The email says it comes from the bank you've trusted for twenty years. The domain behind the link was registered last Tuesday. I have a soft spot for this mismatch: it's one of the loudest warning signs in phishing, and one of the easiest to check yourself. Let's see how.

Why are scam domains usually days old?

Phishing sites live fast and die young. A typical campaign registers a fresh domain, sends its emails within days, gets reported and added to blocklists (the shared lists of known dangerous sites that browsers and security tools check), and then abandons the domain and registers a new one.

That churn is routine for scammers, and it leaves a fingerprint you can read: the domain behind a phishing email is very often brand new. Not always. But often enough that checking its age is worth thirty seconds of your time.

Now flip it around. Real institutions keep their domains for decades. If an email claims a long relationship with you, but the domain it points to was born this month, the story and the paperwork disagree.

WHOIS: the public record of a domain's birthday

Every registered domain has a WHOIS record: a public registration file kept by registrars, the companies that sell domain names. It records which registrar sold the domain and, crucially, three dates: when it was created, when it was last updated, and when it expires.

The creation date is the field that matters here, because a registrant can't backdate it. A scammer can copy a bank's logo, clone its login page, and forge the sender name on an email. What they can't do is make a domain registered on Monday look ten years old. 🤓

Privacy rules mean the owner's name and contact details in WHOIS are often hidden. The dates usually aren't: creation, last update, and expiry stay visible even on redacted records.
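Here is how those dates can be pulled out of a redacted record and turned into an age in days. This is an added example, not IP Tracker's own code; the label list and the sample record are constructed assumptions.

```javascript
// Field labels vary between registries. This short list is an assumption, not exhaustive.
const LABELS = {
  created: ["creation date", "created"],
  updated: ["updated date", "last updated"],
  expires: ["registry expiry date", "expiry date"],
};

// Read "Label: value" lines and return the three dates.
// A field stays null when it is missing or its value is not a parseable date.
function parseWhoisDates(text) {
  const out = { created: null, updated: null, expires: null };
  for (const line of text.split(/\r?\n/)) {
    const idx = line.indexOf(":"); // first colon only, so timestamps stay intact
    if (idx < 0) continue;
    const label = line.slice(0, idx).trim().toLowerCase();
    const value = line.slice(idx + 1).trim();
    for (const [field, names] of Object.entries(LABELS)) {
      if (out[field] === null && names.includes(label)) {
        const d = new Date(value);
        if (!Number.isNaN(d.getTime())) out[field] = d;
      }
    }
  }
  return out;
}

// Whole days between the creation date and "now".
function ageInDays(created, now) {
  return Math.floor((now.getTime() - created.getTime()) / 86400000);
}

// Constructed sample: owner details redacted, dates still visible.
const SAMPLE = [
  "Domain Name: EXAMPLE-LOGIN.TEST",
  "Creation Date: 2024-05-07T09:12:44Z",
  "Updated Date: 2024-05-07T09:12:45Z",
  "Registry Expiry Date: 2025-05-07T09:12:44Z",
  "Registrar: Example Registrar, Inc.",
  "Registrant Name: REDACTED FOR PRIVACY",
  "Registrant Email: REDACTED FOR PRIVACY",
].join("\n");
```

Registries that print dates in a non-ISO format need their own parsing step; here such a value is simply left as null rather than guessed.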

What does IP Tracker show you?

Paste the suspicious domain (or the full sender email address; the extension extracts the domain for you) into the IP Tracker popup. It fetches the WHOIS record and shows the creation date alongside its other checks.

If another check has already raised a warning banner and the domain is under roughly 90 days old, the banner adds a line: "Registered N days ago." Age is deliberately a corroborating signal: supporting evidence for a warning that already exists, never a warning on its own. Plenty of honest domains are young too: new businesses, product launches, event sites, rebrands.

Age gets loud when it shows up next to a lookalike spelling:

Real | paypal.com | the brand's registered domain, in use since the late 1990s
Fake | paypa1.com | the lowercase "l" is really the number 1; a domain like this is typically days old

The swap above is visible once you know to look. Some aren't: a capital "I" standing in for a lowercase "l" looks identical in most fonts. That's why IP Tracker normalizes the characters before comparing, instead of trusting your eyes. The comparison runs against a bundled list of roughly 100 widely impersonated brands (banks, payment services, big tech, shipping, government sites), so a lookalike of a brand outside that list won't be named.

When the amber banner names a spelling trick and adds "Registered 4 days ago" underneath, you're looking at the classic phishing pattern: a throwaway domain dressed up as a brand.
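The logic described above, normalizing characters before comparing and letting age only add to a warning that already exists, can be written like this. It is an added example, not IP Tracker's own code: the two-entry brand list, the confusable map and the wording of the first banner line are assumptions made for illustration.

```javascript
// Constructed stand-in for the bundled brand list (the real list is not shown here).
const BRANDS = ["paypal.com", "example-bank.com"];

// Assumed confusable map: digits and capitals that imitate lowercase letters.
const CONFUSABLES = { "0": "o", "1": "l", "I": "l", "3": "e", "5": "s" };

// Reduce a domain to a comparison form. Confusables are mapped BEFORE
// lowercasing, so a capital "I" becomes "l" instead of turning into "i".
function skeleton(domain) {
  return [...domain].map((c) => CONFUSABLES[c] ?? c).join("").toLowerCase();
}

// Return the brand a domain imitates, or null if it is the brand or matches nothing.
function lookalikeOf(domain) {
  if (BRANDS.includes(domain.toLowerCase())) return null; // the genuine domain
  const s = skeleton(domain);
  return BRANDS.find((b) => skeleton(b) === s) ?? null;
}

const YOUNG_DAYS = 90; // "roughly 90 days", per the article

// Build the banner lines. Age is corroborating only: with no lookalike
// warning there is no banner, however young the domain is.
function banner(domain, ageDays) {
  const brand = lookalikeOf(domain);
  if (brand === null) return null;
  const lines = [`Spelling imitates ${brand}`]; // illustrative wording
  if (ageDays !== null && ageDays < YOUNG_DAYS) {
    lines.push(`Registered ${ageDays} days ago`);
  }
  return lines;
}
```

A lookalike of a brand missing from `BRANDS` returns null here, which is the same blind spot the article describes for brands outside the bundled list.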

How do you read age next to other signals?

Age never stands alone. Here is how the combinations tend to read:

| What you see | How to read it |
| --- | --- |
| Young domain + lookalike spelling | Walk away. A fresh registration wearing a brand's name is the classic phishing pattern. |
| Young domain + a claim of long history ("your bank of 20 years") | Strong caution. The claimed identity and the public record disagree. |
| Young domain, nothing else unusual | Just a data point. New businesses, product launches, and event sites are young too. |
| Old domain | Not automatically safe. Established domains get hijacked, and scammers sometimes buy aged domains precisely because they look trustworthy. |

How to check a domain's age

  1. Copy, don't click. Select the domain from the link, or the full sender address from the email, without clicking anything.
  2. Paste it into IP Tracker. If you paste an email address, the extension pulls out the sender's domain automatically.
  3. Read the creation date in the WHOIS section. If other checks have raised a warning and the domain is under about 90 days old, the banner also shows a "Registered N days ago" line.
  4. Compare the age with the claimed identity. An email from "your long-time bank" pointing at an 11-day-old domain is a story that doesn't hold together.
  5. Weigh it with the other signals: lookalike warnings, Google Safe Browsing (Google's list of known dangerous sites), security-vendor verdicts, and community abuse reports. Age corroborates; it doesn't decide.

Age is context, not a verdict

Young doesn't mean guilty. Honest domains are registered every day, and a new bakery's website deserves the benefit of the doubt that a fake bank login page doesn't. Let's not demonize young domains; let's just read them in context.

Old doesn't mean innocent, either. Established domains get compromised, and aged domains change hands. A respectable birthday is not a character reference.

There's one more reason the creation date earns its place among the checks: blocklists lag. Google Safe Browsing is good, but a phishing site registered this week often hasn't been reported anywhere yet. The creation date is visible from day one, before any blocklist catches up.

A quiet result is not a clean bill of health. IP Tracker flags what it can see and names the tricks it recognizes. It can't click for you, and it won't promise a site is safe. "Not flagged" is not the same as "safe."

To summarize:

Happy checking! 😉