Best Practices · 8 min read · May 25, 2026

How to Spot Fake Websites: A Practical Guide to Avoiding Phishing and Scam Sites

Fake websites are designed to look exactly like legitimate ones. Learn the tell-tale signs of phishing and scam sites — from suspicious URLs and missing HTTPS to pressure tactics and login page red flags — so you never hand your credentials to an attacker.

Why Fake Websites Are So Effective

Modern phishing sites are no longer the typo-riddled, obviously suspicious pages of the early internet. Today's attackers use copied HTML, stolen CSS, and genuine brand logos to build near-pixel-perfect replicas of banking portals, email login pages, and e-commerce checkout screens. Some deploy SSL certificates so the padlock icon appears in your browser. Others use lookalike domain names that are one character off from the real thing — a difference most people never notice.

The goal is simple: get you to type your username and password into a form that submits directly to an attacker's server. With those credentials in hand, they log into your real account within minutes. High-value targets — banking, email, Apple ID, Amazon — are mimicked most often, but social media, cloud storage, and workplace tools are common too. Knowing how to identify a fake site before you type anything is one of the highest-return security skills you can develop.

Check the URL Before Anything Else

The URL bar is your most reliable signal. A legitimate website serves its pages from the company's own domain, and that domain is hard to fake if you know what to look for. The key is reading the host name from right to left and identifying the root domain, the part immediately before the first single slash; everything to the left of it is a subdomain that the site owner can set to anything.

Take "paypal.com.account-verify.net/login" as an example. Scanning left to right, "paypal.com" looks trustworthy. But the actual domain is "account-verify.net" — PayPal has nothing to do with it. The attacker has simply made "paypal.com" a subdomain of their fake site. Always identify the root domain: the last label before the first forward slash together with its top-level suffix (here "account-verify" plus ".net"). That is the site you are actually visiting.

Watch for lookalike domain names that use character substitution or misspelling: "arnazon.com" (rn looks like m), "paypa1.com" (the number 1 instead of lowercase L), "g00gle.com" (zeros instead of O's). Also watch for homograph attacks using international characters: "аpple.com" where the "а" is a Cyrillic character, not Latin — visually identical but a completely different domain. Copy the URL and paste it into a plain text editor to reveal substituted characters.
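The URL checks from the last three paragraphs, written out as an added Python example (not code from the original article): it extracts the root domain from a URL, flags a brand name sitting in a subdomain, detects confusable-character lookalikes such as "paypa1" and "arnazon", and reports non-ASCII or mixed-script hosts together with their punycode form. The brand watch-list and confusable table are assumptions, and the two-label root-domain rule is a simplification that does not handle suffixes such as co.uk.

```python
import unicodedata
from urllib.parse import urlsplit

# Constructed watch-list of brands that phishing hosts commonly imitate (assumption).
WATCHED_BRANDS = ("paypal", "amazon", "apple", "google")
# Character swaps from the article: digits and letter pairs that read like another letter.
CONFUSABLES = {"0": "o", "1": "l", "3": "e", "5": "s", "rn": "m", "vv": "w"}

def registrable_domain(host: str) -> str:
    """Naive root domain: the last two labels (multi-part suffixes such as co.uk are not handled)."""
    return ".".join(host.rstrip(".").split(".")[-2:])

def normalize_label(label: str) -> str:
    """Undo the substitutions so 'paypa1' and 'arnazon' compare equal to the brand they imitate."""
    for fake, real in CONFUSABLES.items():
        label = label.replace(fake, real)
    return label

def analyze_url(url: str) -> dict:
    """Run the article's URL checks; return the host, its root domain and a list of findings."""
    host = (urlsplit(url).hostname or "").lower()
    findings = []
    # Homograph check: any non-ASCII label, or letters from more than one script (e.g. Cyrillic 'а').
    if any(ord(c) > 127 for c in host):
        findings.append("non-ASCII characters in host")
    scripts = {unicodedata.name(c, "UNKNOWN").split()[0] for c in host if c.isalpha()}
    if len(scripts) > 1:
        findings.append("mixed scripts in host: " + ", ".join(sorted(scripts)))
    # The punycode form is what the browser may display instead of the Unicode host.
    try:
        ascii_host = host.encode("idna").decode("ascii")
    except UnicodeError:
        ascii_host = host
    if ascii_host != host:
        findings.append(f"punycode form: {ascii_host}")
    # Brand-as-subdomain trick: 'paypal.com.account-verify.net' is really account-verify.net.
    reg = registrable_domain(host)
    sld = reg.split(".")[0]
    for brand in WATCHED_BRANDS:
        if brand in host and sld != brand:
            findings.append(f"brand '{brand}' appears in host but the root domain is {reg}")
        # Lookalike label: differs from the brand only by confusable characters.
        if sld != brand and normalize_label(sld) == brand:
            findings.append(f"lookalike of '{brand}': {sld}")
    return {"host": host, "registrable_domain": reg, "findings": findings}

if __name__ == "__main__":
    for u in ("https://www.paypal.com/signin", "https://paypal.com.account-verify.net/login",
              "https://paypa1.com/", "https://\u0430pple.com/"):
        print(u, "->", analyze_url(u))
```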

Legitimate banks, email providers, and major retailers will never contact you by email with a link to a login page. If you receive a message claiming your account needs attention, navigate directly to the site by typing the domain into your browser — never click the link in the message.

HTTPS Is Necessary But Not Sufficient

Many people believe that the padlock icon in the browser address bar means a website is safe. This is a dangerous misconception. HTTPS (the padlock) means that the connection between your browser and the server is encrypted — but it says nothing about whether that server is legitimate or malicious. Attackers routinely obtain valid SSL certificates for their fake sites, which means phishing pages frequently show a green padlock.

What HTTPS does guarantee is that your data isn't being intercepted in transit. What it doesn't guarantee is that you're talking to the right server in the first place. A fake site can have HTTPS, a padlock, and a certificate from a recognized authority — and still harvest your credentials the moment you submit the form.

Check the certificate details by clicking the padlock icon and selecting "Certificate" or "Connection is secure → Certificate is valid." For high-security sites like banking, look for an Extended Validation (EV) certificate that shows the legal company name in the certificate details. Most legitimate banking sites use EV certificates; phishing sites rarely do because the verification process involves proving legal identity.

Red Flags on the Page Itself

Beyond the URL and certificate, the page content itself often reveals fake sites. Common tells include urgency and fear language designed to bypass rational thinking: "Your account has been suspended," "Unusual sign-in detected — verify now or lose access," "Your payment failed — update your billing information within 24 hours." Legitimate services rarely threaten immediate consequences that require bypassing your normal security habits.

Look at the overall quality of the page. Blurry logos, slightly off brand colors, unusual fonts, and misaligned elements suggest a page assembled from screenshots or copied assets rather than the genuine source. Check the footer — real company websites have working links to their privacy policy, terms of service, and contact page. Fake sites often have these as dead links or copied text that leads nowhere.

Try hovering over links on the page before clicking them. The actual destination URL appears in your browser's status bar. If you're on what's supposed to be "bankofamerica.com" but links hover to show destinations at "b0famerica-login.com" or a completely unrelated domain, you're on a fake site. Similarly, check that the form's submission URL (visible in the page source) matches the legitimate domain.
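The link and form-destination check from the paragraph above, as an added Python example rather than code from the article: it parses a page's HTML, resolves every link and form action against the page URL, and lists the ones whose root domain differs from the page's own. The sample page, its URL and the two-label root-domain rule are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

def registrable_domain(host: str) -> str:
    """Naive root domain: the last two labels (multi-part suffixes such as co.uk are not handled)."""
    return ".".join(host.rstrip(".").split(".")[-2:])

class DestinationCollector(HTMLParser):
    """Collect the resolved destination of every <a href> and <form action> on a page."""
    def __init__(self, page_url: str):
        super().__init__()
        self.page_url = page_url
        self.targets = []  # (tag, absolute URL)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a" and a.get("href"):
            self.targets.append(("a", urljoin(self.page_url, a["href"])))
        elif tag == "form":
            # A form without an action attribute submits back to the page's own URL.
            self.targets.append(("form", urljoin(self.page_url, a.get("action") or "")))

def foreign_destinations(page_url: str, html: str) -> list:
    """Return (tag, url) pairs whose root domain differs from the page's own root domain."""
    page_domain = registrable_domain(urlsplit(page_url).hostname or "")
    parser = DestinationCollector(page_url)
    parser.feed(html)
    return [(tag, url) for tag, url in parser.targets
            if registrable_domain(urlsplit(url).hostname or "") != page_domain]

# Constructed sample: a login page whose form posts somewhere other than the host serving it.
SAMPLE_PAGE_URL = "https://bankofamerica.com.verify-account.example/login"
SAMPLE_HTML = """
<html><body>
<form method="post" action="https://b0famerica-login.com/collect">
  <input name="user"><input name="pass" type="password"><button>Sign in</button>
</form>
<a href="/privacy">Privacy</a>
<a href="https://www.bankofamerica.com/help">Help</a>
<form method="post"><input name="search"></form>
</body></html>
"""

if __name__ == "__main__":
    for tag, url in foreign_destinations(SAMPLE_PAGE_URL, SAMPLE_HTML):
        print(f"<{tag}> sends you to {url}")
```

A relative link or an action-less form resolves to the page's own domain and is not reported; only destinations that leave that domain are.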

Watch for requests for information that legitimate sites never ask for. No real bank will ask for your PIN, full Social Security number, and date of birth all in one step. No legitimate tech support team contacts you unsolicited asking for your password. The request itself is often the tell — attackers need specific information and design their fake forms to capture it.

Browser Tools That Help Automatically

Modern browsers include built-in phishing protection you should make sure is enabled. In Chrome and Edge, this is called Safe Browsing — check that it's set to "Enhanced protection" in your security settings. In Safari, go to Settings → Safari → Fraudulent Website Warning. Firefox has similar protection under privacy settings. These services maintain databases of known phishing URLs and warn you before the page loads.

Consider installing a reputable browser extension for additional protection. Extensions from established security vendors can add real-time phishing detection, URL reputation scoring, and alerts when you're about to submit credentials to an unverified site. Check your password manager's browser extension too — NordPass and 1Password both show whether the current site matches a saved credential's domain, acting as a double-check against phishing.

This is one of the underrated benefits of password managers: they autofill based on the exact domain where you originally saved the password. If you're on a phishing page that mimics your bank, your password manager won't offer to autofill — because the domain doesn't match. That silent refusal is often your first indicator that something is wrong with the page you're on.

What to Do If You've Already Entered Your Credentials

If you realize mid-transaction or after the fact that you submitted credentials to a fake site, act quickly. Speed is critical — attackers often use automated tools that test captured credentials within seconds of receipt.

First, go directly to the legitimate website (type the URL manually, don't click any links) and change your password immediately. If you used the same password on other sites — another reason to use unique passwords everywhere — change those too. Enable two-factor authentication if you haven't already, which may block the attacker even if they have your password. Contact the service's support team to report the incident and ask them to review your account for unauthorized activity.

If the fake site captured financial information (credit card numbers, banking credentials), contact your financial institution immediately. Most card issuers can freeze a card and issue a new number within minutes via their app. Monitor your accounts for unauthorized transactions over the next 30-90 days.

Report the phishing site to your browser vendor (most have a "Report Phishing" option), to the Anti-Phishing Working Group (reportphishing@apwg.org), and to the legitimate company being impersonated. Your report helps get the fake site flagged and blocked faster, protecting others from falling for the same attack.

Quick Reference: Fake Website Checklist

Before entering credentials on any site, run through this checklist:

✅ Read the domain right-to-left — is it the actual company domain before the first slash?
✅ Look for lookalike characters (rn vs m, 0 vs O, l vs 1)
✅ Check the padlock certificate details for the legal company name
✅ Hover over links to preview their actual destination URLs
✅ Scan for urgency/fear language pressuring you to act immediately
✅ Check footer links — do they work and point to the real company?
✅ Verify your password manager offers to autofill (if it doesn't, the domain is wrong)
✅ Ask: did I navigate here by typing the URL, or by clicking a link in an email/text?

Recommended Tools

The best defense against fake websites is a password manager that refuses to autofill on the wrong domain. We recommend NordPass (free tier available, browser extension for all major browsers) or 1Password for family use. For generating strong, unique passwords for every account — so a single site compromise doesn't cascade — use our free password generator.

See our full security tools guide for more recommendations including VPNs, antivirus software, and identity protection services.

Tags: Phishing, Online Safety, Browser Security, Scams, URL Safety
