We leverage cutting-edge technology to analyze millions of URLs from various sources around the world. Our advanced detection engine is designed to identify active phishing URLs and extract valuable threat intelligence, including network and geographical locations, phishing kits and phishing targets. To provide comprehensive data to our clients, we are continuously expanding our global visibility and exploring new data sources.
We specialize in phishing detection and do not function as an aggregator. Our primary focus is on providing comprehensive threat intelligence to our users.
We have developed autonomous systems that use a custom knowledge framework to determine the likelihood of a URL being a phishing page. The advantage of these autonomous systems lies in their ability to operate seamlessly and efficiently without any human intervention. This not only saves valuable time and resources but also ensures a rapid response to new phishing threats.
Through extensive datasets and continuous evaluation, we fine-tune the knowledge framework to maintain a high level of accuracy in distinguishing between legitimate and phishing URLs.
We have implemented a thorough vetting process for every URL that is identified as a phishing attempt before it is added to our phishing feeds. Our vetting process includes various methods and uses information such as: an internally curated list of trusted domains, DNS, ASN, SSL information, and trusted data from SOC teams. While our system is designed to reduce false positives, it is still possible for occasional ones to occur.
Timely. As soon as we detect new phishing URLs, we publish it within 5 minutes. This means you get immediate access to all the intelligence and information about threat actors and compromised data
Accurate. We take a careful and conservative approach to intelligence. We prioritize accuracy and strive to avoid providing incorrect or misleading information. For instance, if we are uncertain about something, we leave that data point blank rather than making an educated guess. Additionally, we use a multi-stage vetting process to minimize the risk of false positives.
Relevant. We understand that sifting through vast amounts of data can be time-consuming and costly. That's why we focus solely on live and active phishing URLs that pose an immediate threat to your customers and users. With our data, you can be confident that you're taking the necessary steps to protect your business without wasting valuable time and resources.
Fully Automated. We have an automated system that does not require human input, verification, or validation. This allows us to rapidly scale up (process more data), deliver data efficiently, and provide global coverage.
Our focus is on delivering the most relevant and timely information regarding phishing threats. To ensure the highest quality and accuracy in our products, we adhere to the following practices.
Reporting New and Active Phishing URLs: Our products cover newly discovered and currently active phishing URLs. By prioritizing these URLs, we provide valuable insights into the latest tactics employed by cybercriminals. This proactive approach enables organizations and individuals to stay one step ahead in safeguarding against phishing attacks.
Unique URL Reporting: We maintain an in-house tracking system to avoid redundancy and optimize the usefulness of our offerings. Within any given 14-day period, we do not duplicate the reporting of any URL.
Exclusion of Inactive Phishing URLs: As part of our commitment to providing actionable information, we do not report dead or inactive phishing URLs. These URLs no longer pose an immediate threat as they have been identified, taken down, or rendered ineffective. By excluding them from our reports, we streamline the information to concentrate on URLs that actively require attention.
By implementing these practices, we ensure that our reports deliver the most relevant, up-to-date, and actionable intelligence on new and active phishing URLs.
Our phishing detection engine is built to identify and capture phishing content, regardless of the impersonated brand. Our brand identification feature serves as an additional layer on top of this engine, allowing us to automatically associate the phishing URL with its targeted brand when possible for more accurate reporting and analysis. As part of our ongoing efforts in brand identification, our system continually improves its ability to recognize a wider range of brands. We provide a monthly list of the brands we have successfully identified, which can be found here.
Phishing Feed: Designed for immediate action against emerging phishing threats
OpenPhish Database: Designed for those that want easy query capabilities and batch analysis
We also offer custom data sets. Please contact us with your requirements.
The feed and database tiers are priced on an annual subscription basis with a flat fee structure.
We've put together a list of common use cases and recommended which of our offerings would be the best fit for each one. If you don't see your specific use case listed, just reach out to us with a brief description, and we'll be happy to make a recommendation for you.
Inquire about the OpenPhish Database, if you're looking to:
Inquire about the Phishing Feed, if you're looking to:
Inquire about either offering, if you're looking to:
We don't offer an API to determine if a URL is phishing, but we've developed an open-source Python module that acts as an offline API. With this module, you can query our database locally and check your own URLs (e.g., from SMS or firewall logs) without any restrictions or privacy concerns.
Yes, we offer a 14-day free trial.
We do not have a direct comparison to other providers. However, since the number of active phishing URLs is finite, you will likely encounter URLs from our phishing feed in other data providers and vice-versa. You can refer to the Interisle study from 2022 discussing the coverage gap problem and why organizations need more than one source of information. Disclosure: we are one of the providers of data to Interisle.
Our main objective is to offer the necessary data to you and make it available in standard formats that can seamlessly integrate with other software and services.
If you're struggling with phishing emails that slip through your current defenses, our Premium feed might be just what you need. We suggest taking a closer look at the types of emails that are getting through, since many of them tend to be spam, scam, or malware. If none of the missed emails contain phishing URLs, then our feed may not be the right fit for your needs.
We offer multiple convenient methods for sharing URLs with us. You can choose from the following three options:
To explore any of these options and learn more about sharing URLs with us, please get in touch with our team at contact@openphish.com
Although False Positives are extremely rare, we take them very seriously. We conduct regular scans on our feed to identify any abnormalities, and study reports from customers, security operation centers (SOCs), and brand owners.
Once confirmed as a false positive, we remove the URL from all of our products, submit a verdict flip to VirusTotal and publish the URL to our false positive feed.
Email us at support@openphish.com with the URL in the email. Please ensure that you escape the URL to prevent it from getting blocked. Additionally, we kindly request that you provide us with any relevant contextual details.
Note that confirmed phishing URLs at the time of discovery are not removed.