eSafety 101
Digital safety basics · Part 10

How to Check a Website Before You Trust It

Quick read (for everyone)

Main point: do not trust a website just because it looks professional.

Scammers can copy logos, colours, layouts, product photos, reviews, and login pages. A fake website can look very similar to a real one.

Before you enter passwords, card details, bank details, identity documents, or personal information, check:

  • Did you arrive through a link in a message, ad, search result, or QR code?
  • Does the website address look exactly right?
  • Is there a small typo, extra word, strange ending, or lookalike character?
  • Is the site asking for money, passwords, security codes, or personal information?
  • Can you reach the same website by typing the address yourself or using the official app?

Be especially careful if the website is connected to a payment, invoice, delivery fee, account warning, refund, prize, investment, or urgent problem.

A safer habit: when the website matters, do not rely only on the link that brought you there. Find your own way to the official site or app.

A little deeper (for curious readers)

So far in this series, we have focused on slowing down, recognising pressure, verifying important requests, and being careful with messages, links, attachments, QR codes, and personal information.

Now we are looking at the place many scams try to send you next: a website.

Websites can feel trustworthy because they look official. They may have a logo you recognise, a clean design, a padlock icon, customer reviews, product photos, contact forms, or words that sound professional.

But appearance is not proof.

A scammer can create a fake website that copies a real bank, delivery company, government service, online store, streaming service, charity, investment platform, or login page.

The question is not only “Does this website look real?”

A better question is:

“How did I get here, and what is this website asking me to do?”

Step 1: Check how you arrived

Be more cautious if you arrived through:

  • A link in an unexpected message.
  • A link in an email or text about an urgent problem.
  • A QR code.
  • A social media ad.
  • A search result marked as sponsored.
  • A marketplace message.
  • A pop-up warning.
  • A link from someone you do not know.

These paths are not always unsafe, but scammers often use them to guide people to fake pages.

Step 2: Check the website address

Look carefully at the address in the browser.

A fake website address may include:

  • A small typo.
  • An extra word.
  • A different ending.
  • A strange subdomain.
  • A long confusing address.
  • A lookalike character, such as a letter from another alphabet that looks similar to an English letter.

For example, a fake address might use a character that looks like the letter o but is actually a different character from another alphabet. At a quick glance the address appears correct, but to the browser it is a completely different website.

Step 3: Understand what the padlock means

A padlock or HTTPS is a good sign, but it does not prove the website is real.

It means the connection between your browser and the website is encrypted. It does not prove that the website is legitimate, trustworthy, or controlled by the organisation it appears to represent.

A fake website can still have a padlock.

This is why you still need to check the website address, how you arrived there, and what the website is asking you to do.

Step 4: Check what the website wants

Be careful if the website asks you to:

  • Sign in.
  • Enter card details.
  • Pay a fee.
  • Confirm bank details.
  • Upload identity documents.
  • Provide a security code.
  • Approve a sign-in.
  • Download software.
  • Share personal information that does not seem necessary.

The more sensitive the request, the more carefully you should check the website.

Step 5: Find your own way there

If the website is for a bank, government service, delivery company, store, or important account, avoid using the link if you are unsure.

Instead:

  • Open the official app directly.
  • Type the website address yourself.
  • Use a saved bookmark.
  • Search for the organisation carefully and avoid sponsored results if you are unsure.
  • Call using a number from an official source, not from the suspicious page.

Step 6: Be careful with payments

A website may be fake even if the payment page looks normal.

Be extra careful with deposits, invoices, delivery fees, urgent account fees, marketplace payments, investment platforms, and payment instructions sent by message.

If you are paying a large amount, such as a house deposit, vehicle deposit, contractor invoice, school fee, holiday booking, or business invoice, verify the payment details through a separate trusted contact method before sending money.

A simple rule:

If a website is asking for money, passwords, identity documents, bank details, or security codes, take the time to check it properly.

Technical notes (for confident users)

Fake websites are commonly used for phishing, credential theft, payment fraud, malware delivery, investment scams, fake online stores, identity theft, OAuth consent abuse, session theft, and account takeover.

A website should be assessed by looking at the source of the visit, the actual domain, the requested action, the authentication or payment flow, and the consequences of being wrong.

The source of the visit matters.

A user who arrives through an unsolicited email, SMS, QR code, pop-up, sponsored ad, social media ad, marketplace message, or compromised account is following a path that may have been controlled by an attacker.

Search results also deserve caution. A malicious or misleading website may appear through an advertisement, search-engine optimisation, or a cloned page that targets a specific brand, product, government service, or support query.

The domain matters more than the page design.

Attackers may use:

  • Typosquatting: small spelling changes in a domain.
  • Combosquatting: adding extra words to a trusted brand name.
  • Misleading subdomains: placing a trusted-looking word before the real domain.
  • Different top-level domains: using a different ending from the legitimate site.
  • Shortened links: hiding the final destination.
  • Redirect chains: sending the user through one or more intermediate pages.
  • Compromised legitimate websites: hosting malicious content on a real site that has been abused.
  • Lookalike characters: using characters that visually resemble normal letters.

A common mistake is looking at the wrong part of the address.

In a URL, the important ownership boundary is usually the registrable domain (the label immediately to the left of the public suffix, such as example.com or example.co.uk), not every word shown in the address. Everything to the left of that boundary is chosen by whoever owns the domain, and everything after the first slash is just a path. So in a long address with many dots and slashes, a trusted-looking word may appear in a subdomain, path, query string, or page title without meaning the site is controlled by that organisation.

Lookalike characters can make this harder.

Some fake domains use Unicode characters from other alphabets that visually resemble normal ASCII letters, such as characters that look like a, e, o, p, or c. This is often discussed as an IDN homograph or lookalike domain technique. The address may look familiar to a human reader, but it is technically a different domain.

Some browsers display certain internationalised domains as punycode, beginning with xn--, when they detect potential risk or mixed-script usage. This can help, but it is not something users should rely on as their only protection.
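The following script, added here as an example and not part of the original page, shows what a browser does with a lookalike domain: it converts the host between its Unicode form and its ASCII xn-- (punycode) form, flags labels that mix scripts, and compares the host against a trusted name using a small hand-picked confusables table. The sample URLs, the hypothetical trusted host example.com, and the tiny confusables table are constructed for this example; real browsers use the full Unicode script and confusables data.

```python
import unicodedata
from urllib.parse import urlsplit

# Hand-picked subset of Unicode confusables (constructed for this example):
# Cyrillic letters whose glyphs match Latin ones. Real tooling uses the full
# Unicode confusables table, which is far larger.
CONFUSABLES = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
    "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i",
}

# Constructed sample URLs. The second uses a Cyrillic "a" (U+0430) that renders
# like Latin "a"; the third is the same host already written in punycode; the
# fourth is non-ASCII but uses a single script, as a legitimate German name would.
SAMPLE_URLS = [
    "https://example.com/login",
    "https://ex\u0430mple.com/login",
    "https://xn--exmple-4nf.com/login",
    "https://b\u00fccher.example/",
]


def scripts_in(label):
    """Approximate the scripts used in a label from Unicode character names
    ('CYRILLIC SMALL LETTER A' -> 'CYRILLIC'). Digits and hyphens are ignored."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}


def skeleton(host):
    """Map known confusables to their Latin lookalike so that visually identical
    hosts collapse to the same string."""
    return "".join(CONFUSABLES.get(ch, ch) for ch in host)


def analyse_host(url):
    """Describe a URL's host both as the wire sees it (ASCII, xn-- labels) and
    as a human sees it (Unicode), and flag mixed-script labels."""
    host = urlsplit(url).hostname or ""
    # Python's built-in idna codec implements IDNA 2003, which is enough to show
    # the xn-- form; browsers use newer rules (IDNA 2008 plus their own policies).
    unicode_host = host.encode("ascii").decode("idna") if host.isascii() else host
    ascii_host = unicode_host.encode("idna").decode("ascii")
    mixed = [label for label in unicode_host.split(".") if len(scripts_in(label)) > 1]
    return {
        "unicode_host": unicode_host,
        "ascii_host": ascii_host,
        "non_ascii": unicode_host != ascii_host,
        "mixed_script_labels": mixed,
    }


def resembles(url, trusted_host):
    """True when the host is NOT the trusted host but would look identical at a glance."""
    info = analyse_host(url)
    return info["unicode_host"] != trusted_host and skeleton(info["unicode_host"]) == trusted_host


if __name__ == "__main__":
    for url in SAMPLE_URLS:
        print(url, analyse_host(url), "lookalike of example.com:", resembles(url, "example.com"))
```

Note that the single-script non-ASCII host (bücher.example) is reported as non-ASCII but not as mixed-script, which is the distinction browsers rely on when deciding whether to show the xn-- form; a lookalike that stays entirely within one non-Latin script would pass the mixed-script check, which is why the confusables comparison is also needed.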

HTTPS is necessary, but not sufficient.

A padlock or HTTPS means the connection between the browser and the website is encrypted. It does not prove that the website is legitimate, trustworthy, or controlled by the organisation it appears to represent.

Attackers can obtain certificates for malicious domains: domain-validated certificates are issued automatically, often free of charge, to whoever controls a domain, so a lookalike domain gets a valid certificate as easily as the real one. A fake website can therefore have HTTPS, a polished design, and a realistic-looking login or payment form.

The requested action matters.

Higher-risk actions require stronger verification. These include:

  • Entering usernames and passwords.
  • Providing multi-factor authentication codes.
  • Approving sign-in prompts.
  • Entering card or bank details.
  • Uploading identity documents.
  • Downloading software.
  • Paying invoices, fees, deposits, or investments.
  • Updating saved payment details.
  • Changing account recovery settings.
  • Granting access through an OAuth consent screen.
  • Installing browser extensions, mobile profiles, or remote access tools.

Login flows deserve extra care.

Some phishing sites simply collect usernames and passwords. More advanced attacks may proxy the real login page, capture multi-factor authentication codes, trick the user into approving a sign-in, or attempt to steal session tokens.

A password manager can help because it usually only offers to autofill credentials on the matching domain. If the password manager does not recognise the site, that can be a useful warning sign.
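The script below is an added example, not code from the original page or from any particular password manager. It serves two of the points above: it finds the registrable domain of a URL (the ownership boundary, using a constructed miniature public suffix list) and then mimics a password manager that only offers credentials when that registrable domain matches a vault entry over HTTPS. The hostnames bank.co.uk and secure-verify.com, the vault contents and the suffix list are all constructed for this example; real managers consult the full Public Suffix List and some match on the exact host rather than the registrable domain.

```python
from urllib.parse import urlsplit

# Constructed miniature public suffix list. The real list (publicsuffix.org)
# has thousands of entries; these few show why "co.uk" and "com.au" need the
# third label from the right to name the actual owner.
PUBLIC_SUFFIXES = {"com", "net", "org", "uk", "co.uk", "au", "com.au", "example"}

# Constructed password vault, keyed by registrable domain (hypothetical data).
VAULT = {"bank.co.uk": ("alice", "hunter2")}


def registrable_domain(host):
    """Return the part of a host that names its owner, e.g. 'bank.co.uk' for
    'secure.login.bank.co.uk'. Returns None for a bare public suffix."""
    labels = host.lower().rstrip(".").split(".")
    # Walk from the longest suffix to the shortest so "co.uk" wins over "uk".
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return None if i == 0 else ".".join(labels[i - 1:])
    # Unknown suffix: best-effort fallback to the last two labels.
    return ".".join(labels[-2:]) if len(labels) >= 2 else None


def assess(url, trusted="bank.co.uk"):
    """Say who owns the URL's host and where the trusted brand name appears
    (in the host, path or query) without necessarily meaning ownership."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    owner = registrable_domain(host)
    brand = trusted.split(".")[0]
    seen_in = [name for name, text in (("host", host), ("path", parts.path), ("query", parts.query))
               if brand in text.lower()]
    return {"host": host, "owner": owner, "trusted": owner == trusted, "brand_seen_in": seen_in}


def autofill(url):
    """Mimic a password manager: offer stored credentials only over HTTPS and
    only when the registrable domain matches a vault entry. A None result on a
    page that looks like your bank is the warning sign the text describes."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return None
    return VAULT.get(registrable_domain(parts.hostname or ""))


if __name__ == "__main__":
    # Constructed sample URLs: the real bank, a lookalike that puts the bank's
    # name in a subdomain, and one that puts it in the path.
    for url in (
        "https://secure.login.bank.co.uk/account",
        "https://bank.co.uk.secure-verify.com/login?brand=bank",
        "https://secure-verify.com/bank.co.uk/login",
    ):
        print(url, assess(url), "autofill:", autofill(url))
```

In the second and third sample URLs the brand name is visible in the address, yet the owner is secure-verify.com and no credentials are offered; that gap between "the word I expected is on the screen" and "the vault has nothing for this domain" is exactly the signal worth pausing on.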

Payment flows deserve extra care too.

A fake website may use:

  • A fake checkout page.
  • A real payment processor connected to a scammer.
  • Bank transfer instructions.
  • Cryptocurrency wallet details.
  • Gift card requests.
  • A fake investment dashboard.
  • A fake invoice or deposit page.
  • A payment page reached from a QR code or message link.

Some payment methods are much harder to reverse than others. Bank transfers, cryptocurrency, gift cards, and some marketplace payments can be difficult or impossible to recover once sent.

A QR code is usually just a website link in image form.

A QR code can hide the destination until it is scanned. Attackers can place QR codes in emails, letters, posters, parking meters, restaurant menus, fake notices, or stickers placed over legitimate codes.

QR codes should be treated like links. If scanning a code leads to a page asking for payment, login details, identity documents, card details, or security codes, verify the destination before continuing.

Useful technical controls include:

  • Password managers that only autofill on matching domains.
  • Browser safe-browsing warnings.
  • DNS filtering or protective DNS.
  • Email and link scanning.
  • Endpoint protection.
  • Multi-factor authentication.
  • Security keys for important accounts.
  • App-based access instead of message links.
  • Bookmarks for high-value services.
  • Domain monitoring for businesses.
  • DMARC, SPF, and DKIM for reducing email impersonation of owned domains.

These controls help, but none of them are perfect.

A useful model is to separate four things:

  • Appearance: how professional the website looks.
  • Address: where the browser actually is.
  • Action: what the website wants the user to do.
  • Verification: how the user confirms the site or request independently.

Appearance is the weakest signal. Verification is the strongest.

For important accounts and payments, use a known-good path: the official app, a typed website address, a saved bookmark, a trusted contact, or a verified phone number from a previous reliable source.

The safest habit is to pause, check the address, consider the requested action, and verify separately before entering sensitive information or sending money.

Disclaimer: All content on this website is general in nature and is not in any way advice. While we strive to ensure the accuracy and relevance of the content, we make no representations or warranties of any kind, express or implied, about the completeness, accuracy, reliability, suitability, or availability with respect to this website or the information, products, services, or related graphics contained on the website for any purpose. Therefore, any reliance on such information is strictly at your own risk.

In no event will we be liable for any loss or damage, including, without limitation, indirect or consequential loss or damage, or any loss or damage arising from loss of data or profits arising out of, or in connection with, the use of this website. Through this website, you can link to other websites that are not controlled by this website. We have no control over the nature, content, and availability of those sites. The inclusion of any links does not necessarily imply a recommendation or endorse the views expressed within them.