The number looks decisive, but understanding what sits behind a Scamalytics fraud score is more important than the score itself.
A visitor lands on a website. Their IP address appears suspicious. Within milliseconds, a risk engine can identify a VPN, Tor exit node, hosting provider, blacklisted network or geographic inconsistency—and recommend whether the connection should be trusted.
That capability matters because fraudulent registrations, account takeovers, payment abuse, fake reviews, romance scams and automated attacks often begin with network signals that appear before the attacker completes an action. Scamalytics positions its technology at this early decision point.
But an IP address is not a person. A high score can reveal meaningful technical risk without proving criminal intent. Businesses that misunderstand that distinction risk either admitting abusive traffic or rejecting legitimate customers.
Scamalytics is a UK fraud-intelligence provider that assigns IP addresses a 0–100 risk score using network reputation, proxy and VPN indicators, geolocation, ISP data, blacklists and observed abuse signals. The score estimates connection risk; it does not prove that a particular person committed fraud.
The Name Behind the Score: A Verified Scamalytics Snapshot
Scamalytics Ltd is an active UK private limited company incorporated on 20 June 2012. Its registered office is at 7 Bell Yard, London, and its recorded business activity is “other information technology service activities.” Nikolaos Tsinonis and Daniel Paul Winchester are listed as active directors. The corporate details can be checked through the official Scamalytics Ltd Companies House record.
- Legal name: Scamalytics Ltd
- Company number: 08112186
- Company status: Active
- Incorporated: 20 June 2012
- Registered office: 7 Bell Yard, London, WC2A 2JR
- Core category: Fraud prevention, IP intelligence and online risk scoring
- Primary delivery methods: Web lookup, API, bulk lookup, MMDB database and security-platform integrations
- Industries identified by the company: Banking, payments, classifieds, reviews, dating and social platforms
Scamalytics is therefore not an anonymous “scam-check” webpage with no identifiable operator. It is an established legal entity offering commercial fraud-detection products. That corporate legitimacy, however, should not be confused with a guarantee that every individual IP classification will be correct.
Born Inside the Dating-Fraud Problem
The origins of Scamalytics are closely connected to online dating fraud.
In a 2024 interview published by the Online Dating and Discovery Association, co-founder Nick Tsinonis said he had been working on machine-learning matchmaking technology in 2011. Dan Winchester, who operated the dating service Free Dating, became an early customer and later asked whether similar machine-learning techniques could automate scammer detection.
The problem was operationally expensive. Fraudulent profiles reused text, photographs and behavioural patterns, while customer-support teams had to identify and remove them manually. The proposed system combined real-time analysis with a trusted mechanism through which participating dating services could share information about blacklisted users.
That dating-specific system later expanded into broader fraud intelligence. Scamalytics now describes two distinct levels of detection:
- Connection-level risk detection: Assessing an IP address through an IP fraud score.
- User-level fraud detection: Analysing multiple data points through machine learning and shared blacklists, particularly for dating services and social networks.
This distinction is essential. The freely accessible IP checker evaluates a network connection. Scamalytics’ broader anti-fraud service can potentially analyse account, profile and behavioural information supplied by participating businesses.
Development Timeline
| Period | Verified development |
|---|---|
| 2011 | Tsinonis was working on machine-learning matchmaking technology; discussions began about applying it to dating-scam detection. |
| 20 June 2012 | Scamalytics Ltd was incorporated in the United Kingdom. |
| 2014 | Daniel Winchester became a company director. |
| 2016 | Scamalytics publicly described machine learning, text-pattern analysis, image recognition and shared blacklist capabilities for dating platforms. |
| 2024 | The company discussed its IP Fraud Risk API, dating-industry work and the growing use of AI by romance scammers. |
| 2026 | Its product range includes IP lookup, API and bulk delivery, on-premises MMDB files, and threat-intelligence integrations for SIEM and SOAR environments. |
Inside the Scamalytics Scoring Pipeline
Scamalytics does not publicly disclose the full weighting or proprietary logic behind its scoring algorithm. Its public materials do, however, reveal the principal data categories and delivery architecture.
1. The IP address becomes the lookup key
A website, application or security platform submits an IPv4 or IPv6 address through the public checker, API, bulk service or locally hosted MMDB file.
The objective is to assess the risk presented by the connection before—or while—the user performs an action such as creating an account, logging in, posting content or initiating a transaction.
