Twelve real-world messages and web pages — some genuine, some scams built exactly the way criminals build them. Most people miss several. Take the 2-minute test, then learn the tells. Free, no sign-up.
All brands shown are fictional. No real pages are loaded — this is a safe simulation.
A free test by SafeToOpen.
If you missed a few, you’re normal. Modern scams are built by professionals — and several of the traps in this quiz are designed to beat the advice people are usually given.
A suffix that hijacks the domain, an “rn” pretending to be an “m”, a Cyrillic letter identical to a Latin one. Only the domain reveals who owns a site — and sometimes even that is near-impossible to read by eye.
The padlock and “https” only mean the connection is encrypted, not that the site is honest. Most phishing pages have one now. A fake login can sit behind a perfectly valid padlock.
A “From” address can be forged in seconds, and a real consent page can be turned against you. Checking the sender or the URL isn’t always enough — which is exactly why automatic checking matters.
Twelve scenarios drawn from the scams we see most — across text messages, email and the web. Every one is a safe, fictional re-creation of a technique criminals really use.
Scam text messages (smishing). A missed-delivery notice, a “suspicious payment” alert from your bank, a message from a new number claiming to be family. Text scams work because they arrive on the device you trust most and push you to act in seconds. The quiz asks you to judge a few of these the way you would in real life — quickly, with little to go on.
Lookalike web addresses. The single most reliable tell is the domain — but reading it is harder than it sounds. A scam address can bury the real brand in a subdomain (civicbank.com-verify.net), swap an “m” for an “rn”, or use a foreign letter that looks identical to an English one. You’ll be asked to pick the genuine address out of a convincing line-up.
Fake logins and the padlock myth. A padlock and “https” only mean the connection is encrypted — not that the site is honest. Most phishing pages have one today. Some questions show a polished sign-in page behind a perfectly valid padlock and ask whether it’s safe to type your password.
Pop-ups that fake a whole browser. One of the trickiest techniques draws a fake browser window — address bar and all — inside an ordinary web page, so the “trusted” address you see is really just a picture. If this one fools you, you’re in good company; it’s built to beat exactly the checks people are taught to make.
Email impersonation. A “From” name is trivial to forge, and a real-looking message can carry a link to a fake site. Other questions ask you to weigh an email’s sender, wording and links together — because no single signal is enough on its own.
Throughout, one answer keeps coming up: sometimes the honest response is “I can’t tell.” Admitting that on a small screen, in a hurry, isn’t failure — it’s the realistic starting point for staying safe. When you finish, you’ll see which traps caught you and why, with a short explanation for every question.
Three short guides that turn the lessons in this quiz into habits.
The red flags that give a phishing email away — and the checks that catch the rest.
READ GUIDE →Why brand-new scam pages slip past traditional filters, explained simply.
READ GUIDE →A calm, step-by-step guide to limiting the damage in the next few minutes.
READ GUIDE →Read the web address right to left: only the domain (the part just before the first single slash) tells you who really owns it — everything else can be faked. Be extra wary of urgency (“act within 24 hours”), requests to “re-enter” payment or login details, and links that don’t match the brand’s real domain. When unsure, open the app or type the address yourself instead of clicking.
No. The padlock only means the connection is encrypted — it says nothing about who owns the site. The large majority of phishing pages now use https and show a padlock. Judge the domain, not the padlock.
Only partly. Traditional tools rely on lists of already-reported bad sites and files, so brand-new phishing pages slip through until someone reports them. SafeToOpen analyses each page and email as it loads, so it can catch scams that have never been seen before.
Yes — completely free, no sign-up, no name or email. We record just two things about each play — the final score and the country it was played from — to help us improve the questions. All brands shown in the quiz are fictional.
Smishing is phishing sent by SMS text message. It’s one of the fastest-growing forms of fraud because texts feel personal and urgent, and a phone’s small screen hides the warning signs a desktop would show. Several questions use texts because that’s where many people are now most likely to be caught off guard.
Most people miss several — the questions are deliberately hard, and a few are built to beat the usual advice. Treat a low score as useful information, not a verdict on you: even security professionals get caught by a good lookalike at the wrong moment. The point is to learn the tells, and to let automatic checking cover the times your eyes can’t.
Nobody catches every scam, every time — especially not at 11pm on a phone. SafeToOpen checks every page and email automatically, in real time, so you don’t have to be perfect.