
Methodology

How we turn public threat feeds into the verdicts and scores you see — in plain terms, including the limits of what we can tell you.

What the IOC score (0–100) means

Each indicator in the professional feed shows a score from 0 to 99. It is a display severity, not a probability. It is derived primarily from the threat level the source feed assigned (critical, high, medium, or low), with a small deterministic spread so that items of the same level don't all render identically.

A higher score means the originating feed treated the indicator as more dangerous. It does not represent a model's confidence that a given visitor will be harmed, and it is not comparable across unrelated sources as a precise ranking. Treat it as “how loudly the feeds are flagging this.”

What confidence (low / medium / high) means on the checker

When you check a URL or domain, the result includes a confidence level:

  • High — the domain is on our blacklist, or a live external feed (e.g. Google Safe Browsing, URLhaus) flagged the exact URL.
  • Medium — we found secondary signals (lookalike heuristics, related reported URLs on the same domain) but no direct blacklist hit.
  • Low — we have no corroborating signal. This means “unknown,” not “safe.” New phishing sites are often clean in every feed for hours after launch — trust your instincts.

A separate shared infrastructure result appears for legitimate platforms scammers abuse (e.g. docs.google.com). There the specific page matters, not the domain — we never advise blocking the whole platform.

How sources are deduplicated and weighted

We aggregate from public feeds (see the sources list). Indicators are deduplicated by exact value: a domain is one row no matter how many feeds report it, and each new sighting increments a times_reported counter and appends the reporting source. URLs are deduplicated by exact URL.

We do not apply a proprietary weighting or “reputation score.” A domain reported by more independent sources, or reported more often, is simply more corroborated — the raw counts and the source list are exposed so you can judge for yourself.

How false positives are handled — and how to report one

Legitimate shared-hosting apexes (Google product domains, web.app, IPFS gateways, URL shorteners, and similar) are kept on a do-not-block allowlist: they are excluded from the hosts/txt blocklist exports and flagged as shared infrastructure by the checker, while still visible in the json/csv exports with a do_not_block flag.

If you believe a domain is wrongly listed, email falsepositive@fightphishing.com with the domain and why. We review reports and add genuine platforms to the allowlist.
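
The deduplication and do-not-block behaviour described in the two sections above, as an added example that is not FightPhishing's own code. The feed names, sample sightings, allowlist contents, the `0.0.0.0` hosts-line form, and listing each source only once are assumptions; matching is on the exact value, and subdomains of allowlisted apexes are not handled.

```python
import json

# Constructed allowlist; the page names docs.google.com and web.app as examples.
DO_NOT_BLOCK = {"docs.google.com", "web.app"}

# Constructed sightings as (indicator value, reporting feed) pairs.
SIGHTINGS = [
    ("login-secure.example", "feed-a"),
    ("login-secure.example", "feed-b"),
    ("docs.google.com", "feed-a"),
    ("login-secure.example", "feed-a"),
    ("web.app", "feed-b"),
]


def ingest(sightings):
    """Collapse sightings into one row per exact indicator value."""
    rows = {}
    for value, source in sightings:
        row = rows.setdefault(
            value, {"value": value, "times_reported": 0, "sources": []}
        )
        row["times_reported"] += 1          # every sighting counts
        if source not in row["sources"]:    # assumption: list each feed once
            row["sources"].append(source)
    return rows


def export_hosts(rows):
    """Blocklist export: allowlisted platforms are left out entirely."""
    # Assumption: hosts-file lines use the common "0.0.0.0 <domain>" form.
    return [f"0.0.0.0 {v}" for v in sorted(rows) if v not in DO_NOT_BLOCK]


def export_records(rows):
    """JSON/CSV-style export: every row stays visible, flagged if allowlisted."""
    return [dict(r, do_not_block=r["value"] in DO_NOT_BLOCK) for r in rows.values()]


if __name__ == "__main__":
    rows = ingest(SIGHTINGS)
    print("\n".join(export_hosts(rows)))
    print(json.dumps(export_records(rows), indent=2))
```

A consumer that builds its own blocklist from the json/csv export needs to apply the same `do_not_block` filter, otherwise it blocks the platforms the hosts/txt export deliberately omits.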

Data retention

Indicators are retained indefinitely as a historical record of phishing activity; this is threat data, not personal data. We do not run third-party trackers and we store only anonymous, aggregate counters (e.g. total checks performed).

Phishing URLs sometimes contain a victim's personal information in the query string. We keep the original internally only for deduplication and matching, and redact emails, names, tokens, and account values everywhere a URL is displayed or exported.

Questions about our method? See the API docs or contact us.