The three-layer scoring engine

Every URL, phone number, or message you submit to Scampede is run through three independent layers of analysis simultaneously. Each layer contributes a score from 0 to 100. The layers are then combined using weighted averaging to produce a final risk score, with the verdict ranging from Safe through Low, Medium, High, to Critical.

This multi-layer approach means that even if one data source has no information about a particular URL, the other layers can still catch it. A known phishing domain will score high on threat intelligence. A scam message with no known URL will score high on pattern analysis. A company reported hundreds of times by consumers will score high on community signals.

Layer 1 — Pattern analysis

Weight: 45%

The first layer analyses the raw input — the URL, message text, phone number, or email — for known scam patterns without relying on any external database. This means it works even for brand new scams that haven't been reported anywhere yet.

Signals checked include:

• URL structure — suspicious TLDs (.xyz, .top, .tk, .ml), excessive hyphens, numeric sequences in domains, brand name impersonation patterns (e.g. "paypal-verify", "amazon-secure")
• Protocol — HTTP instead of HTTPS adds risk; combined with other signals it becomes significant
• Urgency language — phrases like "act now", "limited time", "expires today", "you have been selected" that are characteristic of scam messages
• Payment pressure — mentions of wire transfer, Western Union, MoneyGram, gift cards, or cryptocurrency as payment methods
• Credential harvesting signals — "verify your account", "confirm your identity", "your account has been suspended"
• Investment fraud patterns — "guaranteed returns", "risk-free investment", "double your money"

Each matched pattern adds points to the heuristic score, capped at 100. The score is then weighted at 45% of the final result.

Layer 2 — Threat intelligence

Weight: 35%

The second layer cross-references the submitted URL or domain against live threat intelligence feeds from two sources:

• PhishDestroy — a free, open-source threat intelligence database covering 770,000+ malicious domains. It returns a risk score, severity level, matched blocklists, and suspicious keyword flags for any domain. No API key is required, making this check always available.
• IPQualityScore (IPQS) — a commercial threat intelligence service used by thousands of security teams. It performs 50+ real-time checks on any URL including phishing detection, malware scanning, domain reputation, parking domain detection, and spam scoring. Returns a fraud score from 0 to 100 along with specific threat flags.

The two API scores are averaged together. If one source has no data on a domain, the other carries full weight automatically. Any confirmed phishing or malware flag from either source adds a score boost on top of the base API score.

Layer 3 — Community reports

Weight: 20%

The third layer checks Scampede's own database of verified scam reports. This database is built from:

• PhishTank — community-verified phishing URLs, each independently confirmed by multiple volunteers before being added.
• ScamSniffer — 50,000+ cryptocurrency phishing domains identified by the web3 security research community.
• CFPB consumer complaints — financial fraud reports from US consumers describing real experiences with scam companies, fake debt collectors, fraudulent money transfer services, and identity theft.
• User submissions — reports submitted directly through Scampede, reviewed before being added to the public database.

The community score uses a logarithmic scale — a single report adds modest risk, but 20+ reports on the same domain adds significant weight. An admin-confirmed scam record immediately scores 100 on this layer. This prevents single false reports from unfairly flagging legitimate businesses while still surfacing patterns from repeated reports.

Dynamic score merging

The three layer scores are combined using weighted averaging. However, the weights adjust dynamically based on data availability:

• If no API data is available (e.g. the domain is too new for any database), the heuristic layer carries full weight (100%) rather than being capped at 45%.
• If no community data exists, its 20% weight is redistributed equally between the heuristic and API layers.
• If all three layers have data, the default weights apply: Heuristic 45% · Threat Intelligence 35% · Community 20%.

This means Scampede never gives a false sense of security just because one data source returned nothing. The engine always makes the best possible assessment from whatever data is available.

Verdict bands

Final scores map to five verdict levels:

Limitations and accuracy

Scampede is a detection tool, not a guarantee. There are two types of errors any detection system can make:

• False negatives — a scam site that scores Safe because it's too new to appear in any database and uses no common scam patterns. This is most common with freshly registered phishing sites in the first 24–48 hours after launch.
• False positives — a legitimate site that scores High because it shares a domain pattern with known scam sites, or because it's been incorrectly reported by users. If you believe a report on Scampede is wrong, please contact us with evidence.

Our threat intelligence feeds update in near real-time, and our database grows daily. But no automated system catches everything. Always apply your own judgement, especially before making payments, sharing passwords, or providing personal information to any website.

Try it now

Paste any suspicious URL, phone number, or message into the checker — free, instant, no login required.