Is This Website Scam Or Not?
Check before you buy, click or trust.
Instant scam check for any website. Domain age, brand impersonation, phishing patterns, payment red flags, transparency signals — in plain English.
No signup required. Results cached for 24 hours at the edge.
Every signal a legitimate site has.
Every gap a scam usually shows.
Categorized trust score
Not just one number — separate scores for Security, Infrastructure, Transparency, Content, Email and Performance so you know exactly where the risk lives.
Deep DNS + WHOIS
A/AAAA, MX, TXT, NS via DNS-over-HTTPS. Domain age, registrar and expiry via RDAP — new domains flagged automatically.
Security headers audit
HSTS, CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy — with plain-language explanations.
Email spoofing risk
SPF, DMARC and DKIM verified from public DNS. Understand whether attackers can forge mail from a domain.
Transparency signals
Privacy policy, terms, contact, refund policy, social links, published email — the things reputable sites have and scams skip.
Technology fingerprint
WordPress, Next.js, React, Vue, Shopify, Google Analytics, Meta Pixel — 30+ signatures matched from live HTML.
Edge-cached (24h)
First scan is live; repeat lookups return in under 50ms from Cloudflare's edge. Cache layer is swappable — KV, R2 or DB later.
Free-only sources
Cloudflare DNS, RDAP, Certificate Transparency, native fetch. Zero paid APIs. Every signal is public and reproducible.
Small habits that block most scams.
Never trust a link in an email
Type the domain yourself or use a bookmark. Every serious phishing campaign starts with a link that looks right.
Use a password manager
It refuses to autofill on the wrong domain. That single behaviour blocks most lookalike-domain phishing outright.
Check the domain age
A three-day-old domain claiming to be a well-known brand is almost never legitimate. RDAP gives you the answer instantly.
Verify with a second channel
If your bank emails you, call the number on your card, not the one in the email. Costs 30 seconds; saves years of pain.
Deep dives on modern scams.
How to check a phishing link safely (without clicking it)
A step-by-step link checker guide: how to inspect a suspicious URL, expand shortlinks, verify SSL and reputation — all without ever loading the page in your browser.
Why DNS-over-HTTPS matters (and how Scam Lookup uses it)
Traditional DNS is plaintext and trivially tampered with. DNS-over-HTTPS encrypts the lookup — and lets any web app resolve records without a server-side helper.
Phishing in 2026: what modern phishing kits actually look like
Phishing has evolved past bad grammar and Nigerian princes. Here's what a well-executed 2026 phishing campaign looks like — and what still gives them away.
Ten free tools under one roof.
WHOIS, DNS lookup, SSL checker, HTTP header checker, IP lookup, email reputation, QR scanner, URL expander — all on the same $0 stack. Website Trust Checker is live now.
From URL to full report in about 3 seconds.
We fan out 9 independent scanners in parallel from Cloudflare's edge, aggregate the findings into weighted category scores, and render an explainable report — every signal shows why it raised or lowered the score.
- 1Normalize & resolveURL is parsed, host is validated, DNS-over-HTTPS resolves A/AAAA/MX/NS/TXT.
- 2Fetch primary HTMLSingle request follows redirects manually, records timings, headers, body sample.
- 3Fan-out scannersRDAP, Certificate Transparency, security headers, robots, tech signatures, transparency and email-security run concurrently.
- 4Score & explainFindings are weighted into six category scores. Each contributes to an overall trust score with its own reasoning.
- 5Cache at edgeFull JSON report is stored at the edge for 24h. Repeat requests return instantly.
Frequently asked
How does Scam Lookup decide if a site is safe?+
Every scan runs 9 independent modules — HTTP, DNS, RDAP, SSL, security headers, robots/sitemap, technology detection, content transparency and email security — and combines their findings into six category scores using a deterministic weighted algorithm. The overall score is the weighted average. No randomness, no black box, no AI verdict.
Is this a replacement for antivirus or malware scanning?+
No. Scam Lookup evaluates trust signals — the things a legitimate site does and a disposable scam typically doesn't. It won't replace endpoint security. Combine it with your browser's Safe Browsing, an ad blocker and a password manager.
Is it free? What's the catch?+
It is free and there's no catch. The whole stack runs on Cloudflare's free tier and uses only public data sources (Cloudflare DNS, RDAP, Certificate Transparency, and live HTTP requests). No paid APIs.
Do you store what I scan?+
Scan results are cached at the edge for 24 hours to keep repeat lookups fast. Nothing personal is collected on the public scanner. If you create an account (coming soon) you can opt-in to save history and favorites.
Can I share a scan report with someone?+
Yes. Every scan has a permanent shareable URL at /check/{domain} — send the link, no signup needed on the other end.
How can I spot a fake website myself in 60 seconds?+
Check the domain age, look for real transparency (privacy policy, contact page, real address), verify the SSL certificate history, and reverse-image search the product photos. We have a full 60-second checklist in the blog.
Try it on a domain you're curious about.
Free, no signup. Cached at the edge so your team can share the URL.
No signup required. Results cached for 24 hours at the edge.