How to Check if a Website Is Legit

Most fake websites do not look obviously fake. They copy the colors, fonts, and product photos of a real brand, register a domain that is almost the real one, and rely on you not slowing down for 30 seconds to actually look at it. The good news is that the same handful of patterns repeat across thousands of scam sites. Once you know what to check, you can rule a site in or out in less time than it takes to load it.

This guide walks you through the practical signals you can verify yourself, in plain English, with no security background needed. We will look at the URL, the page, the brand cues, and the trust signals that real businesses actually publish. At the end you will know what to do when something looks off, and when to use the FakeOrLegit checker to confirm.

FakeOrLegit is operated by Aura Bionics Inc., based in Ontario, Canada. We are not affiliated with any of the brands referenced here. This guide is informational and does not guarantee that any specific site is safe or unsafe - always make your own decision.

Warning signs

  • The address bar shows http:// instead of https:// - meaning the connection is not encrypted. This alone does not prove a scam (scam sites use HTTPS too), but a real bank, retailer, or government site never serves you over HTTP in 2026.
  • The domain name mixes a well-known brand with extra words, like "paypal-secure-login.shop" or "amazon-customer-service.help". Real brands use their primary domain (paypal.com, amazon.com) for sign-in, never a stacked variant on a different TLD.
  • The site uses a high-risk top-level domain such as .shop, .xyz, .top, .click, or .icu for a service that would normally use .com or .gov. Some of these TLDs have legitimate uses, but they are heavily over-represented in scam reports.
  • The page pushes you to log in, pay, or share information urgently to avoid losing access. Real account-action requests are almost never time-bombed to 15 minutes or 24 hours.
  • Search results for the domain show no recent reviews, or the WHOIS shows it was registered in the last 30 days. New domains are not always scams, but a brand-new domain claiming to be a 20-year-old company is a strong signal.
  • The contact page has no real street address, no human phone number, and no business registration details. Legitimate companies publish at least one of these because they have to.
  • Internal links and checkout buttons go to a completely different domain than the page you started on. A real merchant keeps you on the same root domain through purchase.
  • Spelling and grammar are slightly off in places a real brand would never miss - the headline, the footer, the order confirmation copy.
  • The favicon is wrong or generic. Brands obsess over their favicon; scammers tend to forget it.

What to do

  • Type the brand name into Google with the word "scam" and skim the recent results. If a domain is being abused, someone has usually posted about it on Reddit or Trustpilot within hours.
  • Hover over links to see the real destination before you click. On mobile, long-press the link to preview the URL.
  • Use the FakeOrLegit website checker to scan the URL against our heuristics and brand-impersonation database. See our methodology if you want to understand how the score is computed.
  • If you are about to log in, go to the official site by typing the address yourself. Never log in via a link in a text or email.
  • If you are about to pay, use a credit card. Never use debit, wire, or crypto for a first-time merchant - credit cards give you chargeback rights.
  • If you have already entered information and now suspect a scam, change that password immediately (and any password you reuse) and enable two-factor authentication.
  • Report the site to Google Safe Browsing (google.com/safebrowsing/report_phish/), the FTC (reportfraud.ftc.gov), and if a specific brand was impersonated, that brand's abuse team.

FAQ

Does HTTPS mean the site is safe?
No. HTTPS only means the connection between your browser and the server is encrypted - the lock icon does not tell you anything about the operator. The vast majority of phishing sites now use HTTPS because anyone can get a free certificate.
Is a long domain always a scam?
Not always. Some legitimate businesses use long domains (think: support.help.example-saas.com). The pattern to watch for is a well-known brand name stacked with extra words on a different TLD.
What is a high-risk TLD?
A top-level domain (the .com, .org, .net part) that is disproportionately used by scam operators because it is cheap and weakly moderated. The exact list changes; we update ours quarterly from public scam-report data.
What if I already paid?
If you paid by credit card, dispute the charge with your bank as soon as possible. If you paid by wire, crypto, or gift card, the funds are usually gone - file an FTC report immediately so the case is on record.
How does FakeOrLegit calculate the risk score?
See our methodology page. In short: a layered model that combines URL heuristics (HTTPS, TLD risk, hyphen count, punycode, urgency tokens), a 50-brand impersonation allow-list, and a cost-controlled AI risk analysis. Domain reports are cached 7 days.
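The URL-level warning signs above and the heuristics named in this answer (HTTPS, TLD risk, hyphen count, punycode, urgency tokens, brand stacking) can be turned into a small scorer. The following is an added example written for this guide, not FakeOrLegit's own code or lists: the TLD set, brand list, urgency tokens and weights are constructed to cover the examples in the text, and the registrable-domain logic is deliberately naive.

```python
from urllib.parse import urlsplit

# Constructed, illustrative lists. FakeOrLegit's real TLD and 50-brand lists
# are not on this page; these just cover the examples in the guide.
HIGH_RISK_TLDS = {"shop", "xyz", "top", "click", "icu"}
BRANDS = {"paypal": "paypal.com", "amazon": "amazon.com"}
URGENCY_TOKENS = ("urgent", "verify", "suspended", "login", "secure", "expire")
# Constructed weights: brand stacking and punycode dominate, HTTP alone is weak.
WEIGHTS = {"no_https": 1, "high_risk_tld": 2, "punycode": 3,
           "many_hyphens": 1, "urgency_tokens": 1, "brand_impersonation": 4}


def url_signals(url):
    """Return the URL-level warning signs from the guide as True/False flags."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    # IDNA-encode so a Unicode look-alike host shows up as an xn-- label.
    host = (parts.hostname or "").encode("idna").decode("ascii")
    labels = host.split(".")
    tld = labels[-1] if len(labels) > 1 else ""
    # Naive registrable domain (last two labels); a real checker would use
    # the Public Suffix List so that e.g. example.co.uk is handled correctly.
    registrable = ".".join(labels[-2:])
    # Split each label on hyphens so "amazon-customer-service" yields the
    # token "amazon" while an unrelated "amazonia" does not match.
    tokens = {t for label in labels for t in label.split("-")}
    haystack = (host + parts.path).lower()
    return {
        "no_https": parts.scheme != "https",
        "high_risk_tld": tld in HIGH_RISK_TLDS,
        "punycode": any(label.startswith("xn--") for label in labels),
        "many_hyphens": host.count("-") >= 2,
        # Weak on its own: legitimate sign-in hosts also contain "login".
        "urgency_tokens": any(t in haystack for t in URGENCY_TOKENS),
        # Brand name present, but the site is not the brand's own domain.
        "brand_impersonation": any(
            brand in tokens and registrable != real
            for brand, real in BRANDS.items()),
    }


def risk_score(url):
    """Sum the weights of the signals that fired and bucket the result."""
    signals = url_signals(url)
    score = sum(WEIGHTS[name] for name, fired in signals.items() if fired)
    verdict = "high" if score >= 4 else "medium" if score >= 2 else "low"
    return score, verdict


if __name__ == "__main__":
    for u in ("http://paypal-secure-login.shop/verify",
              "https://www.paypal.com/signin"):
        print(u, risk_score(u))
```

Note that the long but legitimate domain from the FAQ (support.help.example-saas.com) scores zero here, while the stacked-brand example scores high; the hyphen count and urgency tokens are only tie-breakers.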

Run a check now

If a specific link or message triggered this guide, paste it for an instant risk report.

Disclaimer

FakeOrLegit provides automated risk signals based on publicly observable patterns. We do not guarantee that any site, email, or message is safe or unsafe. Always use your own judgment, and contact the real institution directly to verify any request before sharing personal or payment information.