How to Tell If a Website Is Legitimate


You found a website you have never used before, and now you are wondering whether you can trust it with your money or your personal information. That hesitation is worth listening to. A fake or compromised site can spread malware, charge your credit card without sending anything, and feed your details straight into identity theft.

So how do you tell if a website is legitimate? Check a few things before you buy or sign up: the web address and how old the domain is, whether the connection is secure, the contact information and policies, and what other people say about the company elsewhere. No single signal proves a site is safe, but together they tell you whether to trust it or close the tab.
12 Ways to Check If a Website Is Safe
Work through the checks below the next time a site gives you pause. Some take a few seconds, like scanning the web address or looking for specific icons. Others, like reading the policies or searching for reviews, are worth the extra minute when sensitive information is involved. Start at the top and stop trusting a site the moment too many red flags pile up.
1. Look for the “S” in HTTPS
If HTTPS sounds familiar, it should: many website URLs begin with “https” instead of just “http” to indicate that the connection is encrypted. This security is provided by an SSL certificate, which stands for Secure Sockets Layer certificate. It protects sensitive information you enter on the website as it travels between your browser and the site’s server over a secure connection.
A bonus to having that security certificate is the visual indicator it provides. In Chrome, the traditional padlock icon has been replaced with a "tune" icon. Clicking this icon reveals site settings and connection details, such as certificate information and permissions. Other browsers may still display a padlock or similar icon to indicate a secure connection.
Without an SSL certificate, that information is exposed and easily accessible by cybercriminals. It’s important to note that HTTPS isn’t the only sign of a secure website, and scam sites can have it too, but it’s a good sign that the website owner cares about your safety. Whether you’re logging in, making a payment, or just entering your email address, check that the URL starts with “https.”
2. Watch for suspicious URLs and typosquatting
Cybercriminals often register fake websites with URLs that look nearly identical to legitimate ones. These domains might contain subtle misspellings, swapped letters, or extra characters that are easy to miss at first glance. Always double-check the website address before clicking or entering personal information. If something looks slightly off—like amaz0n.com instead of amazon.com—it’s best to steer clear.
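The comparison described above can also be automated. The following is an added example, not code from the original article: it checks a URL's host against a short list of sites you already trust and flags near matches caused by a misspelling, swapped letters, an extra character, or a digit standing in for a letter. The names KNOWN_DOMAINS, LOOKALIKES, MAX_EDITS, osa_distance and check_url are illustrative assumptions, and only plain ASCII hostnames are handled.

```python
from urllib.parse import urlsplit

# Constructed allow-list: the sites this reader actually does business with.
KNOWN_DOMAINS = ["amazon.com", "paypal.com"]
# Digits commonly swapped in for letters in spoofed names (0 for o, 1 for l, ...).
LOOKALIKES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})
MAX_EDITS = 1  # assumed threshold: one typo, swap, or extra character


def osa_distance(a: str, b: str) -> int:
    """Edit distance where insert, delete, substitute and adjacent swap each cost 1."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            # Adjacent transposition, e.g. "amzaon" -> "amazon"
            if prev2 is not None and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]


def check_url(url: str):
    """Classify a URL's host as 'exact', 'lookalike' or 'unknown' against KNOWN_DOMAINS."""
    if "://" not in url:
        url = "//" + url  # let urlsplit find the host in a bare "example.com/path"
    host = (urlsplit(url).hostname or "").removeprefix("www.")
    if host in KNOWN_DOMAINS:
        return ("exact", host)
    normalized = host.translate(LOOKALIKES)
    for real in KNOWN_DOMAINS:
        if min(osa_distance(host, real), osa_distance(normalized, real)) <= MAX_EDITS:
            return ("lookalike", real)
    return ("unknown", None)


if __name__ == "__main__":
    for sample in ["https://www.amazon.com/deals", "http://amaz0n.com/login",
                   "amzaon.com", "https://paypall.com", "https://example.org"]:
        print(sample, "->", check_url(sample))
```

An "unknown" result only means the host is not close to anything on the list; it says nothing about whether the site is safe.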
3. Read the “About Us” page
A professional website should clearly state who they are and what they do. Look for an “About Us” page that outlines the company’s mission, values, and leadership team. While it’s not a guarantee of website safety, transparency about ownership and operations is often a sign that the site is legitimate. A lack of company background or vague details may be a sign of an unsafe site.
4. Check the website's important policies
A site's policies are some of the clearest signals you have. They tell you how a business handles your data, your money, and your orders, and whether it follows the law at all. Before you buy or sign up, look for two in particular.
Start with the privacy policy. It should clearly explain how the site collects, uses, and protects your information. Nearly every legitimate website has one, since data privacy laws in countries like Australia and Canada require it, and the EU enforces stricter rules still. A site that publishes a real privacy policy is telling you it cares about staying compliant and keeping your data safe. Read it before you hand anything over.
Then check the return and refund policy if the site sells products. Real stores spell out how returns work, when you get your money back, who pays for shipping, and how long delivery takes. You can usually find this in the footer or at checkout. A few things should stop you cold:
- No return or refund policy anywhere, or one buried where you cannot reach it
- Blanket "all sales final" terms on every item with no explanation
- A policy copied word-for-word from another store, sometimes with the wrong company name
- Refund steps that ask you to pay a fee before you see any money
Read the Terms of Service as well. Scam websites often skip it or pad it with text that has nothing to do with what they sell. Clear policies written for that specific store are a good sign you are dealing with a real business, not a front built to take your cash and disappear.
5. Find their contact information
If finding a website's contact information makes that site seem more trustworthy to you, you're not alone. Stanford's Web Credibility Guidelines recommend making your contact information easy to find, including a phone number, physical address, and email address, because doing so shows there is a real organization and real people behind the site. Ideally, a safe website will display an email address, a phone number, a physical address if they have one, and active social media accounts. These won't necessarily provide protection, but they indicate that there's likely someone you can reach out to if you need assistance.
6. Search for reviews and scam reports
What do other people say about the site? Their experience is one of the hardest things for a scammer to fake. Real businesses leave a trail of feedback on platforms they cannot control, like Trustpilot, the Better Business Bureau, and Reddit. Search the company name along with words like scam, complaint, or refund, and read what comes back.
Here is what the results tell you:
- A legitimate website usually has a mix of reviews built up over months or years, including a few critical ones, because no real business pleases everyone.
- A fake site often has almost no footprint at all, or a sudden wave of glowing five-star reviews posted within days of each other.
- Watch for reviews that repeat the same phrases or read like ad copy, since those are often planted.
Pay attention to how the company handles criticism as well. A real business tends to reply to unhappy customers and try to fix the problem. Scammers go silent or delete the complaint. If your search turns up warnings from other shoppers who lost money, take them seriously and shop elsewhere.
7. Verify their trust seal
If you see an icon with the words “Secure” or “Verified,” it’s likely a trust seal. A trust seal indicates that the website works with a security partner. These seals are often an indicator that a site has HTTPS security, but they can also indicate other safety features, like the date of the site’s last malware scan.
Although 79 percent of online shoppers expect to see a trust seal, the presence of the seal isn’t enough. It’s also important to verify that the badge is legitimate. Fortunately, it’s easy to do – simply click the badge and see if it takes you to a verification page. This confirms that the site is working with that particular security firm. It doesn’t hurt to do your own research on the company supplying the badge, too!
If a trust seal is legitimate, clicking on it will take you to a page that verifies the authenticity of that seal. As an example, SiteLock’s verification page looks like this.
8. Be cautious with payment methods
Most trustworthy websites that encourage online shopping will accept secure, widely used payment methods such as credit cards, PayPal, or trusted third-party processors. If a site only accepts cryptocurrency, wire transfers, or gift cards, use caution: these non-traditional options are often used in scams because they’re difficult to trace or recover.
9. Use free website security tools
Make sure you’re not accessing a malicious website with Google Safe Browsing. This free tool helps protect internet users from visiting dangerous websites or downloading malicious files. It not only identifies and flags websites that contain malware or phishing content, warning users before they can even access them, but Google Safe Browsing also constantly updates its database of unsafe websites.
SiteLock also offers a free website scanner. Simply input your domain name, and SiteLock will conduct a free external scan, searching for known malware or malicious code while ensuring your site is up-to-date and secure. While this scan is effective at detecting visible malware in real time, certain types may require deeper investigation with server access. For a thorough check, we recommend that website owners conduct a comprehensive full scan, especially if server issues are suspected.
10. Know the signs of website malware
Even if a website has an SSL certificate, a privacy policy, contact information, and a trust badge, it may still not be safe if it is infected with malware. But how do you know if a website is infected with malware? Look for the signs of these common malware attacks:
- Defacements: This attack is easily spotted. Cybercriminals replace a site’s content with their name, logo, and/or ideological imagery.
- Suspicious pop-ups: Be cautious of pop-ups that make outlandish claims – they are likely trying to entice you to click and accidentally download malware.
- Malvertising scams: Some malicious ads are easy to catch. They typically appear unprofessional, contain grammar/spelling errors, promote “miracle” cures or celebrity scandals, or feature products that don’t match your browsing history. It’s important to note that legitimate ads can also be injected with malware by scammers, so exercise caution when clicking.
- Phishing kits: Phishing kits are websites that imitate commonly visited sites, like banking websites, to trick users into handing over sensitive information. They may appear legitimate, but spelling and grammar errors will give them away.
- Malicious redirects: If you type in a URL and are redirected to another site – especially one that looks suspicious – you have been affected by a malicious redirect. They are often used in conjunction with phishing kits.
- SEO spam: If you see odd or irrelevant links—especially in comments—it could indicate SEO spam.
- Search engine warnings: Some popular search engines will scan websites for malware and place a warning on that site if it is definitely infected with malware.
11. Pay attention to the overall quality of the site
What makes a website look fake? Often, the warning signs are small on their own but add up fast. Scammers build sites in a hurry, so the quality slips show up in places a real business would polish. Look closely at:
- Spelling and grammar mistakes in headlines, product descriptions, or the checkout page
- Broken links, images that fail to load, or pages that lead nowhere
- A blurry or stretched logo, or the same stock photo used for every product and team member
- Pop-ups that cover the screen, fake countdown timers, or constant prompts to buy right now
- A web address that does not match the brand name shown on the page
One slip can be an honest mistake. Several together point to a fake site thrown up fast to catch people off guard. Check the company social media accounts as well. Real businesses usually have profiles with a history of posts and replies, while scam websites link to empty pages or none at all.
12. Trust your instincts
Scam websites often lure visitors with prices or promotions that seem too good to be true—and they usually are. If a deal feels suspiciously generous, take a moment to evaluate the website before making a purchase. Trust your instincts: poor design, vague information, or unusual payment methods are all red flags. When something doesn’t feel right, it’s safer to walk away.
What to do if you used an unsafe website
Sometimes you spot the problem too late. Maybe you already placed an order, or you entered your login on a page that turned out to be fake. How do you even know? Watch for a missing order confirmation, no tracking number, a charge that shows up in a foreign currency, or a customer service email that bounces back. Any of those means it is time to act.
Move quickly to limit the damage. Here is where to start:
- Call your bank or card issuer right away and ask them to watch for or block suspicious charges on your credit card or debit card. Many will cancel the card and send a new one.
- Change your password on any account that uses the same login, beginning with your email and banking accounts.
- Watch your statements and credit report over the next few months for signs of identity theft.
- Report the site to the FTC at reportfraud.ftc.gov so other shoppers get a warning.
Did you only click a link without entering anything? You are probably fine, but take a few precautions anyway. Run a malware scan on your device, clear your browser data, and avoid going back to the page. Most browsers let you report a dangerous link or home page, so it gets flagged for the next person who lands there. A little caution now buys you real peace of mind later.
It’s unfortunate that not every website is trustworthy and secure, but don’t let that keep you from going online—just do it safely! Simply being able to recognize a safe website can go a long way to help protect your personal data. A secure HTTPS connection, a privacy policy, contact details, and a verified trust seal are strong indicators of a safe site. For more on protecting your information online, check out our cybersecurity resources.