2. Network and reputation data enrich the request
Scamalytics says its system considers indicators including:
- IP and IP-range reputation
- ISP and responsible organisation
- Autonomous System Number
- Geographic location
- VPN or anonymising proxy use
- Public and web proxy status
- Tor exit-node status
- Data-centre or hosting classification
- External blacklist appearances
- Known bot, spam or abusive activity
- Previous visibility across the Scamalytics network
The presence of one indicator does not automatically establish fraud. A corporate employee, privacy-conscious consumer, travelling customer or cybersecurity researcher may legitimately use a VPN or data-centre connection. The value comes from the relationship between several signals.
3. The indicators become a risk score
The service returns a numeric score between 0 and 100, accompanied by a descriptive risk category and supporting context.
Some Scamalytics ISP and IP pages explain the score by referencing the approximate proportion of visible web traffic considered potentially fraudulent. The company also states that it does not have visibility across the entire internet and that its classifications represent an assessment based on the limited information available to it.
A score of 100 should therefore be interpreted as extremely high observed or inferred network risk, not as a mathematically proven 100% probability that a particular user is a criminal.
A high Scamalytics score should change the verification path, not automatically end the customer relationship.
4. The result enters the customer’s decision engine
Scamalytics supplies intelligence. The customer decides what happens next.
| Score-driven response | Appropriate application |
| Allow the activity | Low-risk connection with no conflicting signals |
| Log and observe | Mildly elevated risk without harmful behaviour |
| Apply step-up authentication | Unusual location, VPN, new device or login anomaly |
| Add rate limits | Automated registration, scraping or request bursts |
| Require identity or payment verification | High-value transaction or regulated activity |
| Send for manual review | High score combined with account-level inconsistencies |
| Block temporarily | Known Tor abuse, bot activity, credential stuffing or repeated fraud |
| Block permanently | Confirmed abuse supported by multiple independent signals |
A well-designed implementation uses Scamalytics as one component within a layered control environment that may also include device intelligence, authentication telemetry, payment history, velocity rules, behavioural analysis and human review.
Four Ways Businesses Can Consume the Data
Scamalytics supports several deployment models, each serving a different technical and compliance requirement.
| Delivery model | How it works | Primary advantage | Primary constraint |
| Public IP lookup | A user manually checks an IP on the website | Fast investigation without integration | Unsuitable for automated, high-volume decisions |
| API | An application sends an IP and receives a structured response | Real-time automation | Usage limits and external data transfer |
| Bulk lookup | Multiple IP addresses are processed together | Retrospective investigation or list enrichment | Not designed for every live transaction |
| MMDB file | The Scamalytics database runs inside the customer’s infrastructure | Low latency, unlimited local queries and reduced data transfer | Requires database updates and local engineering |
| Threat-intelligence integration | Scores and contextual fields enter SIEM or SOAR products | Security analysts receive context inside existing workflows | Separate configuration, licensing and alert governance |
The MMDB implementation is technically significant. Scamalytics describes it as a binary database keyed by IP ranges, including ranges as small as a single address. An application sends the IP to a local MMDB reader library and receives the corresponding data object without submitting the user’s IP address to Scamalytics.
The company claims that MMDB can support millions of lookups per second and low-microsecond query times, although actual performance depends on the customer’s hardware, implementation, library and queried data.
Core Output Fields
Public Scamalytics materials identify or illustrate fields such as:
| Data category | Example output |
| IP risk | Numeric Scamalytics score and risk level |
| Network ownership | ISP, organisation and ASN |
| Anonymisation | VPN, proxy and Tor indicators |
| Infrastructure | Data-centre, server or hosting classification |
| Location | Country, state, city or geographic coordinates where available |
| Major networks | Google, Amazon Web Services or Apple Private Relay indicators |
| Reputation | External blacklist and observed-abuse context |
| Investigation support | Link to the relevant Scamalytics IP record |
What a Scamalytics Score Can—and Cannot—Tell You
What it can indicate
Scamalytics can help establish that a connection has characteristics frequently associated with fraud or abuse. Examples include traffic routed through an anonymising service, an IP range linked to suspicious activity, a mismatch between stated and detected location, or repeated connections from infrastructure commonly used for automation.
These signals are especially useful when they appear before the business has accumulated behavioural or transaction history for a new user.
