I spent about three years as an M&A advisor at Carbon6 evaluating software companies, around 50 in all. I have also been the seller twice, with two multi-million dollar exits as a founder. So I have seen both sides of the table, and I can tell you the honest version: a seller-prepared P&L is a story, not a fact. Sometimes the story is true. Your job before signing an LOI is to find out cheaply whether it could be.
The checklist below is what I run before a buyer commits to exclusivity. It is built around the five places small digital deals actually go wrong. None of these checks require seller cooperation beyond what you can reasonably request pre-LOI, and most of the worst deals fail at least one of them in the first week.
Revenue plausibility
- Listing claims vs. observable reality. Does the revenue claimed line up with what you can see from the outside: review velocity, traffic estimates, app-store ranks, best-seller ranks, pricing pages? A $2M ecommerce brand leaves a footprint. If the footprint says $400K, stop.
- Screenshots are not evidence. Dashboards can be cropped, filtered, or fabricated. Pre-LOI, ask for a live screen-share inside Stripe, Seller Central, or the payment processor. A seller who refuses a 15-minute screen-share is telling you something.
- Revenue concentration. What share of revenue comes from the top customer, top SKU, or top affiliate? One whale customer or one hero SKU is a discount, not a feature.
- The trend story vs. the trailing twelve months. Sellers time their exits. If the listing leads with a great trailing twelve months, look at the last three. A business sold on TTM that is down 30% in the most recent quarter is a different deal at a different price.
Traffic authenticity
- "Organic" that is actually paid. Check whether the traffic mix claimed matches reality. Paid traffic dressed up as organic collapses the day the ad spend stops, and the ad spend is sometimes sitting in the add-backs.
- Branded vs. non-branded search. If most organic traffic is people searching the brand name, you are buying the founder's audience, which may not transfer. Non-branded rankings are the durable asset.
- Backlink and ranking spikes. Sudden link-velocity spikes before a sale suggest bought links or expired-domain tricks. Those rankings are borrowed, and search engines eventually collect.
- AI-referral fragility. A growing share of informational traffic is being absorbed by AI answer engines. Content businesses built on thin informational queries are the most exposed. Ask what percentage of revenue depends on traffic that an AI answer can replace.
Platform risk
- Single-platform dependence. One Amazon account, one TikTok Shop, one Chrome extension listing, one App Store entry. If a single suspension or policy email takes revenue to zero, price that in or walk.
- Account health and suspension history. Ask directly for the account-health record and any past suspensions, appeals, or policy warnings. Past suspensions predict future ones, and some marks survive transfer.
- Policy and API exposure. Is the business built on an API, scraping technique, or policy interpretation the platform is actively tightening? Amazon's AI agent policy is a current example: automation built on browser scripts instead of official APIs is now a compliance liability, not an asset.
- Transferability. Can the accounts, contracts, and integrations legally move to a new owner at all? Some marketplace accounts, payment processors, and affiliate relationships do not transfer cleanly, and you find out at the worst time.
Owner dependence
- Claimed hours vs. evidence. "Four hours a week" is the most common claim in listings and the least often true. Look at the actual activity: support inboxes, commit history, content cadence, supplier emails. The operational fingerprint of the owner is hard to hide.
- Personal-brand entanglement. If the founder's face, name, or social accounts drive customers, you are buying a business that partially leaves with them. Audience-dependent revenue needs a transition plan and an earnout, not a handshake.
- Key relationships held by one person. The supplier deal, the one affiliate driving 40% of sales, the agency contact who keeps the ads profitable. Map which relationships exist only in the owner's phone.
Add-backs and financial hygiene
- Aggressive add-backs. Every add-back is the seller telling you a cost will not exist under your ownership. Test each one. "Owner salary" is fine; "marketing we did not really need" is not.
- Family payroll and personal expenses. Main Street financials routinely carry relatives on payroll and personal spend in expenses, in both directions. It inflates or deflates EBITDA depending on which way it cuts.
- Deferred costs hiding in the asset. Aged inventory approaching long-term storage fees, a codebase one departure from unmaintainable, content that has not been updated in two years. These are real costs that do not appear on any P&L until you own them.
The Red-Flag Scan is this checklist executed properly on your specific deal: listing claims vs. observable reality, revenue plausibility, traffic sanity check, platform and transfer risk, and seller history. $950, 48-hour turnaround, kill-or-continue verdict in writing.
See the Red-Flag ScanWhat a $950 scan covers that this checklist cannot
You can and should run the checklist above yourself. What a paid pre-LOI scan adds is execution depth and a disinterested verdict. In 48 hours I check the listing's claims against every observable data source, run the traffic and revenue plausibility work with real tooling rather than gut feel, pull seller history across marketplaces, and put the conclusion in writing: kill, continue, or continue with these specific conditions priced in.
The point is not that the scan replaces diligence. It is that it costs $950 to avoid spending three months and $20K+ of advisor time on a deal that was dead on arrival. Most buyers learn this on their second deal. The checklist is how you learn it on your first.
Questions buyers ask
When should I run a red-flag check on a deal?
Before the LOI, not after. Once you sign an LOI you are typically in an exclusivity period, you have mentally committed, and you have started paying advisors. The whole point of a pre-LOI screen is to spend a few hundred dollars and a few days finding the deal-killers before you spend months and tens of thousands finding them under LOI.
What is the most common red flag in small digital deals?
Revenue that does not survive contact with source systems. Seller-prepared P&Ls and marketplace listing claims regularly diverge from what Stripe, Seller Central, or the payment processor actually shows. The second most common is owner dependence: a business priced as an asset that is actually a job.
Is a red-flag scan a replacement for full diligence?
No. A pre-LOI scan is a kill-or-continue filter built on observable evidence and plausibility checks. It tells you whether the deal deserves real diligence. Full diligence verifies financials against source systems, reconstructs MRR and churn, and reviews code and infrastructure, which requires seller cooperation you usually only get under LOI.
Do these checks apply to deals listed on broker marketplaces?
Especially there. Brokers package the seller's story; they rarely verify it to the standard a buyer should. Listing multiples and add-back schedules on marketplaces are negotiating positions, not audited figures. Treat every claim in a listing as unverified until you have seen the underlying data.