How To Tell If a Website Is Fake: 12 Warning Signs

What Are the Red Flags of a Fake Website?

While scammers can use fake emails, text messages, and phone calls to target their victims, almost every phishing scam shares one common element: a fake website.

Scammers set up fake sites to mimic familiar login pages, online shopping sites, and information or payment request forms. Links to these pages are included in scam messages or even posted online to trap unsuspecting browsers. 

In the first half of 2023 alone, the Anti-Phishing Working Group (APWG) discovered nearly 3 million new phishing websites [*]. 

Fake sites can steal your information and your money or infect your device with malware. To stay safe, you need to know what these sites look like and how you can avoid them.  

In this guide, we’ll explain the risks of fake websites, warning signs to look out for, and what steps you should take if you fall victim.

What Are the Risks of Visiting Fake Websites?

Fake websites are pages designed to intentionally mislead visitors. These include scam websites with fake goods and services, look-alike phishing websites, and malicious websites containing malware and viruses.  

Links to these scam sites are found in pop-ups and social media ads, as well as in phishing emails and text messages. They may even appear in search engine results for common search terms. 

While visiting a fake site isn't always dangerous, it can still put you at risk. 

Here are some of the risks of visiting a fake website: 

• You could pay for non-existent goods from a fake e-commerce store. Scammers use ads on social media to promote fake stores with too-good-to-be-true deals. If you try to buy, you’ll either lose your money, receive counterfeit products, or have your credit card details stolen.
• You could give up sensitive information that can be used for identity theft. By creating sites that mimic legitimate companies, scammers can con personal data out of you. With your contact information or financial information, they can steal your identity and your money.
• Scammers could trick you into providing your login credentials and passwords. Many scammers set up fake login web pages to trick you into giving up your email address, usernames, and passwords. They can then log in to your accounts, lock you out, and use your information for other online scams. 
• You could unknowingly download malware, ransomware, or other viruses. Fake sites can hide malware and other viruses in pop-ups, legitimate-looking links, and downloadable files. Some sites even trigger drive-by downloads that infect devices without requiring any clicks at all. 

The bottom line: Fake websites are often a small part of a larger scam. If you’ve visited or engaged with a suspicious site, you should take steps to secure your identity and online accounts. 

How To Tell If a Website Is Fake

1. Check the URL closely for spelling mistakes
2. Don’t be fooled by legitimate-looking subdomains
3. Inspect the site’s security certificate
4. Consider how you found the website in the first place
5. Use Safe Browsing tools or a website checker
6. Look for spelling, grammar, and formatting issues
7. Be wary of poor-quality design or photos
8. Check the domain age and ownership
9. Search for user reviews and potential scams
10. Check the “About,” “Shipping,” and “Privacy Policy” pages
11. Research the company’s social media and online presence
12. Look for payment red flags

Fake websites are getting more numerous and harder to identify. Follow these steps to make sure you’re not getting fooled by a fraudulent site:

1. Check the URL closely for spelling mistakes

Many fake websites appear to have legitimate URLs, but actually contain slight variations or spelling mistakes. This may include small misspellings or characters that look similar to others in order to spoof real URLs, such as replacing the letter "o" with the number "0."

For example, fraudsters targeted PayPal customers with the URL, “PayPaI.com” — with the uppercase "I" looking nearly identical to a lowercase "l" on some Windows computers [*].

Pro tip: Use a plain text editor to look for letter replacements in URLs. Hackers have been known to substitute special characters and letters from other languages to make their spoofed website URLs look official. Try copying and pasting the URL text to a plain text editor to make sure it’s not spoofed.

2. Don’t be fooled by legitimate-looking subdomains

Every website has a primary domain name, such as “Amazon.com.” A subdomain is an extension to the primary domain, such as “advertising.amazon.com.” Regardless of the extension, the primary domain always stays the same.  

Some fake websites trick victims by changing the order of the domains, such as in Microsoft.fakewebsite.com (in this example, “Microsoft” is the subdomain, not the official domain). Others use official-looking domain names that are altogether different from the official organization, but most people just don't know enough to question the authenticity. 

Pro tip: Always double-check the URL. Before clicking or submitting anything on a website, perform a quick Google search to reveal the company's proper URL and domain name to make sure you're going to the right place.

3. Inspect the site’s security certificate

Most reputable, modern-day websites have Secure Sockets Layer/Transport Layer Security (SSL/TLS) certificates — which establishes a secure and encrypted connection between your device and the server. While not mandatory for all websites, online stores and retailers should always have SSL certificates to protect personal and financial data.

