Security May 30, 2026 5 min read

Red Flags of a Fake Website: 12 Checks Before You Trust It

Learn how to spot a fake website using real technical checks — SSL, headers, redirects, WHOIS, and domain signals attackers can't easily fake.

Scam sites are getting harder to eyeball. Modern phishing kits clone Stripe, Amazon, and major banks pixel-for-pixel, and a free Let's Encrypt certificate gives them the same padlock as your bank. If you're judging legitimacy by how the page looks, you've already lost. The good news: fake sites almost always leak signals at the infrastructure level — DNS, headers, redirects, and certificate metadata — that take less than two minutes to check.

Here's a practical checklist you can run on any suspicious URL before submitting a form, clicking a payment button, or trusting an email link.

1. Inspect the Domain Before Anything Else

The URL bar is where most scams give themselves away. Attackers rely on you skimming it.

Look for lookalike characters and subdomain tricks

  • Homoglyphs: arnazon.com (rn looks like m), paypa1.com (1 instead of l), or Cyrillic а in place of Latin a. Most browsers render mixed-script hostnames as punycode, so an xn-- prefix in the address bar is itself a cue.
  • Subdomain misdirection: paypal.com.secure-login.ru — the real domain here is secure-login.ru, not paypal.com.
  • Hyphenated brand domains: apple-support-billing.com is almost never legitimate.
  • Unusual TLDs: A bank using .top, .xyz, or .click is a strong red flag.

Check the registration date

Run a WHOIS or RDAP lookup and read the creation date: the registrant cannot backdate it. A "20-year established retailer" with a domain registered 14 days ago is a scam, and legitimate businesses almost always have domains older than 1–2 years. Treat privacy-redacted registrant details as weak evidence on their own: most registrars redact by default now, so redaction is normal for small sites. It becomes suspicious only in combination, such as a site claiming to be a major brand on a redacted, weeks-old domain.
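To make these checks repeatable, here is an added example (my code, not AXOX Hub's tooling) that scores a URL against the lookalike patterns above and computes domain age from an RDAP response, the JSON successor to WHOIS that registries serve. It runs offline: the RDAP record is a constructed excerpt, the suffix list and "suspicious TLD" set are illustrative assumptions, and a real tool should use the Public Suffix List for the registrable-domain split.

```python
import unicodedata
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Assumption: a tiny stand-in for the Public Suffix List so the example runs
# offline; a real tool should use the PSL (e.g. the tldextract package).
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp", "com.br", "co.in"}
# Assumption: an illustrative set of cheap, heavily abused TLDs.
SUSPICIOUS_TLDS = {"top", "xyz", "click", "icu", "buzz", "tk"}
DIGIT_LOOKALIKES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def registrable_domain(host: str) -> str:
    """The part of the hostname the registrant actually controls."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def _scripts(text: str) -> set:
    """Unicode scripts of the letters in text, e.g. {'LATIN', 'CYRILLIC'}."""
    return {unicodedata.name(ch, "UNKNOWN").split(" ")[0] for ch in text if ch.isalpha()}


def domain_red_flags(url: str, brand: str) -> list:
    """Return the lookalike tricks found in url for a brand word such as 'paypal'."""
    host = (urlsplit(url).hostname or "").lower()
    labels = host.split(".")
    reg_label, tld = registrable_domain(host).split(".")[0], labels[-1]
    flags = []
    # Browsers show mixed-script hostnames as punycode (xn--); flag either form,
    # then decode so the script check sees the real characters.
    if not host.isascii() or any(label.startswith("xn--") for label in labels):
        flags.append("internationalized-name")
    try:
        decoded = host.encode("ascii").decode("idna") if host.isascii() else host
    except UnicodeError:
        decoded = host
    if len(_scripts(decoded)) > 1:
        flags.append("mixed-script")
    # rn->m, vv->w and digit-for-letter swaps that spell the brand exactly.
    normalized = reg_label.translate(DIGIT_LOOKALIKES).replace("rn", "m").replace("vv", "w")
    if normalized == brand and reg_label != brand:
        flags.append("lookalike-spelling")
    # The brand is merely a subdomain of something else: paypal.com.secure-login.ru
    if brand in labels and brand not in reg_label:
        flags.append("subdomain-misdirection")
    if brand in reg_label and "-" in reg_label:
        flags.append("hyphenated-brand")
    if tld in SUSPICIOUS_TLDS:
        flags.append("suspicious-tld")
    return flags


def registration_age_days(rdap: dict, now: datetime):
    """Days since the 'registration' event of an RDAP domain response (RFC 9083);
    None if the record carries no such event."""
    for event in rdap.get("events", []):
        if event.get("eventAction") == "registration":
            created = datetime.fromisoformat(event["eventDate"].replace("Z", "+00:00"))
            return (now - created).days
    return None


# Constructed RDAP excerpt for the example, not a real lookup result.
SAMPLE_RDAP = {"ldhName": "secure-login.ru",
               "events": [{"eventAction": "registration", "eventDate": "2026-05-16T09:12:00Z"}]}
NOW = datetime(2026, 5, 30, 12, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    for url, brand in [("https://paypal.com.secure-login.ru/login", "paypal"),
                       ("https://arnazon.com/", "amazon"),
                       ("https://www.paypal.com/signin", "paypal")]:
        print(url, domain_red_flags(url, brand))
    print("secure-login.ru registered", registration_age_days(SAMPLE_RDAP, NOW), "days ago")
```

For a live domain, fetch the JSON from the registry's RDAP endpoint (the rdap.org redirector will locate it for you) and pass it to `registration_age_days` with `datetime.now(timezone.utc)`. The flags are deliberately independent so that one trick does not mask another; a phishing host usually trips two or three at once.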

2. Verify the SSL Certificate Properly

The padlock only means the connection is encrypted, not that the site is honest. What you actually want to inspect is who the certificate was issued to and by whom.

  1. Click the padlock and view certificate details.
  2. Check the Subject field. On a DV certificate it holds only the hostname, which will match the phishing domain perfectly and so proves nothing. Look for an Organization (O) entry: only OV and EV certificates carry a verified company name.
  3. Look at the Issuer. Free DV certs (Let's Encrypt, ZeroSSL) are fine for blogs and common behind CDNs, but major banks and payment processors typically still use OV or EV certificates from DigiCert, Sectigo, or GlobalSign. Browsers no longer highlight EV in the address bar, so you have to open the certificate viewer to see it.
  4. Check the validity period in context. A 90-day lifetime by itself means little; that is the norm for automated issuance, and maximum lifetimes are being shortened industry-wide. What is textbook phishing infrastructure is a certificate issued yesterday on a domain registered last week.
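Here is an added example, not from the original page, that pulls the leaf certificate exactly as Python's ssl module sees it (chain and hostname verified by the default context, so a bogus cert fails before you get a dict back) and applies the four checks above. The sample certificate is a constructed dict mirroring the scenario in the text; the one-week "freshly issued" threshold is my assumption.

```python
import socket
import ssl
from datetime import datetime, timezone


def fetch_peer_cert(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Connect with full chain and hostname verification (the default context) and
    return the leaf certificate in getpeercert()'s dict shape. An untrusted or
    mismatched certificate raises ssl.SSLCertVerificationError here."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def _name(rdns) -> dict:
    """Flatten getpeercert()'s ((('key', 'value'),), ...) subject/issuer tuples."""
    return {k: v for rdn in rdns for k, v in rdn}


def hostname_in_san(host: str, cert: dict) -> bool:
    """Exact or single-level wildcard match against the DNS SAN entries."""
    host = host.lower()
    for kind, value in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        value = value.lower()
        if value == host:
            return True
        if value.startswith("*.") and host.split(".", 1)[1:] == [value[2:]]:
            return True
    return False


def assess_cert(cert: dict, host: str, now: datetime) -> dict:
    """Who the cert was issued to, by whom, how long it lives and how new it is."""
    subject, issuer = _name(cert.get("subject", ())), _name(cert.get("issuer", ()))
    not_before = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notBefore"]), timezone.utc)
    not_after = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), timezone.utc)
    report = {
        "issuer": issuer.get("organizationName") or issuer.get("commonName", "?"),
        # Only OV/EV certificates carry a verified organisation name in the subject.
        "subject_org": subject.get("organizationName"),
        "validation": "OV/EV" if "organizationName" in subject else "DV",
        "lifetime_days": (not_after - not_before).days,
        "age_days": (now - not_before).days,
        "host_matches": hostname_in_san(host, cert),
        "flags": [],
    }
    if not report["host_matches"]:
        report["flags"].append("hostname-mismatch")
    if report["validation"] == "DV":
        report["flags"].append("dv-cert")
    if report["age_days"] <= 7:  # assumption: a week counts as freshly minted
        report["flags"].append("issued-within-7-days")
    return report


# Constructed certificate dict mirroring the scenario in the text (not a real cert).
SAMPLE_CERT = {
    "subject": ((("commonName", "secure-login.ru"),),),
    "issuer": ((("countryName", "US"),), (("organizationName", "Let's Encrypt"),),
               (("commonName", "R11"),)),
    "notBefore": "May 29 00:00:00 2026 GMT",
    "notAfter": "Aug 27 00:00:00 2026 GMT",
    "subjectAltName": (("DNS", "secure-login.ru"), ("DNS", "paypal.com.secure-login.ru")),
}
NOW = datetime(2026, 5, 30, 12, 0, tzinfo=timezone.utc)

if __name__ == "__main__":
    print(assess_cert(SAMPLE_CERT, "paypal.com.secure-login.ru", NOW))
    # Live check: assess_cert(fetch_peer_cert("example.com"), "example.com", datetime.now(timezone.utc))
```

Note what the sample report says: the hostname matches perfectly, which is exactly why "does the Subject match?" proves nothing on a DV cert. The combination of `dv-cert`, `issued-within-7-days`, and a two-week-old domain from the WHOIS step is the signal.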

You can run a quick external audit with AXOX Hub's SSL Checker to see issuer, expiry, chain validity, and supported protocols without poking through browser menus.

3. Trace Redirects and Final Destinations

Phishing links love to bounce. A shortened link in an SMS might pass through 3–4 redirects before landing somewhere completely different from what it advertised.

Before clicking anything suspicious, run the URL through a redirect analyzer to see the full hop chain. Watch for:

  • Redirects that cross multiple unrelated domains
  • Final destinations on different TLDs than the starting link
  • Hops through known URL shorteners stacked together (a classic obfuscation tactic)
  • Redirect chains that end on raw IP addresses
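As an added example (mine, not the page's analyzer), the tracer below follows Location headers one hop at a time instead of letting a client do it silently, then grades the chain against the four patterns above. The chain in the block is constructed; the shortener list is an illustrative assumption, and the registrable-domain split uses the last two labels, which is wrong for co.uk-style suffixes (use the Public Suffix List in a real tool). Meta-refresh and JavaScript redirects are invisible to it, so a clean chain is not a clean link.

```python
import http.client
import ipaddress
from urllib.parse import urljoin, urlsplit

REDIRECT_STATUSES = {301, 302, 303, 307, 308}
# Assumption: an illustrative set of public URL shorteners.
SHORTENERS = {"bit.ly", "t.co", "tinyurl.com", "is.gd", "ow.ly", "cutt.ly", "goo.gl"}


def trace_redirects(url: str, max_hops: int = 10, timeout: float = 5.0) -> list:
    """Follow HTTP redirects one hop at a time, recording every URL visited."""
    hops = [url]
    for _ in range(max_hops):
        parts = urlsplit(hops[-1])
        conn_cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
        conn = conn_cls(parts.hostname, parts.port, timeout=timeout)
        path = (parts.path or "/") + ("?" + parts.query if parts.query else "")
        conn.request("GET", path, headers={"User-Agent": "redirect-trace/0.1"})
        resp = conn.getresponse()
        location = resp.getheader("Location")
        conn.close()
        if resp.status not in REDIRECT_STATUSES or not location:
            break
        hops.append(urljoin(hops[-1], location))  # Location may be relative
    return hops


def _is_ip(host: str) -> bool:
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def _site(host: str) -> str:
    """Approximate registrable domain: the last two labels (assumption; a real
    tool should consult the Public Suffix List for co.uk-style suffixes)."""
    return host if _is_ip(host) else ".".join(host.lower().split(".")[-2:])


def analyze_chain(hops: list) -> list:
    """Apply the checklist above to a list of hop URLs and return the findings."""
    hosts = [urlsplit(h).hostname or "" for h in hops]
    flags = []
    if len({_site(h) for h in hosts}) >= 3:
        flags.append("crosses multiple unrelated domains")
    if (not _is_ip(hosts[0]) and not _is_ip(hosts[-1])
            and hosts[0].rsplit(".", 1)[-1] != hosts[-1].rsplit(".", 1)[-1]):
        flags.append("final TLD differs from starting link")
    if sum(_site(h) in SHORTENERS for h in hosts) >= 2:
        flags.append("stacked URL shorteners")
    if _is_ip(hosts[-1]):
        flags.append("ends on raw IP address")
    if any(urlsplit(h).scheme == "http" for h in hops[1:]):
        flags.append("downgrades to plain http mid-chain")
    return flags


# Constructed chain for the example; 198.51.100.0/24 is a documentation range.
SAMPLE_CHAIN = ["https://bit.ly/3xample", "https://t.co/abc123", "http://198.51.100.7/login"]

if __name__ == "__main__":
    print(analyze_chain(SAMPLE_CHAIN))
    # Live: print(analyze_chain(trace_redirects("https://bit.ly/3xample")))
```

Tracing with a script rather than a browser also means nothing on the final page executes, which matters when the last hop is the phishing kit itself.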

4. Read the HTTP Response Headers

Legitimate sites — especially e-commerce and financial — almost always set basic security headers. Scam sites rarely bother.

Headers worth checking

  • Strict-Transport-Security — missing on a "bank" site? Suspicious.
  • Content-Security-Policy — absent or wide open on a checkout page is a warning sign.
  • Server — a major retailer's site responding with default nginx/1.18.0 and no caching layer suggests a thrown-together VPS deployment.
  • X-Powered-By revealing raw PHP versions on a supposed Fortune 500 site is unusual.
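To put the header checks in code, here is an added example (mine, not the AXOX Hub checker) that fetches a page's headers and flags the four items above. The two header sets are constructed to contrast a hardened bank front end with a default LAMP stack; the 180-day HSTS threshold is an assumption.

```python
import re
import urllib.error
import urllib.request

VERSION_RE = re.compile(r"\d+\.\d+")
# Assumption: six months as the minimum credible max-age (preload requires a year).
MIN_HSTS_MAX_AGE = 180 * 24 * 3600


def fetch_headers(url: str, timeout: float = 5.0) -> dict:
    """Final-page response headers (names lower-cased); error pages still yield theirs."""
    req = urllib.request.Request(url, headers={"User-Agent": "header-audit/0.1"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return {k.lower(): v for k, v in resp.getheaders()}
    except urllib.error.HTTPError as err:
        return {k.lower(): v for k, v in err.headers.items()}


def _csp_directives(csp: str) -> dict:
    """Parse "default-src 'self'; script-src 'self' cdn.example" into {name: [sources]}."""
    out = {}
    for directive in csp.split(";"):
        tokens = directive.split()
        if tokens:
            out[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return out


def assess_headers(headers: dict) -> list:
    """Run the checklist above over a header mapping and return the findings."""
    h = {k.lower(): v for k, v in headers.items()}
    flags = []
    hsts = h.get("strict-transport-security")
    if hsts is None:
        flags.append("no Strict-Transport-Security")
    else:
        m = re.search(r"max-age=(\d+)", hsts)
        if not m or int(m.group(1)) < MIN_HSTS_MAX_AGE:
            flags.append("HSTS max-age under 180 days")
    csp = h.get("content-security-policy")
    if csp is None:
        flags.append("no Content-Security-Policy")
    else:
        # script-src governs scripts; default-src is the fallback when it is absent.
        directives = _csp_directives(csp)
        script_sources = directives.get("script-src", directives.get("default-src", []))
        if not script_sources or "*" in script_sources or "'unsafe-inline'" in script_sources:
            flags.append("CSP lets any or inline script run")
    for name in ("server", "x-powered-by"):
        value = h.get(name)
        if value and VERSION_RE.search(value):
            flags.append(f"{name} discloses a version: {value}")
    return flags


# Constructed header sets for the example (not captured from real sites).
BANK_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' https://static.bank.example",
    "Server": "cloudflare",
    "Cache-Control": "no-store",
}
PHISH_HEADERS = {"Server": "nginx/1.18.0", "X-Powered-By": "PHP/7.4.3", "Content-Type": "text/html"}

if __name__ == "__main__":
    print("bank:", assess_headers(BANK_HEADERS))
    print("phish:", assess_headers(PHISH_HEADERS))
    # Live: print(assess_headers(fetch_headers("https://example.com/")))
```

Missing headers are a strong signal on a site claiming to be a bank, but a weak one on a small shop; treat the count of findings as context for the other checks, not as a verdict by itself.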

Run the URL through AXOX Hub's HTTP Header Checker to see the full response in one view — it'll surface missing security headers in seconds.

5. Audit the Content for Tell-Tale Cracks

Even well-cloned sites tend to break in predictable spots.

  • Broken internal links: Click the footer links — Careers, Press, Investor Relations. Fakes often 404 or loop back to the homepage.
  • Missing legal pages: No real Terms, Privacy Policy, or business address. Or a Privacy Policy lifted verbatim from another company (paste a paragraph into Google).
  • Generic stock photos for "team" or "office" pages — reverse image search them.
  • Awkward copy: Mixed currencies, mismatched languages, prices that are 60–80% below market for branded goods.
  • Customer service: Gmail/Outlook contact addresses on a "corporate" site, no phone number, or a phone number that doesn't connect.

6. Cross-Check Payment and Trust Badges

Trust badges are images. They prove nothing on their own.

  1. Click the Norton, McAfee, BBB, or Trustpilot badge — real ones link to a verification page on the badge provider's domain.
  2. If clicking does nothing, opens a larger image, or links to a page on the same suspect domain, the badge is fake.
  3. Search the company on Trustpilot directly rather than trusting the embedded widget — fakes often clone star ratings as static images.

7. Test the Checkout Without Submitting Real Data

If you're still unsure, probe the checkout flow:

  • Does the card field accept a number that fails the Luhn check (e.g., 4111 1111 1111 1112)? Any real payment form rejects it client-side before a request is even sent. Don't use 4111 1111 1111 1111 for this: it passes Luhn and is Visa's standard test number, so a form accepting it proves nothing either way.
  • Does the payment form load from a known processor domain (Stripe, Adyen, Braintree) in an iframe, or is it a raw form posting to the site itself? Check the form's action attribute and the iframe src in DevTools. Raw forms collecting card data on no-name domains are a massive red flag.
  • Are they asking for unusual data — full SSN, ID upload, bank login credentials — for a simple purchase?
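An added example (not from the page) that does two things: a Luhn check, so you can see why 4111 1111 1111 1112 must be rejected while 4111 1111 1111 1111 tells you nothing, and a parser that reads a checkout page's HTML and reports where card-number inputs actually post and whether a processor's hosted-field iframe is present. The HTML fragments are constructed; the processor host list is an illustrative assumption.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Name/id/autocomplete fragments that mark an input as collecting card data.
CARD_FIELD_HINTS = ("cardnumber", "card-number", "card_number", "cc-number", "ccnum", "cvv", "cvc")
# Assumption: illustrative hosts from which processors serve hosted card fields.
KNOWN_PROCESSOR_HOSTS = {"js.stripe.com", "checkoutshopper-live.adyen.com",
                         "assets.braintreegateway.com"}


def luhn_valid(number: str) -> bool:
    """The Luhn check every real card form runs client-side before submitting."""
    digits = [int(c) for c in number if c.isdigit()]
    if len(digits) < 12:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:  # double every second digit from the right, fold >9 back down
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


class _CheckoutParser(HTMLParser):
    """Collect each form's action and input identifiers, plus every iframe src."""

    def __init__(self):
        super().__init__()
        self.forms, self.iframes, self._form = [], [], None

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "form":
            self._form = {"action": a.get("action", ""), "fields": []}
            self.forms.append(self._form)
        elif tag == "input" and self._form is not None:
            ident = " ".join((a.get("name", ""), a.get("id", ""), a.get("autocomplete", ""))).lower()
            self._form["fields"].append(ident)
        elif tag == "iframe":
            self.iframes.append(a.get("src", ""))

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None


def audit_checkout(html: str, page_url: str) -> dict:
    """Where does card data entered on this page actually go?"""
    parser = _CheckoutParser()
    parser.feed(html)

    def host_of(ref: str) -> str:
        return urlsplit(urljoin(page_url, ref)).hostname or ""

    raw_targets = []
    for form in parser.forms:
        if any(hint in field for field in form["fields"] for hint in CARD_FIELD_HINTS):
            target = host_of(form["action"])
            if target not in KNOWN_PROCESSOR_HOSTS:
                raw_targets.append(target)  # card number leaves the browser for this host
    hosted = [h for h in map(host_of, parser.iframes) if h in KNOWN_PROCESSOR_HOSTS]
    return {"card_forms_posting_to": raw_targets, "processor_iframes": hosted}


# Constructed fragments for the example (not captured from any real site).
RAW_FORM_HTML = """
<form action="/process-payment" method="post">
  <input name="cardnumber" autocomplete="cc-number"><input name="cvv"><input name="company">
</form>"""
HOSTED_FIELDS_HTML = """
<form action="/confirm" method="post"><input name="email"></form>
<iframe src="https://js.stripe.com/v3/elements.html"></iframe>"""

if __name__ == "__main__":
    print(luhn_valid("4111 1111 1111 1111"), luhn_valid("4111 1111 1111 1112"))
    print(audit_checkout(RAW_FORM_HTML, "https://deals-outlet.example/checkout"))
    print(audit_checkout(HOSTED_FIELDS_HTML, "https://shop.example/checkout"))
```

Run `audit_checkout` on the page source saved from DevTools (the rendered DOM, not the initial HTML, since payment widgets inject their iframes with JavaScript). A PCI-compliant merchant can legitimately post card data to its own servers, so a same-host form is a red flag on a no-name domain rather than proof on its own.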

8. Check Reputation Databases

Before trusting a domain, query it against:

  • Google Safe Browsing (built into Chrome warnings, but also via Transparency Report)
  • VirusTotal — paste the URL for a multi-engine reputation check
  • PhishTank for known phishing campaigns
  • URLVoid or similar aggregators

One clean report isn't proof of safety — new scam domains haven't been flagged yet — but a hit from any of these is enough to walk away.

Run the Quick Audit Yourself

Most fake sites collapse under 60 seconds of technical scrutiny. If you want a fast first pass on any suspicious URL — certificate details, redirect chain, headers, and domain signals in one place — try the free Link Safety Scanner and HTTP Header Checker on AXOX Hub before you click, log in, or pay.
