Not sure how to know if a website is legit? If your answer is no, you’re likely to find yourself the target of a phishing scam sooner or later. Here are 5 ways to tell if a website is legitimate or is as fake as a $3 bill

Phishing is one of cybercriminals’ favorite tools of the trade. Regardless of whether they’re sent through emails, text messages, or if you come across them directly through a web search, knowing how to tell if a website is legit is a necessary skill virtually everyone needs to know.

Q4 2021 data from the Anti Phishing Working Group (APWG) indicates that December 2021 was the highest month on record as far as phishing activity was concerned. According to the report, 316,747 attacks were detected.

This is where knowing how to tell if a website is legit really plays in your favor. This article breaks down several key things you should watch when clicking on links in emails and web search results in your browser.

Not Sure How to Tell If a Website Is Legitimate? Here’s What to Look Out For…

One of the biggest giveaways of a fake website is its design and language usage. For example, if you’re in a rush and type in but find yourself on a slightly different-looking website, stop and really look at the website. Ask yourself a few quick questions:

  • Do the images or other graphics look distorted?
  • Is the company’s logo looking a bit wonky?
  • Is the site not using proper grammar, spelling, punctuation, etc.?

If your answer to any of these questions is yes, then it’s likely that you’ve stumbled upon a phishing website. But aside from these visual cues, how do you know if a website is legitimate? There are several other great ways to know if a website is legit. We’ll quickly over each of these methods to get you on your way.

1. Check the Legit URL By Hovering Your Cursor Over Embedded Links & Buttons

This first item on our list is one of the most important tasks when it comes to telling if a website is authentic or a fraud. Cybercriminals are all about deception; one of the ways they do this is by embedding fake website links into legitimate-looking anchor texts and buttons that they can send in emails, SMS text messages, and hide on websites.

Someone can trick you into clicking on a malicious URL by hiding it in a misleading button, graphic, or another element. Say, someone sends you an impersonating Microsoft (which isn’t hard to imagine considering that Microsoft is one of the most-impersonated companies globally by cybercriminals). The email tells you that your account’s autorenewal subscription payment has been processed and that you must log in to view the payment or to request a refund. The sender’s message includes a convenient button that says Login to Your Microsoft Account, which takes you to a login page when you click on it.

The attacker’s goal here is to get you to click on the website without first checking whether the destination website is authentic. When you enter your login credentials on the phony website, the attacker steals them and can use them to access your legitimate Microsoft account.

You can tell if a website is legitimate by moving your mouse (cursor) over the embedded link or button in question without clicking on it. Doing this causes the hidden destination URL to appear as a hovering box above the link or button. Let’s look at a quick example:

A screenshot of an example email with a phishing link embedded in disguise as a legitimate Microsoft URL.
Image caption: A screenshot of a phishing email that has a fake website URL embedded in it.

In this example, if you hover your mouse over either the banner image or the Access Your Data button, you’d see the highlighted hidden URL display. This is the real destination URL that you’d be taken to if you click on either option.

Check out our blog to see other real-world phishing email examples.

2. Double-Check the URL Spelling for Small Variations (And Watch Out for Typos!)

One of the easiest ways cybercriminals like to trick unsuspecting users is by creating websites with domains similar to those owned by legitimate companies to trick people into landing on them. (This is known as typosquatting.) For example, someone could register the domains or with the hopes of tricking users who:

  • Accidentally type URLs incorrectly into their browsers, resulting in misspelled domains, or
  • Aren’t paying attention and think that they’re really clicking on the legitimate

Be sure to keep your browser updated as well. Older versions of the Google Chrome, Mozilla Firefox and Opera web browsers were susceptible to homograph attacks. These attacks involved a bad guy creating

Beware Unicode Domains

Unicode domains — meaning web addresses that incorporate non-ASCII characters (i.e., non-English characters) that look visually identical to English letters — are particularly tricky to identify. Also known as homograph attacks, attackers take advantage of a bug in browsers that allows users to create similar-looking website URLs that are visually indistinguishable from legitimate websites by replacing a character with a similar-looking character in another language’s alphabet.

The guy who discovered this bug (Xudong Zheng) in 2017 walks you through how the process works more in depth on his site. In a nutshell, registering the domain “xn–” allowed him to replace the letter L in with a Cyrillic letter I. This enabled the fake domain to display visually as

Thankfully, the browsers quickly addressed this issue a few years ago in their subsequent version updates. But if you’re using a browser that hasn’t been updated, you’re still at risk as it’s visually impossible to tell if a website is legit or fake. You’d have to copy-and-paste the URL into notepad or a URL scanner tool to check its authenticity. Now, when you try going to similar Unicode websites, you’ll receive this type of error:

A screenshot of a Unicode email that's disguised to appear as ""
A screenshot of the error message users receive when they visit Xudong Zheng’s unicode domain example site.

