📚 Our approach

What we actually check

Every URL you paste runs through 17 checks grouped into 5 areas. Browse the same groups you see in results, plus plain-English explanations of what each signal means.

Checking its history

Domain age

How long the website’s address has been registered. Scam sites are usually brand-new, set up, used briefly, then abandoned.

Every web domain has a registration date, the day someone first claimed it. We pull this from public WHOIS records.

Real businesses have history. They’ve been around for years, sometimes decades, on the same address. Scams burn through new domains fast: they get reported, taken down, and the operators register a fresh one. So a “Nike sale” site registered eleven days ago is a flag, not a deal.

We treat recently registered domains as caution territory. The newer the domain, the higher the risk, unless it's on our trusted list. Established sites that have been around for a significant period are usually fine on this signal.

Signals you might see

Established domain
Brand-new domain
Very new domain
Recently registered
Domain age unavailable
Estimated domain age (CT)
Estimated domain age (Wayback)

Web history

Whether the site has been around long enough to leave any web trail, such as search results, archive snapshots, and links.

Sites that have existed for a while leave footprints. Google indexes them. The Wayback Machine archives snapshots. Other sites link to them. Reviews show up. A site with zero detectable web history is either brand-new or deliberately obscure.

Combined with new-domain age, no web history is a strong “freshly minted scam” signal. Real businesses, even small ones, have at least a Google trail by the time they’re taking customer payments.

We flag domains with no detectable indexing, no archive snapshots, and no inbound links, particularly when the domain claims to be an established brand.

Signals you might see

Web history found
No web history found

Domain popularity

Whether the domain shows up in global popularity rankings of the busiest websites. Useful for catching impersonators of well-known brands.

Real brands generate measurable traffic. They appear in popularity indices that aggregate visit counts, DNS queries, and inbound links from across the public internet. We check whether the domain is in the global top hundred thousand on the Tranco list, a free, daily-updated composite ranking.

Being absent from this list is not suspicious by itself; most legitimate small businesses are not in the top hundred thousand and that is fine. The signal becomes meaningful only in combination: a domain that claims to be a known brand, or that was registered recently, but has zero detectable global presence is the signature of an impersonator or a throwaway.

When the domain is in the index we surface it as a positive trust signal. When it is not and we have other corroborating concerns, we tell you specifically what the combination implies.

Signals you might see

Established web presence
No public presence
New domain with no measurable popularity

Checking safety databases

Google Safe Browsing

Whether Google’s threat list has flagged this site as known phishing or malware.

Google maintains a continuously updated list of websites known to host phishing pages, malware, social engineering scams, and unwanted software. Every Chrome and Firefox user is protected by it, and that’s where the big red “Deceptive site ahead” warning comes from.

A Safe Browsing match is one of the strongest signals you can get. If Google has put a site on this list, real users have been fooled or harmed there, and Google’s automated systems have confirmed it.

When we get a match, we tell you exactly what type was reported: phishing, malware, unwanted software, or social engineering.

Signals you might see

Google Safe Browsing
Google Safe Browsing match

Reported scam database

Whether this domain appears on community-reported scam lists like PhishTank.

Several public, community-driven databases collect user-reported scam URLs. PhishTank is the biggest. We cross-reference every domain against these lists.

A blocklist match means a real human reported this site as a scam, and (in PhishTank's case) other humans verified the report. It’s a strong, evidence-based signal. Somebody got phished or nearly phished, and they took the time to report it.

When we get a hit, we tell you which list matched and roughly when it was reported.

Signals you might see

User-reported scam
Known scam blocklist

Fraud intelligence scan

A third-party fraud intelligence check that scores how risky a URL looks based on phishing, malware, and abuse signals.

IPQualityScore (IPQS) runs its own threat model on URLs and domains using abuse telemetry, historical fraud patterns, and network signals. It can flag phishing or malware behavior and assign a risk score from 0 to 100.

A high IPQS score does not prove a scam by itself, but it is useful corroboration when combined with other checks like domain age, impersonation patterns, and blocklist hits.

We surface IPQS threat flags, unsafe verdicts, parked-domain indicators, and the fraud score bucket so you can see whether the concern is mild, elevated, or severe.

Signals you might see

IPQS threat flag
IPQS unsafe verdict
Parked domain
High fraud risk score
Elevated fraud risk score
Moderate fraud risk score

Checking how it's built

HTTPS, TLS & redirects

Whether the site uses encryption, when the certificate was issued, and whether it silently redirects you elsewhere.

HTTPS is the padlock in your browser bar. It means traffic between you and the site is encrypted. Every legitimate site has it now; certificates are free. We also check when the certificate was issued (a brand-new one combined with other flags is suspicious) and whether the site is silently redirecting you to a different domain.

HTTPS alone isn’t a security guarantee. Scammers happily use it because it’s free. But the absence of HTTPS, especially on anything claiming to take payment or logins, is a hard fail. A very recently issued certificate on a domain claiming to be an established retailer is suspicious. A redirect that takes you from “nike-uk.shop” to a totally different domain is a major flag.

We flag missing or broken HTTPS, recently issued certificates, absent security headers, and redirects to a different domain than the one you typed.

Signals you might see

HTTPS active
No HTTPS
Redirects to different domain
TLS handshake failed
Very recent TLS certificate
Recent TLS certificate
Missing security headers

Infrastructure signals

What’s behind the domain, its hosting and nameservers, and whether they look real or disposable.

Every site lives on some hosting infrastructure. We look at the nameservers (who runs the DNS), the IP addresses (where the site is actually served), and the network they’re on. Some patterns are dead giveaways, like domains parked on registrar default nameservers, sites served from anonymizing networks, or domains with no resolvable web hosting at all.

Real businesses host on real services such as Cloudflare, AWS, Shopify, and GoDaddy hosting. Scams often use anonymized networks or simply don’t have proper hosting set up because their lifespan is days. This is a back-end signal that’s hard to spoof.

We flag parking-oriented nameservers (the domain isn’t actively hosted), no web-host IP records (nothing serves a website at this domain), and anonymized hosting networks with poor abuse-handling reputations.

Signals you might see

Parking-oriented nameservers
No web host IP records
Anonymized hosting network

Email & business setup

Whether the domain is set up to send and receive email like a real business, or has none of the usual infrastructure.

Real businesses configure email. They set up MX records (where mail is delivered), SPF or DMARC records (so their messages don't get marked as spam), and so on. Throwaway scam domains usually skip all of this. They're built to host one page for a few days, not run a business.

It's not a slam-dunk on its own. Some legitimate hobby sites and static landing pages have minimal email setup. But if a domain claims to be an established retailer and can't receive customer emails, something's off.

We flag domains with no MX records, no SPF or DMARC, or a setup that exists only as a defensive measure with no real mail server behind it.
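The distinction between no mail setup, a real one, and a purely defensive one can be made from the DNS answers alone. The sketch below is an added example, not the checker's own code: the function names and returned labels are hypothetical, the records are constructed, and it assumes the MX and TXT answers were already fetched. It treats a null MX (`0 .`, RFC 7505) or an SPF record of just `-all` with no mail host as defensive-only.

```python
def spf_terms(txt):
    """Return the terms of the first SPF record among TXT strings, or None."""
    for record in txt:
        terms = record.strip().strip('"').lower().split()
        if terms and terms[0] == "v=spf1":
            return terms
    return None


def has_dmarc(dmarc_txt):
    """True if a DMARC policy is published at _dmarc.<domain>."""
    return any(r.strip().strip('"').lower().startswith("v=dmarc1")
               for r in dmarc_txt)


def classify_mail_setup(mx, txt, dmarc_txt):
    """Classify mail posture. mx is a list of (preference, exchange) tuples."""
    hosts = [host.rstrip(".").lower() for _, host in mx]
    null_mx = bool(hosts) and all(h == "" for h in hosts)  # RFC 7505: "0 ."
    real_mx = [h for h in hosts if h]
    spf = spf_terms(txt)
    deny_all = spf == ["v=spf1", "-all"]  # SPF that authorises no sender
    dmarc = has_dmarc(dmarc_txt)
    if not mx and spf is None and not dmarc:
        return "no-email-infrastructure"
    if not real_mx and (null_mx or deny_all):
        return "defensive-only"
    if not real_mx:
        return "no-mx"
    if spf is None and not dmarc:
        return "mx-without-spf-or-dmarc"
    return "configured"


if __name__ == "__main__":
    # Constructed DNS answers: (MX, TXT at the domain, TXT at _dmarc.<domain>).
    samples = {
        "working shop": ([(10, "mx1.mailhost.example.")],
                         ["v=spf1 include:_spf.mailhost.example ~all"],
                         ["v=DMARC1; p=quarantine"]),
        "locked-down, no mail": ([(0, ".")], ["v=spf1 -all"],
                                 ["v=DMARC1; p=reject"]),
        "throwaway page": ([], ["site-verification=constructed"], []),
    }
    for label, records in samples.items():
        print(label, "->", classify_mail_setup(*records))
```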

Signals you might see

Email records configured
No email infrastructure
No mail records
Free webmail contact

Domain pattern

Telltale signs in the domain’s structure: sketchy extensions, too many hyphens, suspicious words.

Beyond impersonation, certain patterns in a domain itself suggest fraud. Some top-level domains (.zip, .top, .xyz, .tk) are heavily abused by scammers because they’re cheap, fast to register, and often unmoderated. Multi-hyphen names like “secure-login-verify-account.com” are vanishingly rare on legitimate sites. URL paths containing words like “verify-now” or “update-payment” almost never appear on real businesses.

These patterns aren’t proof on their own. There are perfectly legitimate sites on .xyz, and some businesses use hyphens, but they shift the prior. Combined with other flags, they tilt the verdict.

We flag sketchy TLDs from known abuse lists, domains with excessive hyphens, unusually long domains, phishing-keyword paths and queries, and suspicious structural prefixes.

Signals you might see

Sketchy TLD
Hyphen overload
Very long domain
Phishing keyword
Suspicious domain prefix
Suspicious URL path pattern
Sensitive query parameters
Encoded redirect pattern

Brand impersonation

Domains designed to look like a known brand by tweaking spelling or using lookalike characters.

Scammers try to pass off their domain as a brand you trust. The classic moves are swapping a number for a letter (paypa1.com instead of paypal.com), padding with plausible words (nike-store-uk.shop), or using characters from another alphabet that look identical. An “a” from Cyrillic instead of Latin reads the same to your eyes but is technically a different domain.

If you’re skim-reading a URL in an SMS or email, a clever lookalike will sail past you. This is how phishing kits steal millions from people who would never knowingly hand credentials to a fake.

We flag number-for-letter swaps on big-brand names, padded-out domains that mash a brand into a long string, and mixed-script domains where Cyrillic, Greek, or other characters substitute for Latin ones.
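The three lookalike checks described above can be sketched in a few lines. This is an added example, not the checker's own code: the brand list, the digit map and the function names are hypothetical, and the script test is a heuristic based on Unicode character names. It also assumes a single-label suffix; production code would use the Public Suffix List.

```python
import unicodedata

# Hypothetical brand list and digit-to-letter map, chosen for this example.
BRANDS = {"paypal", "nike", "amazon"}
DIGIT_SWAPS = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s"})


def scripts(label):
    """Approximate the set of scripts in a label from Unicode character names."""
    # Names begin with the script, e.g. 'CYRILLIC SMALL LETTER A'.
    return {unicodedata.name(ch, "UNKNOWN").split(" ")[0]
            for ch in label if ch.isalpha()}


def to_unicode(label):
    """Decode a punycode ('xn--') label so lookalike characters become visible."""
    if label.startswith("xn--"):
        return label[4:].encode("ascii").decode("punycode")
    return label


def impersonation_signals(domain):
    """Return the lookalike signals raised by the label left of the TLD."""
    labels = [to_unicode(l) for l in domain.lower().rstrip(".").split(".")]
    # Assumption: single-label suffix; real code needs the Public Suffix List.
    name = labels[-2] if len(labels) > 1 else labels[0]
    signals = []
    if len(scripts(name)) > 1:
        signals.append("Mixed-script lookalike")
    raw_tokens = name.split("-")
    norm_tokens = name.translate(DIGIT_SWAPS).split("-")
    for brand in sorted(BRANDS):
        # Brand appears only after undoing digit substitutions.
        if brand in norm_tokens and brand not in raw_tokens:
            signals.append("Number-for-letter swap")
        # Brand is one hyphen-separated token among padding words.
        if brand in norm_tokens and len(norm_tokens) > 1:
            signals.append("Brand impersonation")
    return signals


if __name__ == "__main__":
    # Constructed sample domains, including the two named on this page.
    for d in ["paypal.com", "paypa1.com", "nike-store-uk.shop", "p\u0430ypal.com"]:
        print(d.encode("unicode_escape").decode(), impersonation_signals(d))
```

Matching a mixed-script name back to a specific brand needs a confusables table, which the standard library does not ship; this sketch only reports that scripts are mixed.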

Signals you might see

Brand impersonation
Brand-associated domain
Likely brand typosquat
Number-for-letter swap
Mixed-script lookalike
Brand favicon impersonation

Checking what people say

Public review reputation

What real customers say about this brand in public review databases. Useful for catching sellers who aren't phishing scams but consistently ship fakes, miss deliveries, or refuse refunds.

Some of the most damaging sites aren't classic phishing pages. They take payment, send a real-looking parcel, and sell you a counterfeit, or send nothing at all and ghost your refund request. None of the technical signals (domain age, HTTPS, hosting) catch this. The site itself is competently run. The only place this shows up is in customer reviews.

We look at public review databases for an aggregate rating, the volume of reviews, and the language people use in recent reviews. A pattern of “fake”, “knock-off”, “never arrived”, or “won't refund” across multiple recent reviews is a much stronger signal than any one angry customer. We also flag when the most recent reviews are sharply worse than the historic average. That's the signature of a once-decent brand that has changed hands or started cutting corners.

Public review pages are sometimes bot-walled or briefly unavailable. When that happens we simply don’t emit a signal rather than penalising the site for something we couldn’t verify.

Signals you might see

Review databases: very poor rating
Review databases: poor rating
Review databases: below average
Review databases: very few reviews
Reviews report counterfeit goods
Reviews report non-delivery
Recent reviews trending negative

Community mentions

Whether real customers are talking about this site on community forums, particularly in places where people warn each other about scams.

Some scam shops are technically competent. The domain looks fine, the site has HTTPS, the WHOIS checks out. But customers consistently say their orders never arrive, the goods are fake, or the company refuses refunds. The only place that pattern shows up is in conversations between real customers.

We search public community forums for posts that mention this exact domain, with two passes. The first looks specifically inside scam-reporting communities, where a single match is meaningful. The second searches more widely for posts mentioning the domain alongside terms like “scam”, “fake”, or “refund”, and we count how many independent posts describe counterfeits or non-delivery.

A handful of forum posts is normal. Angry customers exist for every business. We only flag a domain when the volume is high enough that a real pattern is showing through the noise.

Signals you might see

Reported scam in community forums
Mentioned in scam-reporting communities
Community reports of fraud or investment scam
Community reports of counterfeit goods
Community reports of non-delivery

Checking the page itself

Landing page content

What the page itself says and does. Scam sites use pressure, fear, and misleading forms that legitimate businesses don't.

We fetch the page and analyse what’s actually on it. Real businesses don’t pressure you into acting immediately, ask for credentials unprompted, or mimic a well-known brand’s tone while operating from an unrelated domain.

This is content-level evidence. A domain might look fine on paper, but if its landing page behaves like a phishing site (pressure tactics, misleading calls to action, suspicious form handling), the page itself is the signal.

We flag pages that display suspicious content patterns and forms that behave in ways inconsistent with legitimate sites.

Signals you might see

Suspicious page content
Suspicious form behaviour
Self-declared unaffiliated brand storefront

Payment integration

How the site collects payment. Established processors are a green flag; crypto-only or wire-transfer-only is a red flag.

Legitimate online shops integrate with recognised payment processors like Stripe, PayPal, Klarna, Shopify Pay, or Apple Pay. These providers vet their merchants, handle fraud disputes, and offer chargeback protection to buyers. A real shop almost always has at least one of them on the page, usually several.

Scam shops avoid these processors because the processors would freeze them quickly. Instead they push customers towards irreversible payment methods: bank transfer, Western Union, MoneyGram, or “send X coin to this wallet”. If you pay that way and the goods never arrive, your money is gone.

We scan the page for both: recognised processors as a positive trust signal, and crypto wallet addresses, “BTC payment only”, or untraceable remitter mentions as strong scam indicators.

Signals you might see

Established payment integration
No recognised payment processors
Crypto-only payment indicators
Untraceable payment methods
