Listen to this post: How to Spot Fake Websites Before You Enter Any Details
You click a “parcel tracking update”, a paid ad, or a message that says your bank needs you to “verify” something. The page loads fast, looks polished, and your fingers are already hovering over the keyboard.
That moment, right before you type, is where scams win or lose.
Phishing now sits at roughly one million attacks per quarter globally, and UK reporting shows real money losses across recent years. The good news is you don’t need special tools or tech skills to protect yourself. You need a short, repeatable check that works when you’re tired, rushed, or on your phone.
Spot a fake website in 30 seconds with these high-signal checks
Think of this like a pre-flight check. You’re not judging vibes. You’re checking facts.
Here’s a quick “scan and decide” view:
| Check | What you do in seconds | Red flag that should stop you |
|---|---|---|
| Domain | Read the main domain slowly | Extra words, weird endings, sneaky subdomains |
| HTTPS | Look for the padlock, then click it | Padlock present but domain doesn’t match |
| Outside proof | Search the name plus “scam” | Lots of warnings, or the site barely exists online |
| Payment/login | Pause before you type | Asking for too much, too soon |
If you want an official UK checklist to compare against, see the UK government’s fake website guidance. Now, the key checks that catch most fakes.
Read the web address like a detective, not a shopper
Most people glance at a URL the way they glance at a shop sign. Scammers count on that.
The simplest rule: the real brand name is usually right before the ending, like .com or .co.uk. That’s the “main domain”.
- Real:
amazon.co.uk(main domain isamazon) - Suspicious:
amazon-deals.co.uk(extra word bolted on) - Dangerous:
amazon.deals.fakesite.com(main domain isfakesite, not amazon)
Common traps to watch for:
Misspellings: amazoon, micros0ft, barclayss
Look-alikes: swapping letters for numbers, like paypa1 (that’s a one)
Odd endings: something.com.co, or a country ending that doesn’t fit the business
Extra words: “verify”, “secure”, “support”, “refund”, “delivery” stuck into the address
A habit that saves people: if you’re going to log in or pay, type the site yourself (or use a bookmark you already trust). Links in texts and ads are like lifts offered by strangers. Sometimes they’re fine. Sometimes they’re not.
Treat the padlock as a seatbelt, helpful but not proof
The padlock (HTTPS) is like a seatbelt. It helps protect what you send, but it doesn’t prove the driver is safe.
Scam sites can and do use HTTPS. Getting a certificate is cheap, and often automated. So don’t stop at “there’s a padlock, I’m fine”.
Do this instead:
Click the padlock (or the site info icon) and look for the domain name. You’re checking one thing: does the certificate show the same site you think you’re on?
Also be wary of “trust badges” and fake security seals. If a badge looks like proof, try clicking it. On scam sites, it often goes nowhere, or it links back to the same page like a prop.
Before you type anything, take 10 seconds for an external reality check:
- Search the brand or site name plus “scam” and read a couple of results.
- Paste the link into a URL scanner like VirusTotal, ScamAdviser, or URLVoid (use them as a second opinion, not a final judge).
The on-page clues scammers can’t hide for long
Once the page loads, don’t get hypnotised by design. A fake site doesn’t need to be ugly anymore. AI tools can produce clean layouts, tidy logos, and convincing product pages in minutes. So you’re looking for behaviour, consistency, and missing basics.
Pressure tactics, weird forms, and deals that don’t feel real
Scam pages push you into action before you think. The pressure can look friendly or threatening, but the goal is the same: rush you past the URL check.
Watch for:
- Countdown timers that reset when you refresh
- “Only 2 left” messages on every item
- Pop-ups that block the page until you “claim” something
- Threats like “account will be closed today” or “delivery returned in 2 hours”
Forms are where the danger spikes. A genuine login might ask for a password. A scam login often asks for more than it should, like:
- Your bank PIN
- Full card details plus the security code
- A one-time SMS code (while you’re still on the page)
- Photo ID for a “simple verification” on a random site
Modern lures are also creeping in. Fake CAPTCHAs can be used to trick you into copying commands or installing junk, and QR codes in emails or posters can bounce you to a look-alike site. The rule stays simple: don’t enter anything until the URL checks out.
Missing basics: contact details, policies, and believable reviews
Legit sites leave a trail. They have real-world details because customers need returns, support, and legal policies.
Red flags you can spot in under a minute:
- No physical address, or an address that’s just a vague place name
- Only one contact method (often a web form), no clear support email or phone
- Returns and privacy pages that look copied, broken, or full of odd grammar
- Footer links that don’t work (Terms, Privacy, Contact)
- Product photos that look lifted from big retailers, but with no brand consistency
Reviews can be a tell too. If every review is five stars, short, and strangely similar, treat it like a stage set. For more examples of what to look for, Which? has a useful guide on spotting scam websites.
A quick cross-check helps: look the company up on an independent review or business listing site and compare contact details. If the phone number or address doesn’t match, stop.
If you’ve already entered details, do these steps now
Panic wastes time. Speed helps.
Lock down accounts fast and report it in the right place
- Close the tab and don’t keep clicking around.
- Go to the real site by typing the address yourself (not using the link you clicked).
- Change your password right away, and change it anywhere you reused it.
- Turn on two-factor authentication if it’s available.
- Check “recent activity” and log out of other sessions if the site offers it.
If you entered card details, call your bank using the number on the back of your card, not a number on the website. Ask to freeze the card (or freeze it in your banking app), and monitor statements closely.
If it was a work login, tell IT or your security team immediately. The quicker they know, the more they can contain.
In the UK, you can forward scam texts to 7726 to help networks block them. Save evidence too (URL, screenshots, the message that led you there), then report it through the right channels. If you want more practical examples of scam-site tactics, Which? also covers seven ways to spot a scam website.
Conclusion
Fake websites don’t just look convincing, they’re built to catch you at the exact second you’re about to type. Slow down at that moment.
Hold onto three anchors: the URL (main domain first), security signals (HTTPS helps, but it’s not proof), and on-page behaviour (pressure, odd forms, missing basics). Share this checklist with someone who gets lots of delivery texts or bargain ads, because the next link they click might be the one that counts.
