Twelve real-world messages and web pages — some genuine, some scams built exactly the way criminals build them. Most people miss several. Take the 2-minute test, then learn the tells. Free, no sign-up.
If you missed a few, you’re normal. Modern scams are built by professionals — and several of the traps in this quiz are designed to beat the advice people are usually given.
A suffix that hijacks the domain, an “rn” pretending to be an “m”, a Cyrillic letter identical to a Latin one. Only the domain reveals who owns a site — and sometimes even that is near-impossible to read by eye.
The padlock and “https” only mean the connection is encrypted, not that the site is honest. Most phishing pages have one now. A fake login can sit behind a perfectly valid padlock.
A “From” address can be forged in seconds, and a real consent page can be turned against you. Checking the sender or the URL isn’t always enough — which is exactly why automatic checking matters.
Three short guides that turn the lessons in this quiz into habits.
The red flags that give a phishing email away — and the checks that catch the rest.
READ GUIDE →Why brand-new scam pages slip past traditional filters, explained simply.
READ GUIDE →A calm, step-by-step guide to limiting the damage in the next few minutes.
READ GUIDE →Read the web address right to left: only the domain (the part just before the first single slash) tells you who really owns it — everything else can be faked. Be extra wary of urgency (“act within 24 hours”), requests to “re-enter” payment or login details, and links that don’t match the brand’s real domain. When unsure, open the app or type the address yourself instead of clicking.
No. The padlock only means the connection is encrypted — it says nothing about who owns the site. The large majority of phishing pages now use https and show a padlock. Judge the domain, not the padlock.
Only partly. Traditional tools rely on lists of already-reported bad sites and files, so brand-new phishing pages slip through until someone reports them. SafeToOpen analyses each page and email as it loads, so it can catch scams that have never been seen before.
Yes, it’s completely free and there’s no sign-up. Your answers and score stay in your browser — nothing is stored or sent anywhere. All brands shown in the quiz are fictional.
Nobody catches every scam, every time — especially not at 11pm on a phone. SafeToOpen checks every page and email automatically, in real time, so you don’t have to be perfect.