Inspiration

Scams do not look fake anymore. That was the realization that started ScamShield.

Modern phishing pages copy PayPal, Netflix, Apple, and Chase down to the pixel. They use urgent language engineered to make you panic and act before you think. Most people do not get tricked because they are careless; they get tricked because the page was deliberately designed to feel trustworthy under pressure, in the few seconds before doubt kicks in.

Existing protection is often too late, too buried in settings, or too technical to help the people who need it most: students, older adults, families, anyone who is not a security professional. We wanted to build something that intervenes at the moment of decision, not after the password is already gone, not in a weekly security report, but right now, in the browser, before the click.

What It Does

ScamShield is a Chrome extension that acts as a real-time trust layer for every page you visit.

The moment a page loads, it extracts signals from the URL, visible text, outbound links, forms, iframes, script behavior, and metadata. A local heuristic engine scores those signals immediately - before any network call, so users see a verdict within milliseconds.

The scoring model works like this:

$$ \text{risk score} = \min\left(100, \sum \text{signal weights}\right) $$

Each signal carries a weight based on how strongly it correlates with scam behavior. Suspicious TLDs, brand impersonation in the domain, urgency language, requests for passwords or seed phrases, cross-origin forms, hidden iframes, right-click blocking, and obfuscated scripts all contribute. The score determines what the user sees:

Safety scores

  • Score ≥ 70: nothing shown, page is clean
  • Score 30–69: a non-blocking warning banner appears with the top reasons and an AI explanation
  • Score ≤ 30: the page is fully blocked, the user cannot interact with anything until they go back or explicitly choose to proceed
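As an added example (not ScamShield's own code), here is a small scorer in the shape the section describes: independent signal checks, a risk score of min(100, sum of weights), and the top three reasons for the warning UI. The signal weights, word lists, the two-label stand-in for the registrable domain and the sample page contexts are all assumptions constructed for illustration.

```javascript
const SUSPICIOUS_TLDS = new Set(["xyz", "top", "click"]); // assumed list
const BRANDS = ["paypal", "netflix", "apple", "chase"];
const URGENCY = /\b(urgent|immediately|suspended|act now)\b/i;
const CREDENTIALS = /\b(password|seed phrase|recovery phrase)\b/i;
const hostOf = (u) => new URL(u).hostname.toLowerCase();

// Each check inspects the page context and returns { weight, reason } or null.
// Weights are illustrative, not ScamShield's calibrated values.
const SIGNALS = [
  function suspiciousTld(ctx) {
    const tld = hostOf(ctx.url).split(".").pop();
    return SUSPICIOUS_TLDS.has(tld) ? { weight: 25, reason: `suspicious TLD .${tld}` } : null;
  },
  function brandImpersonation(ctx) {
    const host = hostOf(ctx.url);
    // Simplification: the last two labels stand in for the registrable domain.
    const registrable = host.split(".").slice(-2).join(".");
    const brand = BRANDS.find((b) => host.includes(b) && registrable !== `${b}.com`);
    return brand ? { weight: 40, reason: `domain impersonates ${brand}` } : null;
  },
  function urgencyLanguage(ctx) {
    return URGENCY.test(ctx.text) ? { weight: 15, reason: "urgency language" } : null;
  },
  function credentialRequest(ctx) {
    return CREDENTIALS.test(ctx.text) ? { weight: 20, reason: "asks for a password or seed phrase" } : null;
  },
  function crossOriginForm(ctx) {
    const pageHost = hostOf(ctx.url);
    const foreign = ctx.formActions.map(hostOf).find((h) => h !== pageHost);
    return foreign ? { weight: 25, reason: `form posts to ${foreign}` } : null;
  },
];

// risk score = min(100, sum of signal weights); reasons are the top three by weight.
function scorePage(ctx) {
  const hits = SIGNALS.map((check) => check(ctx)).filter(Boolean);
  const score = Math.min(100, hits.reduce((sum, s) => sum + s.weight, 0));
  const reasons = [...hits].sort((a, b) => b.weight - a.weight).slice(0, 3).map((s) => s.reason);
  return { score, reasons };
}

// Constructed sample contexts (not real pages).
const PHISH = {
  url: "https://paypal-secure-login.xyz/verify",
  text: "Your account has been suspended. Confirm your password immediately.",
  formActions: ["https://collector.example/post"],
};
const REAL = { url: "https://www.paypal.com/signin", text: "Log in to your account", formActions: ["https://www.paypal.com/signin"] };
console.log(scorePage(PHISH), scorePage(REAL)); // { score: 100, reasons: [...] } and { score: 0, reasons: [] }
```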

For outbound links, the click interceptor checks every link before navigation happens. If a link scores dangerously, the extension blocks the click, fetches a preview of the destination page in the background, and shows the user what is on the other side before they ever leave.

The AI layer translates heuristic findings into plain English - not just "suspicious TLD detected" but "this domain is pretending to be PayPal but is hosted on a .xyz address with no connection to the real company." That combination of fast detection plus human-readable explanation was the core product goal, because people act on explanations, not just scores.

We also built a companion website where users can paste text conversations, upload screenshots, or drop in a PDF and get a full scam analysis report with indicators, prevention tips, similar scam types, and a recommended action.

How We Built It

The extension uses Chrome Manifest V3 architecture. A content script runs on every page and collects context - URL, title, visible text via a TreeWalker, metadata, and up to 80 outbound links. That context travels via the Chrome runtime message bus to a background service worker, which runs the heuristic pipeline and manages state per tab.

The scoring engine is a plain ES module with four signal categories: domain checks, text checks, link checks, and meta checks. It runs entirely locally so the first warning always appears before any external call completes.

The AI explanation is non-blocking. Heuristic results go to the content script immediately. The AI call runs in parallel behind a hard 4-second Promise.race timeout. If it resolves in time, the warning UI updates in place with the full explanation including scam type, risk location, prevention tips, and recommended action. If it times out or fails, the user still sees the score, verdict, and top three heuristic reasons. The product never goes blank.
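As an added example (not ScamShield's own code), this is the handoff the paragraph describes: the heuristic view is returned immediately, the AI call runs in parallel under a hard Promise.race timeout, and a timeout or failure falls back to the score, verdict and top three reasons. The `explainFn` callback, the `fakeAi` stand-in and the sample heuristic result are assumptions constructed for illustration.

```javascript
const AI_TIMEOUT_MS = 4000; // the hard budget the section describes

// Reject if `promise` does not settle within `ms`; the timer is always cleared.
function withTimeout(promise, ms) {
  let timer;
  const timeout = new Promise((_, reject) => {
    timer = setTimeout(() => reject(new Error("ai-timeout")), ms);
  });
  return Promise.race([promise, timeout]).finally(() => clearTimeout(timer));
}

// Returns the heuristic view at once (`base`) plus a promise (`enriched`) that
// resolves to the AI-enriched view, or to `base` again on timeout or failure.
// explainFn is an assumed callback that sends the heuristics to the AI backend.
function buildWarning(heuristic, explainFn, timeoutMs = AI_TIMEOUT_MS) {
  const base = {
    score: heuristic.score,
    verdict: heuristic.verdict,
    reasons: heuristic.reasons.slice(0, 3), // top three heuristic reasons
    explanation: null,
  };
  const enriched = withTimeout(Promise.resolve().then(() => explainFn(heuristic)), timeoutMs)
    .then((ai) => ({ ...base, explanation: ai }))
    .catch(() => base); // never go blank: keep score, verdict and reasons
  return { base, enriched };
}

// Constructed stand-in for the AI call: resolves with `result` after `delayMs`.
const fakeAi = (delayMs, result) => () =>
  new Promise((resolve) => setTimeout(() => resolve(result), delayMs));

// Constructed heuristic output with four reasons, so the slice to three is visible.
const HEURISTIC = {
  score: 45,
  verdict: "warn",
  reasons: ["domain impersonates paypal", "suspicious TLD .xyz", "form posts to collector.example", "urgency language"],
};

// Demo: an AI that needs 300 ms against a 50 ms budget leaves the heuristic view in place.
buildWarning(HEURISTIC, fakeAi(300, { scamType: "credential phishing" }), 50)
  .enriched.then((view) => console.log(view.explanation)); // null
```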

For the website, users can submit text, images, or PDFs. The backend runs the same heuristic logic and passes the results to the AI layer, which returns a structured report covering what type of scam it likely is, where the risk is, how the technique works psychologically, and what to do right now.

Challenges We Faced

The async prevention problem was the hardest early bug. Chrome content scripts cannot call e.preventDefault() inside an async callback - by the time a storage read resolves, the browser has already started navigating. The fix was maintaining a synchronous in-memory localRiskMap cache so the click interceptor can make a blocking decision in the same event tick as the click, with storage as a mirror rather than the source of truth.
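As an added example (not ScamShield's own code), this shows the fix the paragraph describes: verdicts live in a synchronous in-memory `localRiskMap`, so the click interceptor can call `preventDefault()` in the same event tick, while storage is written as a mirror and never awaited on the click path. The `storageArea` parameter, the verdict shape `{ dangerous, reasons }` and the `fakeClickEvent` helper are assumptions so the code runs outside the browser.

```javascript
// In-memory verdict cache keyed by hostname: the source of truth on the click path.
const localRiskMap = new Map();

// Called when the background worker reports a verdict for a host (for example from
// a runtime.onMessage listener). storageArea is an assumed injectable stand-in for
// chrome.storage.local; it is mirrored fire-and-forget, never awaited.
function recordRisk(hostname, verdict, storageArea = null) {
  localRiskMap.set(hostname, verdict); // memory first, synchronously
  if (storageArea) Promise.resolve(storageArea.set({ [hostname]: verdict })).catch(() => {});
}

function hostnameOf(href) {
  try { return new URL(href).hostname; } catch { return null; }
}

// Synchronous click decision; returns true when navigation was blocked.
// The broken shape this replaces was roughly:
//   async (e) => { const v = await storage.get(host); if (v.dangerous) e.preventDefault(); }
// By the time the await resolves the browser is already navigating, so
// preventDefault() no longer has any effect.
function interceptClick(event, href, onBlocked) {
  const host = hostnameOf(href);
  const verdict = host ? localRiskMap.get(host) : undefined;
  if (!verdict || !verdict.dangerous) return false; // unscored or acceptable: let it through
  event.preventDefault();  // same tick as the click, so it still counts
  event.stopPropagation();
  onBlocked(href, verdict); // preview fetch and warning UI start after the decision
  return true;
}

// Constructed event stand-in with the two methods the interceptor uses.
function fakeClickEvent() {
  return { prevented: false, preventDefault() { this.prevented = true; }, stopPropagation() {} };
}
```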

Extension context invalidation was another wall. When a user reloads the extension while a page is open, the content script keeps running but chrome.runtime disappears entirely. Every API call starts throwing. We built a full deactivation system with startup guards, a safelyRunChromeApi wrapper, and graceful teardown of the MutationObserver and debounce timers.
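As an added example (not ScamShield's own code), here is one way to build the deactivation system the paragraph names: a liveness check on `chrome.runtime.id`, a `safelyRunChromeApi` wrapper that returns a fallback instead of throwing, and a one-shot teardown that runs registered cleanups (observer disconnects, timer clears). The function names, the `onDeactivate` registry and the fake `chrome` object used in the demo are assumptions.

```javascript
let active = true;   // flips to false exactly once, when the context is gone
const cleanups = []; // teardown callbacks: observer.disconnect, clearTimeout, ...

// After the extension is reloaded under a still-running content script,
// chrome.runtime.id reads as undefined (or accessing chrome.runtime throws).
function isContextAlive() {
  try { return Boolean(globalThis.chrome?.runtime?.id); } catch { return false; }
}

// Register a cleanup to run on teardown, e.g. () => observer.disconnect().
function onDeactivate(fn) { cleanups.push(fn); }

function deactivate() {
  if (!active) return;
  active = false;
  for (const fn of cleanups.splice(0)) { try { fn(); } catch { /* best effort */ } }
}

// Runs fn(chrome) only while the context is alive; returns `fallback` otherwise.
// An "Extension context invalidated" error thrown from inside fn also tears down.
function safelyRunChromeApi(fn, fallback = undefined) {
  if (!active || !isContextAlive()) { deactivate(); return fallback; }
  try {
    return fn(globalThis.chrome);
  } catch (err) {
    if (/context invalidated/i.test(String(err && err.message))) deactivate();
    return fallback;
  }
}

function isActive() { return active; }

// Startup guard: a content script that finds no live context should do nothing at all.
function startup(installObservers) {
  if (!isContextAlive()) { deactivate(); return false; }
  installObservers(onDeactivate);
  return true;
}
```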

CORS hit us on the destination page fetch feature. Most real websites block cross-origin requests from service workers. We handled this with a two-attempt pattern: normal fetch first, fall back to mode: "no-cors", and if the response is opaque, skip the destination summary and continue with URL-only heuristics rather than blocking the user waiting on a fetch that will never succeed.
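As an added example (not ScamShield's own code), this is the two-attempt pattern from the paragraph: a normal fetch, then a `mode: "no-cors"` retry, and an opaque response reported as "no summary" so the caller can continue with URL-only heuristics instead of blocking. The injectable `fetchImpl`, the timeout budget and the fake fetch stand-ins are assumptions so the flow runs offline.

```javascript
// Attempt 1 is a normal fetch; Chrome rejects it on a CORS failure. Attempt 2 uses
// mode: "no-cors", which usually succeeds but yields an opaque response with an
// unreadable body. fetchImpl defaults to the global fetch.
async function fetchDestinationPreview(url, fetchImpl = globalThis.fetch, timeoutMs = 3000) {
  const controller = new AbortController();
  const timer = setTimeout(() => controller.abort(), timeoutMs);
  try {
    let res;
    try {
      res = await fetchImpl(url, { signal: controller.signal, redirect: "follow" });
    } catch (err) {
      if (err.name === "AbortError") throw err;
      res = await fetchImpl(url, { mode: "no-cors", signal: controller.signal });
    }
    if (res.type === "opaque") return { available: false, reason: "opaque-response" };
    if (!res.ok) return { available: false, reason: `http-${res.status}` };
    const html = await res.text();
    return {
      available: true,
      title: titleOf(html),
      hasPasswordField: /<input[^>]+type=["']?password/i.test(html),
    };
  } catch (err) {
    return { available: false, reason: err.name === "AbortError" ? "timeout" : "network-error" };
  } finally {
    clearTimeout(timer);
  }
}

function titleOf(html) {
  const m = html.match(/<title[^>]*>([^<]*)<\/title>/i);
  return m ? m[1].trim() : "";
}

// Constructed fetch stand-ins. corsBlockedFetch rejects the normal attempt the way
// Chrome does on a CORS failure, then answers the no-cors retry with an opaque response.
function corsBlockedFetch(calls) {
  return async (_url, init = {}) => {
    calls.push(init.mode || "cors");
    if (init.mode !== "no-cors") throw new TypeError("Failed to fetch");
    return { type: "opaque", ok: false, status: 0, text: async () => "" };
  };
}
const openFetch = async () => ({
  type: "basic", ok: true, status: 200,
  text: async () => "<html><head><title>Verify your account</title></head><body><input type=\"password\"></body></html>",
});
```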

Balancing speed, accuracy, and clarity ran underneath every decision. Warnings need to appear fast enough to be useful, clear enough for non-technical users to act on, and calibrated carefully enough to avoid false positives that train users to ignore them.

What We Learned

AI is most useful here as an interpreter, not the primary detector. Heuristics are fast, deterministic, and explainable. AI turns those findings into something a non-technical user can actually act on. Getting the handoff right, showing heuristic results instantly while the AI catches up in the background, was the core product insight.

Security UX is its own discipline. A warning that causes panic is almost as bad as no warning at all. The language, timing, and design of how you communicate risk determine whether people actually change behavior.

And building a browser security product means understanding the full stack of Chrome extension constraints: content script isolation, service worker lifecycle, storage scoping, message passing, and permission boundaries. There are a lot of moving parts, and they interact in non-obvious ways.

Most importantly, a good security product is not just about catching threats. It is about helping users understand what is happening and giving them the confidence to make safer decisions in real time.

What's Next

  • Add optional rendered-page verification for JavaScript-heavy sites
  • Use Firecrawl or JigsawStack to inspect React/SPA pages more deeply after the local scan
  • Improve confidence on pages where static DOM signals are limited or delayed
  • Detect hidden routes, dynamic content, and client-rendered phishing flows more reliably
  • Keep this as a secondary enrichment layer so the core extension remains fast, local, and dependable

We see ScamShield as the beginning of a real-time trust layer for the browser. The most dangerous scams are the ones that look completely normal - and that is exactly the problem we are building to solve.
