Online fraud has become one of the most expensive problems on the internet — and most people still have no fast, trustworthy way to check whether a message, link, or screenshot is a scam. This is the story of how we built ScamCheck, a free AI scam detection platform designed for everyone, and the engineering decisions behind it.
The Growing Scam Problem
Scams are no longer crude, typo-ridden emails that are easy to ignore. They are well-funded, multilingual, and increasingly powered by the same generative AI tools that legitimate businesses use. The result is a flood of convincing fake bank alerts, parcel-delivery traps, UPI “refund” requests, investment cons, and job offers that are engineered to bypass human skepticism in seconds.
The numbers are sobering. According to the U.S. Federal Trade Commission, consumers reported losing more than $10 billion to fraud in 2023 — the highest figure the agency has ever recorded. The FBI’s Internet Crime Complaint Center (IC3) reported even higher complaint-based losses of roughly $12.5 billion in the same year. In India, the national cybercrime helpline (1930) and the National Cyber Crime Reporting Portal field hundreds of thousands of complaints about UPI fraud, fake KYC updates, and “digital arrest” scams.
This is a global, well-documented threat. Agencies and security teams worldwide publish guidance on recognizing it — including the U.S. Cybersecurity and Infrastructure Security Agency (CISA), the National Institute of Standards and Technology (NIST), Europol, and Microsoft Security, whose annual Digital Defense Report tracks the industrialization of phishing. Google Safe Browsing alone warns users about millions of unsafe sites — yet new scam domains still slip through before they are ever listed.
What makes today’s scams dangerous is not just their volume but their velocity and personalization. A phishing link can be spun up, shared across WhatsApp groups, and taken down before any blocklist catches it. A spoofed “your account is blocked” SMS reaches millions before a single fraud report is filed. The people most affected — older adults, first-time smartphone users, small business owners — are often the least equipped to investigate a suspicious message on their own.
Why Existing Tools Fail
When we mapped the landscape, we found that the tools meant to protect ordinary people fall short in predictable ways:
- Blocklists are always behind. URL reputation services rely on a domain already being reported. New scam domains — registered by the thousands daily — sail through untouched for hours or days.
- Most checkers only handle links. Real scams arrive as messages, emails, phone numbers, and screenshots, not just clickable URLs. A grandmother forwarding a WhatsApp screenshot has nowhere to paste an image and get an answer.
- Enterprise security is invisible to consumers. Email gateways and endpoint protection live inside corporate networks. The individual on a personal phone gets none of that.
- Language is a blind spot. Many tools only understand English, while a huge share of fraud is written in Hindi, Hinglish, Spanish, and other languages.
- Friction kills usage. Tools that require sign-up, downloads, or payment simply don’t get used in the 10-second window when someone is deciding whether to click.
Generative AI has made this worse. The same models that write marketing copy now write flawless phishing messages in any language, clone brand tone, and localize a con for a specific region in seconds. The grammatical mistakes people were taught to look for have largely disappeared. When the attacker’s tooling is AI, the defender’s tooling has to be AI too — but pointed at the public, not locked inside an enterprise.
The lesson was clear: people don’t need another security product for experts. They need an instant, free, explainable second opinion that works on whatever a scam actually looks like — a pasted message, a forwarded email, a phone number, or a screenshot.
How ScamCheck Was Created
ScamCheck is built by A Square Solutions, where we ship production AI systems and document the engineering openly. Many of the decisions behind ScamCheck are recorded in our AI Execution Lab — a public journal of how we operationalize AI, including the trade-offs we made on cost, latency, and accuracy. If you want the deeper engineering context, our write-up on operationalizing AI for scale and sovereignty covers the philosophy that shaped this product.
We set three non-negotiable principles before writing a line of code:
- Free and frictionless. No download, no paywall to run a basic check. Guests can scan immediately; signing in simply unlocks more daily checks.
- Multimodal by default. If a scam can arrive as text, a link, an email, a phone number, or an image, ScamCheck must accept all of them.
- Explainable, not a black box. A verdict without a reason teaches nobody. Every result shows why it was flagged so users learn the patterns.
Technically, ScamCheck combines deterministic detectors (regex and rule engines tuned for multilingual scam patterns), entity extraction (links, UPI IDs, phone numbers), domain and brand-impersonation intelligence (typosquatting, homoglyph and punycode detection, deceptive subdomains), reputation signals for known-good first parties, and an AI layer for screenshots and ambiguous cases. We deliberately built the cheap, fast, deterministic checks first, and reserve the heavier AI vision calls for when they add real value — an approach we detail across the Lab.
