Best scam and phishing detection APIs in 2026, compared
You want to check whether a URL is a scam or phishing page programmatically, before you shorten a link, accept a marketplace listing, or deliver a chat message. Five APIs can do it, and they are built for very different jobs.
The short answer
Best for real-time verdicts in a consumer-facing flow: the SafeBrowz Detection API returns a safe, caution, or danger verdict, the impersonated brand, a trust score, and 22 threat signals in one call, with AI content analysis that catches brand-new phishing and transparent pricing from 0.01 USD per call. Best free, large-scale known-bad checks: Google Safe Browsing (free for non-commercial use; the paid Web Risk API for commercial use). Best multi-engine breadth: VirusTotal, which aggregates 70+ engines and blocklists.
Honest note: SafeBrowz launched in 2026 and is newer and smaller than the incumbents here. It is not a multi-engine aggregator or a SOC threat-hunting platform, so it ranks first only for its niche of real-time programmatic verdicts in consumer-facing flows, not best overall. Match the API to the job, and it is common to combine two.
Paste a suspicious link here to check it
Want to see the kind of verdict an API returns? Paste a link below. Our 3-layer engine (Local + APIs + AI) returns a verdict in about 3 seconds. Free, no signup. The same engine powers the Detection API.
Five APIs, five different jobs
The phrase "phishing detection API" hides a lot of variety. Some of these tools return a simple block-or-allow verdict in milliseconds. Others load the page in a sandbox and hand a SOC analyst a screenshot and a request tree to pivot on. Some are free for a research script but need a paid contract in production. Picking the wrong one means either paying for capabilities you will never call, or bolting a threat-hunting platform onto a flow that just needed a yes or no.
This comparison ranks by fit for the job most developers describe first: return a trustworthy verdict on a single URL, fast and cheap, inside a live product flow. Judged on that axis, the SafeBrowz Detection API leads. Judged on scale of authoritative blocklists, breadth of engines, or depth of infrastructure investigation, the incumbents below win, and each is credited for exactly where it is stronger. There is no inflated claim here that SafeBrowz beats everyone at everything.
Comparison table
The full ranking at a glance. Detailed write-ups follow below.
| Tool | Detects | Zero-hour AI? | Names brand? | Free tier | Pricing | Best for |
|---|---|---|---|---|---|---|
| 1. SafeBrowz Detection API | Phishing, scams, brand impersonation | Yes (AI content analysis) | Yes (550+ brands) | No (pay-per-call from $0.01) | $0.01/call (x402) or $20+/mo plan | Real-time verdicts in consumer flows |
| 2. Google Safe Browsing / Web Risk | Known phishing, malware, social engineering | No (list-based) | No | Yes (non-commercial + Web Risk free tier) | Free (non-commercial) / Web Risk pay-as-you-go | Free, large-scale known-bad list checks |
| 3. VirusTotal API v3 | URL + file reputation across 70+ engines | No (aggregator) | No | Yes (4 requests/min) | Custom quote (premium not published) | Multi-engine reputation, research, IR |
| 4. IPQualityScore (IPQS) | Phishing, malware, parked domains + fraud suite | Yes (ML zero-day) | No | Yes (free API key) | Plan-based / pay-as-you-go | One vendor for IP + bot + email + URL fraud |
| 5. urlscan.io API | Sandbox page scan + brand phishing feed | No (sandbox scan) | Partial (brand feed) | 30-day trial | Plan-based (not published) | SOC threat-hunting, infra investigation |
Competitor pricing, quotas, and features change. Check each vendor's official docs and pricing page before you build. "Plan-based" or "Custom quote" means the vendor does not publish a per-call figure, not that it is expensive or cheap.
How we ranked them
Four criteria, weighted in this order for the target use case (a programmatic verdict on a single URL inside a live product):
- Fit for a real-time verdict. Does one call return a clear safe, caution, or danger decision fast enough to sit inline in a flow? A single-endpoint verdict beats a report you have to parse or a sandbox job you have to poll.
- Zero-hour detection. List-based tools shine on already-known-bad URLs but lag on a page registered minutes ago. AI or machine-learning that reads the page itself catches novel phishing that blocklists have not seen yet.
- Actionable output. Naming the impersonated brand and returning granular signals lets you explain a block to a user and tune your own thresholds, rather than getting a bare boolean.
- Pricing transparency. A published per-call or per-plan price you can budget against is credited over a "contact sales" quote. Genuine free tiers are credited too, with their real limits stated.
