It's alright to worry about a website's legitimacy, especially given how rampant scammers and online thieves seem to be on today's internet. Phishing and scams can be everywhere, and staying safe online can be challenging. In general, the goal of both phishing and other scams on the internet is to steal sensitive information quickly and misuse it, often for financial gain.
“Scam” is a pretty broad term in an online context. An online scam may begin with a fake email or text message that leads to a fake website, which is any illegitimate site used for fraud or a malicious purpose. “Phishing” is a specific fraud tactic used to obtain information illegitimately. To get people to reveal this information, bad actors typically use text messages and emails, the designs of which can be very deceiving.
We've compiled a list of what you can look for to tell if a website is legitimate:
- Study the address bar and URL.
- Investigate the SSL certificate.
- Check the website for poor grammar or spelling.
- Verify the domain.
- Check the contact page.
- Look up and review the company's social media presence.
- Look for questionable links within an email.
Study the address bar and URL
This should be at the top of your browser, and you're looking for a few things:
- Misspellings: A misspelling in any portion of the web address almost always indicates a website is not legitimate.
- https: The “s” in “https” stands for “secure,” and seeing that “s” should give you some assurance that the website's protocol is secure. You might have to click the address bar in your browser several times to view this portion of the URL. Unfortunately, “https” is not always a guarantee the site is secure: it tells you the connection is encrypted, not who runs the site. Bad actors have learned to spoof this security protocol.
- Uncommon domain extension: Subtle differences can be difficult to spot, especially if you don't usually visit a website. Do you have a PayPal account? If not, you may not know that the correct domain is “.com,” not “.net.”
Investigate the SSL certificate
“Https” is just one indicator that a website uses a secure protocol. Most popular web browsers today also recognize a website's Secure Sockets Layer (SSL) certificate, commonly called a security certificate. If the site has one, your browser displays an icon of a closed padlock in the address bar.
Sometimes, the SSL can be spoofed. You can usually select the padlock icon to see whether the connection is secure, as well as the details of the certificate.
Check the website for poor grammar or spelling
Websites can have typos, but they rarely appear on legitimate company websites—especially not on the home page. Even though excessive spelling, punctuation and grammar errors are less common on scam sites nowadays, look carefully. It's not wise to assume a language error is a company's honest mistake.
Verify the domain
Subtle changes are hard to notice, such as a zero instead of a capital letter "O." Some are harder to spot, but one indicator of an illegitimate site could be multiple "word.com" sequences in the URL.
There should be only one domain in the web address. You might see something you recognize, like "chase.com." However, there shouldn't be more than one ".com," ".org," ".net," etc. For example, a Chase website wouldn't be "chase.com/bank/account.chase.org." The last domain in the address (chase.org) is incorrect.
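The address checks from "Study the address bar and URL" and "Verify the domain" can also be run by a program. The following Python function is an added example, not part of the original article; the name check_url, the short extension list and the lookalike table are assumptions, and the sample addresses are constructed. It assumes the expected domain has the simple form "name.com".

```python
import re
from urllib.parse import urlsplit

# Assumption: a short list of extensions to look for; extend as needed.
DOMAIN_SEQ = re.compile(r"[a-z0-9-]+\.(?:com|org|net)\b")
# Assumption: minimal digit-for-letter table (zero for "o", one for "l").
LOOKALIKES = str.maketrans({"0": "o", "1": "l"})


def check_url(url, expected_domain):
    """Return a list of warnings for url, given the domain you expect."""
    url = url.strip().lower()
    expected = expected_domain.lower()
    parts = urlsplit(url)
    # The host part of the address is where the browser actually connects.
    host = parts.hostname or ""
    warnings = []

    if parts.scheme != "https":
        warnings.append("not https")

    # More than one "word.com"-style sequence anywhere in the address.
    seqs = DOMAIN_SEQ.findall(url)
    if len(seqs) > 1:
        warnings.append("multiple domains in address: " + ", ".join(seqs))

    # The host must be the expected domain or a subdomain of it.
    if host != expected and not host.endswith("." + expected):
        seen = ".".join(host.split(".")[-2:])
        if seen.translate(LOOKALIKES) == expected.translate(LOOKALIKES):
            warnings.append("lookalike characters in domain: " + seen)
        elif seen.rpartition(".")[0] == expected.rpartition(".")[0]:
            warnings.append("unexpected domain extension: ." + seen.rpartition(".")[2])
        else:
            warnings.append("host is not " + expected + ": " + host)
    return warnings


if __name__ == "__main__":
    # Constructed sample addresses, checked against the domain the reader expects.
    for url, expected in [
        ("https://www.chase.com/login", "chase.com"),
        ("https://chase.com/bank/account.chase.org", "chase.com"),
        ("http://paypal.net/", "paypal.com"),
        ("https://bank0fexample.com/", "bankofexample.com"),
    ]:
        print(url, "->", check_url(url, expected) or "no warnings")
```

An empty list means none of these checks fired; it does not by itself show that a site is legitimate.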
Check the contact page
It's not difficult to copy a company's designs, logos and branding on the front page to fool you. A legitimate company, however, would not withhold the ways you can contact them. You may be viewing a scam website if you cannot find contact information about a company.
If you do find contact information, you're still not in the clear. Is there only one contact option? Is it a generic contact form? In general, if it seems that the website is not thoroughly providing contact information, or it's directing you to other sites, the whole website could be dangerous.
Look up and review the company's social media presence
Sometimes social media is a legitimate way of contacting a company. Even if one doesn't use social media this way, most companies now have some regular presence and activity on these sites. Again, it's not hard to copy links and addresses to create a legitimate appearance.
Consider visiting social media sites directly to confirm a company's presence and activity. Here are a couple of things to do once you're there:
- Examine the followers. The number and the quality are both important. For example, the followers could have empty profiles. If they don't appear legitimate, the company account likely isn't.
- Read the content. A fake account may have off-topic content or shallow replies, such as a lot of emojis. Too many stock photos and posts without any actual text are other common signs of an illegitimate social media account.
If you can't find this information, you may not be viewing a legitimate website.
Look for questionable links within an email
Sometimes the goal of a phishing email is not only to get you to click a link to a website. Instead, scammers want you to click another link once you're on the fake site. That link could have malware or request your personal information.
In general, don't trust links in text messages or emails that you aren't expecting. Always visit the official website directly to make sure you're not being sent to a fake website. It can help to do this on another device, so you can compare the sites.
Although many legitimate companies communicate digitally, updating or submitting your personal info should require a sign-in or some other verification. Ask yourself if you do business with the company whose link is in the email. If you have never been a PayPal customer, you should not get emails that say your PayPal account is locked.
When people provide sensitive information on illegitimate websites, there are often serious consequences, such as identity theft.
When in doubt, get out of there
Through increasingly sophisticated techniques, many online thieves are finding it easy to falsify websites and send fraudulent emails and text messages. Accordingly, it's reasonable to be suspicious of websites, no matter how polished they may appear at first glance.
Seriously consider leaving any site that looks strange to you. Errors and misspellings on the site and in the web address are pretty clear warning signs, but you'll want to keep the entire list of tips above handy when practicing credit card safety.