Most fake and malicious websites are not immediately obvious. They use professional layouts, familiar branding, and convincing copy. The tells are there, but they require knowing what to look for and taking a few seconds to look before acting.
This guide covers the practical checks that reliably distinguish legitimate sites from fraudulent ones.
What this covers:
HTTPS and what the padlock actually confirms
How to inspect a URL before clicking
Domain name patterns used by fake sites
What legitimate sites typically disclose about themselves
Design and content quality as signals
Free tools for checking a site's reputation
Browser warnings and useful extensions
1. Check for HTTPS
HTTPS encrypts the data transmitted between your browser and the site. Any site that handles logins, payments, or personal information should use it. The presence of HTTPS is indicated by a padlock icon in the address bar and https:// at the start of the URL.
A site without HTTPS is transmitting data in plaintext. Do not enter passwords, payment details, or any sensitive information on an HTTP site.
One important caveat: HTTPS confirms that the connection is encrypted. It does not confirm that the site is legitimate or operated honestly. Fake sites increasingly use HTTPS because free certificates are easy to obtain. HTTPS is a necessary condition for a trustworthy site, not a sufficient one.
2. Inspect the URL Before Clicking
On desktop, hovering over a link shows the destination URL in the status bar at the bottom of the browser window before you click. On mobile, pressing and holding a link typically shows the destination.
Look for:
The actual domain, not just the display text. A link that displays as paypal.com can point to paypa1-secure.net.
Subdomains used to mislead. paypal.login.attacker.com is a subdomain of attacker.com, not paypal.com. The real domain is always the segment immediately before the top-level domain (.com, .org, .net).
Redirects. Short URLs (bit.ly, tinyurl) obscure the final destination. A URL expander (checkshorturl.com or unshorten.it) reveals where they lead before clicking.
3. Read the Domain Name Carefully
Fake sites often use domains that closely resemble legitimate ones. Common patterns:
Character substitution: amaz0n.com (zero instead of o), g00gle.com
Hyphens and additions: amazon-official.com, amazon-deals.net
Different top-level domains: amazon.shop, amazon.store when the real site is amazon.com
Subdomains of unrelated domains: amazon.free-deals.com
When in doubt about a site's authenticity, navigate directly by typing the known domain into the address bar rather than following a link from an email, message, or advertisement.
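The checks from sections 2 and 3 can be automated. The following is an added example, not part of the original guide: it extracts the real domain from a link and reports which of the four lookalike patterns it matches against a domain you already trust. The names checkLink, normalise and LOOKALIKES are hypothetical, the substitution map is constructed, and the code assumes the top-level domain is the last label.

```javascript
// Added example. Assumption: the top-level domain is the last label, as the
// guide states; suffixes like .co.uk would need the Public Suffix List.
const LOOKALIKES = { "0": "o", "1": "l", "3": "e", "5": "s" }; // constructed map

// Undo digit-for-letter swaps so "amaz0n" compares equal to "amazon".
function normalise(label) {
  return label.replace(/[0135]/g, (c) => LOOKALIKES[c]);
}

// Compare a link's host with a domain the user already trusts.
function checkLink(href, trustedDomain) {
  const host = new URL(href).hostname.replace(/\.$/, "");
  const labels = host.split(".");
  const real = labels.slice(-2).join("."); // segment before the TLD, plus the TLD
  const trusted = real === trustedDomain.toLowerCase();
  const findings = [];
  if (trusted) return { real, trusted, findings };

  const brand = trustedDomain.toLowerCase().split(".")[0];
  const name = labels[labels.length - 2] || "";
  const parts = name.split("-");

  if (parts.some((p) => p !== brand && normalise(p) === brand))
    findings.push("character-substitution");
  if (parts.length > 1 && parts.some((p) => normalise(p) === brand))
    findings.push("hyphen-addition");
  if (name === brand) findings.push("different-tld");
  if (labels.slice(0, -2).some((l) => normalise(l) === brand))
    findings.push("brand-in-subdomain");
  return { real, trusted, findings };
}

// Constructed sample links built from the domains named in the guide.
const SAMPLES = [
  ["https://www.amazon.com/orders", "amazon.com"],
  ["https://amaz0n.com/", "amazon.com"],
  ["https://amazon-official.com/", "amazon.com"],
  ["https://amazon.shop/", "amazon.com"],
  ["https://amazon.free-deals.com/", "amazon.com"],
  ["https://paypa1-secure.net/login", "paypal.com"],
  ["https://paypal.login.attacker.com/", "paypal.com"],
];
for (const [href, trustedDomain] of SAMPLES) {
  const r = checkLink(href, trustedDomain);
  console.log(href, "->", r.real, r.trusted ? "ok" : r.findings.join(",") || "unrelated");
}
```

An empty findings list on an untrusted domain only means none of these four patterns matched; it is not a verdict that the site is safe.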
4. Look for Contact and Identity Information
Legitimate businesses disclose who they are. A genuine company's website should have an About page, a contact email or phone number, and often a physical address. The information should be consistent and specific rather than generic.
A site that has no contact information, a contact form with no other details, or vague language about who operates it is a red flag. This applies especially to sites selling products or requesting personal information.
5. Evaluate Design and Content Quality
Professional organisations maintain consistent, polished websites. Poor design, inconsistencies, or low-quality content are signals worth noting:
Frequent spelling errors or awkward phrasing, particularly in important sections like product descriptions or terms
Distorted logos or images that appear stretched or pixelated, suggesting they were copied rather than provided by the brand
Mismatched fonts, broken layouts, or sections that do not fit together visually
Outdated content, broken links, or placeholder text that was never replaced
A site that looks like it was assembled quickly with minimal investment likely was, and that is worth weighing when deciding whether to trust it.
6. Check Reputation with Free Tools
Several free tools check URLs against databases of reported malicious and fraudulent sites:
Google Safe Browsing: transparencyreport.google.com/safe-browsing/search
VirusTotal: virustotal.com (checks against multiple security vendors simultaneously)
Norton Safe Web: safeweb.norton.com
Paste the URL into any of these and the tool returns a report indicating whether the site has been flagged. A clean result does not guarantee a site is safe, as new fraudulent sites are created continuously, but a flagged result is a reliable indicator to stay away.
7. Apply Scepticism to Implausible Offers
Fraudulent sites frequently use price or offer as the lure: a product at 90% off the normal price, a prize notification, an exclusive deal available only for a limited time. The urgency is manufactured to prevent careful evaluation.
Before engaging with any offer that seems unusually generous, a quick search for the site name or product alongside words like "scam" or "review" often surfaces community reports from people who have encountered the same site.
8. Pay Attention to Browser Warnings
Modern browsers flag sites that have been reported for phishing, malware, or invalid certificates. These warnings appear as a full-page alert before the site loads and include language like "Deceptive site ahead" or "Your connection is not private."
These warnings should be taken seriously. Proceeding past a browser warning means bypassing a security system that exists specifically to prevent harm. The site may have a legitimate explanation for a certificate warning (an expired certificate, for example), but the appropriate response is to investigate before proceeding, not to dismiss the warning reflexively.
9. Useful Browser Extensions
A few extensions add protection without requiring active effort:
uBlock Origin blocks malicious advertising networks and known fraudulent sites. It also reduces the malvertising risk discussed in the ransomware and phishing contexts.
Web of Trust (WOT) adds community-sourced safety ratings to search results and provides a warning when you visit a site with poor ratings.
Extensions from reputable sources add meaningful protection. Be cautious about extensions themselves: browser extensions with broad permissions can access and modify everything you do online. Install only from known sources and review what permissions any extension requests.
Key Takeaways
HTTPS is necessary for any site handling sensitive data, but it does not confirm the site is legitimate. Fraudulent sites use HTTPS too.
Inspect URLs before clicking. The real domain is the segment immediately before the top-level domain. Subdomains and display text can be misleading.
Fake domains use character substitution, hyphens, and different top-level domains to resemble legitimate ones. When in doubt, type the known domain directly.
Legitimate businesses provide specific, verifiable contact and identity information. Absence of this is a red flag.
Free tools (VirusTotal, Google Safe Browsing, Norton Safe Web) check URLs against known malicious site databases.
Browser security warnings exist for a reason. Proceed past them only after understanding why they appeared.
Conclusion
Website safety checks take seconds and the habits are simple to build. HTTPS as a baseline, a second look at the domain before clicking, and a quick reputation check for unfamiliar sites cover the most common risk scenarios.
The underlying principle is the same across all of these checks: slow down slightly before acting. Most fraudulent sites rely on creating enough urgency or familiarity that the target acts before examining the situation carefully. A moment of deliberate evaluation breaks that mechanism.




