TORPEDO - TOoltip-poweRed Phishing Email DetectiOn

TORPEDO is an add-on helping users to detect phishing e-mails. It exists as an add-on for browsers (Chrome, Firefox) as well as for the Thunderbird e-mail client.

What is phishing?
Phishing is a method fraudsters use to defraud or harm you. To achieve their aims, phishers send messages (e-mails) purporting to come from someone you can trust. The e-mail usually copies a legitimate e-mail's layout and format so that it is hard to detect the treachery. Phishing messages usually contain one or more links that appear to be legitimate but are actually red herrings. The phisher wants you to click on this dangerous link without thinking about it too much. If you click on these links you might download malware onto your device or you will be redirected to a website that looks exactly like the legitimate one. Phishing websites are usually an almost undetectable copy of the original. If you provide your credentials to this website, the phisher will gain access to your secret password and probably use it to log into the legitimate website and carry out actions that could harm you (e.g. charge items to your credit card).

Technical measures cannot detect all phishing e-mails and divert them before they arrive in your inbox, so you will inevitably receive some of these e-mails from time to time. If you want to be certain about whether an e-mail is a phish, you have to check the link (the URL, or web page address) very carefully. This will help you to judge the legitimacy of the link and to protect yourself when technical measures have failed to prevent the phishing attempt. Phishers are clever enough to hide the real destination of the link, so just looking at the link is often insufficient: you have to examine the real destination, not just the displayed destination (these are often different because the phisher's intention is to deceive).

If you have been deceived and have clicked on the link you might then realize that you have been connected to a phishing server. In this case you should close the browser immediately and let IT support know, just in case some bad software has been downloaded onto your computer.

How does TORPEDO work?
TORPEDO helps to expose malicious links in phishing e-mails so that you can see through the phishers' attempts to deceive you. TORPEDO displays the destination URL (web address) in a dialog box (a tooltip box) when you hover over a link with your mouse. The tooltip highlights the so-called domain of the link because this is the only relevant part to be used when you decide whether the web address is legitimate or not.

For example, if you receive an e-mail that, at first glance, seems to be sent by Amazon but the actual destination is:, this is definitely a phishing e-mail because Amazon uses the domain and in this example the domain is "". Because it is sometimes difficult to check the domain, TORPEDO gives extra information (when you click on the question mark) and tips to guide examination of the URL. The tooltip frame is colored to provide an extra signal. There are four different colors depending on the potential security risk (green, blue, grey, red).

A green frame means the domain (highlighted part) is classified as low-risk by the developers of TORPEDO, and used daily by many web users.

If the frame is grey, the domain should be checked carefully before you click on it, because the link could be dangerous. TORPEDO delays activation of the link to give you time to check it. You have to wait three seconds before activation. You can click on "more information..." for more information any time you see one of these warnings.


A blue frame means that you have indicated that the URL is low-risk, because, since you installed TORPEDO, you have clicked on a link in e-mails with the same domain at least twice.


The frame is red when incongruities occur - for instance, when the URL displayed in the e-mail does not match the actual target URL and when the domain is unknown to TORPEDO. You need to be especially careful in this case and check the domain carefully, because the link might be dangerous.
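The frame-color rules described above, written out as an added example (this is not TORPEDO's own code). The list contents, the function names, the order in which the rules are checked and the small suffix table standing in for the Public Suffix List are assumptions.

```javascript
// Added example, not TORPEDO's source. List contents, names and the
// order of the checks are assumptions made for illustration.
const DEVELOPER_LOW_RISK = new Set(["example.com"]); // constructed predefined list
// Tiny constructed stand-in for the Public Suffix List a real build would need.
const MULTI_LABEL_SUFFIXES = new Set(["co.uk", "com.au"]);

// Reduce a hostname to the registrable domain that the tooltip highlights.
function registrableDomain(hostname) {
  const host = hostname.toLowerCase().replace(/\.$/, "");
  // IP literals have no domain to highlight; return them unchanged.
  if (/^[\d.]+$/.test(host) || host.includes(":")) return host;
  const labels = host.split(".");
  const lastTwo = labels.slice(-2).join(".");
  const keep = MULTI_LABEL_SUFFIXES.has(lastTwo) ? 3 : 2;
  return labels.slice(-keep).join(".");
}

// If the visible link text is itself a web address, return its domain, else null.
function domainShownInText(text) {
  const m = text.trim().match(
    /^(?:https?:\/\/)?((?:[a-z0-9-]+\.)+[a-z]{2,})(?:[\/:?#]|$)/i);
  return m ? registrableDomain(m[1]) : null;
}

// clickCounts: Map of domain -> number of links the user has clicked for it.
function classifyLink(linkText, href, clickCounts) {
  const domain = registrableDomain(new URL(href).hostname);
  if (DEVELOPER_LOW_RISK.has(domain)) return { domain, frame: "green" };
  if ((clickCounts.get(domain) || 0) >= 2) return { domain, frame: "blue" };
  const shown = domainShownInText(linkText);
  // Unknown domain and the displayed address points somewhere else.
  if (shown !== null && shown !== domain) return { domain, frame: "red" };
  return { domain, frame: "grey" }; // unknown domain: check before clicking
}

// Constructed sample links.
const clicks = new Map([["shop.co.uk", 2]]);
const samples = [
  ["Your order", "https://www.example.com/orders"],
  ["Newsletter", "https://news.shop.co.uk/issue/7"],
  ["www.example.com", "http://www.example.com.account-check.test/login"],
  ["Click here", "https://unknown.test/"],
];
for (const [text, href] of samples) {
  const r = classifyLink(text, href, clicks);
  console.log(`${r.frame.padEnd(5)} ${r.domain}  <- "${text}"`);
}
```

The third sample shows why only the highlighted domain matters: the hostname begins with a familiar name, but the part that decides where the link goes is `account-check.test`.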


You can tailor TORPEDO via the settings. You can customize the activation delay, setting how much time you need to check the domain before the link is activated. You can also decide whether this delay should also apply to the domains classified as low-risk.


You can also decide whether TORPEDO's list of low-risk domains is correct. You can also personalize your low-risk domains: these will be activated immediately.


Furthermore, you can decide whether you want to use the predefined list of domains that the developers of TORPEDO have classified as trusted. Also you can edit your personal list of domains ("User-Domains"). This list consists of domains that you have clicked at least twice.



  • Browser: You can download TORPEDO for Chrome here. For Firefox, please use this link.
  • Thunderbird: You can download TORPEDO directly in Thunderbird.
  • If you are interested in the source code of this add-on, you can find it at GitHub (GitHub Thunderbird).


Contact us

For questions or comments regarding the App do not hesitate to contact Marco Ghiglieri (marco.ghiglieri(a-t)

The Add-on was developed in cooperation between three research groups: 

  • Division of Cybersecurity, Abertay University, Dundee
  • Privacy and Security Group Karlstad University
  • SECUSO Group Darmstadt University



User experiences of TORPEDO: TOoltip-powered phishing email DetectiOn
Melanie Volkamer, Karen Renaud, Benjamin Reinheimer, Alexandra Kunz
In: Computers & Security, February 2017 

TORPEDO: TOoltip-poweRed Phishing Email DetectiOn
Melanie Volkamer, Karen Renaud and Benjamin Reinheimer
In: 31st International Conference on ICT Systems Security and Privacy Protection - IFIP SEC 2016, June 2016.


List of trustworthy classified domains

