How to Check If a Website Is Safe
Before entering personal information, making a purchase, or downloading files from an unfamiliar website, a few quick checks can reveal whether the site is legitimate. Phishing sites, malware distributors, and scam shops often have easily identifiable red flags once you know what to look for. Use the SSL checker and WHOIS lookup to verify a site before you trust it.
Safety Check Methods
| Check | What to Look For | Tool / Method |
|---|---|---|
| HTTPS and valid SSL certificate | Padlock icon in browser; certificate issued to the correct domain; not expired or self-signed | Browser address bar; SSL checker |
| Domain age | Newly registered domains (under 1 year) are higher risk; scam sites are created and discarded quickly | WHOIS lookup: check "Creation date" |
| WHOIS registrant data | Legitimate businesses have coherent WHOIS data; scam sites often use privacy proxies with generic contact info | WHOIS lookup tool |
| Google Safe Browsing | Check if the URL is flagged as malware, phishing, or unwanted software in Google's database | transparencyreport.google.com/safe-browsing/search |
| VirusTotal URL scan | Scans URL against 70+ security vendor databases simultaneously | virustotal.com |
| Reputation checkers | Aggregate scores from user reports and automated scanning | Web of Trust (WOT), Scamadviser, URLVoid |
Red Flags of an Unsafe Website
- The URL uses a lookalike domain (e.g. paypa1.com, amazon-deals.net) that mimics a trusted brand.
- The SSL certificate is issued to a different domain than the one you are visiting, is expired, or uses an unrecognised CA.
- The site was registered within the past few months, especially if it claims to be an established business.
- There is no physical address, phone number, or verifiable company registration information.
- Prices are unrealistically low (too-good-to-be-true deals are a classic scam indicator).
- The payment page redirects to a different domain than the main site.
- Browser security warnings (e.g. "Deceptive site ahead") are active. Never bypass these.
Using SSL and WHOIS Tools
An SSL certificate check reveals the certificate's validity period, the issuing Certificate Authority, and the domains it covers. A WHOIS lookup shows when the domain was registered, who the registrar is, and the name servers in use. A domain registered last week claiming to be a major retailer is almost certainly fraudulent regardless of whether it has an SSL certificate: SSL/TLS only proves the connection is encrypted, not that the site owner is trustworthy.
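The two checks can be combined in a few lines. The sketch below is an added example, not part of the original article: it evaluates a certificate dictionary in the shape Python's `ssl.SSLSocket.getpeercert()` returns together with a WHOIS creation date. The function names, the sample certificate and the hostname `shop.example` are constructed for illustration; the 365-day threshold follows the "under 1 year" rule from the table above.

```python
import ssl
from datetime import datetime, timezone


def covers(hostname, cert):
    """True if a subjectAltName DNS entry matches; '*' covers one label only."""
    host = hostname.lower().split(".")
    for kind, value in cert.get("subjectAltName", ()):
        pattern = value.lower().split(".")
        if kind != "DNS" or len(pattern) != len(host):
            continue
        if pattern[1:] == host[1:] and pattern[0] in ("*", host[0]):
            return True
    return False


def check_site(hostname, cert, domain_created, now, min_age_days=365):
    """Return findings for a certificate dict and a WHOIS creation date."""
    findings = []
    start = ssl.cert_time_to_seconds(cert["notBefore"])
    end = ssl.cert_time_to_seconds(cert["notAfter"])
    if not start <= now.timestamp() <= end:
        findings.append("certificate outside its validity period")
    if not covers(hostname, cert):
        findings.append("certificate does not cover this hostname")
    # Domain age is judged separately: a valid certificate never offsets it.
    age = (now - domain_created).days
    if age < min_age_days:
        findings.append(f"domain is only {age} days old")
    return findings


# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns.
SAMPLE_CERT = {
    "notBefore": "Jan  1 00:00:00 2025 GMT",
    "notAfter": "Apr  1 00:00:00 2025 GMT",
    "subjectAltName": (("DNS", "shop.example"), ("DNS", "*.shop.example")),
}
NOW = datetime(2025, 2, 1, tzinfo=timezone.utc)
```

With the sample certificate and a creation date one week before `NOW`, the certificate checks pass and the only finding is the domain's age, which is exactly the case the paragraph above warns about.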
A 60-Second Safety Check, Step by Step
| Step | What to Do | Pass Condition |
|---|---|---|
| 1 | Read the domain in the address bar, right to left from the TLD | The registered domain (the part before .com/.net) is exactly the brand you expect, not a lookalike or a brand name buried in a subdomain |
| 2 | Click the padlock/tune icon in the address bar → Connection is secure → Certificate is valid | Certificate is issued to the domain you are on and is within its validity dates |
| 3 | Run the domain through a WHOIS lookup | Creation date is years old for an "established" brand; registrar and nameservers look coherent |
| 4 | Run the domain through the SSL checker | Valid chain from a recognised CA; the certificate covers the exact hostname |
| 5 | Search the brand name yourself and compare URLs | The site you were sent to matches the site search engines list for the brand |
Reading deceptive URLs correctly
The only part of a URL that matters for identity is the registered domain immediately left of the TLD. In paypal.com.secure-login.net, the real domain is secure-login.net - "paypal.com" is just a subdomain label anyone can create. This single reading habit defeats the majority of phishing URLs, which rely on victims scanning left to right and stopping at the first familiar word.
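The right-to-left reading rule can be written down as code. This is an added example, not part of the original article: it extracts the registered domain and flags the three patterns this page names (brand as a subdomain, character-swap lookalike, brand padded with extra words). The suffix set, brand list and character-swap table are small constructed assumptions; a real checker would load the full Public Suffix List so that multi-part suffixes such as co.uk are handled everywhere.

```python
from urllib.parse import urlsplit

# Assumption: a tiny constructed subset of the Public Suffix List.
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}
BRANDS = ("paypal", "amazon")  # constructed watch list
# Common character swaps in lookalike names (constructed, not exhaustive).
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s"})


def hostname_of(url):
    """Lower-cased host of a URL that includes its scheme (https://...)."""
    return (urlsplit(url).hostname or "").rstrip(".").lower()


def registered_domain(url):
    """Return one label plus the longest known suffix to its right."""
    host = hostname_of(url)
    labels = host.split(".")
    # Longest candidate suffix first, so co.uk is tried before uk.
    for i in range(1, len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:])
    return host  # unknown suffix: fall back to the whole host


def assess(url):
    """List the ways a host borrows a watched brand without being it."""
    host = hostname_of(url)
    reg = registered_domain(url)
    name = reg.split(".")[0]
    subdomain_labels = host[: len(host) - len(reg)].split(".")
    findings = []
    for brand in BRANDS:
        if name == brand:
            continue  # the registered domain really is the brand
        if brand in subdomain_labels:
            findings.append(f"{brand} appears only as a subdomain of {reg}")
        elif name.translate(HOMOGLYPHS) == brand:
            findings.append(f"{name} is a character-swap lookalike of {brand}")
        elif brand in name.split("-"):
            findings.append(f"{brand} is padded with extra words in {reg}")
    return findings
```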
Why the Padlock Stopped Meaning "Safe"
Certificates are free and automated (Let's Encrypt issues them in seconds), so virtually all phishing sites now serve valid HTTPS. The padlock answers exactly one question ("Is this connection encrypted to the server named in the bar?") and says nothing about who operates that server. Browsers have responded by demoting the padlock to a neutral settings icon in recent Chrome versions. Treat encryption as a minimum requirement, never as an endorsement, and let domain identity and domain age carry the trust decision.
What This Means for You
You do not need to vet every site you read; you need to vet every site you give something to: credentials, card numbers, personal data, or a file download. For those moments, the 60-second routine above is enough: read the domain right to left, confirm the certificate matches, and check the domain's age if anything feels off. Arriving via your own bookmark or a fresh search instead of an emailed link sidesteps most traps entirely. If you already entered a password somewhere suspicious, change it now and check your exposure with the breach check tool.
Frequently Asked Questions
Does HTTPS mean a website is safe?
No - HTTPS means the connection is encrypted, nothing more. Phishing sites routinely use free, valid certificates. Safety comes from verifying the domain itself: that it is spelled exactly right, belongs to the organisation you expect, and was not registered last week.
What is the fastest way to spot a fake shopping site?
Check the domain's creation date with a WHOIS lookup. A store claiming years of reputation but registered weeks ago is almost certainly a scam, especially combined with steep discounts, no verifiable company details, and payment pages on a different domain.
I clicked a suspicious link - am I infected?
Clicking alone rarely compromises a modern, updated browser. The danger comes from what happens next: entering credentials, downloading and running files, or approving permission prompts. If you only viewed the page, close it, and update your browser. If you typed a password, change it immediately.