Speaking of URLs, this brings us to our next talking point…  

3. Check a Website’s URL Using One or More Reliable Third-Party Security Tools

One of the most important steps you can take is running a website’s URL through an antivirus and/or antimalware scanner before entering it in your browser. This method of knowing how to tell if a website is legit entails using the companies’ databases of known threats and scanning technologies to help you determine whether a site is legit or might be an imposter.

Here are a few examples of the types of tools you can use for free:

4. Check the Organization’s Information in the Site’s Security Certificate

Relying on third-party scanners isn’t the only way to check the legitimacy of a website. You’ve got another important trick up your sleeve — you just might not know it. One of the most important ways to know how to tell if a website is legit is to check its website security certificate information.

Say, you’ve searched for a product in Google and clicked on a website. How do you know it’s the “real deal” or an imposter website now that you’re on it? Look at the web address bar — do you see a small padlock icon? This indicates that the website you’re on is secure because it’s got an SSL/TLS certificate installed that facilitated a secure, encrypted connection. (I.e., bad guys can’t steal your info in transit because they don’t have the necessary decryption key).

A screenshot of the "Connection is secure" message on the website.
A screenshot of the security padlock icon information for

This is great if the website you’re on is legitimate, but what if the site you’re on is a fake one that’s operated by a cybercriminal? Yikes — it means that you’re sending your sensitive information to them encrypted, but that they have the secret key that allows them to decrypt that data. This is why you also need to verify the digital identity of the organization that owns the website. You can do this by:

  • Pressing the Connection is secure option in the screenshot above.
  • Selecting the Certificate is valid option in the screenshot below. This will pop up a new window that details various types of certificate information.
  • Navigating to the Details tab and selecting Subject (No. 7 on the list), as seen two screenshots below.
A screenshot of the "Certificate is Valid" message on the website.
A screenshot of’s website security certificate information.
A screenshot of the verified organization information that displays in the extended validation SSL/TLS certificate details for website.
A screenshot of’s website security certificate details, including information about the organization that owns the site.

5. Verify the Company’s Information By Looking at Other Official Records & Resources

Of course, you don’t have to stop there — you can take this to the next level by actually using other official records and resources to verify the company’s information yourself. You can do this by taking the organization’s information and checking it against records from the following resources:

  • ICANN Lookup for WHOIS records
  • The state or regional resources (such as the Division of Corporations, Secretary of State, etc.)
  • Better Business Bureau (BBB)
  • Charity Navigator
A screenshot of domain information for the domain
An example screenshot from the ICANN website, displaying domain information for

However, it’s important to note that you’ll only see this information on websites that use organization validation (OV) or extended validation (EV) SSL/TLS certificates. These certificates offer basic business validation and extended validation, respectively, with EV being the highest level of business validation.

For them to be issued to the website, a publicly trusted third party (i.e., a certificate authority) has to verify specific information about the requesting organization to verify whether it’s legitimate. This is known as a validation check. Think of it as a background check for the website that verifies the organization’s digital identity using official resources from reputable third-party like Brad & Dunstreet.

If a website only uses the minimum level of validation — domain validation, or DV SSL certificates — it means that the site only had an automated system check its domain ownership. As a result, it won’t display any organizational information for you to verify.

Final Thoughts on How to Tell If a Website Is Legit (And What to Do If It’s Not)

Alright, that concludes our list of steps for how to tell if a website is legit. Unfortunately, phishing and malicious websites are some of cybercriminals’ favorite tools, so they aren’t going anywhere anytime soon. But we hope that you now have a better idea of how to distinguish fake websites from real ones.

Of course, if you come across a fake or fraudulent website, be sure to report it. Doing this helps to bring the site to the attention of browsers so that you can help prevent other people from becoming victims of these fake websites. There are a few ways you can report fake and malicious websites to both the FBI’s Internet Crime Complaint Center (IC3) and Google’s Safe Browsing Report Phishing Page.


Welcome to Savvy Security, a blog focused on providing practical cybersecurity advice for website owners and small businesses. Our team brings you the latest news, best practices and tips you can use to protect your business...without a multi-million dollar budget or 24/7 security teams.