What it cannot establish
An IP score cannot independently determine:
- The legal identity of the user
- Who controlled the address at a specific moment
- Whether a shared-network user committed an offence
- Whether VPN use had an innocent or malicious purpose
- Whether a geographic mismatch resulted from travel or routing
- Whether the user intended to commit fraud
- Whether every device behind a carrier-grade NAT address presents the same risk
IP addresses can be reassigned. Multiple users can share one public address. Mobile carriers, universities, hotels, workplaces and residential networks may aggregate large numbers of people behind shared infrastructure.
For that reason, a high-risk IP is evidence about the connection environment, not conclusive evidence about the human being.
Pricing: Free Entry, Then Volume-Based API Plans
Scamalytics prices its main IP API and bulk-lookup service according to monthly request allowances. The same allowance can be shared between API and bulk use, and unused requests do not roll into the next month. The company also advertises free trials and a reduced effective price for annual payment.
Selected API and Bulk Pricing as Published in July 2026
| Monthly allowance | Monthly billing | Annual billing |
| 5,000 | Free | Free |
| 25,000 | $25 | $250 |
| 50,000 | $50 | $500 |
| 100,000 | $100 | $1,000 |
| 250,000 | $125 | $1,250 |
| 500,000 | $150 | $1,500 |
| 1 million | $200 | $2,000 |
| 5 million | $600 | $6,000 |
| 10 million | $1,000 | $10,000 |
| 50 million | $3,000 | $30,000 |
| 100 million | $5,500 | $55,000 |
Scamalytics’ threat-intelligence offering for SIEM and SOAR environments is presented separately from the core API pricing. Buyers should therefore confirm whether a quotation covers the standard IP API, enhanced data, MMDB access, security integrations, service-level commitments or custom support.
The company’s terms also prohibit unauthorised scraping and restrict resale or redistribution without written consent. API customers must follow documented limits and rate restrictions.
Privacy Questions Become More Serious at User Level
The public IP-scoring product and the broader dating anti-fraud service should not be treated as identical data-processing activities.
Scamalytics’ privacy policy states that its dating-sector solution may process information supplied by client platforms. Depending on the implementation, that information can include email addresses, dates of birth, names, profile photographs, profile text, professions, device identifiers, user agents and IP addresses. The policy also lists sensitive attributes that may appear in dating-profile data, including gender and sexual orientation.
That list does not mean every visitor using the public IP checker supplies all those fields. It describes the wider categories that Scamalytics may receive while providing anti-fraud services to client dating businesses.
Scamalytics identifies itself as the data controller for its own processing, lists an Information Commissioner’s Office registration number and names Dan Winchester as its data protection officer. The company states that it is committed to the UK GDPR and EU GDPR and uses appropriate mechanisms for international data transfers.
Due-Diligence Questions for Enterprise Buyers
Before integrating the service, a compliance, security or procurement team should determine:
- Whether Scamalytics acts as a controller, processor or independent controller for each data flow.
- Which fields are transmitted beyond the IP address.
- Where API requests and associated logs are processed and stored.
- Which subprocessors and external datasets contribute to enrichment.
- How long submitted identifiers, results and logs are retained.
- Whether the customer can use MMDB deployment to keep IP data internal.
- How data-subject access, correction, deletion and objection requests are handled.
- Whether automated adverse decisions require human intervention under applicable law.
- How false positives, appeals and score disputes are reviewed.
- Whether accuracy, latency, uptime and incident-notification obligations are contractually defined.
A vendor’s general GDPR statement is useful, but regulated customers still need a data-processing agreement, security evidence and a documented lawful basis tailored to their own use case.
Why Romance Fraud Still Matters to the Product
Romance fraud remains central to Scamalytics’ identity because dating platforms combine anonymous communication, emotional trust, cross-border interaction and rapid migration to private messaging services.
Scamalytics representatives have described scammers moving conversations from dating platforms to less controlled channels such as WhatsApp. They have also warned that AI-generated photographs, deepfakes, voice cloning and automated chatbots can help criminals operate more convincing personas and manage several targets simultaneously.
Technical detection can identify reused infrastructure, suspicious messaging patterns, blacklisted users and repeated profile elements. It cannot replace user education, reporting mechanisms, identity verification or law-enforcement cooperation.
