The padlock icon means encrypted connection, not trustworthy website. Over 83% of phishing sites use HTTPS. To verify identity, inspect the SSL certificate itself.
Not sure about a website? IsThisAScam.to checks SSL certificates automatically in its 6-layer analysis.
Certificate Contents
Subject (domain), issuer (CA), validity period, certificate type (DV/OV/EV), and public key.
Think it might be a scam?
Paste it here for a free, instant verdict.
Free · No signup required · Cmd+Enter to scan
How to View
- Chrome: Padlock > "Connection is secure" > "Certificate is valid"
- Firefox: Padlock > "Connection secure" > "More information" > "View Certificate"
- Safari: Padlock > "Show Certificate"
Certificate Types
- DV (Domain Validation): Free, minutes to obtain. Verifies domain control only. Used by both legit and scam sites.
- OV (Organization Validation): Verifies organization identity. Costs money, takes days. Organization name appears in certificate. Scam sites rarely invest in OV.
- EV (Extended Validation): Most rigorous. Extensive legal identity verification. Gold standard for financial sites.
Red Flags
- Certificate mismatch (domain does not match)
- Expired certificate
- Self-signed certificate on a production site
- Free DV certificate on a site claiming to be a major bank
SSL Checker Tools
SSL Labs (ssllabs.com/ssltest), SSL Shopper, crt.sh for certificate history.
Practical Example
chase-secure-login.com: DV cert from Let's Encrypt (Chase uses EV from DigiCert), issued 2 days prior, no organization listed. Every indicator: phishing.
See website safety guide and domain age.
Received something suspicious? Check it now for free →