Is This a Scam?
What is a scam? A scam is a fraudulent message designed to trick you into sending money, sharing personal information, or clicking malicious links. Whether you're trying to figure out if a message is safe, checking whether a link is legit, or wondering if that suspicious text is a phishing attempt — look for urgency, impersonation, threats, or requests for unusual payments.
That weird text, email, or DM sitting in your phone — paste it below and we'll show you exactly how they tried to manipulate you.
Free • Private • No signup required
Works on any message — email, text, DM, or any of the 85+ scam types we detect. Analyzed in real time. Not retained.
How do you know if something is a scam?
According to the FBI IC3 2024 report, scams resulted in $16.6 billion in reported losses last year. The FTC reports that text messages have become one of the fastest-growing contact methods used in fraud schemes in the United States. A message is likely a scam if it:
- •Creates urgency or a fake deadline
- •Asks for money, gift cards, or personal information
- •Contains misspelled or unfamiliar website links
- •Impersonates a bank, government agency, or delivery service
- •Pressures you to act before you can verify
Not sure if a text, email, or DM is legitimate? Wondering whether a link is safe to click or if a message is a phishing attempt? Legitimate companies never demand secrecy, urgency, or payment in gift cards. Paste the message to check instantly →
People also search:
$16.6 billion in reported losses in the U.S. in 2024
|859,532 complaints filed in 2024(IC3)
|It takes seconds to check
Experts estimate actual losses are significantly higher due to underreporting. Figures reflect complaints submitted to IC3 and may not represent all incidents.
How to Check if a Message is a Scam
Three steps. Seconds to check. You'll know what to look for next time.
Paste the suspicious message
Copy any text, email, or DM you want to check. Upload a screenshot if you prefer.
Our engine analyzes the patterns
We check against 85+ documented fraud patterns derived from FBI IC3 reporting.
See the manipulation tactics used
Get a verdict plus a full breakdown of every trick — so next time, you spot it yourself.
7 Signs That Message is a Scam
Scammers follow a playbook. Here's what to look for.
The message creates panic or a deadline
"Your account will be locked in 24 hours" — scammers want you to act before you think.
They ask for gift cards, crypto, or wire transfers
No legitimate company or government agency asks for payment in gift cards. Ever.
The link doesn't match the real company
"usps-resch3dule.com" instead of usps.com. Always check the actual URL before clicking.
A stranger is unusually friendly or romantic
Unsolicited affection from someone you just met online — especially if they mention investing.
They threaten arrest or legal action
The IRS, police, and courts do not threaten people by text or phone. That's not how it works.
The offer is too good to be true
$65/hr remote work with no interview. Guaranteed 300% crypto returns. You know better.
They ask you to keep it secret
"Don't tell your bank" or "this is confidential" — secrecy protects the scammer, not you.
If you're wondering "am I being scammed right now?" — that hesitation is a signal. If a message makes you feel rushed, pressured, or confused — pause. Scammers rely on emotional momentum. Legitimate companies rely on verification. The fact that you're here means you're already ahead.
Free • Private • No signup required
How to Verify a Message is Legitimate
Not every unexpected message is a scam. But in 2025, verifying takes more than gut feeling. Here's what cybersecurity professionals actually check.
These verification steps apply to emails, texts, DMs, phone calls, and QR codes.
Inspect the sender — not just the display name
Scammers set display names like "Amazon Support" or "Chase Bank" while the actual address is something like [email protected]. On mobile, tap the sender name to reveal the full address. On desktop, hover.
Pro check: In Gmail, click "Show original" to see SPF, DKIM, and DMARC results. All three should show PASS. If any show FAIL or are absent, the email is not authenticated by the claimed sender's domain.
Verify every URL before clicking — HTTPS alone means nothing
Hover over links (don't click) to preview the actual destination. Scammers use homograph attacks (paypaI.com with a capital I instead of lowercase L), subdomain tricks (chase.com.secure-login.xyz — the real domain is secure-login.xyz, not chase.com), and URL shorteners (bit.ly, tinyurl) to mask malicious destinations.
Pro check: Read the domain right-to-left from the first single slash. In https://secure.chase.com/login, the domain is chase.com (legit). In https://chase.com.evil.xyz/login, the domain is evil.xyz (scam). HTTPS only means the connection is encrypted — any scammer can get a free TLS certificate in minutes.
