Link Security Analysis
How TextScore checks your URLs for phishing patterns, suspicious redirects, and trust signals.
Every link in your text is a trust signal. Clean links build credibility. Suspicious links get your content flagged, filtered, or blocked. TextScore scans each URL against multiple risk patterns and gives you a per-link safety breakdown.
URL Shorteners
The Problem
Shortened URLs (bit.ly, t.co, tinyurl.com) hide the real destination. Spammers and phishers use them constantly, so platforms treat them with suspicion. A legitimate link behind a shortener still looks like a risk to automated filters.
What TextScore Flags
- Known shortener domains: bit.ly, tinyurl.com, goo.gl, ow.ly, t.co, is.gd, buff.ly
- Custom shorteners with unusually short paths
- Redirect chains (a shortener pointing to another shortener)
How to Fix
Use the full destination URL. If it is long, most platforms handle that gracefully. On X, links are automatically wrapped in t.co regardless of what you paste - you do not need to shorten them yourself.
Suspicious TLDs
Top-level domains (the part after the last dot) carry trust signals. Some TLDs have high abuse rates because they are cheap or have loose registration rules.
High-Risk TLDs
- .tk, .ml, .ga, .cf, .gq: Free registration domains. Heavily abused for phishing.
- .xyz: Low cost, high spam volume. Legitimate sites exist here but filters are aggressive.
- .top, .work, .click, .link: Frequently used in spam campaigns.
- .zip, .mov: Newer TLDs that look like file extensions. Often used in social engineering.
How to Fix
If you control the domain, consider registering a .com, .org, or .net alternative. If you are linking to a third-party site on a suspicious TLD, verify the site is legitimate and consider adding context about why you are linking there.
Homograph Attacks
Homograph attacks swap standard Latin characters with visually identical characters from other alphabets. The URL looks real to your eyes but points to a completely different server.
How It Works
- The Cyrillic "a" (U+0430) looks identical to the Latin "a" (U+0061)
- "paypal.com" vs "paypal.com" - the second uses a Cyrillic "a"
- The Greek omicron "o" (U+03BF) looks like the Latin "o" (U+006F)
- These are called IDN homograph attacks or punycode attacks
What TextScore Does
TextScore scans each URL for mixed-script characters. If a URL contains characters from multiple Unicode blocks (Latin mixed with Cyrillic, for example), it gets flagged as a potential homograph attack. This is almost never legitimate.
Other URL Risk Patterns
IP-Based URLs
URLs that use raw IP addresses instead of domain names (like http://192.168.1.1/login) are almost always suspicious. Legitimate websites use domain names. An IP-based URL is a strong signal of phishing or a temporary malicious server.
Embedded Credentials
URLs can contain usernames and passwords in the format http://user:[email protected]. This is a legacy feature that phishers exploit. The "user:password@" part makes the URL look like one domain while actually pointing to another. For example, http://[email protected] actually goes to malicious-site.com, not Google.
Excessive Subdomains
URLs like "login.secure.account.verify.example.com" stack subdomains to look official. Real companies rarely use more than one subdomain. TextScore flags URLs with three or more subdomain levels.
How Scoring Works
Each link receives a risk assessment. A single suspicious link in your text triggers a warning. Multiple risky links, or a link matching more than one risk pattern, will push your content into the Poor range. Clean, direct links to reputable domains keep your score in Good.