How to Verify a Website is Legitimate: 8 Checks
Google detects approximately 10,000 new phishing websites every day. These sites impersonate banks, stores, government agencies, and popular services with pixel-perfect accuracy. The average phishing site exists for only 21 hours before being taken down — just long enough to harvest hundreds of credentials. Knowing how to verify a website's legitimacy before entering any information is one of the most practical digital survival skills you can develop.
These eight checks take less than two minutes combined and can prevent the vast majority of fake website fraud.
Want to check a website instantly? Paste the URL into our free scanner →
Check 1: Examine the URL Carefully
The URL is the single most reliable indicator of a fake website. Scammers use domains that look similar to legitimate ones at a glance but contain subtle differences:
- paypa1.com (number "1" instead of letter "l")
- arnazon.com ("rn" looks like "m")
- wellsfargo-secure.com (extra words added)
- apple.com.verify-id.net (real domain is "verify-id.net," not "apple.com")
- goоgle.com (Cyrillic "о" instead of Latin "o")
The key rule: look at the domain name immediately before the first single slash. In "https://accounts.google.com/signin," the domain is "google.com." In "https://google.com.fake-site.net/signin," the domain is "fake-site.net."
Check 2: Look for HTTPS (But Don't Stop There)
HTTPS (the padlock icon) means the connection between your browser and the site is encrypted. This is necessary for security but not sufficient for legitimacy. Over 80% of phishing sites now use HTTPS because free SSL certificates are easy to obtain. A padlock doesn't mean the site is trustworthy — it only means your data is encrypted in transit (even if it's being sent to a scammer).
Got a suspicious email?
Paste it here for an instant analysis.
Free · No signup required · Cmd+Enter to scan
Conversely, any legitimate site handling logins or payments will always use HTTPS. If a site asking for your password doesn't show the padlock, close it immediately.
Check 3: Check the Domain Age
Legitimate businesses have domains registered for years. Phishing sites typically have domains registered days or weeks ago. Use whois.domaintools.com or who.is to check when a domain was registered. If a "bank" website was registered last Tuesday, it's fake.
This check is especially useful for online stores. A shopping site claiming to have been in business for 10 years but with a domain registered 3 months ago is almost certainly fraudulent.
Check 4: Search for the Company
Search the company name plus "scam," "fraud," or "review" on Google. Check the Better Business Bureau (bbb.org) for complaints. Look for the company on Trustpilot, Sitejabber, or ScamAdviser. A legitimate business leaves a digital footprint — news articles, social media presence, customer reviews across multiple platforms, and business registration records.
If a company seems to exist only on its own website with no independent mentions anywhere, treat it with extreme caution.
IsThisAScam's 6-layer detection system performs many of these checks automatically. Paste any URL into our scanner, and it analyzes domain age, SSL certificates, reputation databases, and known scam patterns in seconds.
Check 5: Inspect the Contact Information
Legitimate businesses provide real contact information: a physical address, phone number, and email from their own domain (not a Gmail or Yahoo address). Verify the address exists on Google Maps. Call the phone number. Send a test email.
Red flags:
- Only a contact form with no email address or phone number
- A generic address like "123 Business Street, New York, NY"
- An email address from a free provider (support@gmail.com instead of support@companyname.com)
- No contact page at all
Check 6: Review the Website Quality
While scam sites have improved dramatically, many still show telltale signs:
- Spelling and grammar errors throughout the site
- Broken links or pages that lead to "under construction" notices
- Prices dramatically below market value ("90% off all items")
- Stock photos used for team member profiles
- Privacy policy and terms of service that are copied from other sites or don't match the company name
- Missing or inconsistent branding
However, don't rely on this check alone. Professional scam sites can be visually perfect — especially AI-generated ones.
Check 7: Check Payment Methods
Legitimate e-commerce sites offer multiple payment methods including credit cards with established processors (Stripe, PayPal, Square). Be wary of sites that only accept:
- Wire transfers or bank transfers
- Cryptocurrency
- Gift cards
- Cash App, Venmo, or Zelle for business transactions
- Western Union or MoneyGram
Credit cards provide the strongest buyer protection. If a site doesn't accept major credit cards, proceed with extreme caution.
Check 8: Use Website Scanning Tools
Several free tools can assess a website's legitimacy:
- IsThisAScam.to — Our comprehensive 6-layer analysis covering domain, content, and behavior patterns
- Google Transparency Report (transparencyreport.google.com) — Check if Google has flagged the site as unsafe
- VirusTotal (virustotal.com) — Scans URLs against 70+ security engines
- ScamAdviser (scamadviser.com) — Trust score based on domain data, company info, and user reports
- URLVoid (urlvoid.com) — Checks domains against multiple blacklists
When You're Still Unsure
If a website passes some checks but fails others, err on the side of caution. The cost of avoiding a legitimate site is minor inconvenience. The cost of trusting a fake site can be devastating.
For more on safe online transactions, check our guides on safe online shopping and recognizing phishing.
Received something suspicious? Check it now for free →