You've probably met the full-screen red warning in Chrome at least once. Mine caught me on a "parcel tracking" link, and I was grateful for it. That screen comes from Google Safe Browsing, a list of confirmed dangerous sites. It's a strong signal when it appears. The more interesting question is what it misses when it doesn't. Let's figure it out.
What is Safe Browsing, actually?
Google Safe Browsing is a blocklist: a constantly updated list of web addresses that Google's automated scanners and user reports have confirmed as dangerous. When you try to open a listed site, Chrome (along with several other browsers that use the same list) shows the red screen before the page loads.
Sites end up on the list for three main reasons, in plain words:
- Social engineering, the technical name for phishing: a page pretending to be your bank, email provider, or a delivery company so you'll type in a password or card number.
- Malware: software that damages your device or steals data once it gets on there.
- Unwanted software: downloads that do things you didn't agree to, like changing your browser settings or bundling extra programs.
To get on the list, a site generally has to be found first: by Google's crawlers, by security researchers, or by people reporting it. That word "found" is where the catch lives.
The catch: brand-new sites aren't on the list yet
Phishing campaigns move fast on purpose. The well-known pattern: register a domain in the morning, send the emails at midday, collect passwords in the afternoon, abandon the domain within days.
Google's scanners are good, but no scanner can confirm a site is dangerous before anyone has found it. A phishing page registered this morning and mailed out at lunchtime may not be flagged for hours, sometimes days. That gap is exactly the window in which the email is sitting in your inbox, looking urgent.
What does "flagged" mean? And "not flagged"?
Because of that lag, the two possible answers carry very different weight.
Flagged means Google has confirmed the site is dangerous. Treat that as close to a final answer as anything in this space gets. Don't rationalize it away; "maybe it's a mistake, the email looked so real" is exactly the thought the scam is designed to produce.
Not flagged means only that the site isn't on the list right now. It might be fine. It might be three hours old and simply not found yet. "Not flagged" is a shrug, not a clean bill of health.
Why pair it with checks that don't need to wait?
IP Tracker runs the Safe Browsing check on every domain you paste. But it never runs alone, because some signals have no waiting period at all.
Lookalike detection is the clearest example. IP Tracker compares a domain against a bundled list of roughly 100 widely impersonated brands: banks, payment services, e-commerce, shipping, big tech, and others. If someone registers a letter-swap of one of those names, the name itself is suspicious the second it exists; no scanner has to visit it first. The honest scope note: about 100 brands is not every brand, so a lookalike of a name outside that list won't be spotted this way. (Each brand entry also includes its official regional siblings, so a real address like paypal.de isn't flagged.)
- paypal.com: the brand's registered domain
- paypa1.com: the "l" is really the number 1
An edit-distance check (counting how many letters differ from a brand's real domain) spots typo-style tricks like paypall.com or amazzon.com. It scales with length: very short domains allow no differences, medium-length ones allow one, long ones two. So it stays strict where a single letter matters most. A match here shows up as a "possible lookalike" caution rather than a firm verdict.
The swaps your eye can't catch are what homoglyph normalization is for: converting lookalike characters back to their plain form before comparing. That covers a number 0 standing in for the letter "o" in amaz0n.com, a capital "I" or the number 1 standing in for a lowercase "l" in paypaI.com, and common Cyrillic letters shaped like Latin ones. One current limit, stated plainly: internationalized domain names often travel in a coded form that starts with xn--, and IP Tracker doesn't yet decode that form before checking. The Cyrillic scan works when the visible lookalike form is what you paste. Decoding is on the team's list.
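To make the two name checks concrete, here is a small sketch added for this article; it is not IP Tracker's own code. The three-brand list, the length cutoffs in `allowed_edits`, the character map and all function names are assumptions chosen for illustration.

```python
# Added illustration; brand list, cutoffs and character map are assumptions.
BRANDS = {  # constructed sample: brand -> official domains incl. regional siblings
    "PayPal": {"paypal.com", "paypal.de"},
    "Amazon": {"amazon.com", "amazon.de"},
    "X": {"x.com"},
}

# Lookalike characters folded to plain Latin before comparing.
HOMOGLYPHS = {"0": "o", "1": "l", "I": "l",
              "\u0430": "a", "\u0435": "e", "\u043e": "o",   # Cyrillic a, e, o
              "\u0440": "p", "\u0441": "c", "\u0445": "x"}   # Cyrillic r, s, kh

def normalize(domain):
    # Map before lowercasing so a capital "I" is still distinguishable.
    return "".join(HOMOGLYPHS.get(ch, ch) for ch in domain).lower()

def allowed_edits(length):
    # Assumed cutoffs: short names tolerate nothing, medium one, long two.
    return 0 if length <= 6 else 1 if length <= 14 else 2

def edit_distance(a, b):
    # Classic Levenshtein distance, computed one row at a time.
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check(domain):
    """Return (verdict, brand): 'official', 'homoglyph', 'possible lookalike' or None."""
    raw = domain.strip().rstrip(".")
    for brand, official in BRANDS.items():
        if raw.lower() in official:          # real domain or regional sibling
            return ("official", brand)
    # Punycode (xn--) names are not decoded here, matching the limit noted above.
    folded = normalize(raw)
    best = (None, None)
    for brand, official in BRANDS.items():
        for real in official:
            d = edit_distance(folded, real)
            if d == 0:                       # identical once lookalikes are folded
                return ("homoglyph", brand)
            if d <= allowed_edits(len(real)):
                best = ("possible lookalike", brand)
    return best
```

Neither check needs the site to have been visited or reported: the verdict comes from the name alone.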
Alongside those, IP Tracker checks vendor verdicts from VirusTotal (a service that runs a domain past dozens of security companies), community abuse reports, and the domain's age from its registration record. If a domain was registered less than 90 days ago, the warning adds a "Registered N days ago" line, but only as a supporting detail. A young domain proves nothing by itself; new businesses exist. So age is never a standalone verdict.
One rule cuts through all of it: a Safe Browsing flag, or detections from multiple security vendors, is treated as authoritative. IP Tracker shows that warning even when every other signal looks fine, including when the domain is the brand's real one, because real sites do get compromised.
| Signal | When it's present | What its absence does NOT mean |
|---|---|---|
| Safe Browsing flag | Google has confirmed the site as dangerous. Treat it as decisive. | The site could simply be too new to have been found yet. |
| Security-vendor detections | Multiple companies independently flagged it. Strong evidence. | Vendors may not have scanned a brand-new domain at all. |
| Lookalike match | The name imitates a known brand: suspicious from the moment it was registered. | The list covers about 100 widely faked brands, not every brand. |
| Very young domain | Fits the throwaway pattern phishing sites follow. Supporting evidence only. | Old domains get hijacked too; age alone proves nothing either way. |
A site is flagged. Now what?
- Close the tab. Don't click "proceed anyway," and don't click anything on the page itself.
- Don't retry. Don't re-paste the link or open it in another browser "to check." The warning is the answer.
- Report the email as phishing using your mail app's report button. That helps your provider warn other people who got the same message.
- If you already typed anything on that site (a password, card number, or login code), open the real account through the official app or a saved bookmark (never through the email) and change the password. For card details, call the number on the back of your card.
- If you reuse that password anywhere else, change it there too. Stolen passwords get tried on other sites quickly.
No list is complete
Safe Browsing is one of the most valuable single signals available. When it speaks, listen. But it's a record of what has been confirmed, and confirmation takes time that fresh scams are built to outrun.
That's why layering matters: a name check that works from minute one, vendor verdicts, abuse reports, domain age, and your own sense of whether this email should exist at all. IP Tracker can name the trick and lay out the signals. Weighing them is still your call, and it always will be.
To summarize:
- ✓ Red screen = walk away. No rationalizing.
- ✓ No warning is a shrug, not a promise.
- ✓ Lookalike checks work from minute one; blocklists need time.
- ✓ Layer the signals, and keep your own judgment on top.
Stay safe out there! 😎