
How to Check if a Website Is Legit: A Practical Checklist

Before you enter your email, payment info, or personal data into any website, run through these 10 verification steps. Some take seconds.

July 2, 2026 8 min read by Jask

Every time you’re about to trust a website — whether that means entering your email, clicking “buy,” or signing up for a free trial — you’re making a decision with very little information. The site looks professional. The copy is polished. The testimonials seem real.

But none of those things are hard to fake anymore.

A $50 template and a stock photo subscription can make an empty shell look like a thriving company. This guide gives you a practical, repeatable checklist for separating legitimate sites from well-designed traps.

1. Check the Domain Name Carefully

The single fastest signal. Scammers rely on your eyes glossing over URLs.

What to look for:

  • Extra words tacked onto a known brand: paypal-secure-login.com instead of paypal.com
  • Subtle misspellings: arnazon.com (notice the “rn” standing in for the “m”) or coinbse.io
  • Unusual TLDs for businesses that shouldn’t have them: a “US bank” on .tk, .xyz, or .top
  • Hyphen abuse: netflix-payment-verify.com

Rule of thumb: If the domain feels slightly off, it’s probably off on purpose.
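
The four patterns above can be checked mechanically. The sketch below is an added example, not code from Valdos or from this article's author; the brand list, the confusable-character table and the warning labels are assumptions made up for the illustration.

```python
import re

# Constructed watch list; the odd TLDs are the ones the checklist names.
BRANDS = {"paypal": "paypal.com", "amazon": "amazon.com",
          "coinbase": "coinbase.com", "netflix": "netflix.com"}
ODD_TLDS = {"tk", "xyz", "top"}
# Character sequences that read as another letter at a glance.
CONFUSABLES = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l")]


def edit_distance(a, b):
    """Levenshtein distance using a single rolling row."""
    row = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        prev, row[0] = row[0], i
        for j, cb in enumerate(b, 1):
            prev, row[j] = row[j], min(row[j] + 1, row[j - 1] + 1, prev + (ca != cb))
    return row[-1]


def skeleton(label):
    """Fold confusable sequences so 'arnazon' compares equal to 'amazon'."""
    for seq, looks_like in CONFUSABLES:
        label = label.replace(seq, looks_like)
    return label


def check_domain(host):
    """Return warning strings for a hostname; an empty list means no signal fired."""
    host = host.lower().rstrip(".")
    labels = host.split(".")
    if len(labels) < 2:
        return ["not-a-domain"]
    if any(host == d or host.endswith("." + d) for d in BRANDS.values()):
        return []                         # the brand's own domain or a subdomain of it
    name, tld = labels[-2], labels[-1]    # naive split: ignores suffixes such as co.uk
    words = re.split(r"[-.]", host)[:-1]  # every hyphen/dot separated word except the TLD
    warnings = []
    for brand in BRANDS:
        if brand in words:
            warnings.append(f"brand-word:{brand}")
        elif skeleton(name) == brand:
            warnings.append(f"confusable-spelling:{brand}")
        elif edit_distance(name, brand) == 1:
            warnings.append(f"near-miss-spelling:{brand}")
    if name.count("-") >= 2:
        warnings.append("hyphen-heavy")
    if tld in ODD_TLDS:
        warnings.append(f"odd-tld:{tld}")
    return warnings
```

An empty result only means none of these four signals fired; it says nothing about who runs the site.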

2. Look for HTTPS — But Don’t Stop There

The padlock icon means the connection between you and the server is encrypted. It does not mean the server is trustworthy.

HTTPS is free and takes five minutes to set up. Every phishing site has it now. Treat it as a baseline requirement, not a trust signal. If a site doesn’t have HTTPS in 2026, that’s an immediate red flag. But its presence tells you nothing about the people behind the site.

3. Scan the Content for Substance

Legitimate businesses have real content. Not just marketing copy — actual substance.

Red flags:

  • Every page is less than 200 words
  • The “About Us” page describes values but names no one
  • The blog has three posts, all published the same week, all generic enough to apply to any industry
  • The FAQ answers questions no one would actually ask

Green flags:

  • Detailed documentation or help articles
  • Specific, verifiable claims (real numbers, real partners, real addresses)
  • Content that demonstrates domain expertise you can’t get from ChatGPT

4. Verify the Contact Information

A real business can be reached. Check the footer and contact page.

Real business: Physical address, professional email (@theirdomain.com not @gmail.com), phone number that works, responsive support.

Shell business: A contact form with no other details, a Telegram handle as the primary contact method, a Gmail address, or nothing at all.

If the only way to reach them is through a messaging app, ask yourself why.

5. Check Domain Age and Registration

New domains aren’t automatically scams, but a “10-year-old investment firm” registered three months ago is lying.

You can check domain registration history through WHOIS lookups, or just use Valdos — domain age and registration data are part of every audit report.

Patterns that should concern you:

  • Registered in the last 90 days but claims years of history
  • Registered for only one year (legitimate businesses register for multiple years)
  • Privacy protection on a site that claims to be a large public company
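
The first two patterns can be read straight from registry data. The added example below is not Valdos code; it assumes the data arrives as an RDAP response (the JSON successor to WHOIS, RFC 9083), and the sample record, the domain name and the flag labels are constructed for the illustration.

```python
import json
from datetime import datetime, timezone

# Constructed RDAP domain response (RFC 9083 "events" array), not real registry data.
SAMPLE_RDAP = json.loads("""
{"ldhName": "example-invest.test",
 "events": [
   {"eventAction": "registration", "eventDate": "2026-04-10T00:00:00Z"},
   {"eventAction": "expiration",   "eventDate": "2027-04-10T00:00:00Z"},
   {"eventAction": "last changed", "eventDate": "2026-04-11T00:00:00Z"}]}
""")


def event_date(rdap, action):
    """Return the timestamp of the first event with this eventAction, or None."""
    for ev in rdap.get("events", []):
        if ev.get("eventAction") == action:
            # fromisoformat() on older Python versions does not accept a trailing "Z"
            return datetime.fromisoformat(ev["eventDate"].replace("Z", "+00:00"))
    return None


def registration_flags(rdap, claimed_years, today):
    """Compare registry dates with the age the site claims for itself."""
    registered = event_date(rdap, "registration")
    expires = event_date(rdap, "expiration")
    if registered is None:
        return ["no-registration-date"]
    flags = []
    age_days = (today - registered).days
    if age_days < 90:
        flags.append(f"registered-{age_days}-days-ago")
    if claimed_years * 365 > age_days:
        flags.append("claimed-history-exceeds-domain-age")
    if expires is not None and (expires - registered).days <= 366:
        flags.append("one-year-registration")
    return flags


if __name__ == "__main__":
    today = datetime(2026, 7, 2, tzinfo=timezone.utc)
    print(registration_flags(SAMPLE_RDAP, claimed_years=10, today=today))
```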

6. Search for External Mentions

If a business is real, people have talked about it. Not just on the business’s own website — on independent platforms.

Where to check:

  • Reddit (search the company or domain name)
  • Trustpilot and similar review platforms
  • Twitter/X
  • Hacker News (for tech products)
  • Industry-specific forums

What should worry you: Zero external mentions for a company claiming thousands of customers. Or worse — complaints from people who got scammed.

What should reassure you: Organic discussions, reviews with nuanced opinions (not all five stars), mentions from sources the company doesn’t control.

7. Examine the Testimonials

Fake testimonials are the most common form of manufactured trust. Here’s how to spot them:

  • Too perfect: Every testimonial is five stars, written in the same tone, published within a short window
  • Stock photos: Reverse image search the reviewer’s avatar. If it’s a stock photo, the review is fabricated
  • Generic praise: “This product changed my life!” without any specific details about how
  • No verifiable identity: Testimonials from “Sarah K.” with no link to a real profile

Real testimonials tend to be imperfect. They mention specific use cases, mix praise with minor complaints, and come from people you can find online.

8. Evaluate the Monetization Model

How does this site make money? If the answer is unclear, that’s a problem.

Transparent:

  • Clear pricing page with actual numbers
  • Obvious revenue model (subscriptions, ads, one-time purchase)
  • Terms of service that explain what you’re paying for

Opaque:

  • No pricing visible — you have to “schedule a call”
  • Free trial that requires a credit card, with unclear cancellation terms
  • Multiple upsell layers hidden behind the initial offer
  • A “limited time” discount that’s been running for months

When a site hides how it makes money, it usually means the answer would scare you.

9. Check the Technical Foundation

You don’t need to be a developer to notice when a site is technically suspicious.

Quick checks:

  • Does the site load fast? Legitimate businesses invest in hosting. Slow-loading sites on cheap infrastructure often indicate a low-budget operation.
  • Are there broken links? A real business with web traffic fixes these. A throwaway scam site doesn’t care.
  • Is there a privacy policy and terms of service? Missing legal pages are a red flag for any commercial site.
  • Does the site work without JavaScript? If the entire site is blank when JS fails, it might be hiding thin content behind a framework.

10. Trust Your Gut — Then Verify

Your subconscious picks up on inconsistencies faster than your conscious mind processes them. If something feels off — the design is too generic, the promises are too big, the urgency is too manufactured — there’s usually a reason.

But don’t stop at gut feeling. Run the domain through an audit tool. Paste the URL into Valdos and let the engine surface what your gut can’t articulate.

Putting It All Together

You don’t need to run all ten checks every time. Here’s a quick triage flow:

  1. Domain name (2 seconds) — Does it look right?
  2. External mentions (30 seconds) — Can you find independent discussions?
  3. Substance test (60 seconds) — Does the content prove expertise?
  4. Monetization (30 seconds) — Is the pricing transparent?

If a site passes all four, it’s probably fine. If it fails any one of them, dig deeper with the full checklist.

The goal isn’t paranoia. The goal is informed trust — knowing why you trust a site, not just trusting it because it looks nice.


Want to automate this process? Paste any URL into Valdos and get a full trust audit in under 10 seconds — domain reputation, technical signals, monetization analysis, and AI-powered fraud detection.
