ScamDetector, an AI-powered scam detector

A few weeks ago I got an SMS that looked like it was from my bank. "Your account has been temporarily blocked. Verify your identity by accessing the following link." The link pointed to a domain that looked almost identical to the real one, but with one extra letter. I spotted it because I've spent years working in tech and I pay attention to those details, but it made me think about all the people who don't have that advantage. My mother, my neighbors, anyone who gets that message at ten on a Friday night and wants to fix the supposed problem as quickly as possible.

Digital scams in Spain are at record levels. Smishing (fraudulent SMS), banking phishing, calls from supposed Microsoft technicians, and fake delivery messages are just everyday stuff now. And scammers keep getting more sophisticated, messages are better written, domains look more believable, and the urgency they create is calibrated down to the millimeter.

ScamDetector is a web tool I built to help identify these scams. The idea is simple: you paste the suspicious message, optionally include the phone number or a screenshot, and the tool tells you whether it looks like fraud, what kind of scam it might be, and what you should do next.

Three layers of analysis running in parallel

ScamDetector doesn't just look for keywords in a message. It combines three different sources of information that run in parallel to give you as complete a picture as possible.

Message analysis with Gemini

The main engine is Google Gemini 3 Flash, a multimodal AI model that analyzes both the message text and any images you attach. If you get a suspicious WhatsApp message, you can take a screenshot and upload it directly. The model can process up to three images in the same request.

The analysis isn't generic. The system prompt is designed to recognize scam patterns specific to the Spanish context. It detects banking phishing that impersonates CaixaBank, Santander, BBVA, or local credit unions. It identifies fake delivery smishing that mimics Correos, SEUR, or Amazon. It recognizes utility scams involving Endesa or Iberdrola, fake tax refunds from Hacienda, the classic reverse Bizum, and even the "child in trouble" message that shows up on WhatsApp from an unknown number.

The result includes a risk level (high, medium, or low), a confidence percentage, the specific type of scam it identifies, a detailed explanation of why it considers the message fraudulent, and a recommendation on what to do next. If the risk is medium or high, it shows direct links to report it to INCIBE, the Policía Nacional, or the Guardia Civil.

Alongside the general recommendation, the tool shows specific action steps tailored to the type of scam it detects. If it identifies banking phishing, it tells you to contact your bank through its official channel, change passwords, and enable two-step verification. If it's a reverse Bizum, it reminds you to always check whether someone is asking you for money instead of sending it. If it's fake delivery smishing, it tells you to verify the tracking on the carrier's official website. Each type of scam has its own steps because the right response isn't the same for all of them.

Phone number reputation

If you also have the number the message came from, ScamDetector looks up its reputation online using Perplexity Sonar, a model with access to real-time web search. It checks sources like ListaSpam, Tellows, quienllama.es, and Clever Dialer to see whether that number has already been reported by other users.

There's a design decision here that I think is worth mentioning. If the model can't find information about a number, the result is "unknown", never "low risk". It would be tempting to classify a number with no complaints as safe, but the absence of reports doesn't prove anything. A number might be new, recently activated, or simply not reported yet. The tool reflects that honestly instead of creating a false sense of security.

URL scanning with urlscan.io

The third layer is link scanning. When you paste a message that contains URLs, ScamDetector extracts them automatically and lets you scan them with urlscan.io. The service visits the URL in a controlled environment, takes a screenshot of the page, analyzes the TLS certificates, records all redirects, identifies the technologies the server uses, and issues a verdict on whether it's malicious.

You can scan up to five URLs in parallel. The results include the screenshot (so you can see the page without visiting it), the maliciousness verdict with a score, TLS certificate details including whether it was issued less than 30 days ago (a common phishing indicator), and a link to the full report on urlscan.io if you want to dig deeper.

Results from recent scans are cached for one hour so it doesn't repeat unnecessary queries, and if someone already scanned that same URL in the last 24 hours it reuses the existing result.

Cross-enrichment

What makes ScamDetector more than the sum of its parts is the option to enrich message analysis with data from urlscan. When you turn this on, the tool first scans the URLs in the message and then injects the results (verdict, TLS certificate age, redirects, contacted domains) into the context the AI receives.

This makes a real difference. Without enrichment, the AI analyzes the text and makes its best guess based on language patterns. With enrichment, it can tell you things like "the link redirects three times before landing on a domain registered two days ago with a newly issued Let's Encrypt certificate, which is consistent with an active phishing campaign". That's concrete technical information, not an inference based on the tone of the message.

No login, no stored data

ScamDetector doesn't require signup, doesn't store the messages you analyze, and doesn't save the phone numbers you look up. Your analysis history stays in the browser's localStorage, so it lives and dies on your device.

Messages go through a proxy server that talks to the AI services. The proxy doesn't log message contents or images, only anonymized metadata (IP hash, duration, analysis type) that is automatically purged every 7 days. Its main job is to authenticate against external services and apply rate limiting to prevent abuse.

The interface mimics an SMS-style chat bubble so pasting a suspicious message feels natural. If you copy suspicious text to the clipboard and paste anywhere on the page, the tool automatically detects whether it's text, a URL, or an image and sends it to the right field. You don't need to hunt for where to paste, detection is global. If you lose your internet connection, a visual indicator lets you know. And the history of previous analyses is organized with pagination so the screen doesn't get overloaded if you use it often.

If it's your first time, a slide-out help panel explains each feature with screenshots. It opens from a button in the corner and doesn't get in the way of the form.

Images that say more than text

One of the features I like most is image support. A lot of scams come in as screenshots forwarded on WhatsApp or as images that imitate a bank interface. In those cases, copying the text is useless because the text is inside the image.

ScamDetector accepts up to three images (PNG, JPG, or WebP, maximum 5 MB each) that are sent along with the message to Gemini's vision model. The model analyzes them visually and can detect fake interfaces, manipulated logos, or embedded text containing signs of fraud.

But visual analysis isn't the only thing ScamDetector extracts from images. If the screenshot contains visible URLs, whether it's a link in a WhatsApp message or a web address in a forwarded email, the tool detects them automatically through optical recognition and sends them to the urlscan.io scanner. You don't need to manually copy any URLs that appear in the image to analyze them.

What ScamDetector isn't

It's worth being clear about the limits. ScamDetector is an educational tool, not an infallible oracle. There are things it does well, and things outside what it can do.

It works best with messages in Spanish that follow known scam patterns. If you get an SMS in Romanian impersonating a Portuguese bank, the analysis will be less reliable because the prompts are optimized for the Spanish context. It also has a 5000-character limit per message, which covers the vast majority of fraudulent SMS and WhatsApp messages but may fall short for long emails.

Phone reputation lookup depends on previous reports existing in the sources it checks. A new number being used for a scam for the first time won't appear in any database, and the tool will tell you that honestly.

And most importantly, if an analysis says "low risk", that doesn't mean you can blindly trust the message. Scammers keep evolving, and no AI model detects 100% of fraud attempts. ScamDetector is a second pair of eyes, not a substitute for your own judgment.

If you want to share a result with someone, the tool generates a styled PNG image with the full analysis (risk level, scam type, explanation, and recommendation) that you can send over WhatsApp, save, or share from the browser. ScamDetector also works as an installable application. If you add it to your phone's home screen, it behaves like a native app, with offline cache so the interface loads even if you don't have a connection at that moment.

Try it at scamdetector.josemanuelortega.dev and if you ever get a message that makes you hesitate, paste it there before clicking any link.

Another entry in the Proyecto ScamDetector series. The next post is The architecture, AI proxy, and security.