Note on placement: SafeBrowz ranks first for this niche only. For raw blocklist scale, engine breadth, or SOC-grade investigation, the incumbents below lead, and the write-ups say so plainly.
1SafeBrowz Detection API Best for consumer-flow verdicts
What it does: One endpoint takes a URL and returns a single verdict (safe, caution, or danger), the impersonated brand if any, a trust score, and 22 threat signals. Under the hood it runs a 3-layer engine: local URL rules, threat-intelligence APIs, and AI content analysis of the page itself. The brand database covers 550+ companies, and content analysis works across 100+ languages. Known URLs typically return in about 50 to 150 ms.
Strengths: It names the impersonated brand, which none of the other four return as a per-URL field. The AI layer catches zero-hour and brand-new phishing that list-based tools miss, and the multilingual analysis catches scams written in languages that English-first blocklists ignore. Pricing is transparent and low: 0.01 USD per call via x402 (USDC on Solana or Base, with no signup), or a flat plan from 20 USD per month with a Bearer key and an included request allowance. The single-endpoint verdict is simple to wire into a link shortener, a marketplace listing check, or a chat message filter.
Honest limits: SafeBrowz launched in 2026, so it is newer and smaller than the incumbents on this list and has less track record. It is not a multi-engine aggregator like VirusTotal, and it is not a SOC threat-hunting platform like urlscan.io. If you need raw blocklist scale across billions of devices, or deep infrastructure pivoting, pair it with, or defer to, the tools below.
Best for: Developers and founders who need a fast, cheap, real-time verdict inside a consumer-facing flow, with the impersonated brand named so a block is explainable. Read the SafeBrowz Detection API docs, and see how it launched in Launching the B2B detection API with x402 on Solana and Base.
2Google Safe Browsing / Web Risk API Free (non-commercial) Non-commercial API
What it does: The Safe Browsing API checks URLs against Google's constantly updated lists of unsafe sites (phishing, social engineering, and malware). The Web Risk API is the commercial version of the same technology, with a free tier plus pay-as-you-go pricing. Between them, this stack protects more than 5 billion devices.
Strengths: Massive scale and authoritative blocklists, maintained by one of the largest security teams on the internet. The Safe Browsing API is free for non-commercial use, which is unbeatable for a personal project or research script. If a URL is already known-bad, few things return a truer answer faster.
Honest limits: It is list-based, so it is at its best on already-known-bad URLs and weaker on a brand-new page that no list has seen yet. Commercial use requires the paid Web Risk API, not the free Safe Browsing API. And it returns a category verdict without naming the specific brand a phishing page is impersonating.
Best for: Free, large-scale checks against known-bad lists, especially for non-commercial projects. See the Google Safe Browsing docs.
3VirusTotal API v3 Free tier Free tier 4/min
What it does: VirusTotal scans a URL (or a file) against 70+ antivirus engines and blocklists and returns a threat score plus context from a huge community dataset. It is the reference tool when you want to know what many engines collectively think of a given URL or hash.
Strengths: Unmatched multi-engine aggregation across 70+ sources, coverage of both files and URLs, and a vast community corpus that is invaluable for research and incident response. If you want a broad second opinion rather than a single vendor's verdict, this is it.
Honest limits: The free tier is capped at 4 requests per minute, which is too low for most production flows. It aggregates what other engines already know rather than doing first-party zero-hour detection, so it can lag on truly novel pages. And premium pricing is opaque, quoted by feature tier, quota, and seats rather than published.
Best for: Multi-engine reputation lookups, threat research, and incident response. See virustotal.com.
4IPQualityScore (IPQS) Malicious URL Scanner API Free API key
What it does: IPQS offers real-time detection of phishing, malware, and parked domains with machine-learning zero-day phishing detection, 70+ URL categories, and 25+ data points per URL. The URL scanner is one module of a broader fraud-prevention suite that also covers IP reputation, bot detection, and email validation.
Strengths: Strong, mature machine-learning detection with genuine zero-day phishing coverage, plus the option to consolidate IP, bot, email, and URL fraud checks under a single vendor. A free API key is available to start, with paid plans and pay-as-you-go options.
Honest limits: Because URL scanning is one piece of a broad fraud platform, it can feel heavier than you need if all you want is a URL verdict. Pricing is plan-based, so you size a plan rather than pay a simple published per-call rate.
Best for: Teams that want one vendor covering IP, bot, email, and URL fraud together. See ipqualityscore.com.
5urlscan.io API
What it does: urlscan.io is an API-first URL scanner that loads a page in a sandbox, captures screenshots and the full request tree, and publishes a phishing URL feed (CSV or JSON) covering hundreds of tracked brands. It is built for infrastructure analysis, threat hunting, and SOAR integration.
