PhishTank is operated by Cisco Talos Intelligence Group.

FAQ




What is phishing?

Phishing is a fraudulent attempt to get you to provide personal information, including but not limited to, account information. For more, see What is Phishing?

How do I tell a phish email from just regular spam?

Spam is unsolicited commercial email, which may include phishing attempts but is often simply unwanted marketing. Phishing often has criminal intent. Spam isn't always, though it can be.

Does PhishTank want to hear about spam?

No. We are not fans of spammers, and there is some overlap with phishers, but there are many other people and communities focused on fighting spam. Spam submitted to PhishTank will be discarded.

What is PhishTank?

PhishTank is a free community site where anyone can submit, verify, track and share phishing data.

Does PhishTank cost anything?

PhishTank is free to everyone, both the website and the data (via the API).

Does PhishTank protect me from phishing?

PhishTank is not protection. PhishTank is an information clearinghouse, which helps to pour sunshine on some of the dark alleys of the Internet. PhishTank provides accurate, actionable information to anyone trying to identify bad actors, whether for themselves or for others (i.e., building security tools).

Who is behind PhishTank?

PhishTank is operated by Cisco Talos Intelligence Group (Talos).

Why does Cisco operate PhishTank?

Cisco is interested in having the best available information about phishing websites. However, phishing data is not a place to be competitive, and we believe that sharing this data freely (even with those who do not contribute) will benefit us all. PhishTank's mission is in line with both Cisco's business and its goal of making the Internet a better place.

Why do I have to register to report a suspected phish?

Registration helps make the data better. PhishTank needs to attribute reporting and validation to individual accounts, so the community can learn to judge each member's contribution. This small hurdle also reduces "noise" in the submissions. You are not asked for a lot of personal information: a valid email address is the only personally identifiable information required.

How do I report a suspected phish via email?

Submissions via email are strongly encouraged, as more data is usually available. After completing the free registration, you can send emails to phish@staging.phishtank.com from your registered email address. It is important to include as much information as possible, including mail headers. For that reason, we suggest redirecting any suspected phishes to PhishTank. To submit suspected phishes from other email addresses, use your individual phish reporting address, which is available from the My Account page once you are signed in. We suggest adding your individual phish reporting address to your address book in every mail application you use, for all accounts.

Why is forwarding email not the best solution?

When you forward email, some information in the original phish is usually lost, whether mail headers or tell-tale images or even URLs.
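The loss described above, as an added example that is not PhishTank code: a constructed phish is passed through a simulated inline plain-text forward and a simulated redirect, and the evidence a verifier relies on is compared. The sample message, its hosts, addresses and IP, and all helper names are assumptions made for the illustration.

```python
import re
from email import message_from_string, policy
from email.message import EmailMessage

# Constructed sample phish: every host, address and IP below is made up.
ORIGINAL = (
    "Return-Path: <bounce@mailer.example.net>\n"
    "Received: from mailer.example.net ([203.0.113.7]) by mx.example.org;"
    " Mon, 01 Jan 2024 10:00:00 +0000\n"
    "Authentication-Results: mx.example.org; spf=fail\n"
    'From: "Example Bank" <support@bank.example>\n'
    "Reply-To: collect@mailer.example.net\n"
    "Subject: Verify your account\n"
    'Content-Type: text/html; charset="utf-8"\n'
    "\n"
    '<p><a href="http://bank.example.login.test/verify">Sign in to bank.example</a></p>\n'
)
EVIDENCE_HEADERS = ("Return-Path", "Received", "Authentication-Results", "Reply-To")
URL_RE = re.compile(r"https?://[^\s\"'<>]+")

def evidence(msg):
    """Routing/authentication headers and URLs still recoverable from msg."""
    text = msg.get_body(preferencelist=("html", "plain")).get_content()
    return {h for h in EVIDENCE_HEADERS if msg[h]} | set(URL_RE.findall(text))

def inline_forward(raw):
    """Simulated plain-text forward: new headers, only the visible text quoted."""
    orig = message_from_string(raw, policy=policy.default)
    visible = re.sub(r"<[^>]+>", "", orig.get_body().get_content()).strip()
    fwd = EmailMessage()
    fwd["From"], fwd["To"] = "reporter@example.org", "reports@example.org"
    fwd["Subject"] = "Fwd: " + orig["Subject"]
    fwd.set_content(f"---- Forwarded message ----\nFrom: {orig['From']}\n\n{visible}\n")
    return fwd

def redirect(raw):
    """Simulated redirect (RFC 5322 resend): original intact, Resent-* added."""
    msg = message_from_string(raw, policy=policy.default)
    msg["Resent-From"] = "reporter@example.org"
    msg["Resent-To"] = "reports@example.org"
    return msg

def lost_by_forwarding(raw):
    """Evidence present after a redirect but missing after an inline forward."""
    return evidence(redirect(raw)) - evidence(inline_forward(raw))

if __name__ == "__main__":
    for item in sorted(lost_by_forwarding(ORIGINAL)):
        print("lost when forwarded inline:", item)
```

Real mail clients differ in how much an inline forward keeps; the simulation models the common case where only the rendered text is quoted, so the link target hidden behind the anchor text disappears along with the headers.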

How do I make sure the right information is included in a submission?

No matter how you submit a suspected phish, please try to include all relevant information. The more useful data you provide, the more likely the submission is to be correctly verified.

How do I report a suspected phish via the website?

Have the suspected phish handy, and visit Add a Phish. You must be signed in to submit a suspected phish.

I reported a suspected phish, but I don't see it listed. Where is it?

If a suspected phish does not include a URL, it is discarded and not tracked. Note: suspected phishing emails reported to phish@staging.phishtank.com are ignored unless they come from a registered email address.

How do I help verify a phish?

Go to the Verify a Phish page to see unverified submissions. Visit an individual phish detail page, examine the information available (including visiting the site itself), and pass judgment. You will need to be registered and signed in to vote. At the top right of the page, you can immediately click to another unverified phish.

How do I recognize a phish?

Review the example and guidelines shown at What is phishing?

How may I safely visit a reported phishing site?

Some phishing sites do more than collect information under false pretenses; they try to install badware/malware or otherwise attack visitors. That said, it's usually safe to visit these sites as long as precautions are taken, like making sure your browser's security settings are high. PhishTank does not encourage you to enter any personal information into a reported phishing site as part of your validation efforts.

How many people have to verify a phish for it to be marked as a phish?

The number of people required to verify a phish depends on the history of those voting. It will always be more than one.

How do I check an individual URL against the PT database?

Two options. First, enter the URL into the "Is it a phish?" field on the PhishTank home page. Second, use the API to programmatically check an individual URL or multiple URLs.

Where do you get your data?

You! We also prime the pump with external feeds where possible.

Any software to install?

No, PhishTank is a web service only. No software to install.

Does PhishTank work with my existing anti-virus software?

Yes. PhishTank is a website and web service (API) for getting information about phishing sites. It's not a piece of software, and it doesn't run on your computer. PhishTank doesn't endorse any specific security software, but we're all for anything which helps protect us online. Security should be a layered approach.

Do you share your phishing data?

Yes, both on the website and via the API.

Who uses PhishTank data?

Several organizations and companies use the PhishTank data. See some prominent ones on the Friends of PhishTank page.

Do you offer RSS feeds?

Yes. There are many feeds, including a personal activity feed, available from the My Account page.

How do I report a "false positive," where PhishTank wrongly labels a site as a phishing site?

False positives -- where a site is labeled as a phishing site incorrectly -- are very damaging. Go to the Phish detail page for the site in question, click on the link "Something wrong with this submission?" and follow instructions. These reports will be taken seriously.

How is PhishTank different from the Anti-Phishing Working Group?

The Anti-Phishing Working Group is an industry group which collects phishing reports and distributes the reports to its paying members. We applaud their efforts; there is no single solution to fighting phishing and the Internet Bad Guys. (Don't worry, that site is just a demo run by Cisco.) However, we would encourage the APWG to share their learnings with the rest of the anti-phishing community. Data provided by individuals to APWG is not available to the Internet community at large, only to paying members of the organization.

If I report my phish to (name your favorite toolbar, browser, website here), will it be automatically reported to PhishTank?

Not at this time. We are open to working with anyone who's collecting and verifying phishing data to make it available to all. Please contact us.

Do you share my personal information?

The sharing of any personal information except username is at the member's control. PhishTank is a community site, where the members are identified (and celebrated) for their contributions. The username is public, and the actions of the member are public, both on the website and via the API. If you choose, you may publish your email address and other personal information on the site as part of your profile. By default, only username is public. We encourage you to read our privacy policy.

How do I turn off email acknowledgement of submissions?

Visit the My Account page and change the Email Updates preference.

How do I put information about my PhishTank activity on my website or blog?

Visit the My Account page for details.

What is an API?

API stands for Application Programming Interface. You can read the Wikipedia definition, or simply know that the point of an API is to give computers a way to pull what they need from another computer (i.e., the PhishTank website) without any human intervention.

How do I get an API key?

Complete the free registration, and confirm your email address. Your API key will be displayed on the API page.

Is there a usage limit?

We do limit the number of requests per hour that can be made to the API. Please see the Developer section of the site for more information on limits.

Is it OK to use the API for both commercial and non-commercial uses?

Yes, it is OK.

Why is a site marked by PhishTank as a phish not blocked by Talos?

A judgment from the PhishTank community about a suspected phishing site is one factor in the decision about whether a site is blocked for Cisco Security customers. Talos generates and receives intelligence from hundreds of sources. All sources are taken into account when rendering a verdict on Cisco security products.

Why is Talos blocking a phish site that PhishTank doesn't list or has not yet verified?

As noted, Talos gets feeds from hundreds of sources. The output of all of those sources is not made available to PhishTank at this time.

What are the future plans for PhishTank?

Talos has plans for PhishTank: a complete rewrite of the system from the ground up. No timeline is assigned to this rewrite; however, we look forward to providing further capability to PhishTank users in the future.