The DuckDuckGo browser’s built-in Scam Blocker helps keep you safe from phishing sites, malware, and other common online scams while browsing online. Other browsers like Chrome, Firefox, and Safari rely on Google’s Safe Browsing Service, which involves sending information to Google. We don’t. We built our own anonymous solution that doesn’t send data to any third parties, doesn't require us to track any of your data, and doesn’t require an account.
In addition, DuckDuckGo’s Scam Blocker goes above and beyond what other browsers offer by default by protecting you from more than just phishing and malware. Scam Blocker also protects against online threats like sham e-commerce sites, fake cryptocurrency exchanges, “scareware” that falsely claims your device has a virus, and other sites known to advertise fake products or services.
Why is protection from phishing, malware, and scams necessary?
Phishing, malware, and online scams are three of the most common security threats online. Cybercriminals use phishing to trick people into giving them personal information, such as usernames, passwords, and credit card numbers. They also try to get people to download malware that can infect phones or computers to cause damage or extract personal information. On top of that, bad actors set up scam investment sites, storefronts, and similar schemes to steal your info or money.
Scam Blocker is designed to protect you from these common online security threats by alerting you to sites that have been flagged for pushing online scams like these. You can disable this feature in the DuckDuckGo browser settings menu, though doing so may put your personal information at risk.
How does Scam Blocker work anonymously in DuckDuckGo browsers?
To start, your browser needs to know which websites have been flagged for phishing, malware, or scams. We get a feed of these malicious sites from our partner, Netcraft, and we store the list on our servers. Your browser downloads a version of this list from DuckDuckGo so it’s available locally on your device. When you navigate to a site, your browser first checks the site against the list stored on your device. If the site is on the list, your browser shows a warning message that gives you the option to navigate away safely or to continue to the site at your own risk.
For uncommon threats, an extra verification step checks the website against a larger and more comprehensive database on DuckDuckGo servers (as explained below). This step is also anonymous, and at no time does your device communicate with any third party as part of the threat verification process.
Here’s how it works technically:
- Initial Feed Setup
- Periodically, the browser receives a list of known malicious websites from a DuckDuckGo server. This list isn’t human readable. Instead, each domain is represented by the first 8 characters of its SHA256 hash, also known as a “hash prefix.”
- If you were to look at this list, you’d see something like [d4c9d902, 133066d1, ...] instead of [website1, website2, ...]
- For details on how hashes work, see Hash Function and SHA-2.
- The DuckDuckGo server also provides a detailed list of the most common threats, sorted by their similarity to commonly visited sites.
- For example, [{"regex": "(?i)^https?\\\\:\\\\/\\\\/bad-third-party\\\\.site(?:\\\\:(?:80|443))?\\\\/security\\\\/badware\\\\/phishing\\\\.html$", "hash": "e4753ddad954dafd4ff4ef67f82b3c1a2db6ef4a51bda43513260170e558bd13"}, ...]
- Local Threat Detection
- When you navigate around the web, your browser generates the SHA256 hash of each domain you’re about to visit and checks it against the hash prefixes in the list of known malicious sites and against the list of common threats.
- If the site matches an entry in both lists, the browser warns you about the potential danger.
- Most of the time, this on-device threat verification process is sufficient to determine if the site is dangerous.
- Handling Uncommon Threats
- If your browser can’t find the domain you’re about to visit in the list of common threats but does find a match in the hash prefixes of known malicious sites, further verification against a larger and more comprehensive dataset is needed to ensure the site in question is known to be malicious.
- In these cases, the browser sends the first 4 characters of the domain’s SHA256 hash to DuckDuckGo servers for further verification.
- The extra step to generate a 4-character hash prefix ensures your browsing history can’t be tied back to you.
- In fact, we chose a 4-character hash prefix because it represents up to 65,536 values, and with hundreds of millions of potential domains online, many will share the same 4-character prefix, making it virtually impossible to associate any hash sent to DuckDuckGo with any specific domain.
- The DuckDuckGo server responds by sending a refined list of possible matches back to the browser. Your browser can then compare the URL you’re about to visit against this new list of known malicious sites and make a final decision based on information received. This request data is never logged or stored anywhere on our servers and is only used to return matching data from DuckDuckGo’s database.
To be clear, this means that your searches and browsing history are still completely anonymous.
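The three steps above (local prefix list, common-threats list, and the anonymous 4-character lookup for uncommon threats), carried through in Python as an added example that is not DuckDuckGo's own code. The feed contents, domain names and the server endpoint are constructed stand-ins, and the shape of the server's refined list (regex plus hash entries, like the common-threats list) is an assumption.

```python
import hashlib
import re

def sha256_hex(text):
    return hashlib.sha256(text.encode()).hexdigest()

def hostname(url):
    # Minimal host extraction (assumes a scheme is present); lowercased so the
    # hash is stable regardless of how the user typed the domain.
    return url.split("//", 1)[1].split("/", 1)[0].split(":")[0].lower()

def entry(url):
    # Same shape as the article's common-threats list: a URL regex plus the
    # SHA-256 of the exact URL.
    return {"regex": "(?i)^" + re.escape(url) + "$", "hash": sha256_hex(url)}

# Constructed sample feed; not DuckDuckGo's or Netcraft's real data.
COMMON_URL = "https://bad-third-party.site/security/badware/phishing.html"
RARE_URL = "https://fake-crypto-exchange.example/login"

# Shipped to the device: 8-char domain-hash prefixes and the common threats.
LOCAL_PREFIXES = {sha256_hex(hostname(u))[:8] for u in (COMMON_URL, RARE_URL)}
COMMON_THREATS = [entry(COMMON_URL)]
# Held only on the (simulated) server: every flagged URL, keyed by its domain.
SERVER_DB = [(hostname(u), entry(u)) for u in (COMMON_URL, RARE_URL)]

def matches(url, entries):
    return any(re.match(e["regex"], url) and e["hash"] == sha256_hex(url)
               for e in entries)

def server_lookup(prefix4):
    # Simulated DuckDuckGo endpoint (assumed shape): the browser sends only a
    # 4-char (16-bit) prefix, so the server sees one of 65,536 buckets shared by
    # many domains, and returns every entry whose domain hash is in that bucket.
    assert len(prefix4) == 4
    return [e for domain, e in SERVER_DB if sha256_hex(domain).startswith(prefix4)]

def check(url, lookup=server_lookup):
    """Returns (verdict, prefix sent to the server or None if none was sent)."""
    domain_hash = sha256_hex(hostname(url))
    if domain_hash[:8] not in LOCAL_PREFIXES:
        return "safe", None        # the usual case: resolved entirely on-device
    if matches(url, COMMON_THREATS):
        return "blocked", None     # common threat: also resolved on-device
    prefix4 = domain_hash[:4]      # uncommon threat: ask the server, anonymously
    return ("blocked" if matches(url, lookup(prefix4)) else "safe"), prefix4
```

Note the last case in the test data: a different page on a flagged domain reaches the server step but is not blocked, because the final decision is made against the exact URL, not the domain-hash bucket.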