Don’t Trust the Padlock: How to Check If a Website Is Actually Safe

Learn to check if a website is safe in under 2 minutes — five tools and signals that spot fake sites before you enter your password or payment details.

That green padlock next to a URL is the internet’s most misunderstood icon. Most people treat it as a seal of trust — proof the site is legitimate and safe. In reality, HTTPS only means your connection to the server is encrypted. It says nothing about whether that server belongs to a real business. Fraudulent sites carry valid SSL certificates every day.

Knowing how to check if a website is safe before typing your email, password, or card details takes under two minutes and can save you from phishing traps and credential theft. These four checks work on any device — no downloads required.

Quick Answer

To verify a website is safe: read the full URL for lookalike tricks (paypa1.com vs. paypal.com), run it through Google Safe Browsing at transparencyreport.google.com/safe-browsing/search, check the domain’s creation date with WHOIS, and scan it on VirusTotal. All four checks take under two minutes and require no account or app.

Why HTTPS Doesn’t Mean a Site Is Safe

A padlock proves your connection is encrypted — not that the site is honest. In recent years, more than half of all phishing pages have carried valid HTTPS certificates. Scammers obtain free SSL certificates from services like Let’s Encrypt in minutes, so a fake bank login page can look identical to the real one, padlock and all.

Pro tip: Click the padlock (or “Connection is secure”) in your browser’s address bar. A legitimate bank or retailer typically shows a certificate issued to its registered company name — look for that detail in the certificate view before entering sensitive data on any unfamiliar site.

Check the URL for Lookalike Tricks

Before anything else, read every character in the address bar. Common spoofing tactics include paypa1.com (digit 1 for the letter L), amazon-secure-signin.com, or bankofamerica.login-verify.net — where the actual registered domain is login-verify.net, not bankofamerica.

Red Flags to Look For

  • Extra words or hyphens inserted before .com
  • Country-code tricks: amazon.com.suspicious-host.net
  • Digit-for-letter swaps: 0 for O, 1 for l, rn for m

If you arrived from an email link, this check matters most. Phishing emails that route to lookalike domains are one of the most common account-takeover vectors — our guide to recognizing phishing emails covers the email-side warning signs in detail.
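
An added example (not from the original article): a Python sketch that applies the red flags above to the article's own sample addresses. The BRANDS watchlist and the "last two labels" rule for finding the registered domain are assumptions made for illustration; real tooling should consult the Public Suffix List.

```python
from urllib.parse import urlsplit

# Assumption: a small hand-picked watchlist (brand label -> its real domain).
BRANDS = {"paypal": "paypal.com", "amazon": "amazon.com",
          "bankofamerica": "bankofamerica.com"}
# The swaps named in the red-flag list: rn for m, 0 for o, 1 for l.
SWAPS = (("rn", "m"), ("0", "o"), ("1", "l"))

def registered_domain(url):
    """Return (registered domain, full host).

    Naive rule: the registered domain is the last two labels of the host.
    This is wrong for suffixes such as .co.uk, hence the Public Suffix List.
    """
    parts = urlsplit(url if "://" in url else "//" + url)
    host = (parts.hostname or "").rstrip(".")
    return ".".join(host.split(".")[-2:]), host

def normalize(label):
    """Undo the digit-for-letter swaps so 'paypa1' reads as 'paypal'."""
    for fake, real in SWAPS:
        label = label.replace(fake, real)
    return label

def lookalike_flags(url):
    """List the lookalike red flags found in url (empty list if none)."""
    domain, host = registered_domain(url)
    if domain in BRANDS.values():
        return []  # the brand's own registered domain
    name = domain.split(".")[0]        # e.g. 'login-verify'
    sub_labels = host.split(".")[:-2]  # labels left of the registered domain
    flags = []
    for brand in BRANDS:
        if name != brand and normalize(name) == brand:
            flags.append(f"character swap imitating {brand}")
        elif name != brand and brand in name.split("-"):
            flags.append(f"extra words around {brand}")
        elif brand in sub_labels:
            flags.append(f"{brand} appears only as a subdomain of {domain}")
    return flags

if __name__ == "__main__":
    # Sample addresses taken from the article text.
    for url in ("https://paypa1.com/login", "https://amazon-secure-signin.com",
                "https://bankofamerica.login-verify.net/x",
                "amazon.com.suspicious-host.net", "https://www.paypal.com/signin"):
        print(url, "->", lookalike_flags(url) or "no lookalike flags")
```

An empty result only means none of these three patterns matched; it does not replace the Safe Browsing, WHOIS, and VirusTotal checks.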

Run the URL Through Google Safe Browsing

Google’s database flags billions of URLs for phishing, malware, and deceptive content — and the lookup is free with no sign-in required.

  1. Copy the full URL from your browser’s address bar.
  2. Open the Google Safe Browsing Transparency Report.
  3. Paste the URL into the search box and press Enter.
  4. “No unsafe content found” means you’re clear; any warning is a hard stop — leave the site immediately.

Troubleshooting tip: Brand-new scam sites may not yet be indexed. If the URL arrived unsolicited or the domain looks freshly registered, combine this check with the VirusTotal scan below for a second opinion.

Check the Domain Age with WHOIS

Legitimate businesses don’t register a domain the week before launching a convincing checkout page. A recently created domain is a significant red flag.

  1. Go to lookup.icann.org or whois.domaintools.com.
  2. Enter just the root domain name (e.g., example.com — no https or path).
  3. Find the Created Date field in the results.

A site presenting itself as an established retailer but showing a domain registered weeks ago has something to hide. Real companies also publish a physical address and working phone number — missing contact details are a warning sign on their own, regardless of how polished the design looks.

Scan with VirusTotal

VirusTotal checks a URL against 90+ security engines simultaneously and typically returns results in under 30 seconds.

  1. Go to virustotal.com and select the URL tab at the top.
  2. Paste the full address and press Enter.
  3. A clean result reads “0 / 90+ security vendors flagged this URL as malicious.” Even 1–2 flags warrant caution; 5 or more is a hard stop.

Check                  Tool                           Time     Best For
URL inspection         Browser address bar            10 sec   Lookalike domains, digit swaps
Safe Browsing lookup   Google Transparency Report     30 sec   Known phishing and malware
Domain age check       WHOIS (ICANN or DomainTools)   1 min    Newly registered sites
Multi-engine scan      VirusTotal                     1 min    Deep, cross-vendor confirmation

If a scan flags a site where you already have an account, changing the password quickly is much easier when your credentials are stored in a dedicated manager — our guide to setting up Bitwarden for free walks through the whole process in about 10 minutes.

Common Mistakes to Avoid

  1. Equating HTTPS with legitimacy. The padlock secures the connection channel, not the site’s intent. Always run at least the Google Safe Browsing check before submitting personal data anywhere unfamiliar. Fix: treat HTTPS as a baseline, not a finish line.
  2. Glancing at the URL instead of reading it. Lookalike domains exploit fast readers. Slow down and read every character, paying close attention to hyphens, digits, and anything that appears before or after the real brand name. Fix: cover the logo and read the raw URL with fresh eyes.
  3. Checking the homepage but not the exact page you were sent. Scammers sometimes host malicious forms on subpages of an otherwise clean-looking root domain. Run VirusTotal on the full URL, not just the domain root. Fix: copy the complete URL from the address bar before scanning.
  4. Clicking through browser security warnings. Chrome, Firefox, and Edge display “Deceptive site ahead” only when they’re highly confident. These warnings are accurate the vast majority of the time. Fix: close the tab rather than clicking “Advanced” and proceeding anyway.
  5. Trusting polished design as proof of legitimacy. Scam sites routinely clone the exact layouts, fonts, and images of real brands. Visual quality is not a safety signal. Fix: run the four checks regardless of how professional the site appears.

Frequently Asked Questions

Does HTTPS guarantee a website is safe?
No. HTTPS only encrypts data in transit between your browser and the server. Scammers get free certificates in minutes, so a phishing page can display a padlock alongside a convincing fake login form with no technical difference from the real site.

What should I do if I already entered my details on a suspicious site?
Change the compromised password immediately on every account where you use it. Then enable two-factor authentication — our 2FA setup guide covers Google, Microsoft, and other major accounts. You should also check whether your email appeared in a recent data breach to catch any further exposure.

Can I run these checks on a smartphone?
Yes. Google Safe Browsing and VirusTotal are both mobile-friendly websites — no app download required. Open either in any mobile browser, paste the URL you want to check, and you’ll have results in under a minute.

Is a missing privacy policy a red flag?
Yes. Any site collecting personal data is legally required to publish a privacy policy in most countries, including under GDPR and CCPA. A missing, blank, or clearly copy-pasted policy — with no company name or contact details — is a concrete warning sign worth acting on before you proceed.

Conclusion

Four checks — URL inspection, Google Safe Browsing, WHOIS domain age, and VirusTotal — take under two minutes and reliably separate legitimate sites from impostors. The padlock tells you the channel is encrypted; these checks tell you whether the destination actually deserves your trust. Bookmark the Google Transparency Report and VirusTotal now, while you’re thinking about it, so they’re ready the moment you need them.