1. Home
  2. Blog
  3. Security
  4. How to Check if a Website Is Safe Before...
Security

How to Check if a Website Is Safe Before You Click

Learn how to check if a website is safe before you click. Read the real domain, verify the age and hosting, and spot phishing in 30 seconds with free tools.

How to Check if a Website Is Safe Before You Click
Copied!

To check if a website is safe before you click, do four quick things: read the actual domain carefully (not the display text), hover to preview where a link really goes, look up the domain's age and hosting, and never enter passwords or payment details on a site you can't verify. A padlock in the address bar is not proof of safety. The most reliable signals are a clean matching domain, a real registration history, and hosting that makes sense for the brand.

Every day, people lose money and data not because they were careless, but because a link looked legitimate for the two seconds it took to click it. The good news: spotting a dangerous site takes about thirty seconds once you know what to look at. This guide gives you the whole checklist, and the free tools that make each check instant.


Why "it has a padlock, so it's safe" is dangerous advice

Let's kill the biggest myth first, because it gets people hurt.

For years we were told to "look for the padlock." That padlock (HTTPS) only means one thing: the connection between you and the site is encrypted, so nobody can eavesdrop on the data in transit.

It says nothing about who runs the site or whether they're honest.

Here's the uncomfortable truth: the vast majority of phishing sites now have that padlock. Free certificates are, well, free and instant, so a scammer setting up a fake login page gets HTTPS in about sixty seconds. The padlock tells you your conversation with the thief is private. It does not tell you the person you're talking to isn't a thief.

So by all means, be suspicious of a site without HTTPS. But never treat the padlock as a green light. It's the floor, not the ceiling.

Signal 1: Read the domain like your money depends on it

Because sometimes it does. The domain name is the single most important safety signal, and it's the one scammers work hardest to disguise.

Read right-to-left from the real domain. The true identity of a URL is the part immediately before the first single slash. In accounts.google.com/login, the real domain is google.com. In google.com.secure-login.xyz, the real domain is secure-login.xyz — and Google has nothing to do with it. Scammers stuff a trusted name into the subdomain precisely because people read left to right and stop at the first familiar word.

Watch for lookalike tricks:

  • Typosquatting: arnazon.com, paypa1.com, micros0ft.com. One character off, easy to miss at a glance.
  • Extra words: apple-support-account.com, netflix-billing-update.com. Real companies use their own domain, not a hyphenated phrase.
  • Wrong endings: the real brand is .com but the link is .net, .info, .shop, or something exotic.
  • Homograph attacks: characters from other alphabets that look identical to Latin letters, so аpple.com (with a Cyrillic "а") reads as normal but is a completely different address.

If a link is disguised or shortened, expand it before you trust it. A URL decoder reveals what an encoded link actually contains, and our post on URL encoding and why links break explains how attackers hide destinations inside messy-looking URLs.

Signal 2: Hover before you click

On a computer, this is the fastest safety check there is, and it costs nothing.

Hover your mouse over any link without clicking and look at the bottom corner of your browser. It shows the real destination. If the visible text says www.yourbank.com but the hover preview shows secure-verify-92x.com, you have your answer. Close the tab.

The mismatch between what a link says and where it goes is the defining feature of phishing. Email clients and websites let the visible text be anything at all, so the text is decoration — the hover preview is the truth.

On a phone, press and hold the link (don't tap) and most apps will show you the real URL in a preview. It's clumsier than a hover, but it works.

Signal 3: Check the domain's age

This is where a lot of scams fall apart instantly, and almost nobody thinks to check it.

Most phishing and scam sites are brand new. They get set up, used for a few days or weeks, and abandoned before they're blacklisted. So a domain claiming to be an established brand, or a "store" with hundreds of reviews, that was actually registered eleven days ago, is waving a giant red flag.

Run the domain through a domain age checker. If a supposedly reputable business is running on a domain that's a few weeks old, something is wrong. Our explainer on what domain age is and why it matters covers how to read the result.

