1. Paste a link or email
Copy a URL or the body of a suspicious message and paste it into Cactus.
Online safety help
Paste anything suspicious — Cactus figures out what it is and gives you a clear verdict, in plain language.
Paste a URL to scan it for phishing, lookalike domains, and risky redirects.
Check a suspicious email for phishing links, urgency tactics, and spoofed senders.
Paste a suspicious text or message to spot scam signs.
Decode a QR image and inspect the link inside before you visit it.
Scan up to 20 links at once and get a risk score for each.
Inspect a site's certificate, protocol, and overall security grade.
See whether a domain is protected against spoofing with SPF, DKIM, and DMARC.
Grade any website's HTTP security headers - HSTS, CSP, and more - and see what's missing.
Find the typo and look-alike domains that could impersonate a brand - and which are live.
Discover a domain's subdomains and every TLS certificate ever issued, from public CT logs.
Look up a domain's registration: registrar, age, expiry, status locks, DNSSEC, and nameservers.
See a domain's DNS records — A, MX, TXT, NS, CAA and more.
Look up who owns an IP and whether it's on spam/abuse blocklists.
Paste a file's hash (MD5/SHA-1/SHA-256) and get VirusTotal's multi-engine verdict. The file never leaves your device.
Check whether a password has appeared in known data breaches - privately, without it leaving your device.
See whether your email address has appeared in a known data breach - and which ones.
Create a strong random password or memorable passphrase - entirely in your browser.
See the GPS and camera data hidden in a photo, then download a clean copy. In your browser.
A new real-or-scam challenge every day. Keep your streak alive.
Get your personal security score and a fix-first plan in 3 minutes.
What scammers are circulating right now, from live threat data.
Ten realistic messages — can you tell scam from real?
Scam of the week
Marketplace scam: A below-market rental listing, a "landlord" who is out of town and can't show the unit, and pressure to send a deposit by e-Transfer to hold it. The apartment isn't theirs to rent - moving season is prime time for this one.
Cactus looks for common warning signs — lookalike domains, urgency wording, known unsafe matches — and gives a confidence percentage.
You get plain-language reasons and a recommended next step before you click.
Yes. Every tool on Cactus is free and bilingual, with no account or sign-up required. If you find it useful, you can support the project with a small donation.
Paste the URL into the link checker. Cactus inspects it for phishing signs, lookalike domains, suspicious redirects, the domain's age, and matches against threat-intelligence sources, then gives a clear safety score.
Don't click any links or download attachments. Paste the email into the email checker, which analyzes its links, urgency wording, and sender headers, and explains the risks in plain language.
Phishing is a scam where attackers impersonate a trusted person or company to trick you into clicking a malicious link, entering a password, or sharing personal information. Cactus helps you spot these attempts before you act.
Cactus processes each check on the server to produce your result and doesn't require an account. See the Privacy page for exactly what each tool sends to third parties and what is kept.
Run into a term you don't know? Browse the plain-language security glossary.