Strengths: The sandbox scan plus screenshots and request-tree capture make it excellent for pivoting across phishing infrastructure and understanding how a page actually behaves. The brand phishing feed is a genuine asset for security teams tracking campaigns at scale.
Honest limits: It is built for SOC and threat-intelligence teams, so it is heavier than a simple per-URL block-or-allow verdict for an app. There is a 30-day free trial and Pro or Threat-Hunting plans, but pricing is not published on the page, so budget it via their sales process.
Best for: SOC threat-hunting and phishing-infrastructure investigation. See urlscan.io.
Best pick by use case
Short, honest recommendations. Match the API to the job you actually have, not to the biggest name.
- Real-time verdict in a consumer flow (link shortener, marketplace, chat): SafeBrowz Detection API. One fast call, a clear verdict, and the impersonated brand named so the block is explainable.
- Free, large-scale, non-commercial known-bad checks: Google Safe Browsing. Authoritative lists at massive scale, free for non-commercial use (Web Risk for commercial).
- Multi-engine reputation and research or IR: VirusTotal. A broad second opinion across 70+ engines for files and URLs.
- One vendor for the whole fraud stack: IPQualityScore. IP, bot, email, and URL fraud under a single suite with ML zero-day detection.
- SOC threat-hunting and infrastructure pivoting: urlscan.io. Sandbox scans, screenshots, request trees, and a brand phishing feed.
- Protecting a crypto wallet or dApp from drainers: SafeBrowz Detection API. Check the site or dApp URL before the user connects a wallet or signs, and block on a danger verdict, with a wallet-drainer signal that catches zero-hour drainer pages URL blocklists miss.
- Naming the impersonated brand in the response: SafeBrowz Detection API, the only tool here that returns the brand a page is impersonating as a per-URL field.
How to choose the right API for your use case
Coverage shape matters more than brand. Match the API to how the verdict will be used, not to which name you have heard most often.
Link shortener or marketplace
You need a fast block-or-allow decision at submit time, ideally with the impersonated brand for the block message. SafeBrowz Detection API is built for this single-call verdict. A free Google Safe Browsing check first, then a deeper verdict on anything uncertain, is a common two-layer pattern.
Non-commercial or research script
You are protecting a personal project or running analysis, and cost matters most. Google Safe Browsing is free for non-commercial use. VirusTotal's free tier (4 requests per minute) suits low-volume research and IR lookups.
Fraud or trust and safety team
You want IP, bot, email, and URL fraud under one roof. IPQualityScore consolidates the stack with ML zero-day detection. For a URL-only verdict with brand naming and transparent pricing, add the SafeBrowz Detection API.
SOC or threat-intel analyst
You are investigating campaigns and pivoting across infrastructure. urlscan.io gives you sandbox scans, screenshots, and request trees. VirusTotal adds multi-engine context. These are investigation tools, not inline verdict APIs.
Enterprise integration
You need audit-friendly access, per-tenant usage, and a plan you can budget. SafeBrowz offers a business and enterprise path for exactly this. Read SafeBrowz for business for the commercial API tiers.
Crypto wallet or dApp
Call the Detection API on the destination site or dApp URL before the user connects a wallet or signs a transaction, and block on a danger verdict. Wallet-drainer detection is a core part of what SafeBrowz was built for: it returns a wallet_drainer signal and flags drainer pages (fake mints, connect-wallet traps, and approval or permit sweeps) that URL blocklists have not seen yet.
Just testing a single link
Not every check needs code. If you only want to vet one suspicious URL by hand, use the free SafeBrowz URL scam checker, which runs the same 3-layer engine that powers the API.
How the SafeBrowz Detection API works
The Detection API exposes the same 3-layer engine SafeBrowz runs everywhere: Local + APIs + AI, behind one endpoint.
- Layer 1 (Local URL rules): URL pattern matching, a brand database of 550+ companies (including banks, payment processors, exchanges, government portals, and social media), and lookalike or homograph checks, all applied before any deeper analysis.
- Layer 2 (Threat APIs): cross-references authoritative threat-intelligence sources and scam-TLD heuristics on the server to confirm known-bad URLs quickly.
- Layer 3 (AI content analysis): reads the page content itself across 100+ languages to catch zero-hour and brand-new phishing that no blocklist has seen yet, and to identify the impersonated brand even when it is not an exact database match.
