How to Spot Fake Websites Before You Enter Your Details

The advice used to be simple: look for the padlock, check for HTTPS. That's no longer sufficient. Fake sites routinely have valid SSL certificates, professional-looking design, and even working contact forms. The checks that actually matter are different from what most people think.

Start with the URL — and read it carefully

The address bar is still your best defence, but the technique needs to be more precise than a quick glance. The part of a URL that actually identifies who owns the site is the domain — specifically the last two segments before the first single slash.

In www.paypal.com/login, the domain is paypal.com. In paypal.com.login.verify-account.ru, the domain is verify-account.ru — it has nothing to do with PayPal. The paypal.com part is a subdomain of a Russian site. This pattern — embedding a trusted brand name in a subdomain — is one of the most common phishing techniques, and it works because people don't read URLs all the way through.

Train yourself to read the domain, not just check whether a brand name appears somewhere in the URL. The question to ask is: what comes immediately before .com (or .org, .net, or whatever the top-level domain is)? That word, and only that word, identifies the actual owner.
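The "read the domain, not the brand name" rule above, as an added example that is not part of the original article: a small Python checker that extracts the owner-identifying domain from a URL and flags a watched brand name appearing anywhere else in the URL. It goes slightly beyond the article's "last two segments" rule by handling a few multi-label suffixes such as co.uk; the suffix list, the watched-brand table and the sample URLs are constructed for illustration, not a real list.

```python
from urllib.parse import urlsplit

# Constructed, illustrative list of multi-label public suffixes. The real
# Public Suffix List is far longer; this is just enough to show why the
# "last two labels" rule needs a caveat for domains like example.co.uk.
MULTI_LABEL_SUFFIXES = {"co.uk", "org.uk", "com.au", "co.jp", "com.br"}

# Brands that should only ever appear as the registrable domain itself
# (constructed sample table, not a product feature).
WATCHED_BRANDS = {"paypal": "paypal.com", "chase": "chase.com"}


def registrable_domain(url: str) -> str:
    """Return the part of the URL that identifies the owner: the label just
    before the public suffix plus the suffix (e.g. 'verify-account.ru')."""
    if "://" not in url:
        url = "http://" + url          # urlsplit needs a scheme to find the host
    # hostname strips userinfo (user@host), port and brackets, so a URL such as
    # https://paypal.com@evil.com/ correctly resolves to evil.com here.
    host = (urlsplit(url).hostname or "").rstrip(".").lower()
    labels = host.split(".")
    if len(labels) < 2:
        return host
    suffix_len = 2 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 1
    if len(labels) < suffix_len + 1:
        return host                    # bare suffix, nothing to identify
    return ".".join(labels[-(suffix_len + 1):])


def brand_mismatch(url: str):
    """Flag a watched brand name that appears somewhere in the URL while the
    registrable domain belongs to someone else.

    Returns (brand, actual_owner) on a mismatch, or None when the URL is
    either brand-free or genuinely hosted on the brand's own domain."""
    owner = registrable_domain(url)
    for brand, official in WATCHED_BRANDS.items():
        if brand in url.lower() and owner != official:
            return brand, owner
    return None


if __name__ == "__main__":
    for sample in ("https://www.paypal.com/login",
                   "paypal.com.login.verify-account.ru",
                   "https://paypal.com@evil.com/"):
        print(sample, "->", registrable_domain(sample), brand_mismatch(sample))
```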

The padlock and HTTPS: still necessary, no longer sufficient

HTTPS means the connection between your browser and the server is encrypted. It doesn't mean the server you're connected to is who it claims to be. Phishing sites regularly obtain SSL certificates — they're cheap, sometimes free, and the certificate authorities that issue them don't verify the business identity behind domain-validated (DV) certificates.

So: a site without HTTPS is definitely suspicious and should receive no sensitive input. A site with HTTPS is not necessarily safe. The padlock is a necessary but not sufficient condition for trust.

Look at the domain's age and registration

Legitimate businesses have owned their domain for years. Phishing sites are typically registered recently — days or weeks before the campaign launches. You can check a domain's registration date using a WHOIS lookup.

Go to a WHOIS service (domaintools.com or whois.domaintools.com), enter the domain, and look at the "Created" date. A financial institution, retailer, or major service claiming to be legitimate but registered last month is an immediate red flag. A new domain for a startup is understandable; a new domain for a bank is not.

Check what the site looks like when it shouldn't exist

Try navigating to a page that definitely doesn't exist on the site, like /qzxymfake. A real website shows a proper 404 error page that matches the site's design. Many phishing kits show a generic server error or redirect to the homepage, because the underlying software isn't a real web application — it's a template designed only to capture credentials on a few specific paths.

This test isn't foolproof, but it's fast and catches a lot of hastily assembled fake sites.

Look for contact information you can verify

Legitimate businesses have a contact page with an address, phone number, or both. Copy the address from the site and paste it into Google Maps. Does it exist? Does it match the kind of business this claims to be? A fashion brand claiming headquarters at a residential address in an obscure suburb is worth questioning.

Try calling the phone number. Even if you don't speak to anyone, whether the number rings, goes to voicemail with a recognizable message, or doesn't exist tells you something.

Search for the site name plus "scam" or "review"

Before entering payment details on an unfamiliar site, spend thirty seconds on a search engine: the store name plus "scam", "legitimate", or "reviews." Sites like Trustpilot, Reddit, and specialized consumer protection forums accumulate reports quickly when a fake shop starts operating. If a site is new and there are no results at all, that's also a data point — genuine retailers of any age tend to have some independent mentions.

Be particularly suspicious when you arrived via an ad or email

Many people's mental model of URL safety is "I'll just be careful." The problem is that the moments when we're most likely to enter credentials on a fake site are the moments when we're least cautious: we clicked something in an email, or followed a sponsored search result, or clicked an ad on social media.

Search engine ads can be purchased for queries like "chase bank login" or "paypal", and a convincing fake site at the top of sponsored results has trapped bank customers who searched their bank's name rather than navigating directly. If you arrived somewhere by clicking an ad, treat the URL verification step with extra care.

For sites you log into regularly — banking, email, anything with payment information — form the habit of navigating directly by typing the URL, not by clicking links.

What to do if you're not sure

Don't enter credentials. If you're genuinely uncertain whether a site is real, the correct answer is to navigate directly to the official domain — type it in yourself, don't click a link — and do whatever you needed to do there. Five minutes of inconvenience is a small price for avoiding the alternative.

If you've already entered a password on a site you now suspect was fake, change the password on the real site immediately. If you shared the same password elsewhere, change it there too. If payment details were involved, contact your bank or card issuer — most have 24-hour fraud lines and can reverse recent transactions more easily when notified quickly.