How to check if a website is safe


If a website isn’t secure, you risk exposing your personal information every time you visit it. Cybercriminals often disguise malicious pages to look trustworthy, making it easy to fall into phishing traps or download malware by mistake.

This guide walks you through how to spot warning signs, check important site details, and use tools like website safety checkers, WHOIS lookups, and web protection services.

Whether you’re browsing for fun or entering sensitive information, these steps will help you avoid scams, phishing traps, and malware—and give you more control over your online safety.

Why you should check website safety before clicking

Checking a site’s safety helps protect your data, privacy, and device. Unsafe sites can host malware, phishing scams, or fake offers designed to trick you into revealing personal or financial information.

Common risks of unsafe websites

  • Malware infections: Sites may install viruses, ransomware, or spyware on your device without your knowledge.
  • Phishing scams: Fake login pages and forms can trick you into giving up passwords, credit card numbers, or other sensitive info.
  • Data theft: Unsafe sites often lack encryption, making it easier for attackers to intercept what you type or upload.
  • Browser hijacking: You might get redirected to sketchy pages, see constant pop-ups, or have your homepage changed.
  • Financial fraud: Scam sites can impersonate legitimate stores or services to steal your money during fake transactions.
  • Identity theft: Information you provide could be used to impersonate you or open accounts in your name.
  • Adware and unwanted software: Some sites force downloads or flood you with malicious ads that slow down your system.

Examples of real-world online scams

Online scams take many forms, and unsafe websites often play a central role in making them work. One common example is the fake PayPal login page. These pages are designed to look exactly like the real thing, often linked from phishing emails that warn of suspicious activity on your account. Once you enter your login details, attackers instantly capture your credentials.

Another tactic involves creating fake versions of entire websites, including the domain. Case in point: scammers have increasingly targeted AI platforms, including ChatGPT. According to recent cybersecurity reports, around 1 in every 25 newly registered domains that mimic ChatGPT is fake and malicious.

These sites often promise free or early access to the tool but instead deliver malware, phishing forms, or prompt you to install harmful browser extensions. Because they often use convincing branding and similar URLs, it’s easy to mistake them for the real thing, especially when they appear in ads or search results.

Similarly, during the COVID-19 pandemic, even public health and government websites were faked. Scammers used them to collect personal information under the pretense of offering financial relief or vaccine registration.

13 ways to check if a website is safe

Staying safe online requires vigilance. Modern browsers and security services warn you when a site is dangerous—for example, Google Safe Browsing protects users by flagging known malicious websites. But even with these defenses, scams and fake sites abound, so it’s wise to double-check before trusting a site.

1. Look for HTTPS and SSL certificates

Always check for the HTTPS padlock icon in the address bar. HTTPS means the connection is encrypted, which prevents eavesdroppers from reading your data in transit. 

In fact, browsers like Chrome explicitly mark non-HTTPS sites as “Not Secure.” A padlock icon or the “https://” prefix shows that data (like passwords or credit card details) is sent securely.

However, don’t mistake HTTPS for complete proof of site legitimacy. Many scam sites now use SSL encryption, too: one study found 83% of phishing pages have valid SSL certificates.

2. Double-check the URL (watch for typosquatting)

Carefully inspect the site’s URL (web address). Attackers often register lookalike domains (a practice called typosquatting) that differ by just one letter or character. For example, they might add an extra letter, like “exaample.com,” or substitute an uppercase “I” with a lowercase “l.” These fake domains are intentionally similar to reputable sites.

Note that a WWW2-type address doesn’t by itself mean a site is fraudulent. If you land on a WWW2 page, it usually means that the site’s main server is overloaded, so your traffic has been sent to a second server.

Always perform a URL inspection. Be especially alert for subtle tricks: some attackers use unicode homographs (characters from other alphabets that look identical), so a URL appears correct while the computer sees something different. When in doubt, manually retype the known correct domain or search for the official site name to ensure you haven’t landed on a spoof site.
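The URL inspection described above can be automated. The following Python sketch is an added example, not code from the original article: it flags hostnames that are one character away from a trusted domain, that hide non-ASCII letters behind punycode, or that mix alphabets. The trusted list, the small confusables map, and the "last two labels" rule are assumptions made for illustration.

```python
import unicodedata

# Constructed allow-list of sites the user really uses (assumption for this example).
TRUSTED = ["example.com", "paypal.com", "chatgpt.com"]

# Tiny illustrative confusables map (not the full Unicode confusables table):
# Cyrillic a, e, o, p, c, i, Greek omicron, and digits that render like ASCII letters.
CONFUSABLES = {"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
               "\u0441": "c", "\u0456": "i", "\u03bf": "o", "0": "o", "1": "l"}

def decode_label(label):
    """Turn a punycode label (xn--...) back into the Unicode a browser may display."""
    if label.startswith("xn--"):
        try:
            return label[4:].encode("ascii").decode("punycode")
        except UnicodeError:
            return label
    return label

def skeleton(text):
    """Reduce text to the ASCII string it visually resembles."""
    decomposed = unicodedata.normalize("NFKD", text)
    stripped = "".join(c for c in decomposed if not unicodedata.combining(c))
    return "".join(CONFUSABLES.get(c, c) for c in stripped)

def scripts(label):
    """Alphabets used by the letters in a label, read from Unicode character names."""
    return {unicodedata.name(c, "UNKNOWN").split()[0] for c in label if c.isalpha()}

def edit_distance(a, b):
    """Levenshtein distance: inserts, deletes and substitutions."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def check_host(host, trusted=TRUSTED):
    """Return warnings for a hostname; an empty list means no lookalike signs."""
    labels = [decode_label(l) for l in host.lower().rstrip(".").split(".")]
    domain = ".".join(labels[-2:])  # assumption: registrable domain = last two labels
    if domain in trusted:
        return []
    findings = []
    if not domain.isascii():
        findings.append("domain contains non-ASCII characters")
    if len(scripts(labels[-2:][0])) > 1:
        findings.append("label mixes alphabets")
    skel = skeleton(domain)
    for good in trusted:
        if skel == good:
            findings.append(f"visually identical to {good}")
        elif edit_distance(skel, good) == 1:
            findings.append(f"one character away from {good}")
    return findings
```

An empty result only means none of these specific tricks was detected; it does not vouch for the site.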

3. Use website safety checker tools

If you’re unsure, run the URL through a domain reputation service or safety scanner. These tools (often provided by security companies or search engines) aggregate data from malware blacklists and scanning engines. For example, Google’s Safe Browsing status page will report if a site is currently flagged as dangerous or recently compromised.

Other checkers, like VirusTotal, SSL Trust, and URLscan, scan for known malicious code or phishing content. Such scanners won’t catch 100% of threats, but they can quickly identify obvious problems. If the checker reports the site as unsafe, or if you see a phishing warning, it’s best to avoid the site entirely.

4. Look up the domain with WHOIS

The WHOIS lookup tool can be used to check a domain’s registration details. It reveals when the domain was created, who registered it, and its expiration date. Legitimate businesses usually have established domains, while brand-new domains—only days or weeks old—can be suspicious. Fake sites often don’t stay online long, so domain age is a quick way to spot risk.

WHOIS also shows the registrant’s name and country. If this info doesn’t match the company’s claims (like a “U.S.” business with a foreign owner), it’s a warning sign.

If WHOIS shows “Privacy Protected” or generic info, it’s not definitive alone (many legitimate domains use WHOIS privacy by default), but it’s worth noting with other red flags. Overall, WHOIS helps confirm if the site is owned by who it says and how long it’s been active.
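To make the WHOIS reasoning above concrete, here is an added Python example (not part of the original article) that reads a WHOIS response, computes the domain's age, compares the registrant country with the country the business claims, and counts privacy protection only when another red flag is present. The sample records, the field names it looks for, and the 30-day threshold are constructed assumptions; real WHOIS output varies by registry.

```python
import re
from datetime import date

# Constructed WHOIS responses in the common "Key: value" layout (sample data).
SAMPLE_NEW = """\
Domain Name: SHOP-EXAMPLE.TEST
Creation Date: 2025-05-28T09:14:02Z
Registry Expiry Date: 2026-05-28T09:14:02Z
Registrant Organization: Privacy Protected
Registrant Country: PA
"""
SAMPLE_OLD = """\
Domain Name: ESTABLISHED-EXAMPLE.TEST
Creation Date: 2009-03-02T00:00:00Z
Registrant Organization: REDACTED FOR PRIVACY
Registrant Country: US
"""

def parse_whois(text):
    """Map each lower-cased field name to its first non-empty value."""
    record = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and value.strip():
            record.setdefault(key.strip().lower(), value.strip())
    return record

def creation_date(record):
    """Find an ISO-style creation date under the field names this example knows."""
    for key in ("creation date", "created"):
        match = re.search(r"\d{4}-\d{2}-\d{2}", record.get(key, ""))
        if match:
            return date.fromisoformat(match.group())
    return None

def assess(text, claimed_country, today, young_days=30):
    """Return red flags; privacy protection counts only alongside another flag."""
    record = parse_whois(text)
    flags = []
    created = creation_date(record)
    if created is None:
        flags.append("no creation date found in the WHOIS record")
    elif (today - created).days < young_days:
        flags.append(f"domain is only {(today - created).days} days old")
    country = record.get("registrant country")
    if country and country.upper() != claimed_country.upper():
        flags.append(f"registrant country {country} does not match claimed {claimed_country}")
    owner = record.get("registrant organization", "") + record.get("registrant name", "")
    if flags and re.search(r"privacy|redacted|proxy", owner, re.I):
        flags.append("registration details are privacy-protected")
    return flags

if __name__ == "__main__":
    for flag in assess(SAMPLE_NEW, "US", date(2025, 6, 10)):
        print("warning:", flag)
```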

5. Read website user reviews and news

Look up user feedback about the site. Search online for the site name plus terms like “reviews,” “complaints,” or “scam.” If the site is well-known, there may be forum posts and blog articles discussing it. Be wary if you find mentions of hacking, fraud, or data breaches. A string of “fraud alert” posts or consistent negative comments is a strong warning sign.

Additionally, pay attention to any reports of missing orders, malware downloads, or theft of personal data. Legitimate companies may have negative reviews too, but a pattern of serious complaints is a red flag.

Conversely, any glowing reviews on the site itself could be fake. Fraudsters often fabricate their own testimonials. Trusted advice is to read both on-site and off-site reviews, looking especially for mentions of fraud or identity theft, and to check for news on the company too.

6. Check for a privacy policy and legal pages

Legitimate websites—especially those handling personal data or payments—usually have clear privacy policies, terms of service, and other legal pages. These documents explain how your data is collected, used, stored, and shared. In many places, such as under Europe’s GDPR, these policies are legally required. A missing or overly brief privacy policy can be a red flag.

Good policies use clear language and provide specific details about what information is gathered and how it’s protected. If a site lacks a privacy statement or offers vague, unhelpful text, it may not be trustworthy.

7. Avoid websites with excessive pop-ups or redirects

Watch out for aggressive or persistent pop-ups. If a site floods your screen with windows you can’t easily close or keeps redirecting you to unrelated pages, it’s usually a sign of malicious behavior. Legitimate sites rarely use excessive pop-ups. Be especially cautious if a pop-up asks for personal or financial info or urges you to download software by warning your device is at risk—these are common scareware tactics.

Also, avoid pop-ups advertising unrelated products or unbelievable deals. Safe sites let you browse with minimal interruptions, so if you see excessive ads or unsolicited warnings, close the site immediately.

8. Analyze design and language 

Examine the site’s appearance and writing. Professional companies typically have polished, coherent websites. Conversely, scam sites often have telltale mistakes: poor layout, low-resolution images, broken links, and lots of typos or odd phrasing. For example, if you’re on a shopping site and notice awkward phrasing or basic errors, that’s a strong sign the site might be fake.

These red flags often point to rushed or careless construction, which is common in fraudulent websites that aim to look legitimate at a glance. Trust your eyes and instincts, but stay cautious: with AI, it’s now easier than ever for scammers to build convincing fake websites.

9. Investigate payment options and checkout security

Trustworthy sites use secure, recognized payment methods—this is especially important on shopping sites. If a store looks suspicious or fake, leave immediately. Check that the checkout page uses HTTPS and accepts well-known options like credit cards, which often provide buyer protection. 

Avoid sites that only accept hard-to-trace payments like wire transfers, cryptocurrency, or gift cards, as these are usually irreversible. Financial experts recommend using credit cards or payment services with fraud protection. If a site’s only payment option is something untraceable, that’s a clear red flag.

If you land on a suspicious site, check it against this list of 25 fake shopping sites. Even if it’s not listed, stay cautious—scam tactics change all the time.

10. Verify company details and contact information

Check that the site clearly identifies itself. Legitimate businesses provide real-world details like a company name, physical address, and phone number. Look for an “About Us” page or contact info in the footer. Missing or incomplete contact details are a warning.

Ideally, the site lists a physical address (not just a P.O. Box), a phone number or live chat, and an email or contact form. Verify these independently—if the address or number doesn’t match or leads to unrelated businesses, that’s suspicious.

11. Use your browser’s built-in security tools

Modern browsers include built-in protections like Google Safe Browsing in Chrome, which track malicious sites. When you try to visit a flagged site, the browser shows warnings like “Deceptive site ahead” or “Your connection is not private” and often blocks access. 

Keep your browser updated to ensure these protections work with the latest data. Also, enable the pop-up blocker and disable unwanted redirects in your browser settings for extra safety.

12. Be skeptical of “trust” badges (fake icons)

Many sites show icons like SSL locks, “Secure Checkout,” or secure site seals to look trustworthy, but these are easy to copy or fake. Don’t trust a badge unless you can verify it. A real seal is usually clickable and links to the certifying organization. If badges aren’t clickable, lead nowhere, or are low-quality images, be wary.

13. Install real-time web protection tools

Web protection tools like ExpressVPN’s Advanced Protection can block known malicious sites to protect you from spyware and phishing domains. Advanced Protection also blocks apps and websites on your device from contacting third parties known for tracking or harmful activity.

You might also want to invest in a good antivirus with real-time protection to increase your protection against malware downloads. To stay safe, keep your antivirus updated and run regular scans. 

Active protection can stop drive-by downloads or phishing attacks that bypass your initial checks. In short, using layered defenses significantly lowers the risk of visiting harmful websites.

How to act if you think a website is unsafe

Prevention is the best defense. If you haven’t run into a dangerous website yet, it’s worth learning safe browsing habits—this guide offers practical tips to help you stay secure. But if you’ve already landed on a suspicious site, the steps below can help you respond and minimize potential harm.

Steps to exit safely

If you accidentally landed on a suspicious site, follow the steps below to leave the website without putting your system at further risk:

  1. Cut off your internet: Disconnect your device from the internet by turning off Wi-Fi or unplugging the Ethernet cable. This prevents the site from loading more harmful content or sending your data while you close it safely.
  2. Close the tab immediately: Don’t click on buttons or pop-ups, even if they say “Close” or “Cancel.” These can be disguised triggers that lead to downloads or redirect you to more malicious content.
  3. Force-close your browser: If the site is locking your screen or showing nonstop alerts, force-close the browser to stop it. On Windows, press Ctrl + Shift + Esc to open Task Manager, then end the browser task. On Mac, press Command + Option + Esc, select the browser, and click Force Quit. This will immediately shut down the session and stop the malicious page.
  4. Avoid using the “Restore Tabs” feature: When you reopen your browser, it may ask if you want to restore your last session. Choose “X,” as this could reload the unsafe site you just left and expose you to the same risks again.
  5. Clear your browser cache and cookies: These may contain tracking scripts or session data left by the site. Removing them helps cut off lingering connections and improves your privacy after visiting an unsafe page.

After you’ve successfully left the page, consider running a malware scan with your antivirus. Even brief exposure to a malicious page can trigger background downloads, so scanning your system helps catch and remove potential threats early.

How to report a malicious site

Reporting dangerous websites helps protect others and supports the broader effort to stop scams and malware. You can start by using your browser’s built-in reporting tools—most major browsers include this feature. In Chrome, for example, click the three dots (⋮), then go to Help and select Report an issue.

You can also report malicious sites to your antivirus provider, especially if your security software didn’t flag the threat. For more detailed steps, refer to this guide on how to report a website and help make the web safer for everyone.

Protecting your device and data after exposure

If you suspect you’ve visited an unsafe website or, worse, entered personal information or downloaded a file, act quickly:

  • Run a full antivirus and anti-malware scan: Use reliable security software to check for malware, spyware, or keyloggers.
  • Change passwords immediately: Start with any accounts you may have accessed while the site was open (email, banking, and any reused credentials).
  • Enable two-factor authentication (2FA): Use this wherever possible to prevent unauthorized access to important accounts.
  • Monitor bank accounts and credit cards: Check for suspicious charges, especially if you entered any payment information.
  • Check your browser extensions: Some unsafe sites may try to trick you into installing malicious add-ons. Remove anything unfamiliar.

Also, if you entered personal info, consider placing a fraud alert or credit freeze through a credit bureau to prevent identity theft. Even if nothing bad happened immediately, it’s wise to take these precautions—some malware or phishing attempts delay their attack, so staying proactive helps limit long-term risk. 


Ernest is a tech enthusiast and writer at ExpressVPN, where he shares tips on staying safe online and protecting user data. He’s always exploring new technology and loves experimenting with the latest apps and systems. In his free time, Ernest enjoys disassembling devices and learning new languages.