How It Works

Sender Authentication

We verify the email's authenticity using industry-standard protocols:

• SPF (Sender Policy Framework) — Verifies the sending server is authorized
• DKIM (DomainKeys Identified Mail) — Confirms the email wasn't modified in transit
• DMARC — Checks the sender's domain policy alignment

If an email claims to be from PayPal but fails these checks, it's almost certainly fake.

Sender Reputation

We analyze the sender's identity for suspicious patterns:

• Domain verification — Is the domain legitimate or a lookalike?
• Typosquatting detection — Catches domains like "paypa1.com" or "arnazon.com"
• Display name analysis — Detects mismatches between name and address
• Known sender database — Cross-references with 60+ trusted brands

Link Analysis

Every link in the email is thoroughly examined:

• URL unshortening — Reveals where shortened links actually lead
• Malware database check — Compared against URLhaus and other threat databases
• Homograph detection — Catches unicode tricks (е vs e)
• Suspicious TLD flagging — Identifies high-risk domain extensions

Content Analysis

The email content is scanned for common scam indicators:

• Urgency patterns — "Act now!", "Your account will be closed"
• Threat detection — Legal threats, account suspension warnings
• Data requests — Requests for passwords, credit cards, personal info
• Too-good-to-be-true — Lottery wins, inheritance, prize notifications

External Database Check

We query external threat intelligence sources:

• URLhaus — Database of malware distribution URLs
• Spamhaus — Known spam and phishing domains
• Our own database — Continuously updated from analyzed emails

Final Verdict

All signals are combined to produce a final assessment:

• SAFE — No threats detected, email appears legitimate
• SUSPICIOUS — Some warning signs, proceed with caution
• SCAM — Multiple confirmed threat indicators

We're conservative — we only mark emails as SCAM when we're highly confident.