ThouShaltNotClick — Phishing Protection & Training

Catches phishing in Gmail and Outlook. Real-time link analysis, breach alerts, and in-context security training.

v1.9.99 - Content Filtering (optional, admin-controlled). Schools can block website categories for students (hard block) and staff (off / warn-and-proceed / hard block), with allow/deny overrides admins can add right from the browser. Enforcement is local — no browsing history is collected; only blocked-site events are recorded for the school's own administrators, and only when a school enables the feature and accepts the Content Filter Addendum. Off by default — existing users see no change. v1.9.90 - QR Code scanning, protection against shared-file and invite spam, more accurate trust scores, lighter on the browser, bugfixes. *New: Protection against "shared-file" and invite spam. Scammers increasingly abuse legitimate Google sharing — they share a Google Drive/Docs file or a Google Forms invite that hides a fake invoice, a "rate request," or a phishing link. These slip past normal spam filters because the email genuinely comes from Google. The extension now flags them: it spots the share/invite, checks whether the person who shared it is an outside, unverified sender, and scans the title for known scam patterns — then warns you before you open it. Files shared by your own colleagues or your organization's approved contacts are never flagged. *New: QR Code Scanner (anti-"quishing"). QR codes can hide malicious links, and you can't tell where one points just by looking. The extension now scans the current page for QR codes and reveals each code's real destination before you ever trust it: *Scan the visible page from the extension popup, or right-click a single QR code to check just that one. *Each code gets a numbered "Copy link" pin placed right on it, with the matching link listed in the popup — so on a page with several codes, you always know which is which. *Every detected link is automatically checked against malicious-site databases. *Works on real-world pages — codes delivered as images of any format, including cross-origin images and codes inside embedded frames. *Everything is decoded locally on your device. No images are uploaded. *More accurate trust scores. The on-page trust badge now uses the exact same scoring engine as our servers, so scores are consistent everywhere — and it now catches additional suspicious signals in message content it previously missed. Lighter on your browser. Community threat updates now refresh only when something actually changes instead of polling on a fixed timer — the same real-time protection with less background data and battery use. Forwarded-email warning. When you report a forwarded message as a community threat, the extension now warns you first, so a forwarded sender doesn't get flagged by mistake. Cleaner popup. The popup's tools are now grouped into a single, consistent "Tools" section (Quick Link Scanner and QR Code Scanner), so everything looks uniform — with room for more tools to come. v1.9.78 — faster protection, broader Outlook support, more privacy • Protection works the moment you install. Phishing badges now appear on your emails right away instead of waiting a few minutes after setup. • Now works on Outlook's new web address. Added support for outlook.cloud.microsoft — Microsoft's new unified Outlook-on-the-web domain — so badges, link analysis, and the Kindness Meter all work there too. • "Community Alert" now counts. Flagging a training/simulation email with Community Alert credits you the same as "Report Suspicious." • Minor fixes and polish. v1.9.74 — Major reliability + protection update 🛡️ Brand impersonation detection — catches phishing emails that mimic banks, retailers, and e-sign portals (DocuSign, Adobe Sign, etc). 🎯 Account-takeover guard — even verified-safe senders get scrutinized when an email shows scam-language patterns (gift cards, wire requests, payroll changes, urgency + dangerous action). 🔍 AI Analysis verdict persists across page refreshes — no re-analyzing every time you switch tabs. 🚨 Report Missed Phish — flag phishing emails the extension missed so admins + the platform can learn from them. ⏪ 5-second undo on Report Suspicious, Mark Safe, and Community Alert — click once, then "X in Ns — Click to undo" before it commits. ⚡ Welcome page fix — "Got it — let's go" now properly takes you to sign-in then your dashboard (previously the tab closed mid-flow). 🟢 Online Kindness Meter — green shield icon variants matching the website favicon. 🧹 Improvements — clearer "Session expired — click icon to sign in" messaging when JWTs rotate; exclusion list capacity raised past 270 domains; vault save-prompt cleanup; calendar-spam stub groundwork. 📊 Backend version tracking — admins can see which extension version each user is running, for support diagnostics. v1.9.64 — Major reliability + protection update 🚨 NEW: Account-takeover detection on verified senders. When a "trusted" sender's account is compromised and starts sending classic scams (gift card requests, wire fraud, urgency tactics), the trust badge no longer overrides to green — it surfaces a clear "verified sender + scam language detected — possible account takeover" warning. 