How We Build a Trust Report
Every website that enters the ScamsTester system undergoes a rigorous, multi-layered evaluation before a trust score is published. Our process combines automated technical scanning with human expert review to produce reports that are both comprehensive and accurate. Below are the eight discrete stages every domain passes through, in order.
Domain Analysis
The foundation of every trust report begins with a thorough analysis of the domain itself. We query WHOIS records to determine domain age, registrar identity, registration country, and expiration date. Domains registered within the past six months receive heightened scrutiny, as newly created websites are statistically more likely to be associated with fraudulent activity.
We also examine the domain's DNS configuration, nameserver providers, and historical ownership data. Frequent ownership transfers or the use of privacy-masking services can indicate attempts to obscure the identity of site operators. Our system cross-references domain data against known registrar abuse lists maintained by ICANN and anti-fraud coalitions.
Finally, we analyze the domain name itself for typosquatting patterns — domains that mimic popular brands with minor character substitutions, additions, or transpositions. This heuristic analysis catches phishing sites designed to impersonate legitimate businesses before they can cause harm.
SSL & Encryption Verification
We perform a deep inspection of the site's SSL/TLS configuration to verify that user data is transmitted securely. This goes far beyond simply checking for the presence of HTTPS. We evaluate the certificate authority, certificate type (DV, OV, or EV), cipher suite strength, and protocol version support. Sites using outdated TLS 1.0 or 1.1 protocols are flagged for potential vulnerabilities.
Our scanner also checks for common SSL misconfigurations such as expired certificates, hostname mismatches, incomplete certificate chains, and mixed-content warnings. These issues can expose visitors to man-in-the-middle attacks even when a site appears to have valid HTTPS.
Extended Validation (EV) certificates, which require the certificate authority to verify the legal identity of the business, receive positive scoring weight. We also monitor certificate transparency logs for suspicious issuance patterns that might indicate domain hijacking or unauthorized certificate generation.
Business Registration Check
Legitimate websites are almost always backed by a registered business entity. We verify corporate filings by querying state and federal business registries, including the SEC EDGAR database for U.S. entities, Companies House for U.K. businesses, and equivalent registries in over 40 jurisdictions worldwide. We compare the registered company name, address, and officers against the information displayed on the website.
Discrepancies between the claimed business identity and official registration records are a major red flag. We look for shell companies, recently formed entities with no operating history, and businesses registered in jurisdictions known for lax oversight. Physical address verification is performed using geolocation databases and satellite imagery cross-referencing.
For sites that claim nonprofit or government affiliation, we perform additional validation against relevant charity databases and government entity registries. Impersonation of government agencies or established nonprofits is one of the most common social engineering tactics used by scam operators.
Payment Infrastructure Audit
The payment systems a website uses tell us a great deal about its legitimacy. We analyze the site's payment infrastructure, including which payment processors are integrated, whether escrow protections exist, and what refund and chargeback policies are in place. Legitimate platforms typically partner with recognized payment providers such as Stripe, PayPal, or established banking partners.
Sites that exclusively accept irreversible payment methods — such as cryptocurrency, wire transfers, or gift cards — receive significant negative scoring. We also examine payout mechanisms for platforms that promise to pay users, looking for evidence of consistent, verifiable payment histories and realistic compensation structures.
Our audit includes a review of the site's pricing transparency, fee disclosure, and terms of financial transactions. Hidden fees, unrealistic income promises, and vague payment terms are all indicators of potential fraud that factor into our trust calculation.
User Report Aggregation
Community intelligence is a powerful complement to technical analysis. ScamsTester aggregates user reports from our own platform, collecting over 50,000 new submissions each month. Every report is categorized by issue type — including payment problems, account access issues, customer service complaints, and suspected fraud — and analyzed for patterns that automated scans might miss.
To ensure data quality, we employ a multi-tier validation system for user reports. Verified accounts carry higher weight, and our algorithms detect and filter coordinated review manipulation, bot-generated submissions, and competitor-driven defamation campaigns. Statistical outlier detection helps us distinguish genuine complaint patterns from noise.
We also monitor social media platforms, consumer protection forums, and discussion communities for unsolicited mentions of the websites we track. This passive listening layer captures real-time sentiment shifts and emerging fraud patterns before they appear in formal complaint channels.
Complaint Database Cross-Reference
Every domain is checked against more than 30 external complaint and fraud databases. These include the Better Business Bureau (BBB), Federal Trade Commission (FTC) complaint records, the Internet Crime Complaint Center (IC3), Trustpilot, Sitejabber, and international equivalents such as the European Consumer Centre Network and the Australian Competition and Consumer Commission database.
We also query specialized blacklists maintained by cybersecurity organizations, including PhishTank, Google Safe Browsing, the APWG eCrime Database, and Spamhaus. Presence on any of these lists results in an immediate severe scoring penalty and a prominent warning on the site's trust report.
Our cross-referencing engine normalizes data from these disparate sources, resolving duplicate entries and reconciling conflicting information. The aggregate complaint density — complaints per estimated monthly visitor — provides a fair comparison metric that accounts for differences in site traffic volume.
Security Scanning
Our automated security scanner evaluates the technical security posture of each website. This includes checking for known malware signatures, drive-by download scripts, cryptojacking code, and malicious redirects. We analyze page source code for obfuscated JavaScript, hidden iframes, and unauthorized third-party tracking scripts that could compromise visitor privacy or security.
We also assess the site's Content Security Policy (CSP), HTTP security headers (HSTS, X-Frame-Options, X-Content-Type-Options), and cookie security attributes. Proper implementation of these standards indicates a security-conscious operator, while their absence suggests neglect or intentional omission.
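The header and cookie assessment above, as an added example that is not ScamsTester's scanner. It runs over a constructed response header set and returns one finding per missing or weak setting; the one-year HSTS threshold and the simple CSP and cookie rules are assumptions chosen for illustration.

```python
# Added example, not ScamsTester's scanner: a review of the HTTP security headers
# and cookie attributes named above, run over a constructed response. Each finding
# names one missing or weak setting; a real check would fetch the headers over
# HTTPS first and weigh them alongside the other signals in the report.

ONE_YEAR = 31536000  # seconds; HSTS max-age threshold assumed for this example

SAMPLE_RESPONSE = {  # constructed sample headers, not from any real site
    "Strict-Transport-Security": "max-age=3600",
    "X-Frame-Options": "ALLOWALL",
    "Content-Security-Policy": "default-src * 'unsafe-inline'",
    "Set-Cookie": ["session=abc123; Path=/",
                   "pref=1; Secure; HttpOnly; SameSite=Lax"],
}


def hsts_max_age(value: str) -> int:
    """Parse max-age out of an HSTS header value; 0 if absent or malformed."""
    for directive in value.split(";"):
        key, _, val = directive.strip().partition("=")
        if key.lower() == "max-age" and val.strip().isdigit():
            return int(val)
    return 0


def review_headers(headers: dict) -> list:
    """Return a list of findings; an empty list means every check passed."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    if "strict-transport-security" not in h:
        findings.append("HSTS header missing")
    elif hsts_max_age(h["strict-transport-security"]) < ONE_YEAR:
        findings.append("HSTS max-age below one year")
    if h.get("x-frame-options", "").strip().upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options missing or permissive")
    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("X-Content-Type-Options nosniff missing")
    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("Content-Security-Policy missing")
    elif "'unsafe-inline'" in csp or "default-src *" in csp:
        findings.append("Content-Security-Policy allows inline scripts or any origin")
    cookies = h.get("set-cookie", [])
    cookies = [cookies] if isinstance(cookies, str) else cookies
    for cookie in cookies:  # attributes after the first ';' are the flags
        name = cookie.split("=", 1)[0].strip()
        attrs = {p.strip().split("=", 1)[0].lower() for p in cookie.split(";")[1:]}
        for required in ("secure", "httponly", "samesite"):
            if required not in attrs:
                findings.append(f"cookie {name} lacks {required}")
    return findings
```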
Server-side vulnerabilities are probed through non-intrusive fingerprinting of web server software, CMS versions, and known plugin vulnerabilities. Sites running severely outdated software with known exploits are flagged as potential security risks, even if no active exploitation has been detected.
Manual Expert Review
The final stage of our process involves review by a human analyst from our verification team. Our team includes former FTC analysts, certified cybersecurity professionals (CISSP, CEH), and consumer protection specialists with decades of combined experience. They review the aggregated data from all previous steps and apply contextual judgment that automated systems cannot replicate.
Expert reviewers evaluate the overall user experience, assess the clarity and fairness of terms of service, test customer support responsiveness, and verify that the site delivers on its stated promises. They also consider industry-specific factors — for example, freelance platforms are evaluated against different criteria than e-commerce sites or financial services.
If a reviewer identifies ambiguous or conflicting signals, the site is flagged for extended monitoring and may be assigned a provisional score pending further data collection. This conservative approach ensures that our published scores reflect high-confidence assessments rather than premature judgments.
The 47-Point Trust Criteria
Our trust score is derived from a proprietary 47-point evaluation framework developed in partnership with the Digital Trust Alliance and refined through six years of continuous research. These 47 criteria are grouped into seven categories, each carrying a specific weight in the final score calculation:
- Domain & Infrastructure (8 criteria, 15% weight) — Domain age, registrar reputation, DNS configuration, hosting provider reliability, IP geolocation consistency, nameserver redundancy, domain history, and typosquatting risk.
- Security & Encryption (7 criteria, 15% weight) — SSL certificate type, TLS version support, cipher suite strength, security header implementation, malware presence, vulnerability exposure, and Content Security Policy.
- Business Legitimacy (7 criteria, 20% weight) — Business registration verification, address validation, officer identification, operating history, regulatory compliance, industry licensing, and corporate transparency.
- Financial Practices (6 criteria, 15% weight) — Payment processor reputation, refund policy clarity, fee transparency, payout reliability, escrow availability, and chargeback history.
- User Experience (6 criteria, 10% weight) — Terms of service fairness, privacy policy completeness, contact accessibility, customer support responsiveness, complaint resolution rate, and content accuracy.
- Community Sentiment (7 criteria, 15% weight) — User report volume, complaint density, sentiment trend, platform review scores, social media perception, forum reputation, and report consistency.
- External Reputation (6 criteria, 10% weight) — Blacklist status, BBB rating, regulatory action history, media coverage sentiment, industry endorsements, and partnership affiliations.
Each criterion is scored on a 0–100 scale, weighted according to its category, and combined into a single composite trust score. The weighting model is recalibrated quarterly to reflect evolving threat landscapes and emerging fraud tactics.
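The composite calculation above, carried through as an added example rather than ScamsTester's proprietary model. It uses the seven categories, criteria counts and weights listed above; it assumes a category's score is the mean of its criterion scores, which the page does not state, and the criterion scores themselves are constructed for a hypothetical site.

```python
# Added example, not ScamsTester's proprietary model: the composite calculation
# described above, using the seven categories, criteria counts and weights listed.
# Assumption (the page does not say): a category's score is the mean of its
# criterion scores, and the category weights then combine them to one 0-100 value.

CATEGORIES = {  # category: (criteria count, weight in percent), as listed above
    "Domain & Infrastructure": (8, 15),
    "Security & Encryption": (7, 15),
    "Business Legitimacy": (7, 20),
    "Financial Practices": (6, 15),
    "User Experience": (6, 10),
    "Community Sentiment": (7, 15),
    "External Reputation": (6, 10),
}

SAMPLE_SCORES = {  # constructed criterion scores for a hypothetical site
    "Domain & Infrastructure": [90] * 8,
    "Security & Encryption": [70] * 7,
    "Business Legitimacy": [40] * 7,
    "Financial Practices": [60] * 6,
    "User Experience": [80] * 6,
    "Community Sentiment": [50] * 7,
    "External Reputation": [100] * 6,
}


def category_score(scores: list) -> float:
    """Mean of a category's criterion scores; every score must be within 0-100."""
    if any(not 0 <= s <= 100 for s in scores):
        raise ValueError("criterion scores must lie on the 0-100 scale")
    return sum(scores) / len(scores)


def composite_score(criteria_scores: dict) -> float:
    """Weighted composite over all categories; rejects missing or miscounted data."""
    if sum(w for _, w in CATEGORIES.values()) != 100:
        raise ValueError("category weights must sum to 100 percent")
    total = 0.0
    for name, (count, weight) in CATEGORIES.items():
        scores = criteria_scores.get(name)
        if scores is None or len(scores) != count:
            raise ValueError(f"{name}: expected {count} criterion scores")
        total += category_score(scores) * weight / 100
    return round(total, 1)
```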
Understanding Trust Score Ranges
The composite trust score maps to three distinct safety classifications that appear on every report. These ranges are calibrated using historical data from over 12,000 analyzed websites and validated against known outcomes.
Sites in this range exhibit multiple high-severity risk indicators. They may have no verifiable business registration, use deceptive practices, appear on fraud blacklists, or have a pattern of unresolved user complaints. We strongly recommend avoiding these sites entirely. If you have already transacted with a site in this range, we advise monitoring your financial accounts and considering a fraud report to relevant authorities.
Sites scoring in this range present a mixed picture. They may have some legitimate characteristics but also display concerning signals such as limited operating history, inconsistent business information, below-average security practices, or a higher-than-expected complaint rate. Proceed with caution — conduct your own additional research before sharing personal information or making financial commitments. These sites are not necessarily fraudulent, but they carry elevated risk.
Sites in this range have passed the majority of our verification checks. They typically feature verified business registrations, strong security configurations, established operating histories, transparent financial practices, and positive community sentiment. While no website can be guaranteed 100% risk-free, sites in this range meet our standards for trustworthiness and are generally considered safe for normal use. Always review a site's specific report for any noted caveats.
Data Sources & Independence
ScamsTester maintains strict editorial independence. We do not accept payment from website operators for favorable scores, and no site can pay to have its report removed or altered. Our revenue model is based on API licensing, educational partnerships, and enterprise security consulting — none of which create conflicts of interest with our consumer-facing trust reports.
Our data is sourced from a combination of proprietary scanning infrastructure, licensed commercial databases, publicly available government records, and our community of over 4 million registered users. All data sources are documented and auditable, and our methodology undergoes annual third-party review by an independent cybersecurity research firm.
Continuous Improvement
The threat landscape evolves constantly, and so does our methodology. Our research team continuously monitors emerging fraud patterns, new attack vectors, and changes in regulatory frameworks. The 47-point criteria and their associated weights are reviewed and updated on a quarterly basis. Major methodology updates are documented in our blog and communicated to API users through our changelog.
If you have questions about our methodology or would like to suggest improvements, we welcome feedback through our contact page. Transparency and accountability are foundational to the trust that millions of users place in our reports.