← Blog / Scam Detection

How to Spot a Fake Website: 11 Warning Signs Anyone Can Check

Fake websites are getting harder to detect. Here are 11 concrete warning signs — from URL tricks to manufactured trust signals — that anyone can check in under a minute.

July 7, 2026 9 min read by Jask

You find a website with a great deal. The design looks clean, the product photos are sharp, and the checkout page has a padlock icon. It feels safe enough to enter your credit card.

But what you’re actually looking at might be a fake website — built in an afternoon, designed to take your money and disappear.

The problem isn’t that fake websites exist. The problem is that they’ve gotten good. A $50 template, stock photos, and an AI-generated “About Us” page can make an empty shell look like a legitimate business. Here are 11 warning signs that cut through the polish.

1. The Domain Name Is Almost — But Not Quite — Right

This is the single fastest signal, and scammers rely on your eyes glossing over it.

Common patterns:

  • Subtle misspellings: arnazon.com (the “r” replaces the second “a”), paypa1.com (the number 1 replaces the letter l), coinbse.io (missing the “i”)
  • Extra words on a known brand: paypal-secure-login.com or netflix-payment-verify.com
  • Subdomain tricks: login.paypal.com.secure-verify.net — the real domain is secure-verify.net, not PayPal
  • Unusual TLDs: A “US-based bank” on .tk, .top, .xyz, or .click should be an immediate stop. Cheap or free TLDs are the go-to for throwaway scam domains

If the domain feels slightly off, it’s probably off on purpose.

2. The HTTPS Padlock Is Meaningless

Many people still believe the padlock icon means a site is trustworthy. It doesn’t.

HTTPS encrypts the connection between your browser and the server. That’s all. It says nothing about who runs the server. HTTPS certificates are free through Let’s Encrypt, and setup takes five minutes. Every phishing site has a padlock in 2026.

Rule: The absence of HTTPS is a red flag. The presence of HTTPS tells you nothing about trustworthiness.

3. The Content Has No Substance

Legitimate businesses produce content that demonstrates real expertise — detailed help docs, specific product specs, a blog with dates showing consistent activity over time.

Fake websites have content that could describe anything:

  • Marketing copy that uses vague phrases like “innovative solutions” and “industry-leading” without explaining what the product actually does
  • An “About Us” page that lists company values but names zero people
  • A blog with three posts, all published the same week, all generic enough to apply to any industry
  • An FAQ that answers questions no one would actually ask

Test: Try to find one specific, verifiable fact on the site. A real address. A real team member with a LinkedIn profile. A specific technical detail. If everything is vague, that’s by design.

4. The Contact Information Is Thin or Missing

A real business can be reached through multiple channels. Check the footer and contact page.

Green flags: A physical address, a professional email (@theirdomain.com, not @gmail.com), a phone number that actually works.

Red flags: A contact form with no other details. A Telegram handle as the only contact method. A WhatsApp number with no business presence. Nothing at all.

If the only way to reach a business is through a messaging app, ask yourself why.

5. The Testimonials Look Manufactured

Fake testimonials are the most common form of manufactured trust. Here’s how to spot them:

  • Too perfect: Every review is five stars, written in the same enthusiastic tone, published within a short window
  • Stock photos: Reverse image search the reviewer’s avatar. If the photo appears on a stock photo site, the review is fabricated
  • Generic praise: “This product changed my life!” without any specific details about how or why
  • No verifiable identity: Reviews from “Sarah K.” or “John D.” with no link to a real profile, no history, no other activity

Real reviews tend to be imperfect. They mention specific use cases, mix praise with minor complaints, and come from people you can find online.

6. The Domain Was Registered Recently

New domains aren’t automatically scams — every legitimate business started with a new domain. But a site claiming “10 years of experience” whose domain was registered 45 days ago is lying.

You can check domain registration data through WHOIS lookups (who.is or whois.whois.com). Or run the URL through Valdos — domain age and registration history are included in every free audit.

