Fake websites are everywhere, and they’re getting harder to spot. The Anti-Phishing Working Group recorded close to 900,000 unique phishing websites in a single quarter of 2025, and other reporting tracked nearly 1.8 million new phishing and fake sites in just half of 2024. [1][2] Most are designed to look exactly like a real bank, retailer or login page.
The good news: a handful of checks will screen out the large majority. Run through this before you trust a site with anything sensitive.
1. Read the URL carefully — it’s the best tell
Look at the web address, specifically the part just before the first single slash. The real domain is the last name before that slash, together with its ending (such as .com or .net):
- account.google.com — really Google.
- google.com.secure-login.net — not Google. The real domain is secure-login.net.
Watch for typos and look-alikes: micros0ft.com (zero for o), arnazon.com (rn for m), or an extra word like paypal-verify.com. Attackers register these by the thousands precisely because a quick glance misses them.
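The domain reading and look-alike checks from this section, written out as an added Python example (not code from the original article). The brand allowlist, the short suffix list and the function names are assumptions made for illustration; real tooling should use the full Public Suffix List.

```python
from urllib.parse import urlsplit

# Assumption: a tiny constructed sample of multi-label suffixes. Production
# code should consult the full Public Suffix List instead.
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp"}
# Assumption: constructed allowlist mapping a brand name to its genuine domain.
KNOWN_BRANDS = {"google": "google.com", "microsoft": "microsoft.com",
                "amazon": "amazon.com", "paypal": "paypal.com"}
# Look-alike substitutions named in the text: zero for "o", "rn" for "m".
LOOKALIKES = (("0", "o"), ("rn", "m"))


def registrable_domain(url):
    """Return the domain that had to be registered: the last labels of the host."""
    host = (urlsplit(url).hostname or "").rstrip(".")
    labels = host.split(".")
    n = 3 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 2
    return ".".join(labels[-n:])


def check_url(url):
    """Classify a URL as 'genuine', 'suspicious: <reason>' or 'unknown'."""
    host = (urlsplit(url).hostname or "").rstrip(".")
    domain = registrable_domain(url)
    if domain in KNOWN_BRANDS.values():
        return "genuine"
    name = domain.split(".")[0]
    normalized = name
    for fake, real in LOOKALIKES:
        normalized = normalized.replace(fake, real)
    for brand, real_domain in KNOWN_BRANDS.items():
        # Brand domain appears only as leading labels of someone else's domain.
        if f".{real_domain}." in f".{host}":
            return f"suspicious: {real_domain} used as a subdomain of {domain}"
        # Name matches a brand only after undoing character swaps.
        if normalized == brand and name != brand:
            return f"suspicious: {domain} is a look-alike of {real_domain}"
        # Brand name with an extra hyphenated word attached.
        if brand in name.split("-"):
            return f"suspicious: {domain} adds words to the brand name {brand}"
    return "unknown"


if __name__ == "__main__":
    for sample in ("https://account.google.com/signin",
                   "https://google.com.secure-login.net/login",
                   "http://micros0ft.com/", "https://paypal-verify.com/"):
        print(sample, "->", check_url(sample))
```

A result of "unknown" only means the domain is not on the allowlist; it says nothing about whether the site is safe.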
2. Don’t rely on the padlock
The padlock (HTTPS) once felt like a safety signal. It isn’t one anymore. Around 80% of phishing sites now use HTTPS, because criminals can get a certificate for free in minutes. [3] The padlock means your connection is encrypted — not that the site is honest. Treat it as table stakes, not proof.
3. Check how old the domain is
Scam sites are usually brand new — registered, used for a few hours or days, then abandoned. Roughly 90% of phishing sites are registered within the last 12 months. [4] A site claiming to be an established brand but running on a domain registered last week is a major red flag. (A free URL scanner can show you a domain’s age in seconds.)
4. Look for the basics a real business has
- A findable privacy policy and contact details — a real address, phone or email, not just a form.
- Working internal links (scam pages often have dead links everywhere except the form).
- Prices that aren’t too good to be true — extreme discounts and countdown timers are classic bait.
- Reviews that exist off-site. Search “is [site] legit?” and see what comes up.
5. Be wary of how you got there
If a link in an email, text or ad sent you to a login or payment page, slow down. The safest move is to ignore the link and navigate to the site yourself — type the address or use your own bookmark.
The check that catches the rest
Here’s the honest limitation of any manual checklist: the best fakes are built to pass it. Perfect clone, valid HTTPS, near-identical URL. You can’t expect to out-inspect a professional scammer every time, on every device, in a hurry.
That’s why the most reliable approach is to let software inspect the page for you — analysing its structure, behaviour and domain in real time, and warning you before you enter anything. SafeToOpen Browser Security does exactly this, and can flag a dangerous page even if it was created minutes ago and appears nowhere on any blocklist.
The takeaway
Read the real domain, ignore the padlock-as-proof, check the domain’s age, and look for the signs of a real business. Those steps catch most scams. For the convincing ones engineered to slip through, a real-time page-analysis layer is the backstop that makes the difference.