15 reports indexed

Has anyone else been scammed by this sender?

Paste a phone number or email address. We search every report submitted to our SMS and email scanners and aggregate them into a single answer — verdict, dominant scam pattern, recent activity.

We search reports submitted by other MalwareTips users. Phones are normalised to E.164; emails to lower-case. Short codes and alphanumeric sender IDs aren't supported yet.

Real user reportsPhone + emailFree, no accountUpdated continuously
How it works

Real reports, not aggregator scrape.

Other reverse-lookup sites recycle stale spam-rep blocklists. Ours is built from MalwareTips users actively forwarding the suspicious messages they received — so the data is fresh, the scam-pattern classification is real, and every entry links back to the full forensic report.

Aggregated, not just stored

We tally reports per sender — verdict counts, scam-category breakdown, first/last sighting. The page reads like a scammer profile, not a database row.

AI-categorised at scan time

Every submitted message was already classified by our AI: package-fee scam, bank alert, IRS impersonation, romance opener, etc. The lookup just surfaces the dominant pattern.

Bodies redacted

Long digit runs, email addresses, and tokens in the message snippets get redacted before we render them. URLs stay visible because that's what other potential victims need to see.

Linked to full forensic reports

Each row links to the original /sms-scan or /email-scan report — full headers, AI verdict, deliverability checks, the whole pipeline. The lookup is the index; the reports are the depth.

Frequently asked

Quick answers.

Where does the data come from?
Every entry in the lookup is a real submission someone made to our SMS or email scanner. Nothing is scraped, bought, or aggregated from third-party blocklists. When you see '47 reports', that's 47 distinct people who took the time to forward a suspicious message to us.
Why isn't [number/email] in your database?
We only know about senders that someone has scanned. New scams take a few hours to a day to start showing up — and senders who only target a small group may never. If you got a suspicious message, scan it and become the first reporter; the next person looking up the same sender will see your finding.
What kinds of senders are supported?
Phone numbers in international (E.164) form: '+15551234567'. Bare 10-digit US numbers and common formats like '(555) 123-4567' are auto-normalised. Email addresses must be the standard 'user@domain.tld' shape. Short codes (5–6 digit numbers) and alphanumeric sender IDs ('CHASE', 'USPS-TXT') aren't supported yet — they're shared across many senders, both legitimate and impersonated, so a single lookup result would be misleading.
Are the message bodies stored verbatim?
We store a short body snippet for the recent-reports list. Before showing it on the lookup page we run a redaction pass that strips long digit runs (likely tracking numbers / OTPs / phones), email addresses, and bearer-token-shaped strings. URLs stay visible — they're what makes the report actionable. The full body lives in the per-scan report at /sms-scan/[hash], which is a separate (also public) page.
Can I have a sender removed from the lookup?
If you're the legitimate owner of a phone number or email that's been mis-reported, contact us through the MalwareTips forum. We can override individual scan rows with a 'safe' verdict, which immediately reflects on the lookup. We don't remove rows wholesale — the historical record matters when investigating coordinated campaigns.
How fresh is the data?
Each lookup is rebuilt every 10 minutes from the underlying scan tables. New submissions show up on their next rebuild. The CDN edge-caches result pages for 2 minutes with stale-while-revalidate, so traffic spikes don't hammer the database.

Got the message in front of you? Submit it.

Every scan you submit makes the next person's lookup more accurate. Free, no account, takes under a minute.