Scamalytics Explained: What Its Fraud Score Really Knows—and What It Cannot Prove

A digital global map in a dark control room showing red glowing network connections, representing cyber threats, high-risk IP addresses, and online fraud detection.

The number looks decisive, but understanding what sits behind a Scamalytics fraud score is more important than the score itself.

A visitor lands on a website. Their IP address appears suspicious. Within milliseconds, a risk engine can identify a VPN, Tor exit node, hosting provider, blacklisted network or geographic inconsistency—and recommend whether the connection should be trusted.

That capability matters because fraudulent registrations, account takeovers, payment abuse, fake reviews, romance scams and automated attacks often begin with network signals that appear before the attacker completes an action. Scamalytics positions its technology at this early decision point.

But an IP address is not a person. A high score can reveal meaningful technical risk without proving criminal intent. Businesses that misunderstand that distinction risk either admitting abusive traffic or rejecting legitimate customers.

Scamalytics is a UK fraud-intelligence provider that assigns IP addresses a 0–100 risk score using network reputation, proxy and VPN indicators, geolocation, ISP data, blacklists and observed abuse signals. The score estimates connection risk; it does not prove that a particular person committed fraud.

The Name Behind the Score: A Verified Scamalytics Snapshot

Scamalytics Ltd is an active UK private limited company incorporated on 20 June 2012. Its registered office is at 7 Bell Yard, London, and its recorded business activity is “other information technology service activities.” Nikolaos Tsinonis and Daniel Paul Winchester are listed as active directors. The corporate details can be checked through the official Scamalytics Ltd Companies House record.

  • Legal name: Scamalytics Ltd
  • Company number: 08112186
  • Company status: Active
  • Incorporated: 20 June 2012
  • Registered office: 7 Bell Yard, London, WC2A 2JR
  • Core category: Fraud prevention, IP intelligence and online risk scoring
  • Primary delivery methods: Web lookup, API, bulk lookup, MMDB database and security-platform integrations
  • Industries identified by the company: Banking, payments, classifieds, reviews, dating and social platforms

Scamalytics is therefore not an anonymous “scam-check” webpage with no identifiable operator. It is an established legal entity offering commercial fraud-detection products. That corporate legitimacy, however, should not be confused with a guarantee that every individual IP classification will be correct.

Born Inside the Dating-Fraud Problem

The origins of Scamalytics are closely connected to online dating fraud.

In a 2024 interview published by the Online Dating and Discovery Association, co-founder Nick Tsinonis said he had been working on machine-learning matchmaking technology in 2011. Dan Winchester, who operated the dating service Free Dating, became an early customer and later asked whether similar machine-learning techniques could automate scammer detection.

The problem was operationally expensive. Fraudulent profiles reused text, photographs and behavioural patterns, while customer-support teams had to identify and remove them manually. The proposed system combined real-time analysis with a trusted mechanism through which participating dating services could share information about blacklisted users.

That dating-specific system later expanded into broader fraud intelligence. Scamalytics now describes two distinct levels of detection:

  1. Connection-level risk detection: Assessing an IP address through an IP fraud score.
  2. User-level fraud detection: Analysing multiple data points through machine learning and shared blacklists, particularly for dating services and social networks.

This distinction is essential. The freely accessible IP checker evaluates a network connection. Scamalytics’ broader anti-fraud service can potentially analyse account, profile and behavioural information supplied by participating businesses.

Development Timeline

PeriodVerified development
2011Tsinonis was working on machine-learning matchmaking technology; discussions began about applying it to dating-scam detection.
20 June 2012Scamalytics Ltd was incorporated in the United Kingdom.
2014Daniel Winchester became a company director.
2016Scamalytics publicly described machine learning, text-pattern analysis, image recognition and shared blacklist capabilities for dating platforms.
2024The company discussed its IP Fraud Risk API, dating-industry work and the growing use of AI by romance scammers.
2026Its product range includes IP lookup, API and bulk delivery, on-premises MMDB files, and threat-intelligence integrations for SIEM and SOAR environments.

Inside the Scamalytics Scoring Pipeline

Scamalytics does not publicly disclose the full weighting or proprietary logic behind its scoring algorithm. Its public materials do, however, reveal the principal data categories and delivery architecture.

