Most people were taught that the padlock in the browser address bar means a website is safe. This is wrong — and it is a gap in public understanding that scammers have exploited for years.
The padlock (HTTPS) only tells you the connection between your browser and the site is encrypted. It says nothing about whether the site itself is legitimate. A fraudulent website can and routinely does have HTTPS. You are sending your card details securely to a criminal.
Here is the seven-point checklist that actually tells you whether a site is safe to use — each check takes under ten seconds.
The 7-point fake website checklist
- Read the domain name character by character. Fraudulent sites use look-alike characters: "paypa1.com" (number 1 not letter l), "arnazon.com" (r and n together look like m), "barclays-securelogin.com" (hyphenated). Read the actual domain in the address bar slowly. The real organisation's domain should appear directly before the first forward slash after "https://".
- Check for a physical address and company registration. Legitimate businesses have an address, a company registration number (in the UK, visible at Companies House), and a phone number. If a retailer has no address and no company number, that is a significant red flag. In the UK, any limited company must be registered — search at gov.uk/find-company-information.
- Check the domain age. Go to who.is and enter the domain. A website claiming to be a well-known retailer but registered three months ago is almost certainly fraudulent. Most scam sites exist for only a few months before being taken down — the registration date exposes this.
- Search for "[company name] scam" or "[company name] review". It takes thirty seconds. If others have been defrauded, they have likely reported it on Action Fraud, Trustpilot, Reddit, or consumer sites. No presence online at all for a supposedly established business is also suspicious.
- Check the returns policy and privacy policy. Legitimate retailers have detailed, specific policies. Fake sites either have none, or have vague copied text with the wrong company name still in it. A privacy policy that refers to "Company X" when the site is supposedly "Company Y" is a dead giveaway.
- Look at the price. If it is significantly below what the same product costs anywhere else, ask why. Fake sites use impossibly low prices to bypass scepticism. Real discounts exist, but a brand-new iPhone for £150 is bait, not a deal.
- Try the contact details. Call the phone number or send a test email before making a payment. A phone number that is not answered during business hours, or an email that bounces, is a clear signal. Some scam sites use a chat bot — test it with a specific question about the product.
✅ The 60-second version
Short on time? The three highest-yield checks: (1) read the domain name carefully, (2) search "[name] scam" on Google, (3) check the domain age on who.is. Between them, these three catch the vast majority of fake retail, banking, and service sites.
Common fake website types and their tells
Fake retail websites
Prices well below market. Domain registered recently. No company registration. A physical address that does not exist or is a residential address. Social media links that go nowhere or have zero followers. Payment only by bank transfer or cryptocurrency.
Fake banking login pages
URL is almost-right (barclays-login.com, lloydsbank-security.co.uk). Usually arrived at via a phishing link. No contact details. May display the real bank's phone number but the page itself is fraudulent. The safest approach: never click to a banking page from an email or text. Always type the address or use a bookmark.
Fake HMRC / government sites
Legitimate UK government sites always use the gov.uk domain. Any tax rebate or government service at any other domain is fraudulent. The URL bar should show gov.uk — nothing else, no hyphens, no subdomains from other roots.
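The domain check from the first point of the checklist and the gov.uk rule above can be automated. The following Python sketch is an added example, not part of the original article: the `KNOWN` allow-list is constructed for illustration, the function names are hypothetical, and the 0-for-o substitution is an assumption added to the two look-alikes the checklist names.

```python
from urllib.parse import urlsplit

# Constructed allow-list for illustration: brand token -> the brand's real domain.
KNOWN = {"paypal": "paypal.com", "amazon": "amazon.com",
         "barclays": "barclays.co.uk", "gov": "gov.uk"}

# Look-alike substitutions from the checklist; 0 -> o is an added assumption.
CONFUSABLES = (("rn", "m"), ("1", "l"), ("0", "o"))


def hostname(url):
    """Return the host a browser would connect to, lower-cased."""
    parts = urlsplit(url if "//" in url else "//" + url)
    return (parts.hostname or "").rstrip(".")


def belongs_to(host, domain):
    """True only for the domain itself or a subdomain split on a dot."""
    return host == domain or host.endswith("." + domain)


def skeleton(token):
    """Collapse look-alike characters so 'arnazon' compares equal to 'amazon'."""
    for fake, real in CONFUSABLES:
        token = token.replace(fake, real)
    return token


SKELETONS = {skeleton(brand): domain for brand, domain in KNOWN.items()}


def check(url):
    """Return (verdict, domain): 'genuine', 'lookalike' or 'unknown'."""
    host = hostname(url)
    for domain in KNOWN.values():
        if belongs_to(host, domain):
            return ("genuine", domain)
    # Split on dots and hyphens so 'barclays-securelogin' yields 'barclays'.
    for token in host.replace("-", ".").split("."):
        if skeleton(token) in SKELETONS:
            return ("lookalike", SKELETONS[skeleton(token)])
    return ("unknown", None)


if __name__ == "__main__":
    for u in ("https://paypa1.com/login", "https://www.gov.uk/",
              "https://www.gov.uk.tax-rebate.example/claim"):
        print(u, check(u))
```

A verdict of "unknown" only means the host is not on the allow-list and does not imitate an entry in it; the remaining checks in the list still apply.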
Real case
"I ordered trainers from a site with 'Nike' in the name. Domain looked fine, it had the padlock, prices were about 30% off. Checked after the fact — domain was three months old, no company registration, no real address. The WHOIS showed it was registered in Eastern Europe. I'd already paid £180." — Action Fraud report, 2025.
What to do if you have already used a suspicious site
If you made a payment, contact your bank or card provider immediately and request a chargeback. If you entered login credentials, change that password now — and anywhere else you use the same password. If you entered personal information, place a fraud alert on your credit file. Read our full guide on what to do in the first 60 minutes after a scam.
The printable 7-point website safety checklist
Our free cheat sheet includes the complete website verification checklist — plus the 10 warning signs that apply to any online or phone scam.