Core Features
ScamCheck is organized around the five ways a scam actually reaches a person. Each has a dedicated, SEO-friendly entry point so you can go straight to the check you need.
Message Analyzer
Paste any suspicious SMS, WhatsApp, or chat message. The WhatsApp scam checker and message analyzer extract embedded links, phone numbers, and UPI IDs, then flag manufactured urgency (“your account will be blocked today”), OTP-theft attempts, and impersonation of banks or government bodies.
Email Checker
Phishing emails spoof trusted senders or use look-alike domains. The email scam checker inspects the exact sender domain, detects deceptive “from” addresses, and surfaces credential-harvesting cues that separate a real notification from a fake.
Link Checker
The link scam checker reads the destination domain rather than the display text, catching typosquats, homoglyph attacks, suspicious TLDs, link shorteners, and brand names hidden inside deceptive subdomains — exactly the tricks that blocklists miss on day one.
Phone Checker
Unsolicited callbacks and “customer care” numbers are a fast-growing vector. The phone scam checker flags callback numbers from unexpected messages, remote-access app requests, and “verification fee” demands.
Screenshot Scanner
This is where ScamCheck stands apart. Most people forward a screenshot — a fake payment “success,” a spoofed bank screen, or a chat. The screenshot scanner runs OCR and AI vision to read the image, then applies the same fraud detection as for text. Critically, images are optimized on your device and processed in-request — they are never stored.
AI Detection Workflow
Under the hood, a single scan flows through a layered pipeline designed for speed first and intelligence where it counts:
- Input normalization. Text is parsed directly; screenshots run through OCR (with AI-vision fallback) to extract the underlying text and entities.
- Entity extraction. URLs, email addresses, phone numbers, and UPI IDs are isolated for targeted analysis.
- Deterministic detection. Multilingual rule engines flag high-severity signals — OTP requests, fake-payment screens, and suspicious links — with no AI cost.
- Impersonation & reputation. Domains and emails are tested for typosquatting, homoglyph/punycode tricks, and deceptive subdomains, while verified first parties are recognized to reduce false positives.
- Semantic matching. The content is compared against a corpus of known scam campaigns so a new message can be linked to an existing pattern.
- Calibrated verdict. A 0–100 risk score is produced with confidence calibration — strong claims on thin evidence are pulled toward “needs review” rather than over-asserting.
This is the same disciplined approach to AI reliability we explore in what happens when AI goes off-script — automated systems must be honest about uncertainty, not confidently wrong.
Two engineering choices matter most here. First, speed before spend: the deterministic layers resolve the vast majority of obvious scams in milliseconds with zero AI cost, so the expensive vision model is only invoked when it genuinely changes the answer. This keeps the product free to run at scale. Second, calibrated humility: rather than forcing a binary “safe/scam” verdict, ScamCheck returns a graded risk score and explicitly downgrades its own confidence when the evidence is thin — for example, a blurry screenshot with little readable text. A tool that admits “this needs human review” is far safer than one that guesses confidently and is occasionally, dangerously wrong.
How to Read a ScamCheck Result
A result is designed to teach, not just to judge. Here is how to act on one:
- High risk (70–100): treat it as a scam. Do not click, pay, or share any code. If it impersonates your bank, contact the bank using the number on your card — never a number from the message.
- Medium risk (40–69): proceed with caution. Independently verify the sender or company through their official app or website that you type yourself.
- Low risk (0–39): likely safe, but a low score is not a guarantee. If money or sensitive data is involved, still verify through official channels.
Every result also lists the specific signals that drove the score — an unverified domain, an OTP request, a fake-payment screen — so each scan makes you a little better at spotting the next one without a tool.
Real-World Scam Examples
Here are patterns ScamCheck catches every day, drawn from live scam intelligence:
- Fake bank KYC: “Dear customer, your account will be BLOCKED today. Update KYC: http://sbi-kyc-verify.xyz” — manufactured urgency plus a typosquatted domain on a suspicious TLD.
- UPI refund trap: “You have a pending refund of ₹4,999 — scan the QR to receive it.” A real credit never requires you to scan a QR or approve a payment to receive money.
- Courier/customs fee: a parcel “held” until you pay a small fee via a link — a classic low-value, high-volume scam.
- Fake payment screenshot: a forged “₹X received” screen sent to a seller to trick them into releasing goods before the money exists.
- Investment/Telegram cons: guaranteed-return groups that front-load small payouts to build trust before the exit scam.
