How to Check If a Website Is Safe (7 Checks, 2026)

The URL is your first and most important signal. Attackers go to great lengths to make fake URLs look real, so you need to know exactly what to look for.

The real domain is the part immediately before the first single slash. In https://accounts.google.com/login, the domain is google.com — accounts is a subdomain (fine). But in https://google.com.accounts-verify.net/login, the domain is accounts-verify.net — and google.com is merely a subdomain of a malicious site.

Watch for these specific tricks: • Typosquatting: arnazon.com, paypa1.com, faceb00k.com • Hyphen insertion: pay-pal.com, amazon-secure.com • TLD swaps: amazon.net, paypal.co instead of paypal.com • Extra words: amazon-account-help.com, netflix-billing-update.com • Lookalike characters: rn looks like m at small font sizes (rnicrosoft.com)

Legitimate companies almost never put extra words in their domain name. "Amazon" doesn't send you to amazon-shipping-notifications.com — they send you to amazon.com.

The padlock icon in your browser's address bar means the connection is encrypted. It does not mean the website is trustworthy. Approximately 83% of phishing websites now use HTTPS and display the padlock.

What you should actually check: click the padlock icon to view the certificate details. Look for:

• •Issued to: Does the certificate belong to the company you expect? A legitimate PayPal page will have a certificate issued to PayPal, Inc. A phishing site might have a certificate issued to a random name or "Let's Encrypt" for a suspicious domain.
• •Validity dates: Is the certificate currently valid? Expired certificates are a red flag.
• •Certificate type: Extended Validation (EV) certificates include the company's legal name. While not all legitimate sites use EV certificates, a site claiming to be a major bank that doesn't have one is suspicious.

SafeSearchScan's SSL Checker gives you a full breakdown of any site's certificate in seconds — without needing to visit the site yourself.

The fastest and most reliable method is to paste the URL into a dedicated safety checker that queries multiple threat intelligence databases simultaneously. This catches threats that individual methods miss.

SafeSearchScan's URL Checker queries: • Google Safe Browsing — the database behind Chrome's built-in warnings • URLhaus — database of URLs used for malware distribution • PhishTank — community-sourced phishing URL database • Multiple additional threat intelligence feeds

The key advantage is that a single threat database can have gaps. A newly registered phishing site might not yet be in Google Safe Browsing but is already flagged by URLhaus. Cross-referencing multiple sources dramatically reduces the chance of a dangerous site slipping through.

This takes about 20 seconds and should become habitual before visiting any unfamiliar link — especially ones received via email, text message, or social media.

Every domain name has a WHOIS record that shows when it was registered and by whom. This is particularly useful for catching scam sites, because fraudsters routinely register new domains to avoid the bad reputation of their previous ones.

What to look for in a WHOIS record: • Registration date: Legitimate businesses rarely ask for payment on websites created less than 6 months ago. If a site claiming to be a well-known retailer was registered 3 weeks ago, it's almost certainly a scam. • Registrant country: A UK government website registered through a Chinese registrar is suspicious. • Privacy protection: Most legitimate businesses don't hide all their contact details. While personal privacy protection is normal, a "business" with completely hidden registration data is a warning sign. • Registrar: Is the domain registered through a reputable registrar?

SafeSearchScan's WHOIS Lookup shows you all this information instantly. A brand-new domain combined with an urgent request for payment or personal information should immediately raise your suspicion level to near-certain scam.

Before trusting a website you've never used, spend 45 seconds checking what others say about it. Scam sites leave traces.

Effective search queries to run: • "[site name] scam" or "[site name] reviews" — look for patterns in results, not individual complaints • "[site name] site:trustpilot.com" — check the Trustpilot rating and look at negative reviews specifically • "[site name] site:reddit.com" — Reddit communities are often first to flag scam sites • "[site name] BBB" — the Better Business Bureau flags problematic businesses

What to watch for in reviews: • A high volume of 5-star reviews posted within a very short timeframe (fake reviews) • Reviews that are vague and don't describe a real product experience • No reviews at all for a site that claims to have been operating for years • Multiple people reporting similar issues (items not delivered, difficulty getting refunds, data misuse)

One negative review rarely means much. A pattern of the same complaint from multiple people is a reliable signal.

Legitimate businesses are contactable. Fraudulent websites typically either have no contact information, or provide fake details that don't check out when verified.

What a legitimate site should have: • A physical address that exists and matches the claimed business location (verify in Google Maps) • A working phone number (call it — does a real business answer?) • An email address on the company's own domain, not a free webmail service like gmail.com or yahoo.com • A real "About Us" page with specific, verifiable information — not generic stock-photo text • Company registration details for the jurisdiction they claim to operate in (UK: Companies House, US: state business registry)

Red flags to watch for: • Contact form only — no phone number or address • Address is a residential property, a UPS Store mailbox, or doesn't exist • "Customer service" email is a personal Gmail address • No About page, or an About page with no specific details about who runs the company • The site is in English but the physical address is in a country with no obvious connection to the business

Modern browsers (Chrome, Firefox, Safari, Edge) are all connected to safety databases and will show interstitial warning pages for known dangerous sites. If your browser shows a red warning page, trust it and go back.

Beyond browser warnings, pay attention to your own instincts. If something about a website feels off, it probably is. Common gut-check signals:

• •The deal is suspiciously good (70% off designer goods, lottery winnings)
• •The site appeared in an unsolicited email or text message
• •You're being asked for payment via bank transfer, cryptocurrency, or gift cards
• •There's excessive pressure to act within a time limit ("offer expires in 12 minutes")
• •The site's writing quality is poor or the design looks hastily assembled
• •The site asks for more information than is necessary (requesting your social security number to create a free account)

Scammers are constantly improving their craft, but the fundamental pressure tactics haven't changed. Any time a website creates urgency, fear, or an offer that seems too good to be true — slow down and verify before proceeding.