Patterns that should concern you:

  • Registered in the last 90 days but claims years of history
  • Registered for only one year (legitimate businesses typically register for multiple years)
  • Privacy protection on a site that claims to be a large public company

7. There’s No Pricing Transparency

How does this site make money? If the answer is unclear, the business model might be designed to extract money from you before you understand what you’re paying for.

Transparent:

  • Clear pricing page with actual numbers
  • Obvious revenue model — subscriptions, ads, one-time purchases
  • Terms of service that explain what you get and how cancellation works

Suspicious:

  • No pricing visible — you have to “schedule a call” or “request a quote” to learn the cost
  • A “free trial” that requires a credit card, with cancellation terms buried in fine print
  • Multiple upsell layers hidden behind the initial offer
  • A “limited time” discount that’s been running for months

When a site hides how it makes money, it usually means the answer would scare you away.

8. There Are Zero External Mentions

If a business is real, people have talked about it somewhere other than the business’s own website.

Where to check:

  • Search the domain or company name on Reddit
  • Check Trustpilot and similar review platforms
  • Search [site name] review and [site name] scam
  • For tech products, check Hacker News and Product Hunt

No external mentions for a company claiming thousands of customers is a major red flag. Real businesses leave traces. Scam operations don’t, because they haven’t been around long enough to generate them.

9. The Urgency Feels Manufactured

Legitimate businesses create value. Scam sites create pressure.

Watch for:

  • Countdown timers that reset when you refresh the page
  • “Only 3 spots left!” on a product that’s supposedly been available for months
  • “Offer expires in 10 minutes!” — but the same offer is there tomorrow
  • Pop-ups interrupting you with “14 people just bought this!” notifications

Manufactured urgency prevents rational thinking. If a deal genuinely expires in 10 minutes, it probably wasn’t a good deal in the first place.

10. The Technical Signals Don’t Add Up

You don’t need to be a developer to notice technical red flags:

  • Slow loading: Legitimate businesses invest in hosting. Consistently slow loading often indicates a low-budget operation
  • Broken links and images: A real business with traffic fixes these. A throwaway scam doesn’t care
  • No legal pages: Missing privacy policy, terms of service, or refund policy is a red flag for any commercial site
  • JavaScript-dependent everything: If the entire site is blank when JavaScript fails, it might be hiding thin content behind a framework

On the flip side, some technical signals can indicate real investment:

  • Properly configured DNS records (SPF, DMARC) showing email security awareness
  • A CDN and optimized assets showing infrastructure investment
  • Semantic HTML structure showing competent development

11. Your Gut Says Something Is Off

Your subconscious picks up on inconsistencies faster than your conscious mind processes them. The design is too generic. The promises are too big. The product photos look like they’re from a template. The tone is slightly too eager.

If something feels off, there’s usually a reason. But don’t stop at gut feeling — verify. Run the URL through an automated trust audit that surfaces signals your gut can’t articulate: domain registration data, DNS infrastructure, content quality metrics, monetization analysis, and AI-powered fraud detection.

Quick Triage: The 30-Second Check

You don’t need to run all 11 checks every time. Here’s a fast triage flow:

  1. Domain name (2 seconds) — Does it look right? Any subtle misspellings?
  2. External mentions (20 seconds) — Can you find independent discussions on Reddit or review sites?
  3. Substance test (10 seconds) — Does the content prove real expertise?
  4. Monetization (5 seconds) — Is the pricing transparent?

If a site fails any one of these, dig deeper. If it fails two or more, leave.

The Bottom Line

Fake websites work because they exploit the gap between how things look and how things are. A professional design takes minutes to deploy. A padlock icon takes five minutes to set up. A testimonial takes seconds to fabricate.

The signals that matter — domain history, infrastructure quality, content substance, external reputation — require either manual investigation or an automated tool. That’s what Valdos does: it reads the signals your eyes can’t see and translates them into a transparent 0-100 score.

Run a free trust audit on any website →


Want to verify a website before you trust it? Paste any URL into Valdos for a full trust audit — domain reputation, fraud detection, monetization analysis, and AI-powered risk scoring in under 10 seconds.

Check any website in 10 seconds

Paste a URL. Get a full trust audit — domain reputation, fraud signals, monetization analysis.

Run a free scan