ScamCatchr

ScamCatchr — Setup & How It Works

Get up and running in under 2 minutes

1 Install & open Gmail

ScamCatchr runs automatically once loaded. After installing, open Gmail in any Chrome tab. The extension activates immediately — no further action needed just to start scanning.

✅ DOM-only scanning starts immediately, no login required. Emails are checked for sender impersonation and scam keywords as soon as you open them.

2 Connect Gmail API (recommended)

Click the ScamCatchr icon in your Chrome toolbar to open the popup, then click "Connect Gmail". Sign in with your Google account.

What this unlocks

🔒 ScamCatchr only requests gmail.readonly scope and only reads the From and Authentication-Results headers of emails you open. No email body content is ever accessed.

If you see "Access blocked" or Error 403

The app may still be in test mode. Ask the developer to add your Gmail address as a test user in the Google Cloud Console → OAuth consent screen → Test users.

3 Using ScamCatchr

Inbox view — row badges

When browsing your inbox, ScamCatchr scans each visible email row and adds a small badge:

Red badge — high-risk email, likely a scam or impersonation attempt
! Yellow badge — suspicious email, worth checking manually

Hover over a badge to see a tooltip with the specific reason it was flagged.

Email view — warning banner

When you open a flagged email, a banner appears at the top of the page explaining what was detected. Click "Report phishing" in the banner to log it.

Manual report button

A 🚩 Report Phishing button appears in the top-right corner of the screen whenever you have an email open — even if ScamCatchr didn't automatically flag it. Use this whenever you spot something suspicious that the extension missed.

Popup scan button

Click the ScamCatchr icon and press "Scan Current Email" to manually re-scan the open email or re-scan all inbox rows.

How detection works

🏢 Brand impersonation: Checks if sender claims to be FedEx, UPS, USPS, DHL, Maersk etc. but emails from an unrecognised domain
📧 Free email providers: Flags logistics emails sent from Gmail, Yahoo, Hotmail — legitimate carriers use corporate domains
🔐 SPF / DKIM / DMARC: Email authentication checks that verify the sender is who they claim to be (requires Gmail API connection)
🔍 Scam keyword patterns: Detects phrases like "customs fee required", "last delivery attempt", "confirm your address to release parcel"
🎭 Display name spoofing: Catches emails where the display name contains a domain that doesn't match the actual sender address
🗃️ Reported domain database: Domains previously reported by users are flagged automatically on future emails
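
An added sketch (not ScamCatchr's own code) of how the sender-based checks above can be combined using only the From and Authentication-Results headers. The brand-to-domain map, free-provider list, flag names and function names are assumptions made for illustration.

```javascript
// Added illustration, not ScamCatchr's source. Lists below are constructed samples.
const BRAND_DOMAINS = {
  fedex: ["fedex.com"], ups: ["ups.com"], usps: ["usps.com"],
  dhl: ["dhl.com"], maersk: ["maersk.com"],
};
const FREE_PROVIDERS = ["gmail.com", "yahoo.com", "hotmail.com"];

// Split a From header value into display name and sender domain.
function parseFrom(from) {
  const m = from.match(/^\s*"?([^"<]*)"?\s*<[^<>@\s]+@([^<>\s]+)>\s*$/);
  if (m) return { name: m[1].trim().toLowerCase(), domain: m[2].toLowerCase() };
  const bare = from.trim().match(/^[^@\s]+@(\S+)$/);
  return { name: "", domain: bare ? bare[1].toLowerCase() : "" };
}

// Extract spf/dkim/dmarc verdicts from an Authentication-Results value.
// Simplification: only the first verdict per method is kept.
function parseAuthResults(header) {
  const verdicts = {};
  for (const m of header.matchAll(/\b(spf|dkim|dmarc)=([a-z]+)/gi)) {
    const method = m[1].toLowerCase();
    if (!(method in verdicts)) verdicts[method] = m[2].toLowerCase();
  }
  return verdicts;
}

// True for the base domain itself or a subdomain, never a look-alike suffix.
const underDomain = (d, base) => d === base || d.endsWith("." + base);

function checkSender(fromHeader, authHeader = "") {
  const { name, domain } = parseFrom(fromHeader);
  const flags = new Set();
  for (const [brand, domains] of Object.entries(BRAND_DOMAINS)) {
    if (!new RegExp(`\\b${brand}\\b`).test(name)) continue;
    if (!domains.some((b) => underDomain(domain, b))) flags.add("brand-impersonation");
    if (FREE_PROVIDERS.includes(domain)) flags.add("free-provider");
  }
  // Display-name spoofing: a domain shown in the name that the sender is not under.
  const shown = name.match(/[a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,}/);
  if (shown && !underDomain(domain, shown[0])) flags.add("display-name-spoof");
  for (const [method, verdict] of Object.entries(parseAuthResults(authHeader))) {
    if (verdict !== "pass") flags.add(`${method}-${verdict}`);
  }
  return [...flags];
}
```

The domain comparison matches on a label boundary, so a sender at fedex.com.parcel-notify.example or notfedex.com is still treated as outside fedex.com.
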
Scam types ScamCatchr recognises

| Type | What it looks like | Red flags |
|---|---|---|
| Fake delivery notification | "Your FedEx package could not be delivered" | Non-FedEx sender domain, urgency language |
| Customs / clearing fee | "Pay €2.99 to release your parcel from customs" | Payment link in email, free email provider used |
| Phishing via tracking link | "Track your shipment here" → fake login page | SPF/DKIM failure, domain mismatch |
| Freight company impersonation | Fake Maersk / MSC booking confirmation | Known freight brand in display name, wrong domain |
| Fraudulent payment request | "Invoice attached — wire payment within 24 hours" | Payment keywords, domain mismatch |
| Credential theft | "Your shipping portal password has expired — reset now" | DMARC fail, urgency language, login prompt |

Weekly scam digest

Once you connect Gmail, you can subscribe to a weekly email digest from the ScamCatchr popup. The digest is sent to your connected Gmail address every Monday and contains:

⚠️ The digest uses your connected Gmail address automatically. No extra email input is required. You can unsubscribe at any time from the popup or via the link at the bottom of any digest email.

Privacy at a glance

Read the full Terms & Privacy Policy →