How to tell if a website is a scam: 11 red flags and the checks most people miss
You click a link from an email, an SMS, or a Google ad. The page looks right. The logo is there. Something still feels off. Most scam-check advice you find online was written in 2015, and scammers have moved on. Free TLS certificates, AI-generated copy, and homograph domains mean the old "look for https and bad grammar" rule is close to useless now. This guide walks through the 11 red flags that actually work in 2026, plus the three or four checks almost nobody does that would stop the attack cold. Read it once, and you will spot fakes faster than most IT teams.
1. The URL doesn't match the brand
This is the single most reliable check, and most people still miss it. Scammers register domains that look correct at a glance but are not. Three flavors show up again and again:
- Typosquatting: amaz0n.com (zero instead of o), paypa1.com (one instead of l), netfl1x-billing.com (one instead of i). Your eye fills in the correct letter because your brain expects it.
- Homograph attacks: Cyrillic and Greek letters that render identically to Latin ones. The а in аpple.com can be Cyrillic. It looks identical and goes to a different server. Modern browsers usually display a hostname that mixes scripts in its punycode form (a label starting with xn--), so an xn-- in the address bar on what should be a plain English brand name is itself a warning.
- Subdomain tricks: microsoft.security-login.com is NOT a Microsoft site. The real domain is the label that sits directly before the public suffix (.com here). Read URLs right to left: security-login.microsoft.com would be Microsoft; microsoft.security-login.com is owned by whoever registered security-login.com.
Before you type a password, look at the address bar and find the label directly before the suffix and before the first slash. The suffix is usually one part (.com, .net) but can be two (.co.uk, .com.au), so chase.co.uk is owned by "chase", not by "co". That label plus the suffix is the real domain. If it is not the brand you think you are on, close the tab.
2. The TLD is sketchy
Not every top-level domain is equal. Some registrars sell domains for under a dollar with no verification. Scammers buy them in bulk, burn them in a week, and move on. The TLDs that dominate abuse reports in 2026:
.xyz, .top, .click, .buzz, .live, .store, .shop, .online, .ltd, .sbs, .rest, .cfd, .icu
These are not automatically bad. Plenty of legitimate projects use .xyz. The rule is contextual: a major bank, government agency, or Fortune 500 company will not send you to a .xyz login page. Microsoft does not use .click. Your bank does not use .sbs. Chase uses chase.com. When the brand is serious but the TLD is cheap, the mismatch is the signal. Legit corporate domains are almost always .com, .org, .net, or a country code like .co.uk.
3. The TLS certificate proves less than the padlock suggests
The padlock in the address bar used to mean something. Now it means the site obtained a TLS certificate, which anyone can do for free in under 60 seconds with Let's Encrypt. A padlock does NOT mean the site is safe. It means traffic between you and the site is encrypted and that the server proved control of that domain name. It says nothing about who is behind the name; a scam site gets the same padlock.
Click the padlock (or the site-information icon that replaced it in recent Chrome versions) and open the certificate details. Two things are worth reading, each with a caveat:
- Issuer: Let's Encrypt, ZeroSSL, and Google Trust Services issue domain-validated certificates for free, and scam sites overwhelmingly use them. So do plenty of legitimate sites, and browsers stopped displaying Extended Validation (EV) status in the address bar years ago, so a paid certificate from DigiCert, Sectigo, or Entrust is a weak positive signal, not proof. Treat the issuer as context, not a verdict.
- Validity period: a certificate issued three days ago proves little on its own. Let's Encrypt certificates last only 90 days and are renewed automatically, so even a bank you have used for 20 years can be serving a days-old certificate. What matters is how long the domain has existed. Certificate Transparency logs (crt.sh lets you search by domain name) show the first certificate ever issued for a name, which is a useful proxy: a well-known brand whose name first appeared in the logs last week is a fake.
A brand-new certificate on a page asking for your login is not a flag by itself. A brand-new domain behind it (item 7) is, and a screaming red flag when combined with any other item on this list.
4. The page asks for too much, too soon
Real companies already have your data. Scammers need to collect it. That asymmetry shows up in what the page asks for before doing anything useful.
A legitimate bank login page asks for your username and password. Maybe a 2FA code. That is it. A scam login page often asks for your username, password, Social Security number, date of birth, mother's maiden name, card number, CVV, and a "verification" PIN, all on the same screen, before you have done a single transaction.
Reframe it this way: a real company already holds your data and asks you to confirm only the one piece it needs for this action. A scammer holds nothing and wants everything in one shot because they get one chance. If the form asks for more than feels proportional to the action, stop.
5. Urgency language that doesn't make sense
"Your account will be suspended in 30 minutes unless you verify." "Unusual sign-in detected. Confirm now or lose access." "Final notice: refund expires at midnight."
Real banks, governments, and couriers do send alerts, but they do not demand that you act through a link within the hour. Real institutions give you days or weeks, use registered mail for anything legally serious, and expect you to call their published number. The shorter the deadline and the higher the emotional temperature, the more likely it is a scam. Artificial time pressure exists for one reason: to shut down the part of your brain that would otherwise check the URL.
If a message is pushing you to act in under an hour, that urgency IS the signal. Close the tab, open a new one, type the brand's real URL yourself, and log in normally. If the alert is real, you will see it there too.
6. Grammar, punctuation, and pixel-perfect copycats
"Look for bad grammar" was solid advice a decade ago. AI has ended that era. Scam pages in 2026 are often written better than the real brand. Grammar alone will not save you.
What still works is looking for inconsistencies a real design team would never ship:
- Logo slightly the wrong shade or stretched by a few pixels
- Button corners rounded differently than the rest of the brand's site
- Two fonts that do not belong together
- Footer links that all go to the same placeholder page, or to #
- Social media icons with no links behind them
- Copyright date from two years ago
The cheat code: open the real brand's site in a second tab and put the two side by side. Fakes fall apart within 10 seconds when you can A/B them. Scammers optimize for the first impression, not the audit.
7. The domain is brand new
Banks and established companies have usually owned their domains for many years, often decades. Scam domains are usually days or weeks old.
Check it in 20 seconds at whois.domaintools.com or who.is, or query RDAP (the structured successor to WHOIS) at rdap.org. Paste the domain and look at the registration or "Registered On" date. If a site claiming to be Bank of America was registered last Tuesday, you are done. Close the tab.
Rule of thumb: any domain under 90 days old claiming to be a well-known brand is a scam until proven otherwise. Real brands do not quietly migrate to a two-week-old domain without a press release. Age only works as a negative check, though: an old registration date can belong to an expired name that was re-registered or to a legitimate site that was compromised, so an old domain is not automatically a safe one.
8. The contact page has a Gmail address
Real companies use email on their own domain. Support at Chase is something @chase.com, not chase-support-2024@gmail.com. If the "Contact Us" page lists a free webmail address (Gmail, Outlook, Yahoo, ProtonMail) as the only way to reach customer service, the business is either too small to trust with your card details, or it is a scam.
Same goes for phone numbers. Real companies publish a toll-free number that appears on credit card statements and in Google's knowledge panel. A random mobile number on the contact page is a warning.
9. The link came from somewhere you didn't ask for it
Unsolicited SMS, email, DM, or a Google ad you clicked instead of the organic result. Almost every successful phishing attack starts with a link YOU did not request.
Banks, couriers, tax agencies, and crypto exchanges do not cold-message you with login links. USPS does not text you a link to pay a "redelivery fee." The IRS does not email you a refund form. Coinbase does not DM you on Telegram about a security issue. When the first contact is unsolicited and it contains a link, treat the link as hostile by default. If you think it might be real, go to the service the normal way, by typing the URL or using your bookmarks.
10. "Verification" request when you just did it
You onboarded to your bank or exchange once. They did KYC. They took photos of your ID. Genuine periodic reviews do happen, but they are done inside the app or after you log in through your own route, not through a link in an email a year later asking you to "re-verify" your identity.
The "please verify your account" email is one of the oldest tricks and still one of the most effective, because it sounds reasonable. It is not. If you have an account and something is genuinely wrong, you will see a banner after you log in normally. No legitimate exchange or bank requires re-verification through an emailed button.
11. The payment method is unusual
A real business accepts cards, PayPal, Apple Pay, or bank transfer through a recognized processor. A scammer pushes you toward:
- Gift cards (Apple, Amazon, Steam, Google Play)
- Wire transfer to a personal name
- Crypto to a specific wallet address, especially with urgency
- Zelle or Venmo to a stranger, which you cannot reverse
All of these share one property: once sent, the money is gone. No chargebacks, no disputes, no recourse. That is exactly why scammers love them. A legitimate business will offer at least one method that gives you a way to dispute the charge. Anyone who refuses to take a card for anything over $50 is telling you something.
The checks most people miss
The 11 flags above catch most scams. The checks below catch the rest, and almost nobody does them.
- Hover before you click. On desktop, hovering over a link shows the real destination URL in the bottom-left of the browser. Do this before clicking anything in an email. If the visible text says chase.com but the hover preview shows ch4se-login.xyz, you just saved yourself. One caveat: many marketing and phishing emails route links through a tracking redirect, so the preview may show a mailing service's domain with the real target buried in a query parameter. On a phone, press and hold the link to see its destination instead of hovering.
- Type the URL yourself for high-stakes actions. Logging into a bank, exchange, or tax portal? Close the email, open a new tab, and type the URL or use a bookmark you made yourself. Never trust a link for anything that moves money.
- Cross-check with public blocklists. Google's Transparency Report (transparencyreport.google.com/safe-browsing) and URLhaus (urlhaus.abuse.ch) both let you paste a URL and see if it has been reported. Takes 10 seconds. A clean result is not a pass: a domain registered last week has usually not been reported yet.
- Use an extension that checks before the page renders. The gap between clicking and the page loading is where a drive-by attack or a credential form can do damage. A well-built browser extension runs the 11 checks above plus dozens more in under a second, before the page even paints. That is the layer humans cannot provide reliably, because humans get tired.
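The hover check above can be done over an entire email at once. The block below is an added example, not SafeBrowz code or anything from the original article: it pulls every anchor out of an HTML email body, compares the hostname the visible text claims with the hostname the link actually points at, and unwraps one layer of tracking redirect by looking for a query parameter that is itself a URL. The email body is a constructed sample built around the addresses the article uses; it does not follow real redirects over the network.

```javascript
// Added example (not SafeBrowz code): audit the links in an email body the way
// "hover before you click" does, for every link at once. Sample body is constructed.
const SAMPLE_EMAIL_HTML = `
<p>Sign in at <a href="https://ch4se-login.xyz/verify">chase.com</a> to confirm.</p>
<p>Or use <a href="https://click.tracker.example/r?u=https%3A%2F%2Fpaypa1.com%2Flogin">https://www.paypal.com/login</a></p>
<p>Statements: <a href="https://www.chase.com/statements">www.chase.com/statements</a></p>
`;

// Pull (href, visible text) pairs out of the anchors; nested tags in the text are stripped.
function extractLinks(html) {
  const links = [];
  const re = /<a\s[^>]*href="([^"]+)"[^>]*>([\s\S]*?)<\/a>/gi;
  let m;
  while ((m = re.exec(html)) !== null) {
    links.push({ href: m[1], text: m[2].replace(/<[^>]+>/g, '').trim() });
  }
  return links;
}

// Tracking links often carry the real destination in a query parameter.
// Unwrap one layer: the first parameter whose value is itself an http(s) URL.
function unwrapRedirect(href) {
  const url = new URL(href);
  for (const value of url.searchParams.values()) {
    if (/^https?:\/\//i.test(value)) return new URL(value);
  }
  return url;
}

// Hostname the visible text implies, if the text looks like a URL or a bare domain.
function hostnameFromText(text) {
  const withScheme = /^[a-z]+:\/\//i.test(text) ? text : `https://${text}`;
  try {
    const h = new URL(withScheme).hostname;
    return h.includes('.') ? h : null; // "click" or "here" are not domains
  } catch (e) {
    return null; // text with spaces or other non-URL content
  }
}

function auditLinks(html) {
  return extractLinks(html).map(({ href, text }) => {
    const hover = new URL(href).hostname;               // what the status bar shows
    const destination = unwrapRedirect(href).hostname;  // where you would actually land
    const claimed = hostnameFromText(text);
    const mismatch = claimed !== null && claimed !== destination;
    return { text, hover, destination, mismatch };
  });
}

module.exports = { extractLinks, unwrapRedirect, hostnameFromText, auditLinks };
```

The second sample link is the case the hover preview alone misses: the status bar shows the tracking host, and only the unwrapped destination reveals paypa1.com. Links whose visible text is a phrase rather than a domain ("Sign in here") cannot be judged this way and still need the registrable-domain check from section 1 on the destination.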
The last one matters most because it runs every single time, not only when you remember to be careful.
Why browser extensions catch what you miss
You are human. You get tired. You check email at 11pm after a long day, you click a link because the subject line triggered a stress response, you skip the URL bar because you have done this a thousand times and the page looks right. This is normal. Attackers count on it.
A well-built extension does not get tired. It runs the same 60-plus checks on every page, every time, before the page renders. That is SafeBrowz.
- 420+ brand lookalikes tracked and matched against URL patterns, including Cyrillic and homograph variants
- 60+ scam URL patterns covering fake captchas, ClickFix prompts, wallet drainers, and fake support pages
- Multiple community blocklists including PhishTank, URLhaus, and aggregated threat feeds
- AI content analysis in 100+ languages so non-English scams are not a blind spot
- Cross-browser: Chrome, Firefox, and Edge, same protection on all three
The free tier covers the basics: brand lookalikes, URL patterns, and blocklist checks. That is enough to block the vast majority of what the average person will see in an inbox or SMS this year. Premium adds deeper AI scans, clickjacking protection, pastejack guard, and wallet drainer detection for Web3 users. Everyone gets the free version. Forever.
When even the extension isn't enough
No single layer is perfect. Defense in depth is how you actually stay safe over years, not weeks. A full stack looks like this:
- Extension that checks URLs and page content before render
- Password manager that will refuse to autofill on a lookalike domain, because it matches saved logins against the exact domain rather than against how the page looks
- Hardware security key (YubiKey or similar) for 2FA on your most important accounts. Phishing-resistant by design.
- Healthy skepticism for any unsolicited link, no matter how official it looks
Each layer catches something the others miss. The password manager alone would have stopped a huge fraction of historical credential-phishing incidents, because it simply will not fill credentials on the wrong domain. The hardware key stops even a perfect phishing page from stealing your second factor, because the signed response is bound to the site's origin (its relying party ID), so a key registered for chase.com produces nothing a page on ch4se-login.xyz can use. The extension catches the threats that appear before you get to the login form at all. Stack them, and the blast radius shrinks to almost nothing.
Install SafeBrowz free
Add the browser extension that runs every check in this article automatically, on every page, before it renders. Free forever.