Sites with valid security certificates also have “HTTPS” in their URLs, and padlock icons in the address bar. These aren't safety guarantees, however, as many fake sites have SSL certificates as well. 

Pro tip: Look into the certificate specifics. Click on the padlock icon to pull up more information about the certificate, including the type of certification and information about the organization. Many scammers opt for low-cost and anonymous Domain Validation (DV) certificates, while Organization Validation (OV) and Extended Validation (EV) certificates cost more and require additional information.

4. Consider how you found the website in the first place

When in doubt, think about how you initially arrived at the site in question. 

If you typed in the URL yourself, are you sure you entered the correct website address? 

If you clicked on a link, was it from a reputable site or sender? Analyze the sender's email address, signature, and contact details to ensure that they are who they say they are. For example, if the email is supposed to be from Amazon, but it comes from a Gmail address, it’s a scam. 

Pro tip: Avoid links in most situations. Scammers have become so cunning that all links need to be scrutinized. Get in the habit of avoiding any unsolicited links included in emails and texts. Run a Google search to find the correct address and link, or carefully type in the URL yourself. 

5. Use Safe Browsing tools or a website checker

Most web browsers come with built-in Safe Browsing features that warn you when you're visiting risky sites or downloading something suspicious — including Chrome, Safari, and Firefox. You can also check a website URL before visiting by entering it into Google's Safe Browsing site status checker. 

Pro tip: Adjust your Safe Browsing settings to your liking. In your browser Settings, you can choose the level of protection you need and what warnings you want displayed. You'll find Safari's Safe Browsing options in the main Settings page, while Chrome and Firefox have it listed under Privacy and Security.

6. Look for spelling, grammar, and formatting issues

Scammers don't tend to invest the same time and money in creating and editing website content as legitimate site owners do — leading to typos, formatting mistakes, and awkward phrasing. 

The rise of AI content has made it easier for scammers to whip up passable content for sites, so you also need to be on the lookout for anything that doesn't seem authentically human.

Pro tip: Use an AI checker. While some legitimate companies use AI to create content, few rely on it completely. Though not perfect, AI detectors can help you figure out if website copy was written by a human or AI. 

7. Be wary of poor-quality design or photos

Compared to legitimate websites, scam websites usually look noticeably worse. They tend to feature messy design elements and pixelated images and photos. In addition to their low quality, these sites often use simple website templates with functionality and navigation issues. 

Pro tip: Pay attention to broken links. Scammers often race through the design process and ignore many of the links on their website templates. If you encounter broken links or sections of a site that don't work, you should think twice about sharing information on that site.   

8. Check the domain age and ownership

Scam websites don't typically stay up long, which helps make domain age informative. If you're dealing with a reputable brand that's been around for years but its website is only a few months old, you're likely visiting a fake website. 

You can find detailed domain information on sites like Whois Lookup [*], which tells you when the domain was created, who registered it, and more. 

Pro tip: Research the website owner. Once you know who created the website, you can investigate further. A Google search might reveal other scam websites they created or suspicious activity for which they've been responsible. 

9. Search for user reviews and potential scams

While online reviews may not always be the most reliable — especially with heavily curated on-site reviews — you can still learn a lot from the experiences of others.

If you question a website's legitimacy, try searching for it on sites like Trustpilot, Better Business Bureau (BBB), and Reddit to see if there are any negative reviews or scam warnings available.

Pro tip: Look out for fake reviews. Scammers employ bots to submit fake reviews about their companies and websites in order to give visitors a false sense of security. You might be able to detect fake reviews by looking for multiple posts that sound the same. Fake reviews also tend to come from new users on the platform — while lacking or going overboard on the details.

10. Check the “About,” “Shipping,” and “Privacy Policy” pages

Scam websites often ignore the finer details that go into a website, such as the “About” page or the legal information included in the terms and conditions and privacy policy descriptions. 

Try to read through the shipping information and return policy to ensure that everything stacks up. If any of these pages are missing or lacking important details, avoid dealing with this website. 

Pro tip: Verify the contact information. Double-check the company's contact details, such as its phone number and physical address. Verify this data with a Google or map search; or even give the phone number a quick call to make sure it's legitimate. 

11. Research the company’s social media and online presence

Most companies have an online presence that goes beyond  their website. The company should be mentioned in other places online or provide publicly-available information, such as press releases. Companies usually have some sort of social media presence as well, including multiple social media accounts exhibiting relatively up-to-date activity.

Pro tip: Try the social media links on the website. Legitimate companies have working links to their social media accounts on their websites — usually found in the footer. Click on these links to see if they work correctly and lead you to where they should.    