Rough rule of thumb: a legitimate, established brand's domain is usually years old. A scam is usually months or days old. Age isn't a guarantee of safety on its own — but a very young domain pretending to be an old brand is one of the most reliable warning signs there is.

Signal 4: See where the site is actually hosted

You can go one level deeper and check the infrastructure behind the domain. This catches scams that look perfect on the surface.

Resolve the domain to its IP with a domain-to-IP tool, then run that IP through an IP lookup to see the hosting provider and rough location. Our guide on finding where a website is really hosted walks through the whole process.

What you're looking for is a mismatch:

  • A "major bank" hosted on a cheap shared server in a country where it doesn't operate.
  • A "official brand store" on a residential IP block or an anonymous hosting provider known for abuse.
  • An IP that a reverse check shows is shared with dozens of other spammy-looking domains.

None of these is proof by itself — plenty of legitimate small sites use budget hosting. But when the hosting story doesn't match the brand the site claims to be, that gap is meaningful. A real bank does not run its login page off a $3-a-month shared host.

Signal 5: Look at the site itself with fresh eyes

Sometimes the page gives itself away once you actually look.

  • Sloppy language. Spelling errors, broken grammar, and stilted phrasing on a supposedly professional site. Big companies pay people to proofread. Scammers often don't.
  • Pressure and urgency. "Your account will be closed in 24 hours." "Only 2 left, claim now." Manufactured urgency exists to stop you thinking. Real companies rarely threaten you into acting in the next five minutes.
  • Prices that are too good. A brand-new iPhone at 70% off, from a site you've never heard of, is bait. If it seems too good to be true, it is.
  • No real contact details. No physical address, no working phone, no company registration, contact "form" only. Legitimate businesses are findable.
  • Broken or missing pages. No privacy policy, no terms, dead links, placeholder text. A rushed scam site skips the boring pages.
  • Weird payment methods. Insistence on bank transfer, gift cards, crypto, or wire only, with no normal card option. This is a huge one. Reversible payment methods are the scammer's enemy.

Any one of these can happen on a legitimate site having a bad day. Two or three together is a pattern.

Signal 6: Verify the link preview and social footprint

When a link is shared to you, the preview card that appears (the image and title) can itself be a clue. A legitimate site usually has a clean, correct preview. A hastily built scam often has a broken or missing one.

You can check what a URL actually broadcasts to the world with a link preview extractor — it shows the title, description and image the site publishes, without you having to visit it. Our post on why link previews don't show an image explains the technical side, but for safety purposes, a missing or mismatched preview on a "big brand" link is one more small strike against it.

Beyond that, search the brand name plus the word "scam" or "review." Real businesses have a footprint: independent reviews, social accounts with history, news mentions. A scam usually has either nothing, or a suspicious burst of five-star reviews all posted in the same week.

Putting it together: the 30-second safety check

Here's the whole thing as a fast, repeatable routine. You don't need to run every step every time — escalate as your suspicion grows.

  1. Read the real domain. The part before the first single slash. Does it match the brand exactly, with the right ending?
  2. Hover (or long-press) the link. Does where it goes match what it says?
  3. Check the domain age. New domain pretending to be an old brand? Stop.
  4. Check the hosting if you're still unsure. Does the provider and location make sense for who they claim to be?
  5. Scan the page. Urgency, typos, weird prices, strange payment methods?
  6. Search the brand + "scam." What does the wider internet say?
  7. When in doubt, don't type anything. Never enter a password or card number on a site that failed any of the above. Go to the real site directly by typing the known address yourself.

That last point is the master rule. If you're ever unsure whether an email or link is really from your bank, your delivery company, or a service you use, don't click the link at all. Open a new tab, type the address you already know, and log in there. You lose thirty seconds. You keep your account.

Real-world scenarios

The "your package couldn't be delivered" text. You get an SMS with a link about a parcel. Long-press the link: it goes to dhl-redelivery-fee.top, not dhl.com. Domain age check: registered four days ago. That's a textbook scam harvesting card details for a fake "redelivery fee." Delete it.

The too-cheap online store. A social ad shows designer goods at 80% off. The domain is a random string of words. Domain age: three weeks. Hosting: an anonymous provider. Payment: bank transfer only. Every signal points the same way. It's a fake shop that will take your money and vanish.