Worked example. Consider this real-world pattern: “Congratulations! You are selected for a work-from-home job, earn ₹5,000/day. Pay ₹199 registration to start: bit.ly/job-xyz.” Paste it into ScamCheck and several signals fire at once — a link shortener hiding the true destination, an upfront “registration fee” (legitimate employers never charge to hire), and an unrealistic income promise. The verdict comes back high-risk with each reason listed, so the user not only avoids the ₹199 loss but learns the three tells for every future job scam. That educational compounding is the point: one scan, three lessons.
You can track current campaigns on the latest scams page, which is updated as new patterns emerge.
Privacy and Security Approach
Trust is the entire product, so privacy is built in, not bolted on:
- No screenshot storage. Images are optimized on-device and processed only for the duration of the request.
- Minimal retention. We keep non-reversible analysis metadata (category, risk score, a content hash) to improve detection and prevent abuse — not your raw content.
- Transient IP use. Your IP is used for rate limiting and to show the correct national reporting authority, not to profile you.
- Consent-aware. Analytics and advertising load only after consent, in line with GDPR and UK/EU rules.
This mirrors the verification-first thinking behind our sister product, TrustSeal, an AI fact-checking and verification platform. Both products share a belief that automated tools should be transparent about how they reach a conclusion.
Future Roadmap
ScamCheck is improving continuously. On the roadmap:
- Wider language coverage — full localized experiences beyond English, Hindi, and Spanish.
- Browser and messaging integrations so checks happen where scams arrive.
- Community reporting loops that feed verified scams back into detection.
- Deeper screenshot intelligence for spoofed-UI and deepfake-style fakes.
- An open scam-intelligence API for partners and researchers.
We document this work in the open; follow the engineering in the AI Execution Lab.
Why Free Scam Detection Matters
Charging for safety excludes the people who need it most. Fraud disproportionately harms those with the least margin for error, and a paywall in the 10-second decision window means the tool never gets used. Keeping ScamCheck free — supported responsibly by non-intrusive advertising rather than selling data — is a deliberate choice aligned with how we help businesses adopt Ai affordably, as in our guides on building an AI website for free and the small business AI toolkit. Accessible AI is more useful AI.
Free detection also compounds: every scan makes the system smarter, which protects the next person. That network effect only works if there is no barrier to the first scan. A paid gate would quietly exclude the students, retirees, and first-time internet users who are targeted most aggressively — exactly the people a public-safety tool exists to protect. Removing cost is not a marketing tactic here; it is the safety mechanism itself.
It also changes behavior. When checking is free and instant, people check more often — and the habit of pausing to verify before clicking is, statistically, the single most effective defense against social-engineering fraud. ScamCheck is engineered to make that pause take two seconds instead of twenty minutes of manual research.
Try ScamCheck Today
If a message, link, email, phone number, or screenshot feels off, don’t guess — check it. Open ScamCheck, paste or upload what you received, and get an instant, explainable risk assessment for free. Share it with the people in your life who are most likely to be targeted; the best protection is a habit, and ScamCheck is built to make that habit effortless.
For businesses that want to build trustworthy, AI-powered digital experiences, explore our work on building a business website with AI and measuring SEO ROI, or learn about responsible AI governance in the call for stronger AI regulation.
Frequently Asked Questions
Is ScamCheck free to use?
Yes. Anyone can run scam checks for free every day. Signing in unlocks more daily checks; screenshot (AI vision) scans use more credits than text checks.
How do I check if a message is a scam?
Paste the message, link, email, or phone number into ScamCheck, or upload a screenshot. It extracts links and entities, flags fraud signals, and shows the risk score and the reasons behind it.
Does ScamCheck store my screenshots?
No. Images are optimized on your device and processed in-request only. They are not stored. We retain only non-reversible analysis metadata to improve detection.
Can ScamCheck detect WhatsApp and SMS scams?
Yes. The message analyzer is tuned for WhatsApp, SMS, UPI, banking, courier, job, and investment scams, including content written in Hindi and Hinglish.
How accurate is AI scam detection?
ScamCheck combines deterministic rules with AI and calibrated confidence, but it is decision support, not a guarantee. A low-risk result is not proof something is safe — always verify through official channels before paying or sharing details.
What should I do if I’ve been scammed?
Contact your bank immediately and report to your national authority — for example, the FTC or FBI IC3 in the U.S., or call 1930 / report at cybercrime.gov.in in India.
Is ScamCheck a replacement for antivirus or my bank’s security?
No. It is a fast second opinion before you click, pay, or share. Keep using your device security and your bank’s official channels.
Who built ScamCheck?
ScamCheck is built and operated by A Square Solutions, an AI product studio. The engineering is documented openly in the AI Execution Lab.
ScamCheck Scam Guides
Practical, in-depth guides to the scams ScamCheck detects – learn the red flags and check anything suspicious free: