
How to check if a website is legit


    It's alright to worry about a website's legitimacy, especially given how rampant scammers and online thieves seem to be on today's internet. Phishing and scams can be everywhere, and staying safe online can be challenging. In general, the goal of both phishing and other scams on the internet is to steal sensitive information quickly and misuse it, often for financial gain.

    “Scam” is a pretty broad term in an online context. An online scam may begin with a fake email or text message that leads to a fake website, which is any illegitimate site used for fraud or a malicious purpose. “Phishing” is a specific fraud tactic used to obtain information illegitimately. To get people to reveal this information, bad actors typically use text messages and emails, the designs of which can be very deceiving.

    We've compiled a list of what you can look for to tell if a website is legitimate:

    • Study the address bar and URL.
    • Investigate the SSL certificate.
    • Check the website for poor grammar or spelling.
    • Verify the domain.
    • Check the contact page.
    • Look up and review the company's social media presence.
    • Check for the website's privacy policy.
    • Look for questionable links within an email.

    Study the address bar and URL

    This should be at the top of your browser, and you're looking for a few things:

    • Misspellings: A misspelling in any portion of the web address almost always indicates a website is not legitimate.
    • https: The “s” in “https” stands for “secure,” and seeing that “s” should give you some assurance that the website's protocol is secure. You might have to click the address bar in your browser several times to view this portion of the URL. Unfortunately, “https” is not always a guarantee the site is secure. Bad actors have learned to make fraudulent sites show “https” as well.
    • Uncommon domain extension: Subtle differences can be difficult to spot, especially if you don't usually visit a website. Do you have a PayPal account? If not, you may not know that the correct domain is “.com,” not “.net.”

    Investigate the SSL certificate

    “Https:” is just one indicator of a website having a secure protocol. The most popular web browsers today also recognize a website's Secure Sockets Layer (SSL) certificate, commonly called a security certificate. When the browser recognizes one, it displays an icon of a closed padlock in the address bar.

    Sometimes, the SSL certificate can be spoofed. You can usually select the padlock icon to see whether the connection is secure, as well as the details of the certificate.

    Check the website for poor grammar or spelling

    Websites can have typos, but they rarely appear on legitimate company websites—especially not on the home page. Even though excessive spelling, punctuation and grammar errors are less common on scam sites nowadays, look carefully. It's not wise to assume a language error is a company's honest mistake.

    Verify the domain

    Subtle changes are hard to notice, such as a zero instead of a capital letter "O." Some are harder to spot, but one indicator of an illegitimate site could be multiple "" sequences in the URL.

    There should be only one domain in the web address. You might see something you recognize, like "" However, there shouldn't be more than one ".com," ".org," ".net," etc. For example, a Chase website wouldn't be “" The last domain in the address ( is incorrect.
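
    The address-bar and domain checks described above (https, an unexpected extension such as “.net” for “.com”, digit-for-letter swaps, and more than one domain extension), written out as a small Python function. This is an added example, not part of the original article; the function name check_url, the lookalike table and the sample URLs are assumptions made for illustration, and expected_domain is assumed to be a plain two-part domain such as "paypal.com".

```python
from urllib.parse import urlsplit

# The extensions the article names; a real checker would use the Public Suffix List.
COMMON_EXTENSIONS = {"com", "org", "net"}
# Digit-for-letter swaps, such as the zero-for-"O" case described above.
LOOKALIKES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def check_url(url, expected_domain):
    """Return warnings for `url`, given the domain you meant to visit."""
    warnings = []
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    expected = expected_domain.lower()
    if parts.scheme != "https":
        warnings.append("not https")
    if host == expected or host.endswith("." + expected):
        return warnings  # the expected domain itself, or a subdomain of it

    labels = host.split(".")
    # More than one ".com"/".org"/".net": only the last one is the real domain.
    if sum(label in COMMON_EXTENSIONS for label in labels) > 1:
        warnings.append("more than one domain extension")

    # Naive registered-domain guess (last two labels); ignores e.g. "co.uk".
    name, _, ext = ".".join(labels[-2:]).rpartition(".")
    exp_name, _, exp_ext = expected.rpartition(".")
    if name == exp_name and ext != exp_ext:
        warnings.append("unexpected domain extension ." + ext)
    elif name.translate(LOOKALIKES) == exp_name.translate(LOOKALIKES):
        warnings.append("lookalike characters in domain name")
    elif exp_name in labels[:-2]:
        warnings.append("expected name appears only as a subdomain")
    else:
        warnings.append("host does not match expected domain")
    return warnings


if __name__ == "__main__":
    # Constructed sample URLs; none of these is taken from the article.
    for sample in ("https://www.paypal.com/signin", "https://paypal.net/login",
                   "https://paypa1.com/", "http://paypal.com.example.net/"):
        print(sample, "->", check_url(sample, "paypal.com") or "no warnings")
```

    An empty result only means none of these particular checks fired; it does not show that a site is legitimate.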

    Check the contact page

    It's not difficult to copy a company's designs, logos and branding on the front page to fool you. A legitimate company, however, would not withhold the ways you can contact them. You may be viewing a scam website if you cannot find contact information about a company.

    If you do find contact information, you're still not in the clear. Is there only one contact option? Is it a generic contact form? In general, if it seems that the website is not thoroughly providing contact information, or it's directing you to other sites, the whole website could be dangerous.

    Look up and review the company's social media presence

    Sometimes social media is a legitimate way of contacting a company. Even if a company doesn't use social media this way, most companies now have some regular presence and activity on these sites. Again, it's not hard to copy links and addresses to create a legitimate appearance.

    Consider visiting social media sites directly to confirm a company's presence and activity. Here are a couple of things to do once you're there:

    • Examine the followers. The number and the quality are both important. For example, the followers could have empty profiles. If they don't appear legitimate, the company account likely isn't.
    • Read the content. A fake account may have off-topic content or shallow replies, such as a lot of emojis. Too many stock photos and posts without any actual text are other common signs of an illegitimate social media account.

    Check for the website's privacy policy

    Laws and regulations require most companies to provide basic legal information on their websites, such as a privacy policy or data collection policy. Links to these policies often appear at the bottom of every page of a website.

    If you can't find this information, you may not be viewing a legitimate website.

    Look for questionable links within an email

    Sometimes the goal of a phishing email is not only to get you to click a link to a website. Instead, scammers want you to click another link once you're on the fake site. That link could have malware or request your personal information.

    In general, don't trust links in text messages or emails that you aren't expecting. Always visit the official website directly to make sure you're not being sent to a fake website. It can help to do this on another device, so you can compare the sites.

    Although many legitimate companies communicate digitally, updating or submitting your personal info should require a sign-in or some other verification. Ask yourself if you do business with the company whose link is in the email. If you have never been a PayPal customer, you should not get emails that say your PayPal account is locked.

    When people provide sensitive information on illegitimate websites, there are often serious consequences, such as identity theft.

    When in doubt, get out of there

    Through increasingly sophisticated techniques, many online thieves are finding it easy to falsify websites and send fraudulent emails and text messages. Accordingly, it's reasonable to be suspicious of websites, no matter how polished they may appear at first glance.

    Seriously consider leaving any site that looks strange to you. Errors and misspellings on the site and in the web address are pretty clear warning signs, but you'll want to keep the entire list of tips above handy when practicing credit card safety.
