Most people have a rough mental roadmap for checking whether a website is legitimate. Look for the padlock. Check for spelling mistakes. Be wary of domains that look newly registered. Avoid anything that feels rushed or generic. That checklist made sense when it was written. It no longer does.
In short, these checks still help:
- Search the company name followed by "review" or "scam" and see what comes up
- Try the contact details: a working phone number or email that gets a real response is a good sign
- Check whether the founders or team named on the site are verifiable on LinkedIn or elsewhere
- Look at the legal pages: does the company name in the privacy policy match the one on the homepage?
- Run a reverse image search on product photos to check whether they are lifted from stock libraries
- Look up the domain in a free WHOIS tool to see when it was registered
Whilst these steps are valuable, it remains important to understand exactly how sophisticated modern scam tactics have become, and how detecting them now requires a holistic approach. The rest of this article explains why, and what better detection looks like.
The way scam websites are built, deployed, and used to target people has changed substantially over the past few years, and the gap between what people are told to look for and what actually signals danger has grown into a genuine problem. In 2025, the Anti-Phishing Working Group (APWG) tracked over 3.8 million phishing attacks across the year, with more than one million recorded in the first quarter alone. Behind those numbers are websites that, in many cases, would pass every item on the standard checklist without issue.
The three warning signs that no longer work
The padlock icon. For years, the presence of a padlock in your browser's address bar (indicating an HTTPS connection, meaning the data between you and the site is encrypted) was treated as a basic trust signal. Security guides told consumers to look for it. That advice has outlived its usefulness. TLS certificates (still widely called SSL certificates), the technology behind the padlock, are now free and can be obtained automatically in minutes; a standard domain-validated certificate proves only that whoever requested it controls the domain name. Criminals running fraudulent websites get them as a matter of routine. Security researchers and anti-phishing organisations have consistently documented that a large and growing proportion of phishing sites now operate over HTTPS. The padlock tells you the connection is encrypted. It says nothing about whether the site on the other end is legitimate.
Spelling mistakes and bad grammar. The telltale signs of a poorly written scam email or webpage (awkward phrasing, broken sentences, generic language) were once a reliable filter. That filter has been bypassed. In an analysis of over 67 million simulated phishing exercises, the security firm KnowBe4 found that more than 80% of the phishing templates used AI-generated content, and that AI-crafted lures produced significantly higher engagement rates in controlled testing than manually written equivalents. The result in real-world attacks is messages and pages that read fluently, match the tone of legitimate brands, and use the recipient's name and relevant personal details. The grammar check is no longer useful.
A newly registered domain. Basic scam-checking tools have long flagged recently registered domains as a risk signal. The assumption was that legitimate businesses have history; scam sites are thrown up quickly. Criminals have adapted in two ways. The first is straightforward: register domains months or years before using them, specifically to age them past the threshold. The second is more difficult to counter: increasingly, criminal operations compromise existing, long-established websites and host fraudulent pages under those domains. In that scenario, a domain-age check actively misleads you, because the old domain signals safety while hosting something dangerous.
What scam websites actually look like now
The practical effect of these changes is that a scam website in 2026 can have a valid padlock, a fluent professional tone, a reasonable-looking domain, and a polished visual design. AI tools have made it straightforward to generate realistic product pages, fake customer reviews, professional imagery, and convincing legal disclaimers without design or development skills.
The data on how effective this has become is uncomfortable. Research into phishing behaviour consistently finds that a substantial portion of people who click a malicious link go on to enter their credentials on the fraudulent page, often more than half in controlled studies. The FTC reported that U.S. consumers lost more than $12.5 billion to reported fraud in 2024, up significantly from the year before. These losses reflect not crude, obviously suspicious websites but operations polished enough to persuade millions of ordinary people.
How you arrive at a scam website has also changed
The website is only part of the problem. The path to it has become more sophisticated at the same time.
Phishing messages (fraudulent emails or texts designed to trick someone into clicking a link) used to be easy to screen out. AI has largely closed that gap. Beyond email, criminals now use targeted social media advertising, fake sponsored posts, and compromised accounts belonging to people the recipient knows. The combination of a convincing inbound message and a convincing destination website is considerably harder to catch than either element alone.
What you can do yourself to check a website
Before turning to any tool, there are several checks worth running manually. None of them is foolproof on its own, but together they give you a more complete picture than a padlock and a spell check.
Search the company name alongside "scam", "review", or "complaint". This takes thirty seconds and surfaces problems that many other checks miss. If a business has defrauded people, reports tend to appear on consumer complaint forums, Reddit, or watchdog sites. The absence of any search results at all can itself be a warning sign for a company claiming to be established.
Verify the contact details. Send an email or call the number listed. Scam operations often use contact forms that go nowhere, email addresses on free providers that do not match the company name, or phone numbers that ring out. A real business can be reached.
Check whether the people behind it are verifiable. If a website has an "About" page naming founders or a team, search for those people on LinkedIn or in professional directories. A company that claims to have been operating for several years but whose founders have no traceable history elsewhere is worth treating with caution.
Read the legal pages carefully. Privacy policies, terms of service, and return policies on fraudulent sites are often copied from other sources with names and details inconsistently replaced. Check that the company name used in the legal pages matches the trading name, that a registered address is provided, and that the terms are specific enough to describe an actual business rather than a generic template.
Reverse image search the product photos. Many scam retail sites lift images from legitimate retailers or stock libraries. Right-clicking an image and running a reverse search through Google Images or TinEye will often reveal whether the same photo appears on dozens of other sites, which is a strong indicator the site is not what it claims.
Look up the domain registration date. Free WHOIS lookup tools will tell you when a domain was registered. A site claiming to be an established company but registered three months ago warrants further scrutiny. It is not proof of fraud on its own, but it is a relevant data point.
These steps address what you can observe and verify directly. They have limits, particularly when scammers have invested in aging a domain, building fake social proof, or generating convincing founder profiles. That is where the broader problem lies.
What checking a website actually requires now
If the old checklist is unreliable, what does work? The honest answer is that confirming whether a website is safe now requires the kind of analysis that a quick visual scan cannot provide.
It means looking at whether the people or company named on the site are verifiable. It means checking contact details against known records. It means reading the legal pages for the specific language patterns that fraudulent operations tend to reuse. It means cross-referencing the domain against financial regulatory databases and known fraud infrastructure. It means looking at the actual content of the site, not just its technical metadata.
That kind of analysis is not something most people can run manually on every site they visit. In a detailed post on their blog, the team at scaminfo.ai sets out how they have built a platform to run exactly this kind of multi-variable review programmatically, combining standard technical checks with AI analysis of actual page content, regulatory database lookups, and pattern matching across a wide range of fraud indicators. The approach is considerably more comprehensive than domain-age and SSL checks alone, and it reflects where scam detection needs to go to remain useful.
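To make the previous section's manual checks and the cross-referencing described here concrete, the following is an added example, not the article's own code and not scaminfo.ai's platform. It runs the legal-page, contact-detail, domain-age and product-image checks over a constructed snapshot of a fictitious shop. The snapshot data, the list of free mail providers, the company-name regular expression and the threshold of ten reverse-image matches are all assumptions made for the illustration; a real tool would gather the inputs from the live site, a WHOIS service and a reverse image search, which are deliberately left out so the example runs offline.

```python
import re
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Assumed list of free mailbox providers; a real check would use a maintained list.
FREE_MAIL_PROVIDERS = {"gmail.com", "outlook.com", "hotmail.com", "yahoo.com", "proton.me"}
LIFTED_IMAGE_THRESHOLD = 10  # other sites hosting the same photo before we flag it (assumed)
TODAY = date(2026, 2, 10)    # fixed "today" so the example is reproducible (constructed)


@dataclass
class SiteSnapshot:
    """Everything the manual checks look at, gathered ahead of time (constructed input)."""
    domain: str
    trading_name: str              # name shown on the homepage
    claimed_years_trading: int     # what the "About" page claims
    legal_text: str                # privacy policy / terms text
    contact_email: str
    registered_address: str        # "" if the legal pages give none
    whois_created: Optional[date]  # creation date from a WHOIS lookup, if available
    image_matches: Dict[str, int]  # product image -> other sites found by reverse search


# Crude heuristic: capitalised words followed by a legal suffix. Good enough to show the idea.
COMPANY_NAME = re.compile(r"((?:[A-Z][\w&'-]*\s+)+(?:Ltd|LLC|Inc|GmbH|Limited|plc))\b")


def company_names_in(text: str) -> List[str]:
    """Return the distinct company names a legal page mentions, sorted."""
    return sorted(set(COMPANY_NAME.findall(text)))


def check_legal_pages(site: SiteSnapshot) -> List[str]:
    """Does the legal text name the trading company, and only that company?"""
    findings = []
    names = company_names_in(site.legal_text)
    if not names:
        findings.append("legal pages name no company at all")
    else:
        ours = [n for n in names if site.trading_name.lower() in n.lower()]
        others = [n for n in names if n not in ours]
        if not ours:
            findings.append(f"legal pages never name the trading name '{site.trading_name}'")
        if others:
            # A second company name is the classic sign of a policy copied from elsewhere.
            findings.append("legal pages also name a different company: " + ", ".join(others))
    if not site.registered_address.strip():
        findings.append("no registered address given")
    return findings


def check_contact_email(site: SiteSnapshot) -> List[str]:
    """Flag free-provider mailboxes and addresses whose domain does not match the site."""
    _, _, mail_host = site.contact_email.lower().rpartition("@")
    if mail_host in FREE_MAIL_PROVIDERS:
        return [f"contact address is on a free provider ({mail_host})"]
    if mail_host != site.domain and not mail_host.endswith("." + site.domain):
        return [f"contact address domain {mail_host} does not match {site.domain}"]
    return []


def check_domain_age(site: SiteSnapshot, today: date) -> List[str]:
    """Compare registration age with the age the site claims for itself."""
    if site.whois_created is None:
        return ["WHOIS creation date unavailable (privacy proxy or lookup failed)"]
    age_days = (today - site.whois_created).days
    if age_days < site.claimed_years_trading * 365:
        return [f"domain is {age_days} days old but site claims "
                f"{site.claimed_years_trading} years of trading"]
    # An old domain is deliberately NOT reported as a positive signal: domains can be
    # aged in advance or compromised, so age only ever counts against a site here.
    return []


def check_images(site: SiteSnapshot) -> List[str]:
    """Product photos found on many other sites are probably lifted."""
    return [f"{img} appears on {n} other sites (likely lifted)"
            for img, n in site.image_matches.items() if n >= LIFTED_IMAGE_THRESHOLD]


def review(site: SiteSnapshot, today: date = TODAY) -> Dict[str, List[str]]:
    """Run every check and keep only those with findings. An empty result is not a
    clean bill of health: the web search for the company name is still done by hand."""
    results = {
        "legal_pages": check_legal_pages(site),
        "contact": check_contact_email(site),
        "domain_age": check_domain_age(site, today),
        "images": check_images(site),
    }
    return {check: findings for check, findings in results.items() if findings}


# Constructed snapshot of a fictitious shop; nothing here describes a real site.
SUSPECT = SiteSnapshot(
    domain="acmewidgets.example",
    trading_name="Acme Widgets",
    claimed_years_trading=6,
    legal_text=("This Privacy Policy is issued by Northbridge Retail Group LLC. "
                "For returns, contact Acme Widgets Ltd within 14 days."),
    contact_email="acmewidgets.shop@gmail.com",
    registered_address="",
    whois_created=date(2025, 11, 2),
    image_matches={"hero.jpg": 42, "detail.jpg": 1},
)

if __name__ == "__main__":
    for check, findings in review(SUSPECT).items():
        for finding in findings:
            print(f"[{check}] {finding}")
```

Each check deliberately reports only negative evidence: the absence of a finding never raises a site's standing, which is the point the article makes about aged and compromised domains. Run as a script it prints four groups of findings for the constructed shop.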
The checklist has not kept pace. The tools are starting to.
The standard consumer advice about spotting scam websites was built for a different era. It described real patterns that genuine scammers once exhibited. Those patterns are no longer reliable signals, because the tools available to criminals have made them easy to fake.
The appropriate response is not to stop being careful online. It is to update what careful looks like: relying less on surface signals that can be replicated cheaply, and more on tools built to look at the full picture.