Scam Detector is an online service that automatically assigns a trust score out of 100 to any website, based on about thirty technical criteria (domain age, HTTPS, blacklists, IP, WHOIS, etc.). The idea is appealing, but the tool’s methodology and its business model raise serious questions, to the point that many perfectly legitimate sites end up being classified as dangerous. Here is what the tool really does, what it doesn’t do, and the technical checks to carry out yourself.
What Scam Detector actually does
The tool exposes a public validator at the URL scam-detector.com/validator/{domain}. For each submitted domain, a page is automatically generated with a score out of 100 and a verdict ranging from “Verified. Safe” to “Untrustworthy. Risky. Danger”. This can be seen on any test URL, for example the page generated for effetpapillon.fr: no human intervention, an indexable page produced on the fly.
According to the publisher’s documentation, the algorithm combines a series of public technical signals:
- domain age and WHOIS data;
- presence on antivirus or anti-phishing blacklists;
- validity and type of SSL/TLS certificate;
- popularity ranking (Alexa, Tranco, etc.);
- Web of Trust (WOT) rating;
- basic analysis of the homepage source code;
- geographical location of the IP and host;
- presence of legal notices, general terms and conditions, and contact methods.
The resulting score is then indexed by Google, which explains why these review pages often appear in the SERPs when searching for a site’s name followed by words like “review” or “scam”.
Methodological limitations of the tool
On paper, Scam Detector’s framework looks like a classic automated technical audit. The problem lies with three factors.
A purely static and superficial analysis
All checks are done without context. A legitimate site hosted in Lithuania, behind Cloudflare, with a domain less than a year old, can accumulate “negative signals” even though this is a standard setup for a young European startup. The case of the jobba.fr report is typical: a young French platform is evaluated on the same criteria as a long-established fraudulent site, with no consideration of its actual operational reality. Conversely, a recent fraudulent site that has polished its HTTPS and WHOIS can obtain a decent score.
A score that ignores operational reality
The tool knows nothing about the actual activity: transaction volume, customer satisfaction, reports to the DGCCRF or Signal Conso, feedback on marketplaces. It assesses a technical signature, not a business. It is the SEO equivalent of a port scan: useful but unable to qualify the nature of the service. A quick comparison between several reports generated by the tool — for example, that of cyroco.fr — shows that sites with very different profiles receive verdicts based on the same rigid framework, without sectoral nuance.
A business model that raises questions
This is the most problematic point for anyone working in IT or cybersecurity. On Trustpilot, the pattern documented by dozens of site owners is recurrent: a very low initial rating (often 10 to 30 out of 100) with the mention “Untrustworthy”, followed by a rapid score increase — sometimes up to 100/100 within a few days — once the publisher is contacted and documents are provided. The line between independent validator and commercial pressure lever is thin.
How to truly verify a site’s reliability, on the technical side
For an IT, security, or e-commerce team wanting to audit a site (their own or a partner’s), no single tool is sufficient. Here is the minimal, free audit stack, which is far more reliable than an aggregated score.
1. WHOIS and domain history
First of all, consult the raw WHOIS via who.is, the AFNIC registry for .fr, or the whois command line. Check the creation date, registrar, and contact consistency. Wayback Machine also allows you to see if the site existed in another form, and since when.
2. TLS certificate audit
The reference test remains SSL Labs (Qualys): it evaluates the certification chain, cipher suites, TLS 1.3 support, resistance to known attacks (BEAST, POODLE, Heartbleed), and assigns a grade from A+ to F. A serious site aims for at least an A. A truly suspicious domain will often present a recent Let’s Encrypt certificate on a wildcard subdomain, with no organizational information.
3. HTTP headers and security configuration
The tool securityheaders.com checks for the presence of HSTS, Content-Security-Policy, X-Frame-Options, Referrer-Policy, Permissions-Policy headers. An e-commerce site that takes payments without HSTS or CSP is, at best, negligent. Mozilla Observatory provides a useful complement.
4. Reputation and threat indicators
To systematically cross-check:
- VirusTotal (URL and domain): aggregates more than 70 detection engines.
- Google Safe Browsing: the database consulted by Chrome, Firefox, and Safari.
- URLVoid and AbuseIPDB: community reports.
- Signal-Arnaques for the Francophone context.
5. Summary table of checks
| Check | Tool | What we look at |
|---|---|---|
| Domain identity | WHOIS, AFNIC | Creation date, registrar, contacts |
| Encryption | SSL Labs | Grade A+/A, TLS 1.3, certification chain validity |
| Web hardening | securityheaders.com | HSTS, CSP, X-Frame-Options |
| Reputation | VirusTotal, Safe Browsing | Multi-engine detections |
| Antiquity | Wayback Machine | Consistency over time |
| User feedback | Trustpilot, Signal-Arnaques | Volume and nature of complaints |
What if your site is poorly rated by Scam Detector?
First thing to know: a bad score has no direct impact on your Google ranking. Scam Detector pages are third-party content, treated like any review. What can harm, however, is their visibility in the SERP when a prospect searches for your brand.
Some reasonable actions:
- Objectively audit your site with the tools listed above, to identify technical signals that may have triggered the bad rating (weak certificate, missing legal notices, obscure hosting, etc.).
- Correct what needs to be fixed: publish compliant legal notices, secure TLS, add T&C/CGU pages, show a real contact.
- Work on your e-reputation in parallel: Trustpilot reviews, Google Business Profile, mentions on authoritative sites in your sector. The more your brand is positively cited elsewhere, the less a Scam Detector page weighs in the SERP.
- Request a reevaluation from Scam Detector if you wish, but without making it a top priority: the score can evolve, but the tool remains contested.
FAQ
Is Scam Detector an official or recognized site?
No. It is a private service operated by a commercial company, without official certification from any consumer protection or cybersecurity body. Its scores have no legal value.
Should a bad Scam Detector rating be taken seriously?
Not as a verdict, but as a signal to investigate. If the score is low, check the technical points yourself with SSL Labs, VirusTotal, and WHOIS before drawing any conclusions.
Can Scam Detector impact my SEO?
Only indirectly. Google does not penalize a site because a third party gives it a bad score. However, a Scam Detector page well ranked for your brand name can influence a prospect’s decision before they arrive on your site.
What is the best alternative to verify a site?
No single source is sufficient. The combination SSL Labs + VirusTotal + Google Safe Browsing + WHOIS + Wayback Machine provides a much clearer and more actionable picture than an aggregated score, at no cost.
Does a 100/100 score on Scam Detector guarantee a site is reliable?
No. A high score simply means the automated checks have passed. Many recent scams achieve very good scores because they polish their technical envelope. A site’s reliability is judged on its operational reality, not on an algorithmic rating.
