Complete guide

How to Check If a Website Is Safe: The Complete 8-Step Guide

Why verification matters

Online fraud is not a niche risk. US consumers reported losing more than $10 billion to fraud in 2023 according to the Federal Trade Commission — the first time reported losses crossed that threshold — and the FBI's Internet Crime Complaint Center (IC3) recorded $12.5 billion in reported cybercrime losses the same year. Much of this fraud runs through convincing look-alike websites that survive only days before being replaced.

The good news: scam sites are cheap and disposable, and that shows up in verifiable technical signals. The eight checks below take about five minutes by hand, or seconds with an automated trust scan.

1. Check the connection security (HTTPS) — then discount it

The address should start with https:// and show no certificate warning. Encryption protects your data in transit, and any site asking for a password or card number over plain HTTP is disqualified immediately.

But HTTPS is now table stakes, not a trust signal. Per Google's Transparency Report, around 95% of pages loaded in Chrome use HTTPS — and free certificates take minutes to obtain, so phishing sites overwhelmingly have the padlock too. Our SSL certificates guide explains exactly what the padlock does and doesn't prove.

2. Verify the exact domain spelling

Typosquatting — registering a domain one character away from a major brand — remains one of the most effective phishing techniques. amaz0n.com, paypa1.com and g00gle.com read correctly at a glance. Check character by character, and be suspicious of brand names on unusual extensions: an established retailer is on .com, not .tk or .ml — extensions that appear disproportionately in abuse statistics because they were long free to register.

SiteReviewChecker measures the edit distance between a scanned domain and major brands automatically, and caps the score of close imitations regardless of their other signals — see the methodology.

3. Look up the domain age — the strongest single signal

Domain age is the strongest statistical predictor of fraud. Legitimate businesses hold domains for years; scam domains are typically registered days before use and abandoned once blocklisted. Industry phishing-landscape studies consistently find that maliciously registered domains are put to use within days of registration.

You can check any domain's registration date yourself with an RDAP lookup (the modern, standardized successor to WHOIS, defined in RFC 9083) — for example at rdap.org. As a rule of thumb: a domain under 30 days old asking for money or credentials deserves extreme caution; under a year is still a caution flag for a shop claiming to be established.

4. Look for real contact information

Legitimate businesses are reachable: a physical street address (not just a P.O. box), a working phone number, and a named legal entity. Verify independently — look the address up on a map, search the phone number, and check any company registration number against the official registry. Scammers avoid accountability, so missing, fake or unverifiable contact details are among the ten most common scam signs.

5. Check the privacy policy and terms of service

Every legitimate site that handles personal data publishes a privacy policy and terms of service, usually linked in the footer — in many jurisdictions (GDPR in the EU, CCPA in California) it's a legal requirement. Missing or boilerplate legal pages with the wrong company name are a strong negative signal, which is why transparency pages are worth 6 of the 100 points in our scoring model.

6. Check email authentication (SPF, DKIM, DMARC)

This is the check almost nobody does by hand — and one of the most revealing. A real organization configures its domain to send and receive mail: MX records, an SPF policy (RFC 7208), DKIM signing (RFC 6376) and a DMARC policy (RFC 7489). Disposable scam domains almost never bother. You can inspect these DNS records with any DNS lookup tool — or let our scanner read them for you; they account for 20 of the 100 points in the trust score.

7. Research reviews and reputation

Search the site name plus "reviews" and plus "scam". Check Trustpilot, Google reviews and the Better Business Bureau. Read the pattern, not the average: a burst of five-star reviews posted in the same week is as suspicious as consistent one-star complaints about undelivered orders. And no footprint at all is itself a warning — an established business leaves traces.

8. Run an automated trust scan

Steps 1–7 by hand take about five minutes per site. SiteReviewChecker runs them — and more — in seconds: 24+ signals across four weighted categories (domain reputation 35 pts, connection security 25 pts, email & DNS 20 pts, transparency & content 20 pts), producing a 0–100 score with every signal shown and independently verifiable. No paid reputation APIs, no black boxes. See how trust scores work and how AI systems rate websites for the background.

The 60-second checklist

CheckRed flag
Address barNo HTTPS, or a certificate warning
Domain spellingLook-alike of a known brand; brand name on .tk/.ml-style TLD
RDAP registration dateDomain younger than 30 days
Contact pageNo physical address or working phone
Footer legal linksNo privacy policy or terms of service
Payment methodsWire transfer, gift cards or crypto only
Price and urgencyToo-good-to-be-true prices, countdown pressure
Reputation searchScam complaints — or no footprint at all

Frequently asked questions

How can I quickly tell if a website is fake?

Check three things in under a minute: the exact domain spelling (scammers register look-alikes such as amaz0n.com), the domain registration date via an RDAP/WHOIS lookup (most scam sites are under 30 days old), and whether the site publishes a real physical address and working contact details. An automated scanner such as SiteReviewChecker checks all three, plus 20+ more signals, in seconds.

Does HTTPS mean a website is safe?

No. HTTPS only means the connection is encrypted, not that the site is legitimate. Free certificates take minutes to obtain, and the Anti-Phishing Working Group reports that the large majority of phishing sites now use HTTPS. Treat a missing padlock as a red flag, but never treat its presence as proof of safety.

How do I find out when a domain was registered?

Use an RDAP or WHOIS lookup (for example rdap.org, or the registrar’s own lookup) and read the "registration" or "creation" date. Domain age is the single strongest statistical predictor of fraud: legitimate businesses tend to hold domains for years, while scam domains are typically days or weeks old and are abandoned once blocklisted.

What should I do if I already entered my details on a scam website?

Act immediately: change the password anywhere you reused it, contact your bank or card issuer to block or dispute charges, enable two-factor authentication on affected accounts, and report the site — in the US at reportfraud.ftc.gov and ic3.gov. Speed matters most for payment details.

Sources

Check a website right now

Run a free SiteReviewChecker scan — a 0–100 trust score from 24+ verifiable signals, in seconds.

Related guides