1. The IP address becomes the lookup key

A website, application or security platform submits an IPv4 or IPv6 address through the public checker, API, bulk service or locally hosted MMDB file.

The objective is to assess the risk presented by the connection before—or while—the user performs an action such as creating an account, logging in, posting content or initiating a transaction.

2. Network and reputation data enrich the request

Scamalytics says its system considers indicators including:

  • IP and IP-range reputation
  • ISP and responsible organisation
  • Autonomous System Number
  • Geographic location
  • VPN or anonymising proxy use
  • Public and web proxy status
  • Tor exit-node status
  • Data-centre or hosting classification
  • External blacklist appearances
  • Known bot, spam or abusive activity
  • Previous visibility across the Scamalytics network

The presence of one indicator does not automatically establish fraud. A corporate employee, privacy-conscious consumer, travelling customer or cybersecurity researcher may legitimately use a VPN or data-centre connection. The value comes from the relationship between several signals.

3. The indicators become a risk score

The service returns a numeric score between 0 and 100, accompanied by a descriptive risk category and supporting context.

Some Scamalytics ISP and IP pages explain the score by referencing the approximate proportion of visible web traffic considered potentially fraudulent. The company also states that it does not have visibility across the entire internet and that its classifications represent an assessment based on the limited information available to it.

A score of 100 should therefore be interpreted as extremely high observed or inferred network risk, not as a mathematically proven 100% probability that a particular user is a criminal.

A high Scamalytics score should change the verification path, not automatically end the customer relationship.

4. The result enters the customer’s decision engine

Scamalytics supplies intelligence. The customer decides what happens next.

Score-driven responseAppropriate application
Allow the activityLow-risk connection with no conflicting signals
Log and observeMildly elevated risk without harmful behaviour
Apply step-up authenticationUnusual location, VPN, new device or login anomaly
Add rate limitsAutomated registration, scraping or request bursts
Require identity or payment verificationHigh-value transaction or regulated activity
Send for manual reviewHigh score combined with account-level inconsistencies
Block temporarilyKnown Tor abuse, bot activity, credential stuffing or repeated fraud
Block permanentlyConfirmed abuse supported by multiple independent signals

A well-designed implementation uses Scamalytics as one component within a layered control environment that may also include device intelligence, authentication telemetry, payment history, velocity rules, behavioural analysis and human review.

Four Ways Businesses Can Consume the Data

Scamalytics supports several deployment models, each serving a different technical and compliance requirement.

Delivery modelHow it worksPrimary advantagePrimary constraint
Public IP lookupA user manually checks an IP on the websiteFast investigation without integrationUnsuitable for automated, high-volume decisions
APIAn application sends an IP and receives a structured responseReal-time automationUsage limits and external data transfer
Bulk lookupMultiple IP addresses are processed togetherRetrospective investigation or list enrichmentNot designed for every live transaction
MMDB fileThe Scamalytics database runs inside the customer’s infrastructureLow latency, unlimited local queries and reduced data transferRequires database updates and local engineering
Threat-intelligence integrationScores and contextual fields enter SIEM or SOAR productsSecurity analysts receive context inside existing workflowsSeparate configuration, licensing and alert governance

The MMDB implementation is technically significant. Scamalytics describes it as a binary database keyed by IP ranges, including ranges as small as a single address. An application sends the IP to a local MMDB reader library and receives the corresponding data object without submitting the user’s IP address to Scamalytics.

The company claims that MMDB can support millions of lookups per second and low-microsecond query times, although actual performance depends on the customer’s hardware, implementation, library and queried data.

Core Output Fields

Public Scamalytics materials identify or illustrate fields such as:

Data categoryExample output
IP riskNumeric Scamalytics score and risk level
Network ownershipISP, organisation and ASN
AnonymisationVPN, proxy and Tor indicators
InfrastructureData-centre, server or hosting classification
LocationCountry, state, city or geographic coordinates where available
Major networksGoogle, Amazon Web Services or Apple Private Relay indicators
ReputationExternal blacklist and observed-abuse context
Investigation supportLink to the relevant Scamalytics IP record

What a Scamalytics Score Can—and Cannot—Tell You

What it can indicate

Scamalytics can help establish that a connection has characteristics frequently associated with fraud or abuse. Examples include traffic routed through an anonymising service, an IP range linked to suspicious activity, a mismatch between stated and detected location, or repeated connections from infrastructure commonly used for automation.