Caller ID and phone numbers can be spoofed in seconds
Scammers clone real phone numbers using VoIP services. Your phone may display "Chase Bank" or your local police department — that proves nothing. Texts from short codes (e.g. 72810) can also be spoofed. If you receive an urgent call or text about your accounts, hang up and call back using the number on your card or the company's official website.
Pro check: Legitimate companies will never object to you hanging up and calling back on an official number. If the caller resists this, pressures you to stay on the line, or offers to "transfer you directly," it's a scam. The transfer would be to another scammer, not the real company.
AI can clone any voice from a few seconds of audio
A panicked call from your "son" saying he's in jail, your "boss" requesting an urgent wire transfer, your "daughter" crying and asking for help — all can be generated in real time using AI voice cloning trained on public social media audio. Deepfake video calls are also emerging in BEC fraud, where a "CFO" appears on Zoom to authorize a transfer.
Pro check: Establish a family safe word that no AI would know. For business, require multi-party authorization for any wire transfer regardless of who requests it. If a family member calls in distress asking for money — hang up, call them directly on their known number. If they don't answer, call another family member to confirm. Never trust the voice alone.
QR codes are links you can't read — treat them the same way
Quishing (QR phishing) is surging: fake QR codes on parking meters, restaurant menus, mail packages, and even pasted over real ones on ATMs. A QR code is just a URL you can't visually inspect. Your phone camera follows it blindly.
Pro check: Use your phone's built-in QR scanner (not a third-party app) and preview the URL before opening. If the domain doesn't match the expected company, don't proceed. Never scan a QR code from an unsolicited email, text, or physical flyer that offers free money, refunds, or account verification.
The payment method tells you everything
Gift cards, cryptocurrency, wire transfers to personal accounts, Zelle/Venmo/CashApp to strangers, or "refund" overpayments — these are scam-exclusive payment methods. No government agency, bank, utility company, employer, or legitimate business uses them. There are zero exceptions.
Pro check: Legitimate businesses use invoicing, credit card processing, ACH, or checks payable to a registered business name. If anyone asks you to purchase gift cards and read the codes by phone — regardless of their claimed authority — it is a scam. The FBI, IRS, Social Security, and every bank confirm this without exception.
Verify through a different channel — every time
This is the single most effective anti-scam habit. Received an email from your bank? Open a new browser tab and go to the bank's website directly — don't click the email link. Got a text from a delivery service? Go to the carrier's app or website to check your tracking. Boss emailing from a new address asking for a wire? Call them on their known phone number.
The rule: If a message asks you to do something involving money, credentials, or personal information — verify the request exists through a completely independent channel that you initiate yourself. This one habit defeats phishing, smishing, vishing, BEC, and AI voice cloning simultaneously.
Secrecy is a weapon — legitimate companies never use it
"Don't tell your bank." "Keep this between us." "Don't discuss this with family." "The investigation is confidential." These are manipulation tactics designed to isolate you from the people who would immediately recognize the scam. This applies to romance scams, fake law enforcement calls, employment fraud, and investment schemes alike.
The rule: Any request involving money or personal information that comes with a secrecy requirement is a scam. Real banks, real law enforcement, and real employers will never penalize you for seeking a second opinion. If you feel you can't tell anyone about a financial decision — that's the red flag itself.
Never share a verification code you didn't request
You receive a 6-digit code from Google, Apple, your bank, or any service. Then someone calls or texts: "We need that code to secure your account." What's actually happening: they're logging into your account and using you to pass security. The code is the last barrier — and they're asking you to hand it over. No company, bank, or government agency will ever ask you to read back a verification code. If you didn't initiate the request yourself, the code isn't for you — it's for the attacker.
Pro check: This is real-time MFA phishing. Attackers trigger a password reset or login attempt, then social-engineer the OTP from you. Advanced kits like Evilginx act as reverse proxies, capturing both your password and OTP in real time. Defense: disable SMS-based MFA where possible and switch to FIDO2/hardware keys (YubiKey, passkeys). Push-based MFA is vulnerable to fatigue attacks — if you're getting MFA prompts you didn't request, your password is already compromised. Change it immediately and check active sessions.
An email in an existing thread can still be fake
Your supplier emails you — inside an existing email conversation — to say their bank details have changed. The email looks perfect: right name, right thread, right tone. But an attacker has compromised their mailbox (or yours) and is now sitting inside the conversation, waiting for an invoice moment. Any bank detail change must be confirmed by phone — using a number you already have on file, not one from the email. This is how companies lose $50,000–$500,000 in a single wire.
