Norton, McAfee, BBB, Trustpilot — trust badges are everywhere on e-commerce sites. But do they actually prove a site is safe? Here's what each badge means and how to verify them.
You’ve seen them: the Norton Secured Seal, the McAfee TrustedSite badge, the BBB Accredited Business logo, the Trustpilot stars. They sit in website footers and checkout pages, quietly promising safety.
But here’s what most people don’t know: trust badges are largely decorative in 2026. Some mean something. Most don’t. And scammers use fake ones freely.
This guide breaks down what each common trust seal actually verifies, which ones matter, and how to tell if a badge is legitimate or stolen.
Trust badges emerged in the early 2000s when online shopping was new and people were afraid to enter credit card numbers on websites. The badges served a real purpose: they signaled that a third party had verified the site’s identity or security practices.
Two decades later, online shopping is mainstream and SSL is universal. The fear that drove trust badges has largely faded, but the badges themselves have multiplied. They’ve become visual decoration — a way for sites to look more legitimate without necessarily being more legitimate.
The problem is that anyone can copy a badge image and paste it into their site. There’s nothing technical stopping a scam site from displaying a Norton seal, and many do.
We covered this in detail in SSL Doesn’t Mean Safe, but here’s the short version: the padlock means the connection is encrypted. It does not mean the site is trustworthy. Every phishing site has one now.
Verdict: Baseline expectation. Not a trust signal.
Payment Card Industry Data Security Standard (PCI DSS) compliance is mandatory for any site that processes credit cards. If a site uses Stripe, PayPal, or another major payment processor, the processor handles PCI compliance — the merchant doesn’t need their own certification.
When you see a “PCI Compliant” badge, it usually means the site uses a compliant payment processor. This is good but not remarkable — it’s the minimum legal requirement.
Verdict: Minimum requirement, not a differentiator. Every legitimate e-commerce site has this.
These seals indicate that the site has an SSL/TLS certificate from Norton (formerly Symantec/Verisign) or DigiCert. In the past, these certificates required extended validation (EV SSL), which meant the certificate authority checked the business’s legal identity.
However: In 2026, browser UI changes have largely removed the visual distinction between EV and standard certificates. The seal now primarily confirms that the site had a valid SSL certificate at the time of the last scan.
Can it be faked? Yes. The seal is just an image unless it’s a clickable verification link that takes you to the certificate authority’s website. Even then, scammers can link to a fake verification page.
Verdict: Low value. Confirms SSL, nothing more.
McAfee TrustedSite (formerly McAfee SECURE) scans sites for malware, SSL issues, and phishing. Sites that pass the scan display the badge.
The scan runs periodically, but a site’s security status can change between scans. A site could be compromised after passing the check and still display the badge until the next scan.
Can it be faked? Yes. The badge image can be copied. Legitimate McAfee badges are supposed to be interactive — hovering over them should display a verification popup from McAfee’s servers.
Verdict: Slightly better than nothing. Confirms the site was clean at some point. Not a guarantee.
The Better Business Bureau (BBB) is a nonprofit that rates businesses based on customer complaints, transparency, and response to disputes. An “A+” rating sounds impressive.
However, BBB accreditation is a paid membership. Businesses pay an annual fee to be “accredited.” The BBB rates paying members and non-members, and the accreditation process is not a government or regulatory standard.
BBB ratings can be useful for researching US-based businesses, but they have significant limitations:
Can it be faked? Yes. Scammers frequently display fake BBB badges. Verify by searching the business name on bbb.org.
Verdict: Mildly useful for US businesses if you verify directly on BBB’s site. The badge itself proves nothing.
Trustpilot is a review platform where customers rate businesses. A high Trustpilot score can indicate genuine customer satisfaction.
But Trustpilot has known weaknesses:
Read the fake review detection guide for specific patterns to watch for.
Can it be faked? The widget can be copied, but you can always click through to the Trustpilot profile to verify. Check the review volume, dates, and content for authenticity.
Verdict: Useful signal if you verify on Trustpilot directly. Look for hundreds of reviews with natural variation — some 5-star, some 3-star, detailed and specific.
Google collects reviews from verified buyers after checkout through its review program. These reviews require an actual purchase, which makes them harder to fake than Trustpilot reviews.
Verdict: Relatively trustworthy. The purchase verification adds a layer of authenticity that open review platforms lack.
Don’t take any badge at face value. Here’s how to check:
Legitimate trust seals from Norton, McAfee, and BBB are interactive. Clicking should take you to a verification page on the issuer’s actual domain (e.g., trustedsite.com, bbb.org, seal.digicert.com).
If clicking does nothing, opens a popup on the same site, or goes to a URL that doesn’t match the issuer’s domain — it’s fake.
The verification page URL should be on the issuer’s official domain. Scammers create convincing lookalike domains:
seal.digicert.comseal-digicert.com or digicert-seal.netDon’t rely on the badge link at all. Go directly to the source:
Many verification pages show the date the seal was issued or last verified. If the date is months old or in the future, something is wrong.
No amount of trust badges should override these warning signs:
Trust badges were designed for an era when online shopping was new and scary. In 2026, they’re mostly visual noise.
Here’s the reality:
The only badges worth checking are interactive ones that link to a verification page on the issuer’s official domain. And even then, you should cross-reference independently.
For a comprehensive trust assessment, don’t rely on badges alone. Check the website’s reputation through multiple signals: domain age, content quality, external reviews, and technical infrastructure. Or run a full trust audit that analyzes dozens of signals automatically.
Trust badges are a starting point, not a conclusion. The real question isn’t “does this site have a seal?” — it’s “has this site earned your trust through verifiable, independent evidence?”
Check any website in 10 seconds
Paste a URL. Get a full trust audit — domain reputation, fraud signals, monetization analysis.
Run a free scan