The urgent bank email. An email says your account is locked and links you to "verify." The visible text says your bank; the hover shows secure-account-verify.info. Real domain is wrong, ending is wrong, urgency is manufactured. Don't click. Log into your bank directly instead.

The lookalike login page. A link takes you to a page that looks exactly like a service you use, asking you to log in. Before typing anything, check the address bar: accounts-google.com instead of accounts.google.com. One hyphen. That hyphen is the entire scam.

Vetting a new supplier for work. You're about to pay an unfamiliar vendor. Domain age check shows a solid multi-year history, hosting matches their stated country, the site has real contact details and a findable footprint. Green lights across the board. This use of the same tools works in reverse — confirming trust, not just catching fraud.

What these checks can and can't do

Honesty matters here, so let's be clear about the limits.

These checks are excellent at catching: phishing pages, fake shops, lookalike domains, hastily built scam sites, and most of the mass-market fraud that fills inboxes and text messages. That's the overwhelming majority of what ordinary people run into.

They're weaker against: a legitimate, established website that has been hacked and is serving something malicious without the owner's knowledge. In that case the domain is old, the hosting is real, and the footprint is genuine — because the site really is that brand. For this, keep your browser and operating system updated, since those patches close the holes such attacks rely on, and pay attention if your browser or antivirus throws a warning.

No single check is proof. Safety comes from stacking signals. One green light means little. Five green lights, and a site is very probably fine. One or two red flags, and you walk away — the cost of being wrong is far higher than the cost of caution.

A note on your own site's trustworthiness

If you run a website, the flip side is worth a thought: you want to pass these checks, not fail them. That means valid HTTPS, a domain with real history, honest contact details, clean structured content, and a correct link preview so your shared links look legitimate rather than broken. Trust signals aren't only about avoiding scams — they're about looking like the real, safe business you actually are. Getting your Open Graph tags right is a small but real part of that picture.

Frequently asked questions

Does the padlock mean a website is safe? No. The padlock (HTTPS) only means your connection to the site is encrypted. It says nothing about whether the site's owner is honest, and most phishing sites now have a padlock too. Treat it as a minimum, not proof.

How can I tell if a link is safe before clicking it? Hover over it on a computer (or long-press on a phone) to see the real destination without clicking. Compare that real URL to the visible text, and read the domain carefully. If they don't match, or the domain looks off, don't click.

How do I check if a website is legit? Read the exact domain, check its registration age, look at where it's hosted, scan the page for urgency and errors, and search the brand name plus "scam" or "review." Stack the signals rather than relying on any single one.

Is it safe to just visit a suspicious site without entering anything? Usually visiting alone is low-risk on an updated browser, but the safer habit is not to visit at all if you're suspicious. The real danger is entering credentials or payment details, so never do that on an unverified site.

Why should I check a domain's age? Because most scam and phishing sites are brand new. A domain that claims to be an established brand but was registered days or weeks ago is one of the strongest warning signs of fraud.

What should I do if I already clicked and entered my details? Change the password immediately (and anywhere else you reused it), enable two-factor authentication, contact your bank if you entered card details, and watch your accounts closely. Acting fast dramatically limits the damage.

The takeaway

Staying safe online isn't about being technical. It's about pausing for thirty seconds and reading a few honest signals before you hand over anything valuable. Read the real domain, hover before you click, check the domain's age and hosting when something feels off, and never type a password into a site you can't verify.

The tools make it fast: a domain age checker to spot suspiciously new sites, a domain-to-IP lookup and IP lookup to see who's really behind a domain, and a URL decoder to unmask disguised links. Thirty seconds of checking beats months of cleaning up after a scam. When in doubt, don't click, don't type, and go to the site you know directly.

This article is general safety guidance, not professional security advice. If you believe you've been targeted or compromised, contact your bank and relevant authorities directly.

Enjoyed this guide?

Get weekly articles on tools, SEO tricks, and developer insights — directly to your inbox. No spam ever.

More from Security