Methodology

How our detection engine works.

Every scan runs through six independent detection layers in parallel — threat-intelligence lookups, public registration records, live certificate checks, email authentication, AI content analysis, and a community scam-pattern database. The layers are combined into a single 0–100 risk score and a verdict.

This page describes the engine as deployed today, including its measured accuracy and its limitations. Written and maintained by the IsThisAScam Research Team.

The six layers

Weights show each layer's share of the composite score. When a layer doesn't apply (e.g. no URL in the message), its weight is redistributed proportionally among the layers that ran.

01. URL Reputation (weight 25%)
Sources: Google Web Risk, VirusTotal, PhishTank, URLhaus

Every URL found in the submission is checked against four independent threat-intelligence services in parallel. Google Web Risk covers malware and social-engineering flags, VirusTotal aggregates 90+ antivirus engines, PhishTank tracks community-verified phishing URLs, and URLhaus tracks malware distribution. A confirmed blocklist hit is the strongest single signal we have.

02. Domain Intelligence (weight 15%)
Sources: RDAP registration records, DNS, live TLS certificate inspection

We query public RDAP records for the domain’s registration date and registrar, resolve its DNS (mail and nameserver records), and open a live TLS connection to inspect its certificate. Scam domains are disproportionately days or weeks old; legitimate businesses rarely run on a domain registered last Tuesday with no mail records and an invalid certificate.
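What the registration lookup reads from an RDAP record, as an added example (not IsThisAScam's own code): the response below is constructed in the RFC 9083 shape, and the function names are assumptions. Records with no usable registration event, which the page notes some TLDs return, yield `None` rather than an age.

```python
import json
from datetime import datetime, timezone

# Constructed RDAP domain response (RFC 9083 shape), trimmed to the fields
# read below. The domain and registrar are made up.
SAMPLE_RDAP = json.loads("""
{
  "objectClassName": "domain",
  "ldhName": "example-shop.test",
  "events": [
    {"eventAction": "registration", "eventDate": "2026-06-23T09:14:02Z"},
    {"eventAction": "expiration", "eventDate": "2027-06-23T09:14:02Z"}
  ],
  "entities": [
    {"roles": ["registrar"],
     "vcardArray": ["vcard", [["version", {}, "text", "4.0"],
                              ["fn", {}, "text", "Example Registrar LLC"]]]}
  ]
}
""")


def registration_date(rdap):
    """Return the registration event as an aware datetime, or None."""
    for event in rdap.get("events") or []:
        if event.get("eventAction") != "registration":
            continue
        try:
            parsed = datetime.fromisoformat(event["eventDate"].replace("Z", "+00:00"))
        except (KeyError, AttributeError, ValueError):
            continue  # incomplete or malformed record
        return parsed if parsed.tzinfo else parsed.replace(tzinfo=timezone.utc)
    return None


def registrar_name(rdap):
    """Return the jCard "fn" of the entity holding the registrar role, or None."""
    for entity in rdap.get("entities") or []:
        if "registrar" in (entity.get("roles") or []):
            for props in (entity.get("vcardArray") or [])[1:2]:
                for prop in props:
                    if prop[0] == "fn":
                        return prop[3]
    return None


def domain_age_days(rdap, scan_time):
    """Whole days since registration; None when the record has no usable date."""
    registered = registration_date(rdap)
    return None if registered is None else (scan_time - registered).days
```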

03. Email Authentication (weight 15%)
Sources: SPF, DKIM, DMARC via live DNS lookups

For email submissions, we verify the sending domain’s SPF, DKIM, and DMARC policies. A message that fails all three is very likely spoofed — this triggers a scoring override regardless of what the other layers say.

04. AI Text Analysis (weight 30%)
Sources: Large language model (Anthropic Claude)

The full text is analyzed by a large language model trained to recognize manipulation tactics: manufactured urgency, impersonation of brands and authorities, requests for gift cards or crypto, too-good-to-be-true offers, and dozens of other patterns. This is the highest-weighted layer and the only one that understands meaning rather than metadata. It runs on every scan.

05. Visual Analysis (weight 5%)
Sources: Text extracted from screenshots

For screenshot submissions, we analyze the extracted text for visual-deception patterns such as fake login prompts and spoofed payment interfaces.

06. Community Intelligence (weight 10%)
Sources: Anonymized scam-pattern database from prior scans

Each scan is fingerprinted (a similarity hash — no raw content is stored) and compared against patterns from previous confirmed scams. Scammers reuse scripts; if a near-identical message was already flagged, that history counts against it.

From layers to a verdict

The composite score is a weighted average of the active layers. Safety overrides then apply on top: a confirmed blocklisted URL floors the score at 80, an email failing SPF, DKIM, and DMARC floors it at 70, and a high-confidence AI determination can override a diluted average. Overrides only ever push the score toward caution, never toward "safe".

Scores map to four verdict bands: safe (low risk), suspicious, likely scam, and confirmed scam (blocklist-verified). When the engine is uncertain, it is designed to err toward caution — we consider a false alarm far cheaper than a missed scam.
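The weighting and floor rules above, as an added example (not IsThisAScam's own code): the layer weights and the two floor values are from this page, while the function names, the 0-100 per-layer scores and the sample inputs are assumptions. The AI-confidence override and the verdict bands are left out because the page gives no thresholds for them.

```python
# Layer weights (percent of the composite score) as listed on this page.
WEIGHTS = {
    "url_reputation": 25,
    "domain_intelligence": 15,
    "email_authentication": 15,
    "ai_text_analysis": 30,
    "visual_analysis": 5,
    "community_intelligence": 10,
}

BLOCKLIST_FLOOR = 80     # confirmed blocklisted URL
SPOOFED_MAIL_FLOOR = 70  # SPF, DKIM and DMARC all fail


def composite_score(layer_scores):
    """Weighted average over the layers that ran.

    layer_scores maps layer name -> risk score; the 0-100 per-layer scale is
    an assumption. Dividing by the sum of the active weights redistributes
    the weight of skipped layers proportionally among the layers that ran.
    """
    unknown = set(layer_scores) - set(WEIGHTS)
    if unknown:
        raise ValueError(f"unknown layers: {sorted(unknown)}")
    if not layer_scores:
        raise ValueError("at least one layer must run")
    active_weight = sum(WEIGHTS[name] for name in layer_scores)
    weighted = sum(WEIGHTS[name] * score for name, score in layer_scores.items())
    return weighted / active_weight


def final_score(layer_scores, blocklist_hit=False, auth_results=None):
    """Apply the two numeric floors; max() means an override only raises."""
    score = composite_score(layer_scores)
    if blocklist_hit:
        score = max(score, BLOCKLIST_FLOOR)
    # auth_results (hypothetical shape): {"spf": "fail", "dkim": "pass", ...}
    if auth_results and all(
        auth_results.get(mech) == "fail" for mech in ("spf", "dkim", "dmarc")
    ):
        score = max(score, SPOOFED_MAIL_FLOOR)
    return round(score, 1)
```

A text message with no URL and no email headers runs only the AI and community layers, so their 30 and 10 are rescaled to 75% and 25% of the composite.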

Measured accuracy

  • Scam recall: 100%
  • Band accuracy: 96.8%
  • Labeled cases: 157
  • False positive: 1

On our internal benchmark of 157 hand-labeled real-world cases (scam emails, phishing URLs, smishing texts, and legitimate messages that commonly trigger false alarms), the engine caught 100% of scams (zero false negatives) and placed 96.8% of all cases in the correct verdict band, with 1 legitimate message incorrectly flagged. Last evaluated July 1, 2026.

This is a benchmark result, not a guarantee. Real-world scams evolve constantly, and no automated system catches everything. Treat every verdict as a strong signal, not a substitute for your own judgment.

Known limitations

  • Brand-new scam infrastructure may not yet appear on any blocklist — in those cases the verdict rests mainly on domain age and AI analysis.
  • Genuinely ambiguous messages (e.g. a real debt collector using urgency tactics) can land in the "suspicious" band either way. By design, ambiguity errs toward caution.
  • A "low risk" verdict for a website reflects technical signals at scan time. It says nothing about product quality, shipping times, or business practices.
  • Registration data depends on public RDAP availability; a small number of TLDs return incomplete records.

Domain trust reports & disputes

Our public domain trust reports aggregate the domain-level technical findings above (never the content of anyone's scan). Every report is an automated algorithmic assessment that refreshes as new scans arrive.

If you operate a domain and believe its report is inaccurate, email [email protected] — we review every dispute and re-scan on request.

Research & editorial standards

Guides and scam alerts published on our blog are written by the IsThisAScam Research Team, drawing on patterns observed in scans, published advisories from the FTC, FBI IC3, and national consumer-protection agencies, and the threat-intelligence sources listed above. Articles show their publication date and are updated when a scam pattern changes. We do not accept payment for coverage, and no advertiser or brand can influence a verdict.

IsThisAScam is operated by Zeplik, Inc., a Delaware C-Corporation.
