1 in 170 Devices Lands on Scam Sites Every Day, Study Warns

From phony storefronts to slick social-media ads, new research exposes the hidden routes that steer unsuspecting shoppers into costly online traps

A peer-reviewed paper presented at NDSS 2025 by researchers from Norton Research Group, IMDEA, BforeAI, and the University of Crete offers the most comprehensive snapshot yet of how often real people stumble onto malicious websites. Mining up to ten months of desktop and five months of mobile telemetry drawn from 25.1 million IP addresses, the team matched those visits against 607,000 confirmed scam domains sourced from commercial feeds and an internal machine-learning detector.

The result: an average of 149,000 devices per day, or roughly one in every 170 active machines studied, landed on a scam site. For consumers, that means online shopping scams are no longer fringe events but a daily risk.

Why shopping scams dominate

The dataset covered seven popular ruses: shopping, cryptocurrency, financial investment, dating, gambling, employment, and funds-recovery scams. Fake storefronts dwarfed everything else. In total, 10.2 million unique IPs visited a fake online store or bogus e-commerce pages.

This was compared with 653,000 for crypto scams and 443,000 for traditional investment fraud. The authors connect that dominance to the sheer volume of counterfeit online shops, competitive ad spending, and consumers’ comfort with buying goods without seeing them first.

1 in 140 devices lands on a scam site every day.

Desktop users face double the danger

Contrary to the common belief that phones are riskier, the study found desktops twice as likely to reach a scam. About 0.8% of desktop devices in the sample hit a malicious domain each day compared to 0.3% of mobiles.

Researchers suggest two reasons. First, users still prefer full-screen browsing for big-ticket purchases. In addition, native apps on phones tend to shield shoppers from shady web links.

Ads supercharge the fraud funnel

Scammers are not waiting for victims to mistype URLs. Roughly 13% of all scam visits - and nearly a quarter of shopping-scam traffic - began with a paid advertisement containing Google-Analytics UTM codes. Of those ad-driven clicks, 59% originated on social networks, and Facebook alone accounted for three-quarters of the social total.

Crypto con artists lean especially hard on ads. Only 340 scam domains were actively promoted. But still, they reeled in more than 131,000 users. This is nearly six times the haul seen by similarly advertised financial-investment pages.

A surprisingly long life for malicious domains

Phishing sites are notorious for disappearing within hours, but scams linger. The median “active time” between first and last observed visit was 11 days. This was 12 to 15 times longer than typical phishing domains. Dating scams stayed up the longest at, on average, 59 days. Meanwhile, crypto, financial, and funds-recovery scams often folded after just a day.

Even so, feeds such as ScamAdviser usually learned about new scam domains only one day after victims had already begun visiting them, giving defenders a narrow window for scam website detection and blocking access before more people got hurt.

Checkout pages reveal real-world losses

Because the researchers could inspect full URLs on desktop machines, they tagged paths like “/checkout” or “/order” to gauge intent. They discovered that 4% of all IPs visiting a shopping scam proceeded as far as the checkout page, strongly implying that tens of thousands of users tried to pay for nonexistent goods. On a typical day, about 1,800 devices reached a payment form, which is evidence of a steady stream of likely financial losses.

Geography matters, but not as expected

When researchers normalized by local user populations, exposure varied greatly. The Philippines, Turkey, and Vietnam topped the risk chart as global scam hotspots. They have more than one percent of daily devices hitting scams, whereas Japan and China sit at the bottom below 0.2%. Cultural factors, differing reliance on mobile browsing, and uneven adoption of security software may explain the gap.

What the findings mean for consumers and defenders

The study underscores that scams are not fringe events. They are a daily reality for hundreds of thousands of Internet users. Consumers seeking advice on how to avoid online scams should treat discounts that look too good to be true, especially on social-media ads, as red flags. They should favor established marketplaces or app-based storefronts on mobile.

Security vendors and regulators, meanwhile, may want to prioritize faster takedown mechanisms for shopping, crypto, and financial scams. Together, they trap far more victims than other ruses. Automated monitoring of newly registered domains and real-time ad-verification tools could cut the median 11-day window in which scammers currently operate with impunity.

Written and Edited by Lizzy Schinkel & WhatIsMyIP.com® Editorial Contributors

Lizzy is a tech writer for WhatIsMyIP.com®, where she simplifies complex tech topics for readers of all levels. A Grove City College graduate with a bachelor’s degree in English, she’s been crafting clear and engaging content since 2020. When she’s not writing about IP addresses and online privacy, you’ll likely find her with a good book or exploring the latest tech trends.