
How to Tell if a Website Is Legit: The Complete Guide

A practical 2026 guide to spotting fake, unsafe, and AI-generated scam websites — what to check, what to ignore, and the signals that actually matter.

verified.fyi

If you're trying to figure out whether a specific website is safe before you hand over money, personal information, or your time, you've come to the right place. The short answer is that there is no single test — but there is a short list of signals that, taken together, almost always tell you the truth.

This is the checklist we use to power verified.fyi itself, explained for humans, with the parts that matter most highlighted first. By the end you'll know what to look at, what to ignore, and where most of the old advice ("look for the padlock") has stopped working in 2026.

The 30-second test

If you're in a rush, do this first. It catches the majority of obvious scams without any tooling.

  1. Read the URL out loud. Most scams live on domains that look almost-right at a glance: an extra hyphen, a swapped letter, a .shop or .top in place of .com, or a brand name embedded in a subdomain (amazon.payments-secure.com, not payments.amazon.com). Your eye glosses over these; your voice doesn't.
  2. Run the domain through a trust checker. Drop the URL into the verified.fyi homepage and let it scan WHOIS, SSL, blocklists, DNS, hosting, archived history, and on-page content. A bad trust score in 30 seconds is a faster signal than anything else on this list.
  3. Notice how the site makes you feel. Genuine commerce sites rarely shout. If you're being rushed ("only 2 left! buy in the next 10 minutes!"), love-bombed ("you've been specially selected"), or asked for unusual personal information before you've even seen a product, treat it as a red flag — legitimate businesses rarely need any of it.

If all three of those come back clean, the site is probably fine. If any one of them is off, keep reading.

Why the old advice no longer works

A lot of "how to spot a scam website" articles are still telling readers to look for things that haven't been reliable in years. Skip these:

  • "Look for the padlock." Every domain on the internet can get a free SSL certificate from Let's Encrypt in about five minutes. The padlock now means the connection is encrypted, not that the site is honest. The vast majority of phishing sites have a padlock.
  • "Check for spelling and grammar errors." This used to be a useful tell, but scammers now run their copy through ChatGPT before publishing, so the grammar will be fine even when nothing else about the site is.
  • "Make sure they have a contact page." Anyone can paste a Gmail address and a Google Maps screenshot onto a page. A contact page on its own tells you nothing. What matters is whether the details lead back to a real, registered business.
  • "Check if the site has been around for a while." This one still matters — but only if you know how to check it (Wayback Machine, WHOIS creation date) rather than trusting whatever copyright year the footer claims.

The signals that have replaced these are deeper and harder to fake. They're what the rest of this guide covers.

The deep checklist — what actually matters

Domain signals

The domain name itself carries an enormous amount of information.

  • Age. Most scam sites are under six months old. You can check this for free via WHOIS lookup, or skip the manual work — every verified.fyi report shows the creation date in the trust report and weights it heavily in the score.
  • WHOIS transparency. Established businesses tend to register their domains under their company name and a real corporate address. Scams almost universally use WHOIS privacy services that hide the registrant. Privacy alone isn't damning (lots of legitimate small operators use it), but combined with other signals it tilts the picture.
  • Registrar choice. Reputable brands tend to register through GoDaddy, Cloudflare, Squarespace, Gandi, or similar mainstream registrars. A lot of fraud rings use specific cheap-and-permissive registrars that have a long track record of looking the other way. You don't need to memorize the list — the trust score will reflect it.
  • TLD patterns. A .com doesn't guarantee anything, but a .shop, .top, .xyz, .click, or .online is statistically more likely to be a scam, simply because those TLDs are cheap and have less oversight. Treat them as a higher bar of evidence rather than an automatic disqualifier.
  • Brand confusion. The domain paypal-secure-login.com is not run by PayPal. Neither is paypa1.com. Type the brand name into your address bar fresh rather than trusting links you've been sent.
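The "read the URL out loud" step and the brand-confusion bullet come down to one question: which part of the hostname does the registrant actually control, and does the brand own it? The following is an added example, not code from verified.fyi. The brand table, the two-label suffix set, the confusable map and the sample URLs are constructed for illustration; a real tool would use the full Public Suffix List and a much larger confusables table.

```python
"""Read the URL the way the guide tells you to read it aloud.

Added example (not verified.fyi's code). BRANDS, MULTI_LABEL_SUFFIXES,
CONFUSABLES and the sample URLs are constructed for illustration.
"""
import unicodedata
from urllib.parse import urlsplit

# Constructed: the one registrable domain each brand legitimately owns.
BRANDS = {"amazon": "amazon.com", "paypal": "paypal.com"}

# Constructed subset of two-label public suffixes. Any other suffix is
# treated as a single label (.com, .shop, .top, .xyz, .click, .online).
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}

# TLDs the guide says deserve a higher bar of evidence.
HIGHER_BAR_TLDS = {"shop", "top", "xyz", "click", "online"}

# Digit-for-letter swaps that read as the letter at a glance (paypa1).
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b"})


def registrable_domain(host: str) -> str:
    """Return the part of the hostname the registrant actually controls:
    'payments-secure.com' for 'amazon.payments-secure.com'."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def normalise(text: str) -> str:
    """Fold confusable digits and drop hyphens so 'paypa1' and 'pay-pal'
    both compare equal to 'paypal'."""
    return unicodedata.normalize("NFKC", text).translate(CONFUSABLES).replace("-", "")


def _reason(reg_label: str, brand: str) -> str:
    """Explain why a brand-evoking host is not the brand's own domain."""
    if normalise(reg_label) == brand:
        return "confusable characters in registrable domain"
    if brand in normalise(reg_label):
        return "brand embedded in a longer registrable domain"
    return "brand appears only in a subdomain"


def assess_url(url: str) -> dict:
    """Say which brand the hostname evokes and whether that brand owns it."""
    # urlsplit only recognises the host part when a scheme or '//' is present.
    host = urlsplit(url if "//" in url else "//" + url).hostname or ""
    reg = registrable_domain(host)
    reg_label, tld = reg.split(".")[0], reg.split(".")[-1]
    result = {"host": host, "registrable": reg, "brand": None, "legit": True,
              "reason": None, "higher_bar_tld": tld in HIGHER_BAR_TLDS}
    folded = normalise(host)
    for brand, owned in BRANDS.items():
        if brand in folded:
            result["brand"] = brand
            if reg != owned:
                result["legit"] = False
                result["reason"] = _reason(reg_label, brand)
            break
    return result


if __name__ == "__main__":
    # Constructed samples, including the two hostnames the guide quotes.
    for sample in ["https://payments.amazon.com/",
                   "https://amazon.payments-secure.com/login",
                   "paypa1.com",
                   "https://paypal-secure-login.com",
                   "https://cheap-deals.shop/"]:
        print(assess_url(sample))
```

The useful part is `registrable_domain`: once you know the label the registrant actually paid for, "amazon" sitting to its left is just a subdomain anyone can create, which is exactly the trick the guide describes.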

Security infrastructure

Beyond the padlock, what the site is actually running on tells you a lot.

  • Blocklists. Google Safe Browsing, VirusTotal, and several reputation databases publish lists of known-bad domains. They lag a little — a brand-new scam might not be on them yet — but a hit on any of these is a firm "no". verified.fyi cross-references all of these automatically.
  • Certificate age and issuer. A certificate issued an hour ago, by Let's Encrypt, for a domain registered yesterday is a classic mark of an opportunistic scam. A certificate that's been quietly renewed for years from a paid CA suggests an established operator.
  • DNS and hosting. Who runs the nameservers? Where is the site hosted? Real businesses tend to use Cloudflare, AWS, Google Cloud, Vercel, or similar mainstream providers. Throwaway scams often live on hosts that are either obscure or known for not responding to abuse reports.
  • Email authentication records. A domain with proper SPF, DKIM, and DMARC records configured is a domain whose owner cares about email deliverability — usually because they actually send transactional email to real customers. A domain with no email authentication at all isn't proof of fraud, but it's a tell.
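The domain-age, WHOIS-privacy, certificate-age and email-authentication signals above are each weak alone and stronger together, which is why the guide talks about a combined score. Here is an added example of rolling them up; it is not verified.fyi's scoring model and the weights are illustrative. The WHOIS text, certificate dates and DNS TXT records are constructed. A real tool would obtain them from RDAP/WHOIS, from the TLS handshake (`ssl.getpeercert()`) and from DNS lookups.

```python
"""Roll the checklist's infrastructure signals into one score.

Added example, not verified.fyi's scoring model; weights are illustrative.
All sample inputs below are constructed.
"""
import re
import ssl
from datetime import datetime, timezone

NOW = datetime(2026, 3, 1, tzinfo=timezone.utc)  # constructed "today"


def whois_creation_date(whois_text: str):
    """Pull the 'Creation Date:' line out of WHOIS output (RFC 3339 form)."""
    m = re.search(r"^\s*Creation Date:\s*(\S+)", whois_text, re.M | re.I)
    if not m:
        return None
    return datetime.fromisoformat(m.group(1).replace("Z", "+00:00"))


def whois_is_redacted(whois_text: str) -> bool:
    """True when the registrant sits behind a privacy or proxy service."""
    return bool(re.search(r"privacy|proxy", whois_text, re.I))


def cert_age_days(not_before: str, now: datetime = NOW) -> float:
    """Age of a certificate from its notBefore field, in the text form that
    ssl.getpeercert() returns, e.g. 'Feb 27 09:15:00 2026 GMT'."""
    return (now.timestamp() - ssl.cert_time_to_seconds(not_before)) / 86400


def spf_record(txt_records):
    """Return the SPF record among a domain's TXT records, if any."""
    return next((r for r in txt_records if r.lower().startswith("v=spf1")), None)


def dmarc_policy(dmarc_txt):
    """Return the p= policy from the _dmarc.<domain> TXT record, or None."""
    if not dmarc_txt or not dmarc_txt.lower().startswith("v=dmarc1"):
        return None
    tags = dict(kv.strip().split("=", 1) for kv in dmarc_txt.split(";") if "=" in kv)
    return tags.get("p")


def score(whois_text, cert_not_before, txt_records, dmarc_txt, now: datetime = NOW) -> dict:
    """Combine the signals into flags and a 0-100 score (100 = nothing odd)."""
    flags, penalty = [], 0
    created = whois_creation_date(whois_text)
    domain_age = (now - created).days if created else None
    if domain_age is None:
        flags.append("no creation date in WHOIS")
        penalty += 10
    elif domain_age < 180:  # the guide: most scam sites are under six months old
        flags.append(f"domain is {domain_age} days old")
        penalty += 30
    if whois_is_redacted(whois_text):  # weak on its own, so a small weight
        flags.append("registrant redacted")
        penalty += 5
    # A certificate issued days ago for a domain registered days ago.
    if cert_age_days(cert_not_before, now) < 7 and domain_age is not None and domain_age < 30:
        flags.append("fresh certificate on a fresh domain")
        penalty += 20
    if spf_record(txt_records) is None:
        flags.append("no SPF")
        penalty += 5
    if dmarc_policy(dmarc_txt) is None:
        flags.append("no DMARC")
        penalty += 5
    return {"score": max(0, 100 - penalty), "flags": flags}


# Constructed sample inputs: a nine-day-old store and a long-running one.
SUSPECT_WHOIS = """Domain Name: EXAMPLE-DEALS.SHOP
Registrar: Example Registrar, Inc.
Creation Date: 2026-02-20T00:00:00Z
Registrant Organization: REDACTED FOR PRIVACY
"""
SUSPECT_CERT_NOT_BEFORE = "Feb 27 09:15:00 2026 GMT"
SUSPECT_TXT = ["site-verification=abc123"]
SUSPECT_DMARC = None

GOOD_WHOIS = """Domain Name: EXAMPLE-RETAIL.COM
Registrar: Example Registrar, Inc.
Creation Date: 2015-06-01T00:00:00Z
Registrant Organization: Example Retail Ltd
"""
GOOD_CERT_NOT_BEFORE = "Jan 10 00:00:00 2026 GMT"
GOOD_TXT = ["v=spf1 include:_spf.example.net -all"]
GOOD_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc@example-retail.com"

if __name__ == "__main__":
    print(score(SUSPECT_WHOIS, SUSPECT_CERT_NOT_BEFORE, SUSPECT_TXT, SUSPECT_DMARC))
    print(score(GOOD_WHOIS, GOOD_CERT_NOT_BEFORE, GOOD_TXT, GOOD_DMARC))
```

Note that redaction alone costs only five points, matching the guide's point that WHOIS privacy is common among legitimate small operators; it is the fresh domain plus fresh certificate plus no mail authentication that drags the suspect store down to 35.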

Page content and presentation

The site itself leaks more than its operators realize.

  • Stock photos and stolen images. Reverse-image-search the hero image and a couple of "team" photos. If the founder's smiling face also appears in a Bulgarian dentistry advert from 2017, you've found your answer.
  • Template fingerprints. A huge share of one-off scam stores are Shopify or WooCommerce clones built from the same three templates. If the layout, fonts, and product-card design look identical to other sites you've recently been suspicious of, they probably share a builder.
  • Inconsistent currency, language, or tax behavior. A "UK-based" retailer that shows prices in USD with no VAT, ships only via untraceable couriers, and has an "About us" written in a slightly off dialect of English is almost certainly not based in the UK.
  • Legal pages that are obviously copied. Open the privacy policy and terms. Paste a distinctive sentence into Google in quotes. If it returns dozens of unrelated sites, the page is boilerplate that was never reviewed by anyone — not necessarily fraud, but a sign that whoever runs the site doesn't take compliance seriously enough to write their own.

Business identity

Genuine businesses are findable in the real world.

  • Company registration. If the site claims to be a registered company, look it up in the relevant national registry (Companies House in the UK, the state Secretary of State in the US, etc.). Most of these are free to search. A real company with a current filing status is far harder to fake than a website.
  • Physical address. Drop the listed address into Google Maps and Street View. A residential semi-detached, an empty lot, or a registered-agent service is not where a real e-commerce operation is run from.
  • Phone number. Call it. If it rings to a real human who knows what the business is, that's a strong signal. If it's disconnected, goes to a generic voicemail, or rings to a different company entirely, that's a strong signal in the other direction.
  • Real people. Cross-reference any named executives, founders, or staff on LinkedIn. Look for inconsistencies between the bio on the site and the work history on LinkedIn. AI-generated headshots tend to have subtle tells around earrings, hairlines, and backgrounds.

Reputation signals

What other people say about the site — on platforms the site itself doesn't control — is one of the most reliable filters available.

  • Reviews on independent platforms. Trustpilot, Sitejabber, and the BBB (in the US) host reviews the brand can't delete. A site with no presence on any of these is suspicious. A site with hundreds of glowing five-star reviews that all sound the same is even worse — see "AI-written reviews" below.
  • Forum mentions. Search Reddit (site:reddit.com brandname) and a couple of relevant niche forums. If real customers have written about their experience — good or bad — you'll find threads. Genuine scams tend to either have zero discussion or a string of "anyone else not get their order?" complaints.
  • The Wayback Machine. The Internet Archive's Wayback Machine shows you snapshots of a site over time. Is this domain a year-old e-commerce store with a clear product evolution, or is it an empty parked page until two weeks ago when an entire shop suddenly appeared? Many of the worst scams are recently repurposed expired domains.
  • Social media presence. Real businesses have social accounts with real, engaged followers. Scam-store Instagram accounts tend to have lots of followers and almost no comments, or comments that have been disabled entirely.

The new AI-age red flags

A growing share of scam sites are AI-built end-to-end. The tells are different from human-built fraud.

  • AI-generated product photos. Look closely at textures, hands, and reflections. AI image generators still struggle with realistic fabric weave, hand anatomy, and consistent shadow direction across composite images.
  • AI-written reviews. All five stars, all the same length, no specifics about size, fit, or delivery time, and a suspicious "everyone-loved-it" cadence across the whole set.
  • Generated "About us" pages. Look for vague founder stories ("our journey began when we noticed a gap in the market"), AI-generated team photos with off-kilter eyes, and writing that never names a single specific person, place, or year.
  • Chatbots posing as humans. A "live chat" that responds in under two seconds with detailed, never-confused answers is almost always a bot. Ask it something the site couldn't have anticipated ("what was the weather like at your office today?") and watch what happens.
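The "AI-written reviews" tell (all five stars, all the same length, nothing concrete about size, fit or delivery, no small frustrations) can be turned into a few measurable quantities. The following is an added illustration, not verified.fyi's own detector, and the thresholds are illustrative rather than tuned; both review sets are constructed.

```python
"""Heuristics for the 'all five stars, all the same length' review pattern.

Added example; not verified.fyi's review-analysis logic. Thresholds are
illustrative and the two review sets are constructed.
"""
import re
from statistics import mean, pstdev

# Concrete details real customers mention and generated copy tends to avoid.
SPECIFICS = re.compile(
    r"\b(size|sizing|fit|fits|deliver\w*|shipping|return\w*|refund\w*|"
    r"weeks?|days?|small|large|tight|late|arrived)\b", re.I)
# Small frustrations: even happy customers usually mention one.
FRICTION = re.compile(
    r"\b(but|however|unfortunately|slow|late|damaged|wrong|small|disappoint\w*)\b", re.I)


def review_set_signals(reviews):
    """reviews: list of (stars, text). Returns per-set metrics and a verdict."""
    stars = [s for s, _ in reviews]
    lengths = [len(t.split()) for _, t in reviews]
    n = len(reviews)
    avg_len = mean(lengths)
    metrics = {
        "five_star_share": round(stars.count(5) / n, 3),
        # Coefficient of variation of length: near 0 means cookie-cutter reviews.
        "length_cv": round(pstdev(lengths) / avg_len, 3) if avg_len else 0.0,
        "specific_share": round(sum(1 for _, t in reviews if SPECIFICS.search(t)) / n, 3),
        "friction_share": round(sum(1 for _, t in reviews if FRICTION.search(t)) / n, 3),
    }
    # All four tells together, not any one of them, make the set suspicious.
    metrics["suspicious"] = (
        metrics["five_star_share"] > 0.9
        and metrics["length_cv"] < 0.25
        and metrics["specific_share"] < 0.3
        and metrics["friction_share"] < 0.1
    )
    return metrics


# Constructed: the uniform, specifics-free set the guide describes.
GENERATED = [
    (5, "Absolutely love this product, exceeded all my expectations, highly recommend!"),
    (5, "Amazing quality and beautiful design, I could not be happier!"),
    (5, "Fantastic purchase, everyone in my family was so impressed with it!"),
    (5, "Great value and wonderful service, will definitely be ordering again!"),
    (5, "Perfect in every way, this store truly cares about its customers!"),
    (5, "Excellent experience from start to finish, five stars all around!"),
]

# Constructed: mixed ratings, varied length, concrete details and gripes.
GENUINE = [
    (5, "Bought the medium and it fits well. Shipping took about a week, which was fine."),
    (4, "Good jacket but the zip feels cheap. Delivery was quick though."),
    (2, "Arrived late and the colour was different from the photos. Returns process was slow."),
    (5, "Exactly as described."),
    (3, "Runs small, I had to exchange for a large. Customer service answered in two days."),
    (4, "Decent value for the price, nothing special."),
]

if __name__ == "__main__":
    print("generated:", review_set_signals(GENERATED))
    print("genuine:  ", review_set_signals(GENUINE))
```

The keyword lists are deliberately crude; the point is that the verdict rests on the shape of the whole set (rating spread, length spread, how much of it is concrete) rather than on any single review, which is also why the guide says to read ten of them rather than one.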

Payment-time checks

If you've made it this far and you're still tempted to buy, slow down right before checkout. Most of the money lost to fraudulent sites is lost in the last 60 seconds.

  • Watch the checkout URL. A legitimate store keeps you on the same domain (or a recognized third-party processor like Stripe or PayPal). If the checkout URL is a completely unrelated domain, leave.
  • Insist on a buyer-protection-friendly payment method. Credit cards, PayPal, Apple Pay, and Klarna all offer some form of dispute resolution. Wire transfers, bank transfers to an account that doesn't match the business name, gift cards, and any form of cryptocurrency do not. Be suspicious of any site that won't take a reversible payment method.
  • Look at what the site asks for. Real retailers ask for a shipping address and a payment method. They don't ask for your passport, your Social Security or National Insurance number, or your bank login. A shop has no good reason to ask for any of that.
  • Check the price. A 70%-off luxury good is a classic bait. If the price is too good to be true, the product almost always either doesn't exist, is counterfeit, or will never ship.

Five non-negotiables — when to walk away regardless

These are the situations where the trust score doesn't matter, the reviews don't matter, and the design doesn't matter. Walk away.

  1. The site is on Google Safe Browsing, VirusTotal, or any major blocklist.
  2. The checkout redirects you to an unrelated domain with no explanation.
  3. The site insists on a payment method with no buyer protection (wire, crypto, gift cards) for a normal consumer purchase.
  4. You can't find a single independent mention of the brand outside its own website.
  5. Your card or bank flags the transaction as suspicious. Banks see millions of fraud patterns, and they're often right when you'd prefer they weren't.

What verified.fyi does for you

Most of what's on this checklist takes 20–40 minutes per site to do properly by hand. That's fine when you're vetting one supplier, but not when you're a shopper choosing between five competing stores you've never heard of.

That's the gap verified.fyi closes. Every report runs 200+ of the signals above in parallel — WHOIS, SSL, DNS, blocklists, content analysis, archived history, hosting reputation, brand-similarity heuristics — and rolls them up into a single trust score with a plain-language verdict. You get the answer in under a minute, with the underlying signals visible if you want to dig into why.

You don't need to use our tool. You can do every check on this page by hand. But if you'd rather have a second opinion in seconds, that's what we're here for.


Frequently asked questions

Is the padlock icon enough to tell if a website is safe?

No. The padlock means the connection between your browser and the website is encrypted — nothing more. Any scammer can get a free SSL certificate from Let's Encrypt in minutes, and the vast majority of phishing sites have a valid padlock. Treat the padlock as the bare minimum, not a green light.

Does HTTPS mean a website is safe?

HTTPS protects the data in transit from being intercepted by a third party, but it doesn't say anything about who's on the other end. A scam site over HTTPS is still a scam site. The real safety question is whether the domain itself is trustworthy — which is what a trust checker is for.

How can I check who owns a website?

You can run a WHOIS lookup at any registrar's website to see the domain's creation date, registrar, and (sometimes) registrant details. Many domains hide the registrant behind a privacy service, so the most useful signals from WHOIS are usually the age of the domain and the registrar it's registered through. A trust checker bundles this with dozens of other signals automatically.

What does it mean if a website appears on Google Safe Browsing?

It means Google's automated systems have identified the site as serving malware, phishing pages, or other unwanted software. If a site is on Safe Browsing, you should not enter any information on it or download anything from it. The list isn't perfect — brand-new scams may not be on it yet — but a hit is essentially a definitive 'no'.

How old does a website need to be to be considered trustworthy?

There's no hard cutoff, but most fraud rings register new domains and run them for less than six months before abandoning them. A domain that's been around for several years and shows consistent activity in the Wayback Machine is much harder to fake. New isn't disqualifying — every legitimate business starts somewhere — but a brand-new domain should clear a higher bar on the other signals.

Can AI-generated reviews fool me?

Sometimes, but they have tells. AI reviews tend to be uniformly positive, similar in length, vague about specifics (sizing, delivery, returns), and free of the small frustrations real customers always mention. If you read ten reviews and learn nothing concrete about the product, assume the set is generated. Cross-check on independent review platforms, and look for forum discussion the brand has no say over.

What should I do if I think I've already been scammed by a fake website?

Move fast. Contact your bank or card issuer immediately and request a chargeback — the sooner you act, the better your chances of recovering the money. Change any passwords you used on the fraudulent site, especially if they're shared with other accounts. Report the site to Google Safe Browsing, the FTC (in the US), Action Fraud (in the UK), or the equivalent agency in your country. And keep screenshots of everything in case you need them later.
