Checking If a Site Is Real

Why Verification Matters

Attackers create fake versions of real websites to steal credentials, payment info, and personal data. Learning to verify sites before trusting them is one of the most valuable security skills you can develop.

Check the URL First

The web address is your most reliable indicator:

• Look at the domain name carefully (the part before the first slash)
• Watch for misspellings: "arnazon.com" vs "amazon.com"
• Watch for extra words: "amazon-login-secure.com" is not Amazon
• Check the domain extension: "amazon.net" is not the real Amazon
• Subdomains can be misleading: "amazon.com.fake-site.net" is fake-site.net, not Amazon

Tip: In a URL like "https://www.secure.bank.example.com/login", the actual domain is "example.com". Everything before it is a subdomain controlled by example.com's owner.

Look Up the Domain

Use WHOIS lookup tools to check when a domain was registered:

• Legitimate businesses usually have domains registered for years
• Scam sites often use domains registered days or weeks ago
• Check if the registrant information matches the claimed business

Search for Reviews and Reports

• Search the site name plus "scam" or "reviews"
• Check the Better Business Bureau (bbb.org)
• Look for the company on Trustpilot or similar review sites
• Search for the company on social media to see real customer interactions

Examine the Site Itself

• Look for a physical address and phone number
• Check if the About, Contact, and Privacy Policy pages exist and make sense
• Look for professional design and correct spelling
• Test if links work and lead to real pages
• Check if the site has been around (use the Wayback Machine at archive.org)

Use Online Verification Tools

• Google Safe Browsing: Check if Google has flagged the site
• VirusTotal: Scan the URL against multiple security databases
• urlscan.io: See a screenshot and analysis of the site
• Scamadviser.com: Get a trust score for online stores

Trust Your Password Manager

If you use a password manager and it does not offer to fill in your credentials, that is a strong signal you might be on a fake site. Password managers match the exact domain, so they will not autofill on phishing pages.

When to Be Extra Careful

• You clicked a link in an email or message
• The site asks for sensitive information
• You found the site through an ad
• The deal seems too good to be true
• Something just feels off

Key Takeaways

• Always check the URL before entering sensitive information
• New domains are more likely to be scams
• Search for reviews and scam reports
• Use verification tools when in doubt
• Trust your password manager's autofill behavior