Security Guide

How to Tell If a Website is Fake or Legit (10 Warning Signs)

By ShieldScan · April 2026 · 7 min read

Fake websites — designed to steal your login credentials, payment details, or personal information — are more convincing than ever. Modern phishing sites copy the exact design of real banks, retailers, and government services down to the logo and layout.

Here are 10 warning signs that a website might be fake, plus the fastest way to verify any site before trusting it with your data.

10 Warning Signs of a Fake Website

Warning #1

The domain name looks slightly off

Look at the actual URL, not the page design. Attackers use lookalike domains: paypa1.com (the digit 1 in place of the letter l), paypal-secure.com, or paypal.login-now.net. The real domain is always the part directly before the TLD (.com, .org), so in paypal.login-now.net the domain is login-now.net and paypal is only a subdomain label. If paypal appears anywhere other than as the whole name immediately before .com, it's fake.
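The rule above can be applied mechanically. This is an added example, not ShieldScan's code: it pulls the registrable domain out of a URL and sorts the three lookalikes named above into the trick each one uses. The function names, the short suffix set and the digit-swap table are assumptions made for the illustration.

```python
from urllib.parse import urlsplit

# Assumption: a tiny constructed suffix set. Production code should load the
# full Public Suffix List instead of hard-coding a few entries.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}
# Digit-for-letter swaps such as the 1-for-l in paypa1.com.
CONFUSABLES = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s"})


def hostname(url):
    """Lower-cased host of a URL; accepts bare hosts such as 'paypa1.com'."""
    parts = urlsplit(url if "//" in url else "//" + url)
    return (parts.hostname or "").rstrip(".")


def registrable_domain(host):
    """The label directly before the public suffix, plus that suffix."""
    labels = host.split(".")
    keep = 3 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 2
    return ".".join(labels[-keep:])


def classify(url, brand="paypal", real_domain="paypal.com"):
    """Compare a URL against the one domain the brand is known to use."""
    host = hostname(url)
    registered = registrable_domain(host)
    name = registered.split(".")[0]
    if registered == real_domain:
        return "match"
    if brand in name:
        return "brand-inside-other-name"
    if brand in name.translate(CONFUSABLES):
        return "character-substitution"
    if any(brand in label for label in host.split(".")):
        return "brand-as-subdomain"
    return "unrelated"


if __name__ == "__main__":
    for sample in ("https://www.paypal.com/signin", "http://paypa1.com/login",
                   "https://paypal-secure.com/", "https://paypal.login-now.net/verify"):
        print(f"{sample:40} {registrable_domain(hostname(sample)):16} {classify(sample)}")
```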

Warning #2

The domain was registered very recently

Phishing sites are almost always newly created domains — often registered days or weeks before an attack. A domain that's less than 90 days old and claiming to be a major bank or company is a serious red flag. ShieldScan shows domain age in every URL scan.
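Domain age can be read from a registry's RDAP record, where the creation date appears as an event with `eventAction` set to `registration`. The following added example (not ShieldScan's code) applies the 90-day threshold above to a constructed RDAP response. The sample record and the function names are assumptions, and a record with no registration event is reported as unknown rather than treated as old.

```python
import json
from datetime import datetime, timezone

MIN_AGE_DAYS = 90  # threshold stated in the text above

# Constructed sample: a trimmed RDAP domain object for a made-up domain.
SAMPLE_RDAP = json.loads("""
{
  "objectClassName": "domain",
  "ldhName": "login-now.example",
  "events": [
    {"eventAction": "registration", "eventDate": "2026-03-20T10:15:00Z"},
    {"eventAction": "expiration",   "eventDate": "2027-03-20T10:15:00Z"}
  ]
}
""")


def registration_date(rdap):
    """Return the registration timestamp as an aware datetime, or None."""
    for event in rdap.get("events", []):
        if event.get("eventAction") == "registration":
            stamp = event["eventDate"].replace("Z", "+00:00")
            when = datetime.fromisoformat(stamp)
            # Treat a timestamp without an offset as UTC.
            return when if when.tzinfo else when.replace(tzinfo=timezone.utc)
    return None


def assess_age(rdap, now=None):
    """Return (status, age_in_days); status is recent, established or unknown."""
    now = now or datetime.now(timezone.utc)
    registered = registration_date(rdap)
    if registered is None:
        return ("unknown", None)  # missing data is not evidence of age
    age = (now - registered).days
    return ("recent" if age < MIN_AGE_DAYS else "established", age)


if __name__ == "__main__":
    print(SAMPLE_RDAP["ldhName"], assess_age(SAMPLE_RDAP))
```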

Warning #3

The SSL certificate doesn't match

Click the padlock icon in your browser and check "Certificate." The certificate should be issued to the company the site claims to be. A certificate issued to an unknown company or individual for a site claiming to be your bank is a clear warning sign.
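The same check can be scripted. This added example (not ShieldScan's code) reviews a certificate in the dictionary form returned by Python's `ssl.SSLSocket.getpeercert()`. The certificates are constructed samples and the function names are assumptions. A domain-validated certificate carries no organization field at all, so it gets its own result: it shows control of the domain and says nothing about who runs the site.

```python
# Constructed samples in the layout produced by ssl.SSLSocket.getpeercert().
ORG_CERT = {
    "subject": ((("countryName", "US"),),
                (("organizationName", "Example Bank, Inc."),),
                (("commonName", "www.examplebank.example"),)),
    "subjectAltName": (("DNS", "www.examplebank.example"),
                       ("DNS", "*.examplebank.example")),
}
DV_CERT = {
    "subject": ((("commonName", "examplebank-login.example"),),),
    "subjectAltName": (("DNS", "examplebank-login.example"),),
}


def subject_fields(cert):
    """Flatten the nested subject tuples into a plain dict."""
    return {key: value for rdn in cert.get("subject", ()) for key, value in rdn}


def san_matches(cert, host):
    """True if host equals a DNS name in the cert or fits a one-level wildcard."""
    host = host.lower()
    for kind, name in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        name = name.lower()
        if name == host:
            return True
        if name.startswith("*.") and host.split(".", 1)[-1] == name[2:]:
            return True
    return False


def review(cert, host, expected_org):
    """Classify what the certificate does and does not say about the site."""
    if not san_matches(cert, host):
        return "name-mismatch"
    org = subject_fields(cert).get("organizationName")
    if org is None:
        return "domain-validated-only"  # no identity claim to compare
    return "org-match" if expected_org.lower() in org.lower() else "org-mismatch"


if __name__ == "__main__":
    print(review(ORG_CERT, "www.examplebank.example", "Example Bank"))
    print(review(DV_CERT, "examplebank-login.example", "Example Bank"))
```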

Warning #4

It's flagged by Google Safe Browsing

Google maintains a database of phishing and malware sites and warns users automatically in Chrome, Firefox, and Safari. If you see a "Deceptive site ahead" or "Site ahead contains malware" warning, leave immediately. ShieldScan checks Google Safe Browsing as part of every scan.

Warning #5

Poor grammar, spelling errors, or strange formatting

Legitimate companies proofread their websites. Phishing sites — often created quickly and in bulk — frequently contain spelling mistakes, awkward phrasing, or inconsistent formatting. A single obvious typo on a login page is a strong indicator of fraud.

Warning #6

No contact information or privacy policy

Real businesses are legally required to provide contact information and privacy policies in most countries. If a site asking for personal information has no "About Us," "Contact," or "Privacy Policy" page — or those pages are blank or generic — treat it as suspicious.

Warning #7

You arrived via an unexpected link

You got an email claiming to be from your bank asking you to "verify your account." You received a text about a package you never ordered. You clicked a link in a social media DM from someone you barely know. The context of how you arrived at a site matters as much as the site itself.

Warning #8

The site creates extreme urgency

"Your account will be suspended in 24 hours." "Confirm your details immediately to avoid charges." Urgency is a core social engineering tactic designed to make you act before you think. Legitimate companies almost never threaten immediate consequences via unsolicited messages.

Warning #9

Prices are unrealistically low

A fake shopping site might offer the latest iPhone for $99 or luxury goods at 95% off. If a deal seems too good to be true, it almost always is. These sites collect payment details and either send counterfeit goods or nothing at all.

Warning #10

The page design looks slightly wrong

Phishing sites often copy the HTML of legitimate sites but miss details: images that don't load, fonts that look slightly different, logos that are blurry or pixelated, or layout elements that are slightly misaligned. These are signs of a hastily cloned page.

Verify Any Website in 10 Seconds

ShieldScan checks domain age, SSL certificate, Google Safe Browsing, and 95+ antivirus engines automatically.


How to Verify a Website Before Trusting It

The fastest way to check any website is to paste its URL into ShieldScan's URL scanner. In under 10 seconds you'll see:

You can also manually check:

Good habit: Before entering your password or payment details on any site, check the URL bar. Make sure you're on the real domain — not a lookalike. Type important sites (your bank, email, government services) directly into your browser rather than clicking links to reach them.

What to Do If You've Already Entered Your Details

If you think you entered your login credentials or payment information on a fake site, act immediately:

  1. Change your password on the real site immediately
  2. Change your password on any other site where you use the same password
  3. Contact your bank if you entered payment details — ask them to monitor for unusual activity or issue a new card
  4. Enable two-factor authentication on your email, bank, and social media accounts
  5. Check your accounts for unauthorized logins or transactions
  6. Report the site to Google at safebrowsing.google.com/safebrowsing/report_phish

Frequently Asked Questions

How can I tell if a website is fake?
Key signs include: newly registered domain, lookalike domain name, mismatched SSL certificate, poor grammar, no contact info, and urgency messaging. Use ShieldScan to check all of these automatically in one scan.

Can a fake website have HTTPS and a padlock?
Yes. Free SSL certificates are available to anyone — including scammers. A padlock means the connection is encrypted, not that the site is legitimate. Always check the actual domain name.

How do I check if an online store is legit?
Check how old the domain is (newly registered stores are suspicious), look for real contact information, search for reviews on independent sites, and scan the URL with ShieldScan before purchasing.

What should I do if I entered my details on a fake website?
Change your passwords immediately, contact your bank if you entered payment details, enable two-factor authentication on your accounts, and report the site to Google Safe Browsing.