The email says it comes from the bank you've trusted for twenty years. The domain behind the link was registered last Tuesday. I have a soft spot for this mismatch: it's one of the loudest warning signs in phishing, and one of the easiest to check yourself. Let's see how.
Why are scam domains usually days old?
Phishing sites live fast and die young. A typical campaign registers a fresh domain, sends its emails within days, gets reported and added to blocklists (the shared lists of known dangerous sites that browsers and security tools check), and then abandons the domain and registers a new one.
That churn is routine for scammers, and it leaves a fingerprint you can read: the domain behind a phishing email is very often brand new. Not always. But often enough that checking its age is worth thirty seconds of your time.
Now flip it around. Real institutions keep their domains for decades. If an email claims a long relationship with you, but the domain it points to was born this month, the story and the paperwork disagree.
WHOIS: the public record of a domain's birthday
Every registered domain has a WHOIS record: a public registration file kept by registrars, the companies that sell domain names. It records which registrar sold the domain and, crucially, three dates: when it was created, when it was last updated, and when it expires.
The creation date is the field that matters here, because a registrant can't backdate it. A scammer can copy a bank's logo, clone its login page, and forge the sender name on an email. What they can't do is make a domain registered on Monday look ten years old. 🤓
What does IP Tracker show you?
Paste the suspicious domain (or the full sender email address; the extension extracts the domain for you) into the IP Tracker popup. It fetches the WHOIS record and shows the creation date alongside its other checks.
If another check has already raised a warning banner and the domain is under roughly 90 days old, the banner adds a line: "Registered N days ago." Age is deliberately a corroborating signal: supporting evidence for a warning that already exists, never a warning on its own. Plenty of honest domains are young too: new businesses, product launches, event sites, rebrands.
Age gets loud when it shows up next to a lookalike spelling:
- paypal.com: the brand's registered domain, in use since the late 1990s
- paypa1.com: the lowercase "l" is really the number 1; a domain like this is typically days old
The swap above is visible once you know to look. Some aren't: a capital "I" standing in for a lowercase "l" looks identical in most fonts. That's why IP Tracker normalizes the characters before comparing, instead of trusting your eyes. The comparison runs against a bundled list of roughly 100 widely impersonated brands (banks, payment services, big tech, shipping, government sites), so a lookalike of a brand outside that list won't be named.
When the amber banner names a spelling trick and adds "Registered 4 days ago" underneath, you're looking at the classic phishing pattern: a throwaway domain dressed up as a brand.
How do you read age next to other signals?
Age never stands alone. Here is how the combinations tend to read:
| What you see | How to read it |
|---|---|
| Young domain + lookalike spelling | Walk away. A fresh registration wearing a brand's name is the classic phishing pattern. |
| Young domain + a claim of long history ("your bank of 20 years") | Strong caution. The claimed identity and the public record disagree. |
| Young domain, nothing else unusual | Just a data point. New businesses, product launches, and event sites are young too. |
| Old domain | Not automatically safe. Established domains get hijacked, and scammers sometimes buy aged domains precisely because they look trustworthy. |
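To make the combination logic concrete, here is an added sketch (not IP Tracker's code) that folds lookalike characters, reads the creation date from a WHOIS record, and appends the age line only when a warning already exists. The three-entry brand list, the character map, the WHOIS text, and the "Lookalike of" wording are all constructed assumptions.

```javascript
// Added example; constructed data, not IP Tracker's code.
const BRANDS = ["paypal.com", "google.com", "amazon.com"]; // constructed sample list
const FOLD = { "0": "o", "1": "l", "i": "l" };             // assumed confusable map
const YOUNG_DAYS = 90;                                      // the page's rough threshold

// Constructed WHOIS text. Real records vary by registry, so a missing or
// unparseable date must be handled rather than treated as "old".
const SAMPLE_WHOIS = [
  "Domain Name: PAYPA1.COM",
  "Registrar: Example Registrar, Inc.",
  "Creation Date: 2025-06-10T09:14:00Z",
  "Registry Expiry Date: 2026-06-10T09:14:00Z",
].join("\n");

// Fold look-alike characters on both sides of the comparison.
function skeleton(name) {
  return [...name.toLowerCase()].map((c) => FOLD[c] ?? c).join("");
}

// Whole days since the WHOIS creation date, or null when it cannot be read.
function ageInDays(whoisText, now) {
  const m = /^\s*Creation Date:\s*(\S+)/im.exec(whoisText);
  const created = m ? Date.parse(m[1]) : NaN;
  return Number.isNaN(created) ? null : Math.floor((now - created) / 86400000);
}

function assess(input, whoisText, now) {
  const name = input.trim().split("@").pop().toLowerCase(); // accepts a sender address
  const lookalikeOf = BRANDS.includes(name)
    ? null // the brand's own domain is not a lookalike of itself
    : BRANDS.find((b) => skeleton(b) === skeleton(name)) ?? null;
  const age = ageInDays(whoisText, now);
  const lines = [];
  if (lookalikeOf) lines.push(`Lookalike of ${lookalikeOf}`); // hypothetical wording
  // Age corroborates only: appended to an existing warning, never shown alone.
  if (lines.length > 0 && age !== null && age < YOUNG_DAYS) {
    lines.push(`Registered ${age} days ago.`);
  }
  return { lookalikeOf, age, lines };
}

const NOW = new Date("2025-06-14T12:00:00Z"); // fixed clock for a repeatable result
console.log(assess("billing@paypa1.com", SAMPLE_WHOIS, NOW));
```

A young domain with no other warning returns its age but an empty `lines` array, which matches the "just a data point" row of the table.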
How to check a domain's age
- Copy, don't click. Select the domain from the link, or the full sender address from the email, without clicking anything.
- Paste it into IP Tracker. If you paste an email address, the extension pulls out the sender's domain automatically.
- Read the creation date in the WHOIS section. If other checks have raised a warning and the domain is under about 90 days old, the banner also shows a "Registered N days ago" line.
- Compare the age with the claimed identity. An email from "your long-time bank" pointing at an 11-day-old domain is a story that doesn't hold together.
- Weigh it with the other signals: lookalike warnings, Google Safe Browsing (Google's list of known dangerous sites), security-vendor verdicts, and community abuse reports. Age corroborates; it doesn't decide.
Age is context, not a verdict
Young doesn't mean guilty. Honest domains are registered every day, and a new bakery's website deserves the benefit of the doubt that a fake bank login page doesn't. Let's not demonize young domains; let's just read them in context.
Old doesn't mean innocent, either. Established domains get compromised, and aged domains change hands. A respectable birthday is not a character reference.
There's one more reason the creation date earns its place among the checks: blocklists lag. Google Safe Browsing is good, but a phishing site registered this week often hasn't been reported anywhere yet. The creation date is visible from day one, before any blocklist catches up.
To summarize:
- ✓ Copy the domain; don't click it.
- ✓ Check the WHOIS creation date.
- ✓ Compare the age with the story the email tells.
- ✓ Young + lookalike = walk away.
- ✓ Old is not innocent; young is not guilty. Context decides.
Happy checking! 😉