
How we calculate risk

FakeOrLegit produces a risk score from 0 to 100 and a risk level (Low, Medium, High, Critical) for any URL, email, or message you submit. The score is based on a combination of heuristic checks, brand impersonation detection, and an AI-based risk analysis. Here is exactly what goes into it.

1. Heuristic checks

For URLs we look at signals that are publicly observable from the URL itself:

For messages we look at:

2. Brand impersonation check

We maintain a small allow-list of well-known consumer brands and their legitimate domains. If a hostname contains a brand name but does not match the brand's official domains (the domain itself or one of its subdomains), we treat that as a strong signal of possible impersonation. The check is applied to the hostname only, not to the path or query string, and because it matches the brand name as written, a lookalike domain that alters the spelling is not caught by this check. Hostnames that embed a brand name are a common phishing pattern, which is why a hit weighs heavily in the score.
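The check described above, written out as an added example (this is not FakeOrLegit's code; the brand list and domains below are constructed for illustration and the real allow-list is not published here). It normalises the hostname, treats official domains and their subdomains as legitimate, and flags any other hostname that contains a listed brand name:

```python
"""Brand-impersonation check on a URL's hostname.

Added example, not FakeOrLegit's own code. BRAND_DOMAINS is a constructed
allow-list used only for illustration.
"""
from urllib.parse import urlsplit

# Constructed allow-list: brand keyword -> official registrable domains.
BRAND_DOMAINS = {
    "paypal": {"paypal.com", "paypal.me"},
    "apple": {"apple.com", "icloud.com"},
    "microsoft": {"microsoft.com", "live.com", "outlook.com"},
}


def hostname_of(url: str) -> str:
    """Extract the hostname: lowercase, without port, userinfo or trailing dot.

    A bare 'example.com' has no scheme, so urlsplit would parse it as a path;
    prepend one so the hostname is recognised.
    """
    if "://" not in url:
        url = "http://" + url
    host = urlsplit(url).hostname or ""
    return host.rstrip(".").lower()


def is_official(host: str, official: set) -> bool:
    """True when host is an official domain or a subdomain of one.

    The leading '.' matters: 'paypal.com.evil.example' must not match
    'paypal.com', while 'www.paypal.com' must.
    """
    return any(host == d or host.endswith("." + d) for d in official)


def brand_impersonation(url: str):
    """Return (brand, hostname) if the hostname mentions a brand that it is
    not an official domain of; None otherwise (including a brand name that
    appears only in the path)."""
    host = hostname_of(url)
    for brand, official in BRAND_DOMAINS.items():
        if brand in host and not is_official(host, official):
            return brand, host
    return None


if __name__ == "__main__":
    for u in ("https://www.paypal.com/signin",
              "http://paypal.com.secure-login.example/",
              "https://evil.example/paypal.com/login",
              "https://applebees.example/"):
        print(u, "->", brand_impersonation(u))
```

Two of the sample inputs show the check's limits rather than its strengths: `https://evil.example/paypal.com/login` is not flagged because the brand appears only in the path, and `https://applebees.example/` is flagged because plain substring matching has no notion of word boundaries. A production version would want a curated list of such known false positives, and a separate lookalike check for spellings such as "paypa1".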

3. AI risk analysis

We pass the heuristic signals together with the URL or message text to a large language model (currently OpenAI's gpt-4o-mini) with a strict scam-analysis prompt. The model returns a JSON object that we validate before showing it to you: the submitted text is untrusted input and can contain instructions aimed at the model, so we treat the model's reply as untrusted as well and only accept output that parses as JSON and matches the expected fields, types and ranges. If the model call fails or the reply does not validate, we fall back to a heuristic-only score so the site still works.
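An added example of the validate-then-fall-back step (not FakeOrLegit's code). The field names, the level thresholds and the rule for combining the heuristic and model scores are all assumptions made for the example; the point it shows is that model output is parsed strictly, that a level is recomputed from the score rather than trusted, and that any failure yields a heuristic-only result instead of an error:

```python
"""Validate LLM JSON output, fall back to heuristics when it is unusable.

Added example, not FakeOrLegit's own code. Schema, thresholds and the
combination rule are assumptions for illustration.
"""
import json
import re

LEVELS = ("Low", "Medium", "High", "Critical")
# Models often wrap JSON in a ```json ... ``` fence; strip one if present.
_FENCE = re.compile(r"^```(?:json)?\s*|\s*```$")


def level_for(score: int) -> str:
    """Map a 0-100 score to a level (assumed thresholds)."""
    if score >= 80:
        return "Critical"
    if score >= 50:
        return "High"
    if score >= 20:
        return "Medium"
    return "Low"


def parse_model_output(raw: str):
    """Return a validated dict or None.

    The reply is untrusted: size-capped, type- and range-checked, unexpected
    keys rejected, and the level derived from the score rather than taken
    from the model (assumed schema: {"score": int, "reasons": [str, ...]}).
    """
    if not isinstance(raw, str) or len(raw) > 4096:
        return None
    try:
        obj = json.loads(_FENCE.sub("", raw.strip()))
    except ValueError:
        return None
    if not isinstance(obj, dict) or set(obj) != {"score", "reasons"}:
        return None
    score, reasons = obj["score"], obj["reasons"]
    # bool is a subclass of int in Python, so reject it explicitly.
    if isinstance(score, bool) or not isinstance(score, int) or not 0 <= score <= 100:
        return None
    if not (isinstance(reasons, list) and 1 <= len(reasons) <= 5
            and all(isinstance(r, str) and 0 < len(r) <= 200 for r in reasons)):
        return None
    return {"score": score, "level": level_for(score), "reasons": reasons}


def final_score(heuristic_score: int, raw_model_output):
    """Combine heuristic and model scores.

    raw_model_output is None when the model call itself failed. Assumed
    combination rule: take the higher of the two, so the model can add risk
    but never cancel a heuristic hit.
    """
    parsed = parse_model_output(raw_model_output) if raw_model_output is not None else None
    if parsed is None:
        return {"score": heuristic_score, "level": level_for(heuristic_score),
                "source": "heuristic-only"}
    score = max(heuristic_score, parsed["score"])
    return {"score": score, "level": level_for(score),
            "source": "heuristic+model", "reasons": parsed["reasons"]}


if __name__ == "__main__":
    # Constructed model replies: one clean, one fenced, one that ignored the prompt.
    print(final_score(60, '{"score": 87, "reasons": ["urgent payment request"]}'))
    print(final_score(40, "```json\n{\"score\": 10, \"reasons\": [\"no red flags\"]}\n```"))
    print(final_score(30, "Sure! Here is my analysis: {score: 90}"))
```

The third sample reply is the case that matters: free text around malformed JSON is exactly what a model produces when the submitted message has talked it out of the prompt, and the only safe response is to ignore it and score on heuristics alone.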

4. Caching

URL checks are cached at the hostname level for up to seven days. This keeps the service fast and the cost-per-check low, and means that scam-risk reports for popular domains stay reasonably consistent across users who arrive from search. Because the cache key is the hostname, two URLs on the same host share one result for the life of the cache entry, and a change in the hostname's behaviour may take up to seven days to show up in a fresh report.

5. What the score does not mean

A Low score does not mean the site or message is safe; it only means we did not detect strong scam patterns from the limited information available. A Critical score does not prove the operator is malicious; it means the pattern closely matches well-known scam templates.

Always verify any sensitive request by contacting the real institution directly through their official app or website. FakeOrLegit provides risk signals, not a guarantee.