🤖 IMPROVED: AI Email Analysis now shows specific failure reasons ("Daily AI limit (10/day)", "Sign in to use AI", "Session expired") instead of generic "Failed". When AI scores under 30, the email is queued for your admin's review rather than silently dropped. 📋 NEW: Trust-badge override when AI flags a sender the heuristic missed. If our AI says 8/100 but the local engine said 99/100, the badge updates to match AI's verdict so you don't see a misleading green score. 🚨 IMPROVED: Heuristic engine catches more scams. New invoice/renewal scam detection (fake McAfee/Norton/Geek Squad/PayPal charges), spam-folder cap (emails in Gmail Spam or Outlook Junk never display >50/100), invoice phone-callback detection. 🛡️ NEW: "Trusted by colleagues" badge when your coworkers have collectively marked a sender as safe — crowd-sourced positive reputation, org-scoped only. ⏳ NEW: Offline-friendly buttons. When our API is briefly unreachable, Report/Mark Safe/Alert clicks now show "Saved — will send" and auto-retry every 5 minutes instead of losing the action. 🔐 NEW: Session-expired UX. If your auth session ages out mid-action, the button shows "Session expired — click extension icon to sign in" instead of a cryptic "Invalid token" error. Plus a "!" badge appears on the toolbar. 🧐 IMPROVED: 10-second "undo" on Report Suspicious / Report Safe / Community Alert buttons. Misclicks are cancellable in-flow. 🐛 FIXED: Community Alert button bug (was throwing "analysis is not defined" on click). 📅 COMING SOON: Calendar spam auto-decline (Google + Microsoft Calendar integration in next major version). 🎨 New extension icon matching our website favicon (green shield). What's New in v1.9.51 Renamed to "Phishing Protection & Training". Description updated to reflect current feature set. Password Manager will be deployed in a future update. What's New in v1.9.47 Better detection of a rising scam: emails pretending to give away high-value items ("estate downsizing", "free piano in memory of my late father", etc.). These often hook a reply and then demand shipping/handling payment. Also calibrated the warning tone — emails in the "Use Caution" range no longer show "DANGER" prose. The trust score speaks for itself. "Quick report" buttons in Gmail injection. What's new in v1.9.39 Adds SMS as an MFA option for Vault Master Password entry. Various bugfixes. What's new in v1.9.23 Fixes the Quick Link Scanner — pasting a URL into the popup's scanner now correctly authenticates with our backend and shows the safety verdict. Previously the result would briefly flash and disappear without showing anything. Updated Sandbox Link Checker URL to sandbox.thoushaltnotclick.com What's new in v1.9.20 Major update accumulating improvements since v1.9.2. Sign in with Microsoft is now available in the extension popup, alongside Google SSO and email/password. Faster phishing detection on Gmail and Outlook. Password vault upgraded to Argon2id key derivation for stronger encryption. Have I Been Pwned breach checks on a smarter background schedule. Vault auto-fill more reliable across login forms. Sandbox iframe analyzer hardened. Defense against impersonation token sync to keep platform-admin sessions clean. ThouShaltNotClick adds a quiet layer of protection inside Gmail and Outlook — analyzing every link, every sender, and every header, then warning users in plain language before a click can do harm. Phishing protection A clear trust badge appears in the email header, with green for safe, yellow for caution, and red for danger. Each warning explains why a message looks suspicious — never just a score — so users learn what to watch for over time. Hover any link to see where it actually leads, even when the visible text says otherwise. A one-click report sends suspicious emails to your administrator for verification, helping protect everyone in your organization. Password manager The built-in vault stores passwords with strong client-side encryption — a zero-knowledge design where only you can decrypt your data. Saved logins autofill on supported sites, and the extension can offer to save new credentials when you sign in. Personal email addresses can be checked against known data breaches so you know when to rotate a compromised password — using a privacy-preserving check that never sends the password itself. Site safety The extension icon shifts color based on the current page — giving you an at-a-glance read on whether the site you're on has been flagged. When new threats are reported and verified by an administrator at one organization, protection updates for everyone using the extension. Built for organizations who care about their people ThouShaltNotClick was built specifically for Catholic schools and faith-based organizations — and works equally well for any team that needs phishing protection without enterprise complexity or pricing. Administrators can enroll an entire staff in minutes, and managed Chromebook deployment is supported. Privacy Your passwords and vault contents are encrypted on your device before they reach our servers. We cannot read them. Email content is analyzed locally; no message body is sent to our servers unless you explicitly request a deeper analysis. We do not collect browsing history. Get started Sign in with your existing ThouShaltNotClick account, or create one free at https://www.thoushaltnotclick.com. Created by a Catholic — accessible to all.