How PhishNet works
When you open an email in Gmail, PhishNet intercepts the content before you interact with it and runs a real-time threat analysis.
The scan flow
- You open an email. The PhishNet extension detects this and extracts the email — sender address, display name, subject, body text, and any links.
- The content is sent for analysis. PhishNet's backend evaluates the email against a range of threat signals (see below).
- A result is returned in seconds. The extension renders a panel inside Gmail showing the threat level, a short explanation, and action buttons if the email looks dangerous.
What gets analysed
PhishNet evaluates each email across several dimensions:
- Sender reputation — is the sending domain known, recently registered, or flagged in threat-intel feeds?
- Display-name spoofing — does the sender claim to be someone they're not?
- Urgency language — does the email pressure you to act immediately?
- Business email compromise (BEC) patterns — does the email follow the structure of wire-fraud or credential-harvesting attacks?
- Link inspection — do links in the email lead to suspicious destinations?
- Attachment signals — does the email carry attachment types commonly used in phishing kits?
Threat score
Every scan produces a score from 0 to 100. PhishNet maps that score to three levels:
| Badge | Score range | Meaning |
|---|---|---|
| ✅ Safe | 0 – 39 | No significant threat signals detected |
| ⚠️ Suspicious | 40 – 79 | One or more signals present — treat with caution |
| 🚨 High risk | 80 – 100 | Strong indicators of phishing or fraud |
Emails scoring 80 or above trigger auto-quarantine if you (or your admin) have that setting enabled.