1
+16UrgencyAccount threat
Check the account directly
Open the service from a bookmark or typed address, not the email.
Threats are commonly used to pull people into fake login pages.
Browser-only phishing tool
Phishing Email Checklist
Score a suspicious email from non-secret signals only: sender mismatch, urgency, links, attachments, sensitive requests, grammar, and context. No email body, passwords, links, codes, or private details needed.
Do not paste email text, sender addresses, URLs, passwords, 2FA codes, payment details, attachments, or account identifiers into this page. Use the categories only.
Phishing risk
66/100
Suspicious. The score rises as social engineering signals stack up.
Risk
66/100
Suspicious
High signals
0
18+ point checks
Secret fields
0
No private input
Risk export
Copy or export the category-only checklist. It intentionally contains no email body, links, sender address, passwords, codes, payment details, or account identifiers.
Phishing email risk checklist Privacy note: This checklist never needs the email body, sender address, links, attachments, passwords, 2FA codes, payment details, or private account data. Risk level: 66/100 (Suspicious) Sender mismatch: Not sure Urgency: Account threat Links and domains: Not sure Attachment: No attachment Payment or password request: Verify personal details Grammar and tone: Slightly off Context: Unexpected but possible Scored checklist: 1. [+16] Urgency: Check the account directly - Open the service from a bookmark or typed address, not the email. 2. [+12] Sender mismatch: Pause until the sender is verified - Ask the sender through another channel whether they sent it. 3. [+12] Links and domains: Do not click to investigate - Use safe preview tools or ask the sender through another channel. 4. [+12] Payment or password request: Do not send private details by email - Use the official service or a known support number instead. 5. [+8] Context: Confirm why it arrived - Check the official account, order, ticket, or invoice system. 6. [+6] Grammar and tone: Compare with a real message - Look at an older trusted email from the same sender or service. 7. [+0] Attachment: No attachment risk found - Continue with the other checks. Recommended next steps: - Pause before acting. Verify the message from a trusted channel outside the email. - Open full sender details and compare the domain against a trusted source. - Do not click email links. Type the known website address or use a bookmark. Related Passlock tools: - Breach response checklist: https://passlock.to/tools/breach-response-checklist - 2FA recovery checklist: https://passlock.to/tools/two-factor-recovery-checklist - Password policy generator: https://passlock.to/tools/password-policy-generator - Secure note template: https://passlock.to/tools/secure-note-template - Passkey readiness checklist: https://passlock.to/tools/passkey-readiness-checklist Generated locally by https://passlock.to/tools/phishing-email-checklist
Recommended next steps
- Pause before acting. Verify the message from a trusted channel outside the email.
- Open full sender details and compare the domain against a trusted source.
- Do not click email links. Type the known website address or use a bookmark.
Related tools
Breach response checklistUse this if you clicked, signed in, or exposed anything.2FA recovery checklistMake backup codes, authenticators, and hardware keys recoverable.Password policy generatorDefine safer password, 2FA, sharing, and recovery rules.Secure note templateDocument private recovery steps without pasting secrets here.Passkey readiness checklistPlan where passkeys can reduce phishing risk.
Scored checklist
2
+12Sender mismatchNot sure
Pause until the sender is verified
Ask the sender through another channel whether they sent it.
Uncertainty should slow down any sensitive action.
3
+12Links and domainsNot sure
Do not click to investigate
Use safe preview tools or ask the sender through another channel.
Clicking can expose you to fake pages or malicious downloads.
4
+12Payment or password requestVerify personal details
Do not send private details by email
Use the official service or a known support number instead.
Identity details can be used for takeover or fraud.
5
+8ContextUnexpected but possible
Confirm why it arrived
Check the official account, order, ticket, or invoice system.
Unexpected messages need an independent source of truth.
6
+6Grammar and toneSlightly off
Compare with a real message
Look at an older trusted email from the same sender or service.
Small inconsistencies are useful context when paired with other signs.
7
+0AttachmentNo attachment
No attachment risk found
Continue with the other checks.
No attachment removes one malware delivery path.
Do I paste the email here?
No. Use only broad categories. Do not paste email bodies, sender addresses, links, passwords, 2FA codes, payment details, or account identifiers.
What makes an email high risk?
Risk rises when sender mismatch, urgency, lookalike links, unexpected attachments, money requests, password requests, and odd context stack together.
What if I already clicked?
Stop using the message, switch to a trusted device, change exposed passwords, review sessions, and use the breach response checklist.
Passlock for Mac · $14 lifetime
Done. Now lock it down for real.
The browser is fine for one-off checks. The app keeps your passwords, passkeys, and notes locked behind your Mac — offline by default, no cloud account, no subscription.
- Master lock for your whole vaultLock everything behind one Mac-native gate when you step away.
- 4 lock types, including Touch ID & passkeysPick the unlock method per item — password, Touch ID, passkey, or master.
- Offline & native macOS KeychainNo subscription, no cloud account, no sync server reading your secrets.
See all featuresOne-time payment · macOS 14+ · Works offline
Passlock
Vault
All items
Bank · login
support@bank.com
iCloud
you@icloud.com
GitHub
@you
Email · personal
you@kitze.io
Master lock activeOffline · iCloud Keychain