Is cms.gov legit or a scam?
Official U.S. federal government website for Medicare and Medicaid, registered since 2001 with a perfect security reputation.
Analysis Summary
No threats detected
All checks passed. This site appears legitimate — but always stay alert for phishing even on trusted domains.
Website Preview

Automated page render — captured in a safe sandbox. What an ordinary visitor would see when loading the site.
MT Intelligence
The domain is a verified .gov address, which is strictly reserved for U.S. government entities. Our analysis shows it has been active for over 24 years and is managed by the Department of Health and Human Services. All security signals are positive, including valid SSL encryption and a clean record across our antivirus network. While the agency frequently warns about third-party scammers impersonating them via fax or email, the website itself is the authoritative and secure source for these federal programs.
Web Research Findings
Our live research agent queries scam-report databases, consumer-review sites, news coverage, and general web search for cms.gov, then cross-checks business-registration records and look-alike domain patterns. Everything below is pulled from what it actually found.
- cms.gov is the official website of the Centers for Medicare & Medicaid Services (CMS), a U.S. federal agency within HHS that administers Medicare, Medicaid, CHIP, and related programs.
- Domain registered on 2001-06-20 (over 24 years old), expires 2026-09-15; managed as a .gov domain by the U.S. government.
- CMS actively publishes alerts about scams impersonating the agency (e.g., phishing faxes claiming to be Medicare audits) and runs fraud prevention initiatives like "Crushing Fraud, Waste, & Abuse".
- A 2025 data incident involved bad actors fraudulently creating Medicare.gov accounts using stolen beneficiary data from external sources; CMS notified affected individuals and deactivated accounts.
- Multiple independent sources (USA.gov, GoHealth, Reddit users) confirm cms.gov as the legitimate official government site; occasional user confusion with emails from related CMS systems.
- Address: 7500 Security Boulevard, Baltimore, MD 21244; official X account @CMSGov; no consumer scam reports or negative reviews found on major platforms.
- Site includes extensive resources on provider enrollment, coverage, data, and fraud reporting (e.g., 1-800-MEDICARE).
- Reddit (r/Scams)open
"Has anyone received this email? Seems like a scam but if lookup @cms.gov goes to a Medicare enrollment page."
- CMS.govopen
"CMS has identified a fraud scheme targeting Medicare providers and suppliers. Scammers are impersonating CMS and sending phishing fax requests for medical records"
- USA.govopen
"The Centers for Medicare and Medicaid Services (CMS) provides health coverage to more than 100 million people through Medicare, Medicaid, the Children's Health"
- GoHealthopen
"CMS.gov is the official government website for the Centers for Medicare and Medicaid Services. It gives you up-to-date information about Medicare, Medicaid, CHIP and other CMS initiatives."
- eHealth Insuranceopen
"A “.gov” web address indicates the web presence of a government entity. CMS.gov is the official website of the Centers for Medicare & Medicaid"
U.S. federal government agency (Centers for Medicare & Medicaid Services) under the Department of Health and Human Services (HHS); official .gov domain registered since 2001
Antivirus Engines
Security Scans
Checked against the major public blocklists used by browsers and security tools — no hits.
Contact Verification
We fetched the page and looked for real-world contact details. Legitimate businesses almost always publish an email on their own domain, a phone number, and a postal address. Scam shops usually don't.
- No contact email found anywhere on the page.
- No phone number listed on the page.
- Postal address visible on the page.
- Links to 5 social profiles.
Domain & Encryption
Redirect Chain
- 1301http://cms.gov/
- 2301https://cms.gov/
- 3200https://www.cms.gov/cross-domain
Server Reputation
Still, stay alert
No major threat indicators — but a clean scan does not guarantee every page is safe, and phishing emails routinely spoof real domains.
- Double-check the exact URL in your address bar
Confirm you are actually on cms.gov and not a lookalike like c-ms.gov.com or an IDN homoglyph.
- Use a password manager
Password managers only auto-fill on the exact domain they were saved for — they refuse to fill lookalike domains, which is the single best phishing defence.
- OpenDiscuss this site on the forum
If you have first-hand experience with this site — good or bad — share it with the MalwareTips community.
Reputation Sources
How this domain rates across independent threat-intelligence and blocklist providers.
Referenced Domains
Outbound domains this page links to or loads resources from. Each links to its own security scan.
Safety FAQ
Common questions about this site, answered directly from the scan data above — so the answers always reflect the latest verdict on this page.
- Our automated security review found no threat indicators on cms.gov. The site appears legitimate based on the signals we checked, but always stay alert for phishing emails that spoof real domains.
- cms.gov passed our automated security checks with a trust score of 97/100. No antivirus engines or major blacklists flagged the site at the time of the last scan.
- Yes. cms.gov presents a valid TLSv1.3 certificate issued by DigiCert Inc · GeoTrust TLS RSA CA G1, expiring in 165 days. Note that SSL only encrypts the connection — it does not guarantee that the site itself is trustworthy.
- cms.gov is 25.0 years old, registered on 6/20/2001 through get.gov. Scam domains are often freshly registered — a site under 6 months old warrants extra caution.
- No. All 92 antivirus engines in our malware network report cms.gov as clean.
- No. cms.gov is not currently listed on the major browser blocklist feeds that modern browsers use.
- cms.gov resolves to an IP operated by Akamai Technologies, Inc. in US (usage type: Data Center/Web Hosting/Transit). Hosting location alone doesn't make a site good or bad, but unusual geography for a brand's claimed country is one of many signals we weigh.
- Yes. cms.gov sits in the global top-100k on Cloudflare Radar, which means it has substantial real-world traffic. That does not automatically make it safe, but established brands almost always rank here and throwaway scam domains almost never do.
User reviews & comments(0)
Share your experience — "Lost $200 on a fake checkout" is more useful than "Scam". Your review helps others avoid traps.