These signals are especially useful when they appear before the business has accumulated behavioural or transaction history for a new user.

What it cannot establish

An IP score cannot independently determine:

  • The legal identity of the user
  • Who controlled the address at a specific moment
  • Whether a shared-network user committed an offence
  • Whether VPN use had an innocent or malicious purpose
  • Whether a geographic mismatch resulted from travel or routing
  • Whether the user intended to commit fraud
  • Whether every device behind a carrier-grade NAT address presents the same risk

IP addresses can be reassigned. Multiple users can share one public address. Mobile carriers, universities, hotels, workplaces and residential networks may aggregate large numbers of people behind shared infrastructure.

For that reason, a high-risk IP is evidence about the connection environment, not conclusive evidence about the human being.

Pricing: Free Entry, Then Volume-Based API Plans

Scamalytics prices its main IP API and bulk-lookup service according to monthly request allowances. The same allowance can be shared between API and bulk use, and unused requests do not roll into the next month. The company also advertises free trials and a reduced effective price for annual payment.

Selected API and Bulk Pricing as Published in July 2026

Monthly allowanceMonthly billingAnnual billing
5,000FreeFree
25,000$25$250
50,000$50$500
100,000$100$1,000
250,000$125$1,250
500,000$150$1,500
1 million$200$2,000
5 million$600$6,000
10 million$1,000$10,000
50 million$3,000$30,000
100 million$5,500$55,000

Scamalytics’ threat-intelligence offering for SIEM and SOAR environments is presented separately from the core API pricing. Buyers should therefore confirm whether a quotation covers the standard IP API, enhanced data, MMDB access, security integrations, service-level commitments or custom support.

The company’s terms also prohibit unauthorised scraping and restrict resale or redistribution without written consent. API customers must follow documented limits and rate restrictions.

Privacy Questions Become More Serious at User Level

The public IP-scoring product and the broader dating anti-fraud service should not be treated as identical data-processing activities.

Scamalytics’ privacy policy states that its dating-sector solution may process information supplied by client platforms. Depending on the implementation, that information can include email addresses, dates of birth, names, profile photographs, profile text, professions, device identifiers, user agents and IP addresses. The policy also lists sensitive attributes that may appear in dating-profile data, including gender and sexual orientation.

That list does not mean every visitor using the public IP checker supplies all those fields. It describes the wider categories that Scamalytics may receive while providing anti-fraud services to client dating businesses.

Scamalytics identifies itself as the data controller for its own processing, lists an Information Commissioner’s Office registration number and names Dan Winchester as its data protection officer. The company states that it is committed to the UK GDPR and EU GDPR and uses appropriate mechanisms for international data transfers.

Due-Diligence Questions for Enterprise Buyers

Before integrating the service, a compliance, security or procurement team should determine:

  1. Whether Scamalytics acts as a controller, processor or independent controller for each data flow.
  2. Which fields are transmitted beyond the IP address.
  3. Where API requests and associated logs are processed and stored.
  4. Which subprocessors and external datasets contribute to enrichment.
  5. How long submitted identifiers, results and logs are retained.
  6. Whether the customer can use MMDB deployment to keep IP data internal.
  7. How data-subject access, correction, deletion and objection requests are handled.
  8. Whether automated adverse decisions require human intervention under applicable law.
  9. How false positives, appeals and score disputes are reviewed.
  10. Whether accuracy, latency, uptime and incident-notification obligations are contractually defined.

A vendor’s general GDPR statement is useful, but regulated customers still need a data-processing agreement, security evidence and a documented lawful basis tailored to their own use case.

Why Romance Fraud Still Matters to the Product

Romance fraud remains central to Scamalytics’ identity because dating platforms combine anonymous communication, emotional trust, cross-border interaction and rapid migration to private messaging services.

Scamalytics representatives have described scammers moving conversations from dating platforms to less controlled channels such as WhatsApp. They have also warned that AI-generated photographs, deepfakes, voice cloning and automated chatbots can help criminals operate more convincing personas and manage several targets simultaneously.

Technical detection can identify reused infrastructure, suspicious messaging patterns, blacklisted users and repeated profile elements. It cannot replace user education, reporting mechanisms, identity verification or law-enforcement cooperation.

The FBI’s romance scam guidance similarly warns users to be cautious when an online contact requests money or attempts to build trust without meeting in person.

