the best phishing result?

The best input is the original raw message source or original full headers rather than a forwarded copy, screenshot, or manually retyped sender details.

Why do both pages still need headers?

Because good phishing triage still depends on who actually sent the message, how it traveled, and whether the visible identity is supported by SPF, DKIM, DMARC, and the hop chain.

When should I switch to Email Inspector?

Switch when you need to understand the routing evidence deeply, compare hops, inspect sender-domain posture, or explain why the message looks suspicious to another analyst.

How This Review Is Different

Phishing triage is more than fake-domain detection.

The workflow is written for fast quarantine, verify, or escalate decisions rather than broad deliverability analysis.

Trusted brands can still be part of the lure

Modern phishing often abuses real identity-provider pages, legitimate cloud domains, or redirect wrappers. That is why the page looks for consent lures and redirect-target abuse, not only obvious spoofed hosts.

Language patterns are evidence too

Urgency, account pressure, payment requests, and forced sign-in language can matter even when technical indicators are incomplete or partially hidden.

First pass, then escalation

The output is intended to support an immediate operational decision. A high-risk result should still be followed by full mail-security review or incident-response handling where appropriate.