Is This Website Safe? 9 Checks to Run Before You Click
Learn how to check if a website is safe to visit using practical signals: SSL, headers, redirects, blocklists, WHOIS, and free tools that catch red flags fast.
Every day, attackers spin up thousands of look-alike domains designed to steal credentials, drop malware, or scam shoppers. Before you log in, enter a card number, or download a file, it pays to spend 30 seconds vetting the URL. Here are the practical checks I run — and the ones I recommend to anyone asking how to check if a website is safe to visit.
1. Inspect the URL Before You Trust the Page
Phishing relies on visual tricks. The page may look identical to PayPal or Microsoft 365, but the URL gives it away.
- Check the exact domain: paypa1.com, paypal-secure.co, and paypal.com.login-id.net are all impostors.
- Look for IDN homograph tricks: Cyrillic а looks identical to Latin a. Paste the URL into a plain text editor, or look at its punycode (xn--) form, to spot odd characters.
- Watch for excessive subdomains: the real (registrable) domain is the label directly before the public suffix, e.g. .com or .net (two labels for suffixes like .co.uk). In paypal.com.login-id.net the real domain is login-id.net; everything to its left is a subdomain the attacker controls.
- Beware of URL shorteners: expand bit.ly, t.co, or tinyurl links before clicking.
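The checks above as working code. This is an added example, not AXOX Hub's tool or code; it uses only the Python standard library. The brand map (`KNOWN_BRANDS`), the tiny public-suffix stand-in and the shortener list are constructed for the example, and the function and variable names are my own.

```python
"""Structural URL checks for section 1 (added example, stdlib only)."""
import unicodedata
from urllib.parse import urlsplit

# Constructed: brand keyword -> the registrable domain it may legitimately use.
KNOWN_BRANDS = {"paypal": "paypal.com", "microsoft": "microsoft.com"}
# Constructed stand-in for the Public Suffix List; a real tool loads
# publicsuffix.org in full so every .co.uk / .com.au style suffix is covered.
TWO_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp", "com.br"}
SHORTENERS = {"bit.ly", "t.co", "tinyurl.com", "goo.gl", "ow.ly"}
# Digit-for-letter swaps seen in look-alike domains (paypa1, g00gle).
LEET = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s", "7": "t"})


def registrable_domain(host: str) -> str:
    """Label directly before the public suffix: login-id.net, hsbc.co.uk."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def unicode_host(host: str) -> str:
    """Decode punycode (xn--...) so homograph characters become visible."""
    try:
        return host.encode("ascii").decode("idna")
    except UnicodeError:
        return host  # already Unicode, or not valid punycode


def scripts_in(label: str) -> set:
    """Unicode scripts used by a label, e.g. {'LATIN', 'CYRILLIC'}."""
    return {unicodedata.name(ch, "UNKNOWN").split(" ")[0]
            for ch in label if ch.isalpha()}


def fold(text: str) -> str:
    """Undo common substitutions: paypa1 -> paypal, rnicrosoft -> microsoft."""
    return text.lower().translate(LEET).replace("rn", "m").replace("vv", "w")


def inspect_url(url: str) -> dict:
    """Return the decoded host, its registrable domain and a list of red flags."""
    parts = urlsplit(url)
    findings = []
    if parts.scheme not in ("http", "https"):
        findings.append(f"unexpected scheme {parts.scheme!r}")
    if "@" in parts.netloc:
        # https://paypal.com@evil.net/ : text before '@' is userinfo,
        # the real host is evil.net.
        findings.append("userinfo before '@': the real host is after the '@'")
    host = unicode_host(parts.hostname or "")
    reg = registrable_domain(host)
    if reg in SHORTENERS:
        findings.append(f"{reg} is a URL shortener: expand it before trusting it")
    for label in host.split("."):
        scripts = scripts_in(label)
        if len(scripts) > 1:
            findings.append(f"mixed-script label {label!r}: {sorted(scripts)}")
        elif scripts and scripts != {"LATIN"}:
            # A whole non-Latin label is normal for a local site. Single-script
            # look-alikes (all-Cyrillic spellings) need the UTS #39 confusables
            # table, which this example does not include.
            findings.append(f"non-Latin label {label!r}: {sorted(scripts)}")
    folded = fold(host)
    for brand, legit in KNOWN_BRANDS.items():
        if reg != legit and brand in folded:
            findings.append(f"looks like {legit} but the registrable domain is {reg}")
    return {"host": host, "registrable_domain": reg, "findings": findings}
```

Run `inspect_url()` on the three impostor domains from the list and on `https://www.paypal.com/signin`: only the last comes back with an empty findings list. The brand-keyword test is deliberately loose (any occurrence of the keyword anywhere in the host), because the false positives it produces on legitimate sites are cheap next to a missed look-alike.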
2. Verify HTTPS — But Don't Stop There
A padlock no longer means a site is trustworthy. Free certificates from Let's Encrypt are available to anyone, including scammers. What HTTPS does confirm is that traffic is encrypted in transit — not that the operator is legitimate.
What to actually check on the certificate
- The domain you typed appears in the certificate's Subject Alternative Name (SAN) list. Browsers ignore the Common Name, and a wildcard entry covers exactly one label.
- The certificate is not expired and chains to a CA your browser trusts. A browser warning here is this check failing, not something to click through.
- For banks or payment sites, an Organization Validation (OV) or Extended Validation (EV) certificate names the legal entity in the Subject. Since 2019 Chrome and Firefox no longer show EV in the address bar, so open the certificate details to see it, and treat its absence as a weak signal only: many legitimate sites use plain domain-validated certificates.
You can pull this data manually in your browser, or run a domain through AXOX Hub's SSL Checker to see the issuer, expiry, chain validity, and supported protocols in one view.
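The same three checks applied to the dictionary that Python's `ssl.SSLSocket.getpeercert()` returns. This is an added example, not AXOX Hub's SSL Checker. `fetch_cert()` does the live retrieval (and lets the standard library's chain and hostname validation run first); `check_cert()` is the offline logic, exercised here on `SAMPLE_CERT`, a constructed dictionary in `getpeercert()` layout that is not a real certificate.

```python
"""Certificate checks for section 2 (added example, stdlib only)."""
import socket
import ssl
import time


def fetch_cert(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Leaf certificate as a dict, after full chain and hostname validation.

    A failure raises ssl.SSLCertVerificationError, which is itself the
    finding: untrusted issuer, expired, or name mismatch.
    """
    ctx = ssl.create_default_context()  # system trust store, hostname check on
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def hostname_matches(pattern: str, host: str) -> bool:
    """RFC 6125-style match: exact, or one wildcard in the leftmost label."""
    pattern, host = pattern.lower(), host.lower()
    if pattern == host:
        return True
    if not pattern.startswith("*."):
        return False
    parts = host.split(".", 1)
    # *.example.com covers a.example.com, not a.b.example.com or example.com.
    return len(parts) == 2 and parts[1] == pattern[2:]


def check_cert(cert: dict, host: str, now=None) -> dict:
    """Apply the section's three checks to a getpeercert()-style dict."""
    now = time.time() if now is None else now
    findings = []
    # Browsers match the SAN list only; the Common Name is ignored.
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not sans:
        findings.append("no DNS names in subjectAltName")
    elif not any(hostname_matches(s, host) for s in sans):
        findings.append(f"{host} is not covered by SAN {sans}")
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if not_after < now:
        findings.append("certificate expired on " + cert["notAfter"])
    elif not_after - now < 14 * 86400:
        findings.append("certificate expires within 14 days")
    issuer = {k: v for rdn in cert.get("issuer", ()) for k, v in rdn}
    subject = {k: v for rdn in cert.get("subject", ()) for k, v in rdn}
    # OV/EV certificates carry the legal entity in the subject; DV ones do not.
    if "organizationName" not in subject:
        findings.append("domain-validated only: no organization in subject")
    return {"issuer": issuer.get("organizationName"),
            "organization": subject.get("organizationName"),
            "findings": findings}


# Constructed sample in getpeercert() layout; not a real certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "www.example-bank.test"),),),
    "issuer": ((("countryName", "US"),),
               (("organizationName", "Let's Encrypt"),),
               (("commonName", "R11"),)),
    "subjectAltName": (("DNS", "www.example-bank.test"),
                       ("DNS", "*.login.example-bank.test")),
    "notBefore": "Jan  1 00:00:00 2025 GMT",
    "notAfter": "Apr  1 00:00:00 2025 GMT",
}
```

`check_cert(fetch_cert("example.com"), "example.com")` is the live form. Note that `fetch_cert()` only returns a dictionary when validation already passed, so the remaining findings it can produce are the soft ones: a DV-only certificate and an expiry that is close.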
3. Scan the Link With a Reputation Engine
Before clicking any unfamiliar link, run it through a multi-source scanner. Reputation engines aggregate data from antivirus vendors, phishing feeds, and sandbox detonations.
- Copy the full URL (don't open it).
- Paste it into the Link Safety Scanner on AXOX Hub to check it against threat databases and analyze structural red flags like suspicious TLDs, recent registration, or hidden redirects.
- Cross-reference with Google Safe Browsing and VirusTotal for a second opinion.
If two or more engines flag the URL, treat it as hostile — even if the page looks polished.
4. Trace the Redirect Chain
Malicious links rarely send you directly to the payload. A typical phishing kit bounces you through 3 to 5 hops: a tracker, a cloaker that inspects your user agent or IP address, then the fake login page. A hop that lands on an unrelated domain, uses an unusual status code, or redirects client-side rather than with a Location header is a strong red flag.
Use a redirect checker to follow every 301, 302, 307, 308 and meta-refresh hop without opening the page in a real browser (JavaScript redirects need a headless browser). Because a cloaker serves a harmless decoy to anything that does not look like a victim's browser, a clean chain from a scanner is not proof that the link is safe. Look for:
- Redirects that switch from HTTPS to HTTP mid-chain.
- Hops through unfamiliar domains in countries unrelated to the brand.
- Final destinations that don't match the link text or sender's claim.
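A hop-by-hop tracer for the checks above. This is an added example, not AXOX Hub's redirect checker, and it uses only the Python standard library. Each hop is fetched with `http.client`, which never follows redirects on its own, so every Location hop and every `<meta http-equiv="refresh">` hop is recorded; `analyze()` then flags protocol downgrades, host changes and meta-refresh hops. `_KitHandler` and `demo()` are a constructed local stand-in for a phishing kit's hop sequence so the tracer can run offline; JavaScript redirects are out of scope.

```python
"""Redirect-chain tracing for section 4 (added example, stdlib only)."""
import http.client
import re
import ssl
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urljoin, urlsplit

REDIRECT_CODES = {301, 302, 303, 307, 308}
META_REFRESH = re.compile(
    r'<meta[^>]+http-equiv=["\']?refresh["\']?[^>]*content=["\']?\s*\d+\s*;\s*url=([^"\'>\s]+)',
    re.IGNORECASE)
# Cloakers key on the User-Agent; a scanner-looking UA may get a decoy page.
HEADERS = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64) redirect-tracer"}


def fetch(url: str, timeout: float = 5.0):
    """One GET with no redirect following: (status, Location, body)."""
    p = urlsplit(url)
    if p.scheme == "https":
        conn = http.client.HTTPSConnection(p.hostname, p.port or 443, timeout=timeout,
                                           context=ssl.create_default_context())
    else:
        conn = http.client.HTTPConnection(p.hostname, p.port or 80, timeout=timeout)
    try:
        conn.request("GET", (p.path or "/") + ("?" + p.query if p.query else ""), headers=HEADERS)
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location"), resp.read(65536)
    finally:
        conn.close()


def analyze(hops: list) -> list:
    """Red flags between consecutive hops; pure function, testable offline."""
    findings = []
    for i in range(1, len(hops)):
        prev, cur = urlsplit(hops[i - 1]["url"]), urlsplit(hops[i]["url"])
        if prev.scheme == "https" and cur.scheme == "http":
            findings.append(f"hop {i}: HTTPS downgraded to HTTP ({hops[i]['url']})")
        if prev.hostname != cur.hostname:
            findings.append(f"hop {i}: host changes {prev.hostname} -> {cur.hostname}")
        if hops[i - 1]["via"] == "meta":
            findings.append(f"hop {i}: reached via meta refresh, invisible to Location-only checkers")
    return findings


def trace(url: str, max_hops: int = 10) -> dict:
    """Follow Location and meta-refresh hops; stop on loop, end, or max_hops."""
    hops, seen = [], set()
    while True:
        if url in seen:
            hops.append({"url": url, "status": None, "via": "loop"})
            break
        seen.add(url)
        status, location, body = fetch(url)
        hop = {"url": url, "status": status, "via": None}
        hops.append(hop)
        nxt = None
        if status in REDIRECT_CODES and location:
            nxt, hop["via"] = urljoin(url, location), "location"
        else:
            m = META_REFRESH.search(body.decode("utf-8", "replace"))
            if m:
                nxt, hop["via"] = urljoin(url, m.group(1)), "meta"
        if nxt is None or len(hops) >= max_hops:
            break
        url = nxt
    return {"hops": hops, "final": hops[-1]["url"], "findings": analyze(hops)}


class _KitHandler(BaseHTTPRequestHandler):
    """Constructed stand-in: tracker -> cloaker (meta refresh) -> fake login."""
    def do_GET(self):
        path = self.path.split("?")[0]
        if path == "/":
            self._redirect(302, "/track?c=1")
        elif path == "/track":
            self._redirect(301, "/cloak")
        elif path == "/cloak":
            self._html('<html><head><meta http-equiv="refresh" content="0; url=/login">'
                       '</head><body>loading...</body></html>')
        elif path == "/login":
            self._html("<html><body><form>fake login</form></body></html>")
        else:
            self.send_error(404)

    def _redirect(self, code, location):
        self.send_response(code)
        self.send_header("Location", location)
        self.end_headers()

    def _html(self, body):
        data = body.encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/html")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def log_message(self, *args):  # keep the demo quiet
        pass


def demo() -> dict:
    """Trace the local stand-in kit on a random free loopback port."""
    server = HTTPServer(("127.0.0.1", 0), _KitHandler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return trace(f"http://127.0.0.1:{server.server_address[1]}/")
    finally:
        server.shutdown()
        server.server_close()
```

`trace("https://bit.ly/...")` is the live form. Keeping `analyze()` separate from the network code means the downgrade and host-change rules can be unit-tested on recorded chains, which is also how you would replay a chain captured from a user's report.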
5. Check Domain Age and WHOIS Data
A bank that has existed for 80 years should not have a domain registered last Tuesday. Run a WHOIS lookup and check:
- Creation date: Domains under 90 days old, paired with brand impersonation, are highly suspicious.
- Registrar: registrars known for bulletproof hosting or slow abuse handling are common with scams. Redacted registrant details are not a signal by themselves; most registrars redact WHOIS by default since GDPR.
- Country mismatch: A "UK retailer" hosted on a registrar in a region with weak abuse enforcement deserves extra scrutiny.
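The creation-date check as code. This is an added example, not AXOX Hub's WHOIS lookup; it parses the raw text that `whois <domain>` prints, accepts the date labels used by Verisign, Nominet and several ccTLD registries, and applies the 90-day rule from the list above. The two sample responses are constructed, not real registry output, and the function names are my own.

```python
"""Domain-age check for section 5 over raw WHOIS text (added example)."""
import re
from datetime import datetime, timezone

# Creation-date labels seen across registries (Verisign, Nominet, ccTLDs).
CREATED = re.compile(
    r"^\s*(?:Creation Date|Created(?: On| Date)?|Registered(?: on)?|Registration Date)"
    r"\s*:\s*(\S+)", re.IGNORECASE | re.MULTILINE)
DATE_FORMATS = ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%M:%S%z",
                "%Y-%m-%d", "%d-%b-%Y", "%Y.%m.%d")


def utc_now(iso_z: str = None) -> datetime:
    """Current time, or a fixed UTC instant such as '2025-02-15T12:00:00Z'."""
    if iso_z is None:
        return datetime.now(timezone.utc)
    return datetime.strptime(iso_z, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def creation_date(whois_text: str):
    """First recognised creation-date line as an aware UTC datetime, or None."""
    m = CREATED.search(whois_text)
    if not m:
        return None
    raw = m.group(1).rstrip(".")
    for fmt in DATE_FORMATS:
        try:
            dt = datetime.strptime(raw, fmt)
        except ValueError:
            continue
        return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)
    return None


def age_findings(whois_text: str, now: datetime, impersonates_brand: bool = False,
                 min_days: int = 90) -> dict:
    """Apply the 'under 90 days' rule; brand impersonation sharpens the finding."""
    created = creation_date(whois_text)
    findings = []
    if created is None:
        findings.append("creation date not found: query the registry's WHOIS/RDAP directly")
        return {"created": None, "age_days": None, "findings": findings}
    age = (now - created).days
    if age < min_days:
        msg = f"domain is {age} days old (under {min_days})"
        if impersonates_brand:
            msg += " and impersonates an established brand"
        findings.append(msg)
    if re.search(r"REDACTED FOR PRIVACY", whois_text, re.IGNORECASE):
        # Informational only: redaction is the default at most registrars.
        findings.append("registrant redacted (informational only)")
    return {"created": created, "age_days": age, "findings": findings}


# Constructed samples in two common layouts; not real registry responses.
VERISIGN_STYLE = """Domain Name: PAYPAL-SECURE-LOGIN.COM
Registrar: Example Registrar LLC
Creation Date: 2025-01-10T09:15:00Z
Registrant Organization: REDACTED FOR PRIVACY
"""
NOMINET_STYLE = """Domain name:
    hsbc-support.co.uk
Registered on: 10-Jan-2025
Expiry date: 10-Jan-2026
"""
```

`age_findings(subprocess.check_output(["whois", domain], text=True), utc_now(), impersonates_brand=True)` is the live form. Unparsed dates fall through to `None` rather than a guess, because a thin registry that hides the creation date is itself worth a manual look.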
6. Read the HTTP Response Headers
Headers reveal a lot about how seriously the operator takes security. Legitimate sites — especially those handling logins or payments — typically set:
- Strict-Transport-Security with a long max-age
- Content-Security-Policy restricting script sources
- X-Frame-Options or frame-ancestors to prevent clickjacking
- X-Content-Type-Options: nosniff
A "bank" with no security headers, mixed-content warnings, or an exposed Server: Apache/2.2.15 banner (a 2010 release) deserves deep suspicion. Treat headers as a weak positive signal, since an attacker can add them in minutes, but as a strong negative one when a page that wants your credentials lacks them. AXOX Hub's HTTP Header Checker surfaces these in seconds.
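The header audit as code. This is an added example, not AXOX Hub's HTTP Header Checker. `audit_headers()` works on a plain dictionary so it runs offline; `fetch_headers()` shows the live retrieval with `http.client`. The one-year HSTS threshold is the minimum the hstspreload.org list requires; the two sample header sets (`WEAK`, `STRONG`) are constructed and the version-banner regex is my own heuristic.

```python
"""Response-header audit for section 6 (added example, stdlib only)."""
import http.client
import re
import ssl

MIN_HSTS_MAX_AGE = 31536000  # one year, the hstspreload.org minimum


def fetch_headers(host: str, path: str = "/", timeout: float = 5.0) -> dict:
    """HEAD request over TLS; returns the response headers as a dict."""
    conn = http.client.HTTPSConnection(host, 443, timeout=timeout,
                                       context=ssl.create_default_context())
    try:
        conn.request("HEAD", path, headers={"User-Agent": "Mozilla/5.0 (header-audit)"})
        return dict(conn.getresponse().getheaders())
    finally:
        conn.close()


def csp_directive(csp: str, name: str):
    """Source list of one CSP directive, or None if the directive is absent."""
    for directive in csp.split(";"):
        parts = directive.strip().split()
        if parts and parts[0].lower() == name:
            return " ".join(parts[1:])
    return None


def audit_headers(headers: dict) -> list:
    """Findings for the four headers the section lists, plus version banners."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    hsts = h.get("strict-transport-security")
    if not hsts:
        findings.append("no Strict-Transport-Security")
    else:
        m = re.search(r"max-age=(\d+)", hsts, re.IGNORECASE)
        if not m or int(m.group(1)) < MIN_HSTS_MAX_AGE:
            findings.append(f"HSTS max-age too short: {hsts}")
    csp = h.get("content-security-policy", "")
    if not csp:
        findings.append("no Content-Security-Policy")
    else:
        # script-src falls back to default-src; neither means scripts are open.
        src = csp_directive(csp, "script-src")
        if src is None:
            src = csp_directive(csp, "default-src")
        if src is None or "'unsafe-inline'" in src or "*" in src.split():
            findings.append(f"CSP does not restrict scripts: {src or '(no script-src/default-src)'}")
    xfo = h.get("x-frame-options", "").upper()
    if csp_directive(csp, "frame-ancestors") is None and xfo not in ("DENY", "SAMEORIGIN"):
        findings.append("no clickjacking protection (frame-ancestors or X-Frame-Options)")
    if h.get("x-content-type-options", "").lower() != "nosniff":
        findings.append("X-Content-Type-Options: nosniff missing")
    for name in ("server", "x-powered-by"):
        banner = h.get(name, "")
        if re.search(r"/\d", banner):  # 'Apache/2.2.15', 'PHP/5.3.3'
            findings.append(f"{name} banner discloses version: {banner}")
    return findings


# Constructed header sets; not captured from any real site.
WEAK = {"Server": "Apache/2.2.15 (CentOS)", "X-Powered-By": "PHP/5.3.3",
        "Content-Type": "text/html"}
STRONG = {"Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
          "Content-Security-Policy": "default-src 'self'; script-src 'self' https://cdn.example.test; frame-ancestors 'none'",
          "X-Content-Type-Options": "nosniff", "Server": "nginx"}
```

`audit_headers(fetch_headers("login.example.test"))` is the live form. The CSP check is intentionally shallow: it only asks whether scripts are restricted at all, which is enough to separate a hardened login page from a bare phishing kit.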
7. Look for Real-World Trust Signals
Beyond technical checks, scan the site itself:
- Contact information: Real businesses publish a physical address, phone number, and company registration number.
- Privacy policy and terms: boilerplate copied from a generator with placeholder text like [Company Name] is a giveaway.
- Working internal links: phishing kits often have dead navigation; clicking "About" just reloads the login page.
- Spelling and grammar: sophisticated kits still slip up, especially on error messages and footer copy.
- Third-party reviews: search "sitename.com" scam or check Trustpilot, but weigh reviews against domain age; a 3-week-old domain with 400 perfect reviews is fake.
8. Test in an Isolated Environment First
If you absolutely must visit a suspect site — for example, to confirm a customer report — don't do it from your main browser.
- Use a private window with no extensions and no saved credentials.
- Better: submit it to a service such as urlscan.io, which loads the page in a remote browser and reports screenshots, network requests, and detected technologies, or open it in a hosted throwaway browser like Browserling. Note that urlscan.io results are public by default; use a private or unlisted scan when the URL carries a session token or personal data.
- Never enter real credentials, even "to see what happens." Use throwaway data if a form needs testing.
9. Cross-Check Payment and Login Pages Specifically
Payment and login flows are where most damage happens. Apply extra scrutiny:
- Confirm the domain on the checkout page matches the merchant's main domain — not a third-party subdomain you've never heard of.
- Look for the payment processor's iframe (Stripe, Adyen, PayPal) loading from its official domain, not a self-hosted form.
- If a login page asks for your password plus the password to your email account plus an SMS code, close the tab. A second factor for the site itself is normal; asking for credentials to a different service never is.
Quick Red-Flag Checklist
Run through this before clicking, logging in, or paying:
- Domain spelled exactly right, with no extra words or hyphens
- HTTPS active, certificate matches the domain, not expired
- Domain older than 6 months for any brand you recognize
- Clean redirect chain with no protocol downgrades
- Security headers present on login and checkout pages
- Real contact details and working internal links
- No reputation flags from Safe Browsing, VirusTotal, or similar
If any two of those fail, walk away. The cost of skipping a legitimate site is zero; the cost of submitting credentials to a phishing page can take months to unwind.
Want to vet a URL right now? Run it through the free Link Safety Scanner on AXOX Hub — it combines reputation data, structural analysis, and redirect tracing in a single report.