It's natural that as the internet has grown in size and complexity, so to have the scams and tricks that criminals play to try and steal your information for insidious purposes.
This guide aims to show you what to look out for when visiting websites and how to spot the dodgy ones.
Broadly, unsafe websites are websites designed to extract information – either personal or financial – from unsuspecting victims through some sort of scam or trick.
Some unsafe websites will look like poor copies of genuine websites they're trying to mimic. Many use reputable brands to try and convey legitimacy to their victims. Other unsafe sites go for original designs but include things like 'trust badges'. These badges make up the little banner of credit card symbols you often see before paying.
As you can see, it's pretty easy to get a hold of these online, and it's not like you have to prove your check out is safe, in this instance, to get the badge. It's a good reminder that you can't just trust a name because you've heard of it previously.
How to check if a website is safe?
The important thing to remember with the below tips is that most of them don't provide full certainty a website is safe, but rather good indicators that one is.
This means they should be taken as mutually supportive; in other words, you should be using them in combination with one another rather than relying solely on a single method or criterion.
Check for the 'S' on the end of HTTPS
One indication that a site is probably safe is whether it uses the secure scheme, also known as (HTTPS://), now often symbolized with a green padlock in the address bar and known as an SSL certificate. However, the operative word in the previous sentence is, unfortunately, 'probably' – we can no longer say with assurance that this definitely means a site is safe.
The APWG (Anti-Phishing Working Group) revealed that an SSL was used in the URL of 77.6% of the phishing sites they detected in the second quarter of 2020, a number that rose to 80% in the third quarter. This is no longer a good criterion for determining the authenticity of any given website.
According to the report, approximately 40% of phishing sites have free SSL certification from authority Let's Encrypt. The long and the short of this situation is that now, it's more likely than not that a given phishing website will have a green padlock/HTTPS URL. However, it's still advisable to stay away from sites without this certification – and you can tell because it'll say 'not secure' in the address bar.
Check the URL
Some scammers bank on unsuspecting users misspelling the web addresses of genuine, popular websites. They take over website domains that might be just one letter or symbol different from the URL of a widely-visited site. So if you do suddenly find yourself on a suspicious-looking site, definitely have a look to see if you made an error in the address bar.
If you are going through a link on another site or in the body of an email address, hovering over the link with your mouse can often reveal where the link is going to take you. If it looks suspicious – including having a spelling error, for example – then just don't click it!
You can also run the URL through a website safety checker. There are some nifty free sites out there that will scan URLs you plug into their page for viruses and malware. Virustotal is recommended by several cybersecurity firms. However, if there's little information about their site available, a free checker may struggle. To learn more, check out our how to spot a fake website guide for more information about how to read URLs.
Again this is simply another indicator, rather than a full-proof method of knowing, but googling whether a website is legitimate is certainly a savvy move if you suspect it might not be. There are a number of reputable websites set up to provide precisely this service, one notable one being TrustPilot.
Asking Google or any other search engine whether a website URL is legitimate may return limited information – that's a big red flag, especially if the website claims to be an appendage of a reputable, well-known company.
Another thing you can do is simply google the website's URL (in the search bar of a search engine, not the address bar of your browser) followed by the word 'scam'. This may get you an answer pretty quickly if it's been particularly successful and hit a lot of victims.
Check the contact information
Check to see whether the contact information listed on a website is legitimate. Do emails to the email address actually send? When you search for the company address (providing it is real) does the location look plausible? You could even ring their phone number – whether (or how) they answer will give you a good indication of their legitimacy.
If you are using this method to check whether a website is safe and you do get an answer, never give out any personal information over the phone. Remember, you're using this call to help you to determine whether the website or operation is a scam – you aren't phoning up to buy their product or hand over any money. Remain skeptical throughout and don't take a good conversation as proof the business is legitimate.
Adjust your browser's safety options
Every browser you use will have slightly different safety settings that will likely need adjusting to suit your needs. These settings can be a good tool to help you decide whether a website is safe.
These are not always the default setting either – as you can see above in Google Chrome, for example, you can turn on the enhanced protection version of the safe browsing tool, which checks website URLs for you and gives you an advanced warning on dangerous activity.
Download and install antivirus software
Like browsers, antivirus software will have features that will help you to determine whether a website is in fact safe to visit. Many will provide you with warnings about websites either on search result pages or when you click on the site link itself, whilst others will bar you from entering without bypassing a warning screen that highlights the dangers associated with your imminent visit.
Some antivirus software will be more useful than others – check to see if your provider has an anti-phishing certificate, for example, because this will really help you out if it does.
Check the spelling
Another indication that a website is safe is flawless spelling and grammar. Legitimate businesses will want to look as professional as possible for customers, so most will have spell-checked the text that appears on their website thoroughly.
If you're spotting error after error, it's highly unlikely anyone with any level of relevant training or skill has looked at the site – which suggests it might belong to something other than a real business that has a reputation to uphold.
Other types of 'safety'
Some websites might be perfectly legitimate, yet still, clash with user conceptions of 'safety'. Some users will consider sites unsafe if they have shady practices when it comes to data. Control over private information is, for many people, intimately linked to safety.
Spotting fake websites
One easy way to protect yourself and confirm a website is safe is to become familiar with what scam websites tend to look like and the features they often share.
Remember, the vast majority of scammers do not have the time, resources, or technical know-how to create sites that are exact replicas of legitimate ones, especially if they're trying to target victims from countries where they don't speak the language. It's also important to remember that scammers' targets are primarily people who aren't the most clued up with computers and technology – so knowing what to look for, in a way, is one of the best defenses. Bearing this in mind, you should leave a site immediately if it:
- Has so many pop-ups you can't smoothly navigate the website.
- Redirects you to a completely different website.
- Provokes warnings from your search engine.
- Immediately slows down your mouse movement.
- Keeps refreshing itself without instruction.
- Is claiming to be a legit brand's site but has spelling errors en masse.
- Has countdown timers and threats of service revocation.
- Unusual payment methods, like paying in Google Play gift cards.
Other red flags
Other signs that may be indicators of shady activity and should lead to browsing with extreme caution include:
- Ridiculously low prices, or free offers on expensive products.
- Weird uses of caps/exclamation marks to inject urgency
- A lack of user reviews, or blatantly fake ones from bots.
- Pop-ups with pornographic imagery/adverts of a sexual nature.
- Poor design/odd color and font combinations.
- Looking more like a site from the early 2000s than 2024.
Conclusion: use your common sense
Legitimate websites will never ask for your personal information unless it really needs it. They won't ask you to input it into a flashing pop-up, demand you enter it before a timer runs out to avoid punishment, or ask for your financial information when there's nothing to pay for.
If you're being threatened with arrest, service revocation, or a fine, you wouldn't find out through a spontaneous website visit, through clicking on a link in an email riddled with spelling errors or a phone call you've had to make because a pop up has frozen your computer. Remember, that's not how legitimate businesses communicate with their customers.
Genuine companies will be more than happy to go to great lengths to show you they're the real deal, both in correspondence and on their website. I know, for example, when an email is really from my bank because they prove who they are by showing me information only they could know.
You likely visit hundreds of legitimate websites every month, so you do know what one looks and feels like through experience, and you know what legitimate correspondence is like too. Always ask yourself 'would a legitimate company do this, and have legitimate websites ask me to do this before?' If the answer isn't a definite 'yes', it's time to leave.