How to tell if a domain is suspicious in 30 seconds
// published 2026-04-17
You got a link in an email and it looks slightly off. Or you're about to enter a card on a checkout page from a brand you've never bought from. Or someone in support sent you a "click here to verify". Five 30-second checks that catch most scams.
1. Domain age
Real businesses register their primary domain years before they need it. Scammers register domains hours before campaigns. If the domain is <30 days old, that's a strong signal — most legitimate brands you'd encounter have domains years old.
Quick check: paste the domain into the Domain Age Checker. WHOIS may be redacted, but Certificate Transparency logs always show when the domain first got a TLS certificate — usually within hours of registration.
Red flag: <30 days old. Yellow flag: 1-12 months old + brand-imitation name (e.g. "secure-paypal-login.com").
2. WHOIS — registrar and country
Even with privacy redaction, WHOIS still shows the registrar. Established brands use enterprise registrars (MarkMonitor, CSC, ComputerShare). Scammers favour cheap registrars and jurisdictions that don't respond to abuse reports. Namecheap, Porkbun and NameSilo are all fine for legitimate use, but a cheap registrar combined with other red flags shifts the needle.
Also check the top-level domain: a "PayPal" lookalike on .tk, .gq, .ml, or .icu is almost certainly a scam. Real PayPal is paypal.com.
Run the WHOIS Lookup for registrar + creation date in one query.
3. DNS — where is the site hosted?
Real companies use enterprise DNS (Route53, Cloudflare, NS1, GoDaddy Premium). Many scams run on free DNS like FreeDNS or use the registrar's default. Cheap CDNs (some Russian/Chinese providers) are common in mass campaigns.
Run the MX Lookup — does the domain have any MX record? A pure-phishing domain often doesn't. A legitimate business almost always does, even if just a forwarding setup.
And check the IP via the Reverse DNS Lookup. If it resolves to a generic shared-hosting hostname rather than the brand's infrastructure, that's another point against legitimacy.
4. Certificate — who issued it, when
An SSL Checker reveals who issued the cert and when. Two red flags:
- Cert issued days before you saw the link. Scammers grab Let's Encrypt certs at the moment of the campaign launch.
- Cert subject (CN) doesn't match the brand being impersonated. Even free Let's Encrypt certs require domain validation — but a scammer can easily get one for paypa1-login.com.
What you actually want to verify: does the cert match the real brand's certificate? If you have the legitimate domain handy (e.g. paypal.com), compare both with the SSL Checker. A different issuer or a wildly different SAN list means it is a different domain entirely, not the brand's.
5. Check the subdomain map
Real brands have lots of subdomains in CT logs — www, api, blog, support, billing, dev/staging variants, country-localized sites. Phishing domains have one or two: the campaign URL itself.
Run the CT Log Subdomain Finder. Real PayPal has hundreds of historical subdomains. secure-paypal-verify.com has one or two, all related to the active campaign.
The 30-second routine
- Domain age <30 days? Probably scam, stop here.
- Brand impersonation in the name, combined with check 1? Definitely a scam.
- No MX record + suspicious-looking subdomain? Scam very likely.
- Cert issued in the last 7 days + brand-imitation name? Scam.
- One subdomain in CT logs vs hundreds for real brand? Scam.
None of these checks individually proves anything (a tiny startup could fail all of them legitimately). But for known brands being impersonated, a few red flags together are conclusive.
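To make the routine mechanical, here is an added example (not DomBrains code) that scores a domain from facts you have already gathered with the lookups above: WHOIS or CT creation date, whether any MX record exists, the certificate's notBefore date, and the number of hostnames seen in CT logs. The brand list, the digit-for-letter homoglyph map, and all three sample domains are constructed assumptions; the third sample shows the caveat above, a brand-new startup that trips the age check without imitating anyone.

```python
# Added example (not DomBrains code): score a domain against the five checks
# above from facts you have already gathered by hand. All sample values below
# are constructed; the homoglyph map and brand list are assumptions.
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Legitimate registrable domains for brands we expect to see impersonated (constructed).
BRAND_DOMAINS = {"paypal": "paypal.com", "apple": "apple.com"}
# TLDs the post singles out as abuse-prone.
RISKY_TLDS = {"tk", "gq", "ml", "icu"}
# Digit-for-letter substitutions seen in lookalike names (assumed list, e.g. paypa1 -> paypal).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


@dataclass
class DomainFacts:
    domain: str
    created: Optional[date]          # WHOIS creation date or first CT certificate date
    has_mx: bool                     # does the domain publish any MX record?
    cert_not_before: Optional[date]  # notBefore of the certificate the site serves
    ct_subdomains: int               # distinct hostnames seen in CT logs
    observed: date                   # the day you received the link


def registrable(domain: str) -> str:
    """Last two labels only; a simplification that ignores multi-label suffixes like co.uk."""
    labels = domain.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def impersonated_brand(domain: str) -> Optional[str]:
    """Return the brand a name imitates, or None if it is the brand's real domain or unrelated."""
    if registrable(domain) in BRAND_DOMAINS.values():
        return None
    normalised = domain.lower().translate(HOMOGLYPHS)
    for brand in BRAND_DOMAINS:
        if brand in normalised:
            return brand
    return None


def triage(f: DomainFacts):
    """Apply the 30-second routine; returns (verdict, list of red flags)."""
    flags = []
    brand = impersonated_brand(f.domain)
    if brand:
        flags.append(f"name imitates {brand}")
    age = (f.observed - f.created).days if f.created else None
    if age is not None and age < 30:
        flags.append(f"domain is {age} days old")
    elif age is not None and age < 365 and brand:
        flags.append("under a year old with a brand-imitation name")
    if brand and f.domain.rsplit(".", 1)[-1].lower() in RISKY_TLDS:
        flags.append("brand name on an abuse-prone TLD")
    if not f.has_mx:
        flags.append("no MX record")
    if f.cert_not_before and (f.observed - f.cert_not_before).days <= 7:
        flags.append("certificate issued in the last 7 days")
    if f.ct_subdomains <= 2:
        flags.append(f"only {f.ct_subdomains} hostname(s) in CT logs")

    if brand and len(flags) >= 2:
        verdict = "scam"
    elif (age is not None and age < 30) or len(flags) >= 2:
        verdict = "likely scam"  # a brand-new startup can land here legitimately
    elif flags:
        verdict = "suspicious"
    else:
        verdict = "no red flags"
    return verdict, flags


# Constructed sample facts: a lookalike campaign domain, the real brand, and a new startup.
SEEN = date(2026, 4, 17)
SAMPLES = [
    DomainFacts("paypa1-login.com", date(2026, 4, 14), False, date(2026, 4, 16), 1, SEEN),
    DomainFacts("www.paypal.com", date(1999, 7, 15), True, date(2026, 3, 1), 500, SEEN),
    DomainFacts("freshbakery.app", date(2026, 3, 28), True, date(2026, 3, 28), 2, SEEN),
]

if __name__ == "__main__":
    for s in SAMPLES:
        verdict, flags = triage(s)
        print(f"{s.domain}: {verdict} ({'; '.join(flags) or 'none'})")
```

The verdict tiers follow the routine: a brand-imitation name plus any second flag is a scam, a domain under 30 days old or any two flags is a likely scam, and a single flag is merely suspicious. The lookalike test only normalises digit substitutions and checks a short brand list, so extend both before relying on it for anything beyond quick triage.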
Save your own domain in DomBrains and we'll alert you if a suspicious cousin domain appears in CT logs — early warning for impersonation campaigns targeting your brand.