Pro check: Business Email Compromise (BEC) caused $2.77 billion in reported losses in 2024 (IC3). Thread hijacking is the most dangerous variant because it bypasses all trust heuristics — the email is in a real thread, from a real address, about a real transaction. Defenses: enforce DMARC with p=reject on your domain, monitor for lookalike domain registrations, implement a mandatory callback protocol for any payment instruction change, and require dual authorization for wire transfers regardless of amount. If your organization uses Microsoft 365, enable Mailbox Audit Logging and review mail forwarding rules regularly — compromised accounts often set up silent forwarding.
If your password was leaked once, attackers will try it everywhere
You get an alert: "Unusual sign-in to your account." Don't click the link in that email — open a new browser tab and go directly to the service's website. The alert itself might be fake. But even if it's real, the underlying problem is usually a password reused across sites. When one service gets breached, attackers test that email/password combination on every major platform automatically. If you use the same password for your email and your bank — a breach at a random shopping site can empty your account.
Pro check: This is credential stuffing — automated login attempts using leaked credential pairs from data breaches. Billions of combos are traded on dark web markets. Defense stack: use a password manager (1Password, Bitwarden) to generate unique passwords for every service, enable MFA everywhere (FIDO2 preferred), check haveibeenpwned.com for your email, and enable breach monitoring alerts. For organizations: enforce password complexity policies, implement credential screening against known breach databases (NIST 800-63B recommends this), and deploy zero-trust architecture with conditional access policies — even valid credentials should require device compliance and location verification.
The universal test: If a message creates urgency, asks for money or credentials, and discourages independent verification — it fails all three checks. Legitimate communications pass all three.
These verification methods work against phishing, smishing, vishing, quishing, AI voice cloning, deepfake video, business email compromise, OTP harvesting, credential stuffing, romance scams, investment fraud, and impersonation scams.
Typical scam checkers
- ✗Match keywords like "urgent" or "verify"
- ✗Check URLs against known blocklists
- ✗Miss sophisticated manipulation tactics
ZeroScam
- ✓Analyzes manipulation patterns — urgency, impersonation, emotional pressure
- ✓Cross-references 85+ documented fraud patterns from IC3 data
- ✓Shows you how the scam works — so you spot the next one yourself
Keyword matching catches yesterday's scams. Pattern analysis catches tomorrow's.
What Scams Can We Detect?
Our detection engine analyzes messages against 85+ documented fraud patterns derived from FBI IC3 reporting and real-world scam data.
Cryptocurrency Scams
4 patterns
Payment & BEC Scams
9 patterns
Tech Support Scams
5 patterns
Personal Data Breach
2 patterns
Online Purchase Scams
5 patterns
Romance Scams
3 patterns
Government Impersonation
6 patterns
Corporate Data Breach
3 patterns
Job & Employment Scams
6 patterns
Crypto ATM & Kiosk Scams
3 patterns
Gold Courier Scams
2 patterns
Identity Theft
3 patterns
Rental Scams
2 patterns
Extortion & Blackmail
1 patterns
Prize & Lottery Scams
1 patterns
Phishing & Smishing
3 patterns
Delivery & Shipping Scams
4 patterns
Impersonation Scams
4 patterns
AI-Powered Scams
5 patterns
Social Media Scams
2 patterns
Telemarketing Scams
1 patterns
Healthcare Scams
1 patterns
Financial Service Scams
2 patterns
Service Provider Scams
2 patterns
Charity Scams
1 patterns
Election & Civic Scams
2 patterns
Synthetic Identity Fraud
2 patterns
Recovery Scams
1 patterns
Browse all patterns in our scam database or learn about the most costly scam types.
Analyzed in real time. Never stored. Never sold. Never used for training.
Only anonymized security signals are retained to strengthen protection for everyone.
Common Scam Questions
Here are the messages people ask us about most.
Is this USPS delivery text a scam?
Almost certainly. USPS does not send redelivery links by text.
Read our full USPS scam breakdown →Is this "wrong number" text a scam?
It's likely the opening move of a pig butchering scam — designed to start a conversation that leads to a fake investment pitch weeks later.
See how wrong number scams work →Is this job offer text legitimate?
If it came unsolicited with high pay, no interview, and no company name — it's a scam.
Learn about fake job offer tactics →Is this bank fraud alert real?
Your bank will never ask you to click a link or reply to a text. Call the number on the back of your card instead.
