Here's the Devpost submission for ScamAware:
Inspiration Every day, millions of people encounter suspicious links in emails, phishing messages, unknown phone numbers, and sketchy file downloads. The problem? Most users have no quick, accessible way to verify if something is safe before engaging with it. We realized that people resort to manually Googling URLs, asking friends, or just clicking anyway — all slow, unreliable, or risky. We wanted to build a tool that removes friction from threat verification. Something that works everywhere — not just on a website, but integrated into their browser so protection happens automatically. The inspiration hit us during a conversation about how a simple phishing link in an email can compromise an entire company. We thought: What if threat detection was instant, accessible, and always running in the background? That's when we built ScamAware.
What it does ScamAware is a full-stack security ecosystem that scans links, messages, files, and phone numbers for phishing, malware, and scams in real-time. Web App (4 Scanning Modes)
Link Analysis — Paste any URL, get instant risk verdict (safe/suspicious/dangerous) with:
Confidence score (0-100%) Matched threat feeds (Google Safe Browsing, VirusTotal, OpenPhish) Specific threats detected (phishing, malware, lookalike domains, etc.)
Message Scanning — Paste an email or SMS, we:
Extract embedded URLs and scan them Detect phishing language patterns (urgency, credential requests, impersonation) Highlight suspicious phrases that triggered flags Flag shortened URLs hiding destinations
File Scanning — Upload any file (PDF, Office, image, archive), we:
Compute hash and check against malware databases (VirusTotal) Detect suspicious macros in Office files Return threats found or "clean" verdict Max file size: 10 MB
Phone Number Lookup — Enter a phone number, get:
Carrier and location info Number of scam reports from community Common scam types associated with it (IRS impersonation, robocall, etc.)
Chrome Extension (Real-Time Protection) The extension intercepts threats automatically:
Link clicks — warns before dangerous websites load Navigation — blocks dangerous sites with full-page warning Downloads — prevents malware downloads automatically Smart caching (24-hour TTL) for instant checking on repeat visits Silent for safe content, warnings only for suspicious/dangerous
How we built it Frontend (React + Vite + Tailwind)
Tab-based UI (Link, Message, File, Phone) Desktop-first design for projector demo visibility Real-time form validation Result cards with color-coded risk badges Mock API integration for rapid testing
Backend (FastAPI + Python)
Modular route structure (/api/scan/link, /api/scan/text, /api/scan/file, /api/scan/phone) Service layer abstracting threat intelligence APIs:
VirusTotal — URL, file, and hash scanning Google Safe Browsing — phishing/malware detection OpenPhish — phishing URL feed NumVerify — phone number validation & carrier info
Pydantic schemas for request/response validation CORS enabled for extension + web app
Chrome Extension (Manifest v3)
background.js — Service worker listening to webRequest, downloads, navigation content-script.js — Injected into every page, detects link clicks Caching — chrome.storage.local with 24-hour TTL Validators — URL validation, whitelist checking, localhost detection Warning UI — Inline popups and full-page interstitials
Architecture User → React Frontend → FastAPI Backend → Threat APIs (VirusTotal, GSB, OpenPhish) User → Chrome Extension → Same FastAPI Backend (shared API)
Challenges we ran into
- Real-Time API Integration
VirusTotal, Google Safe Browsing, and OpenPhish have different response formats Had to normalize threat data into a consistent { risk, score, details } schema Solution: Service layer abstracts differences
- Chrome Extension Permissions
Manifest v3 removed some APIs we initially wanted (webRequest blocking mode has limitations) Had to rethink URL interception strategy Solution: Used webRequest.onBeforeRequest with proper async handling
- File Scanning Without Uploading
Uploading large files through extension is slow and unreliable MVP solution: Scan filename/extension only, defer full file hashing to Phase 2 Trade-off: Good enough for dangerous executables (.exe, .dll, .msi), full scanning in next phase
- Caching Strategy
Extension needs fast lookups (< 50ms) for smooth UX IndexedDB overkill for MVP Solution: chrome.storage.local with TTL and periodic cleanup
- Desktop vs Mobile UI
Hackathon judging happens on big screens/projectors Mobile-first responsive design felt wrong Solution: Desktop-first design, mobile responsive as bonus
- API Timeout & Error Handling
If threat APIs are slow or unreachable, extension shouldn't hang Solution: 5-second timeout, fail-open (allow navigation if API down)
Accomplishments that we're proud of ✅ Full-stack execution — Web app + Chrome extension, same backend, shipped in hackathon timeframe ✅ Real threat intelligence integration — Actually calls VirusTotal, Google Safe Browsing, OpenPhish (not mocked) ✅ User-centric design — Desktop-first for demo visibility, readable from 6+ feet away on projector ✅ Smart caching — 24-hour TTL, auto-cleanup, avoids redundant API calls ✅ Privacy-first architecture — All extension data stored locally, no cloud sync, no tracking ✅ Graceful degradation — Extension works offline (cached results), fails open if API unavailable ✅ Real browser integration — Not a prototype; extension actually intercepts links, blocks downloads, shows warnings ✅ Ecosystem thinking — Built as a platform, not just a tool (web app is Phase 1, extension is bonus that proves the API design)
What we learned Technical
Manifest v3 is actually pretty solid once you understand async/await patterns Service workers behave differently than regular scripts (persistent state, event-driven) Normalizing data from multiple APIs is harder than it looks Chrome storage APIs are simple but need TTL logic (no built-in expiry)
Product
Users don't want to copy-paste URLs; they want protection to just work Real-time protection (extension) is 10x more compelling than manual scanning (web app) Caching is underrated — users are happy to wait 1s first time, then instant after Privacy matters; showing "data stored locally only" builds trust
Hackathon
Demo > explanation (judges care about seeing it work, not hearing about it) Desktop-first for a projector demo is the right call Integration with real APIs early (not mocks) saves time later Modular backend design pays off (extension + web app both use same routes)
What's next for ScamAware Phase 2 (1-2 weeks)
File hash scanning — Compute file hashes, query VirusTotal for full malware detection Download activity log — Show user blocked files with timestamps Settings page — Whitelist trusted domains, configure risk level filtering, change API endpoint
Phase 3 (1 month)
Email plugin — Gmail/Outlook integration to flag suspicious emails in-app Phone number detection — Scan emails/messages for known scam numbers Daily digest — Optional email: "You were protected from 3 dangerous sites today" Community reporting — Users can report false positives, build crowdsourced data
Long-term Vision
Cross-device sync — Whitelist syncs across devices via chrome.storage.sync Screenshot preview — Show preview of dangerous site before visiting API marketplace — Let security researchers contribute threat feeds Offline mode — Work completely offline with local threat database Mobile app — Expand beyond Chrome to iOS/Android browsers
Business
Submit to Chrome Web Store (free, ad-free for MVP) Partner with security companies (VirusTotal, Cloudflare) for deeper integrations B2B version for enterprises (centralized policy, admin dashboard)
Bottom Line ScamAware proves that instant threat detection can be accessible, frictionless, and private. We're not trying to replace enterprise security — we're building the first line of defense for everyday users. By the time someone realizes they clicked a phishing link, ScamAware has already blocked it.
Built With
- fastapi
- javascript
- openai
- openapi
- react
Log in or sign up for Devpost to join the conversation.