Online Safety

How to Spot a Fake Website Before You Get Scammed

A practical checklist to run before you enter a password, card number, or download anything — plus a simple decision flow for when to trust a site and when to close the tab.

How do you spot a fake website before you get scammed? Before you type a password, enter a card number, or download a file, pause and check three things: the full URL in your browser's address bar (not the logo on the page), how you got there (unexpected email, text, or ad is a red flag), and whether the site is pushing urgency or asking for more information than it should. If any of those checks fail, close the tab — do not enter anything — and open the real site yourself by typing the address or using a bookmark you already trust.

That thirty-second habit stops most phishing sites cold. The rest of this guide walks through exactly what to look for, a printable-style checklist you can run every time, and a decision flow for the moment you're unsure.

Why fake websites fool smart people

Scam sites don't look "fake." They copy real bank login pages, shipping notifications, and store checkout flows almost pixel-for-pixel. Attackers register domains that differ from the real one by a single character — paypa1.com instead of paypal.com, or amazon-security.net instead of amazon.com — and hope you won't notice while you're distracted.

They also lean on pressure: "Your account will be locked in 15 minutes," "Unusual sign-in detected," "Your package couldn't be delivered." Urgency is the point. It pushes you past the checks you would normally run. Email remains a major delivery channel — it was the contact method in 25% of fraud reports to the FTC in 2024 when victims identified how scammers reached them (FTC Consumer Sentinel Network Data Book). The good news is that fake sites leave fingerprints. Once you know what to scan for, the scam becomes visible again.

Checklist: 12 tells of a fake website

Run through this list before you enter personal information or pay. You don't need to memorize it — bookmark this page or screenshot the checklist for quick reference.

Fake website checklist

  • Wrong domain — The address bar shows a misspelling, extra word, or different extension (.net instead of .com). Read every character.
  • Subdomain trick — Something like paypal.secure-login.xyz puts the real brand in a subdomain; the actual site is secure-login.xyz.
  • You arrived via a link — Email, text, social ad, or QR code sent you here. Close it and go to the site directly instead.
  • Artificial urgency — Countdown timers, threats to lock your account, or "act now" language designed to skip your judgment.
  • Asks for too much — A delivery notice shouldn't need your full Social Security number. A password reset shouldn't ask for your current card PIN.
  • Sloppy details — Broken English, blurry logos, mismatched fonts, or a copyright date years out of date.
  • Missing or fake contact info — No physical address, a generic support email, or a phone number that goes nowhere.
  • Only payment methods you can't reverse — Wire transfer, cryptocurrency, gift cards, or Zelle for a "refund" are classic scam payment rails.
  • Prices that make no sense — A $900 laptop for $89 is bait. If the deal feels impossible, assume it's a trap.
  • No real reviews elsewhere — Search the store name plus "scam" or "reviews." A site with zero independent presence is suspicious.
  • Browser warning — Chrome or Firefox flags the page as dangerous. Do not click through; treat it as confirmed.
  • Padlock alone isn't proof — HTTPS means the connection is encrypted, not that the owner is honest. Scammers get certificates too.

If two or more items on that list apply, stop. Do not enter information, do not pay, and do not download files from the page.

How to verify the URL (the step most people skip)

The address bar is your ground truth — not the logo, not the page title, not what the email said the link would be. On desktop, click the address bar and read the full domain from left to right. On mobile, tap the address bar to expand it before you trust what you see.

Look specifically at the part just before the first single slash. In https://www.chase.com/login, the real site is chase.com. In https://chase.secure-verify.io/login, the real site is secure-verify.io — not Chase.

When in doubt, close the tab entirely. Open a new tab, type the company's known address yourself (or use an existing bookmark), and log in from there. If there really was a problem with your account, you'll see it once you're on the genuine site. The FTC's guide on recognizing phishing scams makes the same recommendation: don't use the link you were sent.

Decision flow: when to trust vs. when to leave

Use this sequence every time you're about to enter sensitive information. It takes under a minute once you've done it a few times.

  1. Stop and breathe. Urgency is a tactic. If something says you must act in the next ten minutes, that alone is a reason to pause.
  2. Check how you got here. Did you type the address, use a saved bookmark, or follow a link from email, text, or an ad? If it's a link, assume it's unsafe until proven otherwise.
  3. Read the full URL. Expand the address bar. Confirm the domain matches the company exactly — spelling, extension, and all. If anything is off, leave.
  4. Run the checklist above. Two or more red flags means stop. One serious flag (wrong domain, browser warning, gift-card payment) is enough on its own.
  5. Verify out of band. Close the tab. Open the real site directly or call the company using a number from your card or their official site — not a number shown on the suspicious page.
  6. Trust the site only if all checks pass. You arrived on your own, the domain is correct, nothing on the checklist fired, and the request is reasonable for what you're doing.
  7. If anything still feels wrong, leave anyway. Your instinct counts. You can always come back later through a path you control.

When you leave, don't click "back" on the suspicious page — close the tab. If you already submitted something before realizing, see our guide on what to do if you clicked a phishing link for step-by-step recovery.

Turn on your browser's safety settings

Modern browsers maintain lists of known phishing and malware sites and can warn you before a page loads. They won't catch every brand-new scam on day one, but they stop a large share of repeat attacks — and they're free.

Treat a browser warning as final — don't override it because the page "looks fine." If you need to reach a site that was flagged, navigate there independently (type the address yourself) and contact the company through official channels if you're still blocked.

If you already entered information on a fake site

Don't panic, but don't wait. If you typed a password, change it immediately from a device you trust — starting with that account and every other account that reused the same password. Turn on multi-factor authentication if you haven't already. If you entered payment details, call your bank or card issuer and ask them to watch for fraud or issue a new card.

For a full recovery sequence — disconnecting, scanning, reporting, and monitoring — follow our step-by-step guide: What to Do If You Clicked a Phishing Link. The same steps apply when you realize a site was fake, even if you didn't technically "click a link."

Frequently asked questions

Can a fake website have HTTPS and a padlock?

Yes. HTTPS only encrypts the connection between your browser and the server — it does not prove the site owner is legitimate. Scammers obtain certificates routinely. Always verify the domain name itself, not just the padlock icon.

What is the fastest way to check if a website is real?

Close the tab and open the site yourself by typing the official address or using a bookmark you already trust. Compare the URL character by character. If you arrived via email or text, never use the link that was provided.

What should I do if I already entered my password on a fake site?

Change that password immediately from a device you trust, starting with the account you entered and any account that reuses the same password. Enable multi-factor authentication, then work through a full recovery checklist — see our phishing recovery guide for the complete sequence.

Do browsers block fake websites automatically?

Chrome and Firefox can warn you about known phishing and malware sites when Safe Browsing or phishing protection is enabled — but they cannot catch every new scam on day one. Treat browser warnings as a stop sign, not as proof a site is safe when no warning appears.

Why do fake websites look so convincing?

Attackers copy real logos, layouts, and login pages almost pixel-for-pixel. They also use urgent language — account suspended, payment failed, limited-time deal — to push you past the checks you would normally run. The design is meant to feel familiar; the domain and the link path are where they slip up.

The bottom line

Learning how to spot a fake website comes down to a short habit: read the real URL, question how you arrived, and refuse to rush. Run the checklist before you enter anything sensitive, follow the decision flow when you're unsure, and keep your browser's phishing protection turned on. Scammers count on you moving too fast to notice the details — slowing down is the countermove.