Reading scan results
PhishNet displays a result panel for every email you open. Here's how to read it.
Threat level badgeโ
The badge at the top of the panel shows the overall verdict:
| Badge | Meaning |
|---|---|
| โ Safe | No significant threat signals. The email looks legitimate. |
| โ ๏ธ Suspicious | One or more signals were detected. Read carefully before clicking links or replying. |
| ๐จ High risk | Strong phishing or fraud indicators. PhishNet recommends not interacting with this email. |
Confidence scoreโ
Below the badge is a confidence score (0โ100) โ how certain PhishNet is about the verdict. This maps to the same thresholds described in How PhishNet works: 0โ39 is Safe, 40โ79 is Suspicious, 80โ100 is High risk. A high-risk email at 97 is more concerning than one at 82. A suspicious email at 45 might just be an unusual-but-legitimate sender.
Signal flagsโ
When PhishNet detects a specific threat pattern, it shows a flag explaining what it found:
| Flag | What it means |
|---|---|
| Display-name spoofing | The sender's display name suggests a trusted person or brand, but the actual email address doesn't match |
| Suspicious domain | The sending domain is recently registered, typosquatted, or flagged in threat-intel feeds |
| Urgency manipulation | The email uses high-pressure language to push you into acting immediately |
| BEC pattern | The email follows the structure of a business email compromise or wire-fraud attack |
| Risky links | One or more links in the email point to suspicious destinations |
| Suspicious attachment | The email carries an attachment type commonly used in phishing kits |
Quarantined emailsโ
If an email has been moved to quarantine (automatically by policy or manually by you), you'll see a Quarantined banner instead of the normal scan panel. You can restore it from there if you believe it's safe.