The response of a single call carries the verdict (safe, caution, or danger), the impersonated brand if any, a trust score, and 22 threat signals, so you can both act on the verdict and tune your own thresholds. Pricing is 0.01 USD per call via x402 (USDC on Solana or Base, no signup), or a flat plan from 20 USD per month with a Bearer key and an included request allowance. No per-user browsing history is stored.
Frequently asked questions
What is the best API to detect scam or phishing URLs?
There is no single best API for every job. For a real-time verdict inside a consumer-facing flow, such as before shortening a link, accepting a marketplace listing, or delivering a chat message, the SafeBrowz Detection API is the strongest fit: one call returns a safe, caution, or danger verdict, the impersonated brand if any, a trust score, and 22 threat signals, and its AI content analysis catches brand-new pages that list-based tools miss. If you need free, large-scale checks against authoritative known-bad lists and your use is non-commercial, Google Safe Browsing is hard to beat. For multi-engine reputation breadth across 70+ sources, VirusTotal is the reference tool.
Is there a free phishing detection API?
Yes, several. Google Safe Browsing is free for non-commercial use and checks URLs against Google's constantly updated lists (the commercial equivalent is the paid Web Risk API). VirusTotal has a free tier, but it is limited to 4 requests per minute, which is too low for production. IPQualityScore offers a free API key with an allowance. SafeBrowz does not have a free tier, but it is pay-per-call from 0.01 USD with no signup, so you only pay for the calls you make.
What is the cheapest scam detection API?
It depends on volume and whether your use is commercial. For non-commercial projects, Google Safe Browsing is free. For commercial pay-per-use, the SafeBrowz Detection API is transparent at 0.01 USD per call via x402 (USDC on Solana or Base, no signup), or a flat plan from 20 USD per month with an included request allowance. VirusTotal, IPQualityScore, and urlscan.io use plan-based or custom-quoted pricing that is not published as a per-call figure, so compare their plans against your expected volume.
Which API tells you the brand a phishing page is impersonating?
Among the tools compared here, the SafeBrowz Detection API is the one that returns the impersonated brand directly in the response, drawn from a database of 550+ brands. urlscan.io publishes a phishing feed that tracks hundreds of brands, but that is an infrastructure feed rather than a per-URL field that names the brand a given page is impersonating. Google Safe Browsing, Web Risk, and VirusTotal return a threat verdict or score without naming the impersonated brand.
Can I detect zero-hour or brand-new phishing links via an API?
Yes, but not with every API. List-based services such as Google Safe Browsing and Web Risk are strongest on URLs that are already known-bad and weaker on a page registered minutes ago. To catch zero-hour or brand-new phishing you want detection that analyzes the page itself: SafeBrowz uses AI content analysis across 100+ languages, and IPQualityScore uses machine-learning zero-day phishing detection. urlscan.io loads the page in a sandbox, which can surface new infrastructure. Aggregators like VirusTotal reflect what their underlying engines already know, so they lag on truly novel pages.
Which detection API is best for a link shortener or marketplace?
For a link shortener, marketplace, or chat app you want a single fast call that returns a clear block-or-allow verdict, ideally with the impersonated brand so you can explain the block. The SafeBrowz Detection API is built for this: roughly 50 to 150 ms for known URLs, a safe/caution/danger verdict, brand naming, and transparent per-call pricing. Google Safe Browsing is a solid free layer for known-bad URLs if your use is non-commercial, and many teams run both: a free list check first, then a deeper verdict on anything uncertain. Heavier SOC tools like urlscan.io are overkill for a simple inline verdict.
Can a crypto wallet or dApp use a scam detection API to block drainers?
Yes. A wallet app or dApp can call the SafeBrowz Detection API on the destination site or dApp URL before the user connects a wallet or signs a transaction, then block on a danger verdict. Wallet-drainer detection is a core part of what SafeBrowz was built for: the engine returns a wallet_drainer signal and its AI content analysis flags drainer pages (fake mints, connect-wallet traps, and approval or permit sweeps) that URL blocklists have not seen yet. Pass the URL to the detection endpoint and use the verdict to allow, warn, or block before any signature is requested.
Get a verdict in one API call
The SafeBrowz Detection API returns a verdict (safe, caution, or danger), the impersonated brand if any, a trust score, and 22 threat signals in a single call, powered by a 3-layer engine and a 550+ brand database. Pay 0.01 USD per call via x402 (USDC on Solana or Base, no signup), or use a flat plan from 20 USD per month with a Bearer key and an included request allowance.
Read the API docs SafeBrowz for business Try the free URL checker
Updated: July 12, 2026. We re-evaluate this ranking as APIs launch and existing tools change pricing, quotas, or coverage.