12. Look for payment red flags

There isn't one single payment red flag that every fake website shares, so you need to be on the lookout for as many warning signs as you can. Some of the most common hints you might see include unusual payment methods, such as gift cards or cryptocurrency, or too-good-to-be-true deals, such as rock bottom flight prices on spoofed airline websites. 

Pro tip: Listen to your gut. If a deal doesn't look or feel right, just ignore it. It's not worth risking your identity or your money to proceed with a potentially fraudulent deal.

Did You Visit a Fake Website? Here’s What To Do

If scammers tricked you with a fake website that prompted you to click on a link or share personal data, you should take immediate action to protect your information and identity. 

Here are the steps you should follow:

• Review your online accounts for suspicious activity. Log in to make sure you haven't been locked out of your online accounts. Then, look for signs that your accounts might have been compromised — such as unfamiliar login attempts, password reset requests, or sent emails. 
• Check your bank accounts for signs of fraud. Look through your bank account activity and statements for unauthorized payments. Review your contact information and ensure that nothing was changed. 
• Update your passwords, and enable 2FA. Update your passwords on all of your accounts, not just the ones that might be affected. Add two-factor authentication (2FA) whenever possible to create an extra security layer for the future. 
• Freeze your credit with all three major bureaus. Once you request a credit freeze, your credit will be inaccessible to anyone, including yourself. You need to request the freeze with each of the three major bureaus individually — Equifax, TransUnion, and Experian. When you want your credit file opened again, you will need to manually lift the freeze. 
• Contact your bank and credit card company. Call the fraud departments of your bank and credit card company and inform them of the issue. Depending on the situation, they may either flag your account or close it entirely and issue you a new one. 
• Reach out to any other relevant organizations. Call any organizations that were affected by the fraud and let them know. In some cases, they can reverse the charges right then and there. 
• Scan your device for malware. Run an antivirus program on your device to identify and quarantine any malware you might have picked up on the website. If you find and remove malware, restart your device and run the antivirus again to see if the problem remains or returns. 
• Submit a complaint to the FTC. Depending on your circumstances, you either want to submit a fraud complaint at ReportFraud.ftc.gov or an identity theft complaint at IdentityTheft.gov. The FTC can also help you plan your next steps. 
• File a report with the authorities. You can file a police report at your local law enforcement office as well. A police report may be required by your bank for some fraud claims. You might also opt to submit a complaint with the FBI's Internet Crime Complaint Center (IC3).
• Report the scam website. You can report scam websites in several ways — including reporting them to Google, which has a reporting page for phishing sites and malicious software. You can also report page issues with most browsers through their Help menus. 

The Bottom Line: Stay Safe and Avoid Fake Websites

It's very unlikely that you can avoid fake websites entirely. What you can avoid, however, is making a mistake on one of these sites — such as clicking on a link, giving up private information, or sending money. 

Follow these tips to ensure that you’re staying safe online and avoiding fake websites:

• Visit important websites directly, or save them in your bookmarks. For sites such as your online bank or other sensitive websites, enter the URL directly or keep them saved in your bookmarks to ensure that you don’t end up on a spoofed version of the site. Better yet, use the company’s official mobile app. 
• Use a password manager to store and enter your credentials. It can be difficult to create and remember unique and complex passwords for all of your online accounts. Rather than reusing or storing passwords in unsafe ways, use a secure password manager to keep track of them all. 
• Protect your accounts with 2FA whenever possible. Adding 2FA to your accounts puts an additional hurdle in front of hackers and scammers. For access to an account with 2FA, they'll need your credentials and your device. 
• Check suspicious websites with Safe Browsing tools. Use a web browser or a third-party service with Safe Browsing tools to block or warn against suspicious websites. When in doubt, run the URL through a website checker. 
• Don’t use non-traditional payment options. When shopping online, stick to the primary payment options. Scam sites often use non-traditional payment methods because they're harder to track and reverse. 
• Sign up for identity and credit protection. Identity and credit protection providers monitor your information and credit file and notify you immediately if something suspicious is detected. If your data leaks on the Dark Web or someone opens an account in your name, you'll receive an alert. 

With scammers using fake websites in most of the latest phishing and vishing scams, your best defense is simply knowing how to spot and avoid them. For even more protection, consider enlisting the experts at Identity Guard.

Identity Guard's all-in-one identity theft solution helps safeguard your information and finances against fraudsters by providing Safe Browsing and phishing site protection, award-winning identity theft and credit monitoring, and $1 million in identity theft insurance. 

Don’t get burned by fake websites. Save 33% on Identity Guard today.