The FBI’s romance scam guidance similarly warns users to be cautious when an online contact requests money or attempts to build trust without meeting in person.
The Right Operational Role for Scamalytics
Scamalytics is most useful when deployed as an enrichment and prioritisation layer rather than a single-source adjudication system.
Strong use cases
- Detecting suspicious registrations
- Identifying proxy and Tor traffic
- Reducing automated account creation
- Prioritising account-takeover investigations
- Adding context to payment-fraud rules
- Screening user-generated reviews and listings
- Enriching SIEM alerts
- Detecting infrastructure reused across dating profiles
- Protecting advertising systems from click fraud
Weak or dangerous use cases
- Treating the score as proof of a crime
- Automatically accusing a customer of fraud
- Rejecting regulated-service applicants without review
- Blocking every VPN or data-centre user
- Inferring nationality or residence solely from IP geolocation
- Making employment, credit or insurance decisions from an IP score
- Retaining risk labels indefinitely without reassessment
The strongest policy is progressive: low-risk traffic proceeds normally, ambiguous traffic receives proportionate friction, and severe cases are escalated only when corroborating account or behavioural evidence exists.
Scamalytics Questions People Commonly Ask
What is Scamalytics?
Scamalytics is a UK fraud-prevention and IP-intelligence company. Its public service checks an IP address and returns a 0–100 fraud-risk score with information about network ownership, geolocation, VPNs, proxies, Tor and related indicators. It also provides business APIs, bulk processing, MMDB databases and broader user-level fraud detection.
Is Scamalytics legitimate?
Scamalytics Ltd is a legitimate, active UK private company incorporated in 2012 and registered at Companies House. It publishes terms, privacy information and commercial pricing. Legitimacy does not mean every risk result is infallible; each score remains an assessment produced from available network and reputation data.
Is a Scamalytics score accurate?
A Scamalytics score is an evidence-based estimate, not an independently verified statement of guilt. Accuracy will vary with available observations, IP reassignment, network sharing and data freshness. The company itself states that it does not observe the entire internet. Businesses should validate the score against device, account, transaction and behavioural evidence.
What does a Scamalytics score of 100 mean?
A score of 100 represents the highest risk level in Scamalytics’ scoring system. It indicates that the IP address or associated network matches extremely strong fraud or abuse signals within the company’s available data. It does not prove that every user connecting through that address is fraudulent.
Can using a VPN increase a Scamalytics score?
VPN use can contribute to a higher risk assessment because it conceals the user’s apparent network location and may place the connection on shared infrastructure. However, Scamalytics also evaluates other indicators. Legitimate VPN use should not be treated as fraud without additional evidence such as behavioural anomalies, blacklisting or account inconsistencies.
Is Scamalytics free?
Scamalytics provides a free public IP checker and publishes a free API tier allowing up to 5,000 monthly requests. Paid API and bulk plans begin above that allowance. MMDB access, advanced threat intelligence, integrations and customised enterprise arrangements may be priced separately.
The Score Is a Signal, Not a Sentence
Scamalytics addresses a real security problem: businesses often need to assess an unknown connection before fraud has fully materialised. Its combination of IP reputation, anonymisation detection, network ownership and shared observations can provide valuable early warning.
The critical decision occurs after the score arrives.
Used with corroborating evidence, proportional controls and human oversight, Scamalytics can reduce fraud while preserving access for legitimate users. Used as an unquestionable verdict, the same score can produce false positives, discriminatory outcomes and poor security decisions.
The technology is therefore most credible when its limits are treated as part of the architecture—not as an inconvenient footnote.
Sources and Verification
- Scamalytics official product and company overview.
- Scamalytics IP Address Fraud Check documentation.
- Scamalytics API and bulk-lookup pricing.
- Scamalytics MMDB product documentation.
- Scamalytics threat-intelligence product materials.
- Scamalytics privacy, GDPR and terms documents.
- UK Companies House company and officer records.
- Online Dating and Discovery Association interview with Scamalytics.
- FBI romance-scam guidance.
Editorial Disclaimer: Product capabilities, prices, corporate records and policy terms were checked against publicly available sources at the time of publication. Fraud scores are risk estimates rather than proof of unlawful conduct. Commercial terms, datasets and technical features may change, and organisations should complete independent legal, privacy, security and procurement reviews before deployment.


Leave a Reply