See how bank impersonation scams work →Is this crypto investment opportunity real?
If someone you met online is recommending a "guaranteed" crypto platform — it's pig butchering. Investment fraud resulted in $6.57 billion in reported losses in 2024 (IC3).
Understand how pig butchering works →Can't find your exact situation? Paste the message — your first scans are free.
The Psychology Behind Every Scam
Every scam exploits the same 4 psychological triggers. Once you see them, you can't unsee them.
Urgency
"Act now or lose your account." Fake deadlines bypass your rational brain. A real company will give you time.
Fear
"You will be arrested." "Your account is compromised." Panic stops you from verifying. That's the point.
Trust
They impersonate your bank, the IRS, USPS, even family members. Familiar logos and names make you lower your guard.
Greed
"You won $10,000" or "guaranteed returns." The promise of easy money overrides common sense. Every time.
Many free scam checkers only match keywords. ZeroScam analyzes psychological manipulation patterns — and shows you which triggers a message is using, so you understand why it's dangerous, not just that it is. Learn more →
Frequently Asked Questions
How can I tell if a text message is a scam?
Look for urgency ("act now"), requests for money or personal info, links to unfamiliar domains, and senders you don't recognize. Scammers manufacture panic so you act before thinking. Paste the message into ZeroScam to see a full breakdown of the manipulation tactics used.
What should I do if I think I received a scam message?
Do not respond, click any links, or send money. Block the sender. Report it to the FTC at reportfraud.ftc.gov and to the FBI at ic3.gov. If you already sent money, contact your bank immediately.
Can scammers text you from a real phone number?
Yes. Scammers routinely spoof phone numbers to appear as your bank, a government agency, or even someone in your contacts. The number alone is never proof that a message is legitimate.
What types of scams are most common in 2025?
According to FBI IC3 2024 data, the fastest-growing scams include AI voice cloning (surging in recent reports), investment fraud including pig butchering ($6.57B in reported losses), business email compromise ($2.77B), package delivery phishing, and crypto recovery fraud.
Is it safe to paste my message into a scam checker?
With ZeroScam, yes. No external AI calls. Your message is analyzed in real time and not retained. Never stored. Never sold. Never used for training. Only anonymized security signals are retained to strengthen protection.
Can scammers steal my money just from me replying to a text?
Replying confirms your number is active, which leads to more targeted attacks. Some scams use replies to build rapport over weeks (pig butchering) before asking for money. Never engage with suspicious messages.
How do I report a scam?
File with the FTC at reportfraud.ftc.gov and the FBI IC3 at ic3.gov. If it involved a phone call, also report to the FCC. If you lost money, contact your bank or payment provider immediately — speed matters for recovery.
How do I know if a message is legitimate?
Verify through an independent channel: if an email claims to be from your bank, open a new browser tab and go directly to the bank's website instead of clicking the link. Check the sender's full email address (not just the display name) for domain spoofing. Confirm that SPF, DKIM, and DMARC pass in the email headers. No legitimate company will ask for gift cards, crypto, or wire transfers, demand secrecy, or pressure you with artificial deadlines. For phone calls, hang up and call back on the official number from their website or your card.
Someone is asking for my verification code — is it a scam?
Yes. No company, bank, or government agency will ever ask you to share a verification code. If you receive a code you didn't request, someone is trying to log into your account. Do not share it. Change your password immediately, check active sessions, and switch to hardware-based authentication (passkeys or security keys) if available.
My password was in a data breach — what should I do?
Change that password immediately on every site where you used it. Use a password manager to generate unique passwords for each service. Enable multi-factor authentication everywhere. Check haveibeenpwned.com to see which breaches exposed your data. If the breached password was for your email, check for unauthorized forwarding rules and revoke any unfamiliar app permissions.
Can a scam email appear inside a real email thread?
Yes. In business email compromise (BEC), attackers gain access to a real mailbox and insert themselves into existing conversations — often right before a payment is due. The email appears in a legitimate thread, from a real address, about a real transaction. Always confirm bank detail changes by phone using a number you already have on file, never from the email itself.
Don't guess. Know.
That message you're not sure about? Seconds to check it.
You'll see the exact tricks they used — and you'll know what to look for next time.
Free • Private • No signup required
Scam patterns based on FBI IC3 2024 Report and FTC consumer data. ZeroScam is an independent educational resource.
3 free scans, no account needed. Need more? Upgrade to Pro.