The Right Operational Role for Scamalytics

Scamalytics is most useful when deployed as an enrichment and prioritisation layer rather than a single-source adjudication system.

Strong use cases

  • Detecting suspicious registrations
  • Identifying proxy and Tor traffic
  • Reducing automated account creation
  • Prioritising account-takeover investigations
  • Adding context to payment-fraud rules
  • Screening user-generated reviews and listings
  • Enriching SIEM alerts
  • Detecting infrastructure reused across dating profiles
  • Protecting advertising systems from click fraud

Weak or dangerous use cases

  • Treating the score as proof of a crime
  • Automatically accusing a customer of fraud
  • Rejecting regulated-service applicants without review
  • Blocking every VPN or data-centre user
  • Inferring nationality or residence solely from IP geolocation
  • Making employment, credit or insurance decisions from an IP score
  • Retaining risk labels indefinitely without reassessment

The strongest policy is progressive: low-risk traffic proceeds normally, ambiguous traffic receives proportionate friction, and severe cases are escalated only when corroborating account or behavioural evidence exists.

Scamalytics Questions People Commonly Ask

What is Scamalytics?

Scamalytics is a UK fraud-prevention and IP-intelligence company. Its public service checks an IP address and returns a 0–100 fraud-risk score with information about network ownership, geolocation, VPNs, proxies, Tor and related indicators. It also provides business APIs, bulk processing, MMDB databases and broader user-level fraud detection.

Is Scamalytics legitimate?

Scamalytics Ltd is a legitimate, active UK private company incorporated in 2012 and registered at Companies House. It publishes terms, privacy information and commercial pricing. Legitimacy does not mean every risk result is infallible; each score remains an assessment produced from available network and reputation data.

Is a Scamalytics score accurate?

A Scamalytics score is an evidence-based estimate, not an independently verified statement of guilt. Accuracy will vary with available observations, IP reassignment, network sharing and data freshness. The company itself states that it does not observe the entire internet. Businesses should validate the score against device, account, transaction and behavioural evidence.

What does a Scamalytics score of 100 mean?

A score of 100 represents the highest risk level in Scamalytics’ scoring system. It indicates that the IP address or associated network matches extremely strong fraud or abuse signals within the company’s available data. It does not prove that every user connecting through that address is fraudulent.

Can using a VPN increase a Scamalytics score?

VPN use can contribute to a higher risk assessment because it conceals the user’s apparent network location and may place the connection on shared infrastructure. However, Scamalytics also evaluates other indicators. Legitimate VPN use should not be treated as fraud without additional evidence such as behavioural anomalies, blacklisting or account inconsistencies.

Is Scamalytics free?

Scamalytics provides a free public IP checker and publishes a free API tier allowing up to 5,000 monthly requests. Paid API and bulk plans begin above that allowance. MMDB access, advanced threat intelligence, integrations and customised enterprise arrangements may be priced separately.

The Score Is a Signal, Not a Sentence

Scamalytics addresses a real security problem: businesses often need to assess an unknown connection before fraud has fully materialised. Its combination of IP reputation, anonymisation detection, network ownership and shared observations can provide valuable early warning.

The critical decision occurs after the score arrives.

Used with corroborating evidence, proportional controls and human oversight, Scamalytics can reduce fraud while preserving access for legitimate users. Used as an unquestionable verdict, the same score can produce false positives, discriminatory outcomes and poor security decisions.

The technology is therefore most credible when its limits are treated as part of the architecture—not as an inconvenient footnote.

Sources and Verification

  • Scamalytics official product and company overview.
  • Scamalytics IP Address Fraud Check documentation.
  • Scamalytics API and bulk-lookup pricing.
  • Scamalytics MMDB product documentation.
  • Scamalytics threat-intelligence product materials.
  • Scamalytics privacy, GDPR and terms documents.
  • UK Companies House company and officer records.
  • Online Dating and Discovery Association interview with Scamalytics.
  • FBI romance-scam guidance.

Editorial Disclaimer: Product capabilities, prices, corporate records and policy terms were checked against publicly available sources at the time of publication. Fraud scores are risk estimates rather than proof of unlawful conduct. Commercial terms, datasets and technical features may change, and organisations should complete independent legal, privacy, security and procurement reviews before deployment.