Extended Validation

How to Identify Fake Websites

DigiCert Blog
Dean Coclin

In the age of digital transformation, knowing how to identify fake websites is not just helpful; it’s absolutely necessary to protect yourself online. Knowing how to spot a fraudulent website can protect your personal and work identity, your financial information and logins for your email and social media.

COVID-19 scams and identify theft are on the rise. The U.S. Department of Health and Human Services has warned the public about fraud related to the coronavirus, which could come in the form of calls, texts, social media messages or websites. Even as we transition to a new normal, online scams will not stop, and will likely increase. Understanding how to check if a website is authentic will help protect you now and in the future against fake websites.

How to verify a website

Check if the URL is misspelled

One key indicator of a fake site is a misspelled URL. Fraudsters may change up a URL name slightly, like using amaz0n.com, or they may change the domain extension — like amazon.org instead of amazon.com.

Check for site seals

A site seal signals that the site is authentic, and you can usually click on a site seal to reveal more information about the website and how it was verified. Seals that do nothing when clicked should not be trusted, as they are likely illegitimate copies of seals.

1 the DigiCert site seal
Figure 1: the DigiCert site seal


Look for a lock

The padlock on a website means that a site is secured by an TLS/SSL certificate that encrypts user data. You can look for the lock on the upper left of the address bar. There are three types of TLS certificates that will each display a lock: Domain Validation, Organization Validation and Extended Validation.

  • Domain Validation certificate: verifies ownership of the domain. However, DV certificates do not provide organizational identification information. Therefore, it is not recommended to use DV certificates for commercial purposes.
  • Organization Validation certificate: organizations are authenticated by the CA (certificate authority) in official business registration databases. This is the type of standard certificate recommended for a commercial or public website.
  • Extended Validation certificate: contains additional validation steps and offers the highest level of authentication to protect your brand and users. CAs may require certain documents and personal contact to ensure that EV certificates contain legitimate business information. They are used by the world's leading organizations to ensure user trust by giving users high confidence that the website is authentic and owned by the entity they believe they are transacting with.

If a site doesn’t have a lock, most browsers will display a “not secure” warning. In the past, simply looking for the lock was enough, but with the increase of online fraud you need to look deeper than the padlock to verify a website.

Figure 2: What a Secure and Not Secure site looks like in Chrome on desktop.


Secure site vs. scam site

The padlock means that information on a site is encrypted and browsers will consider it secure. Unfortunately, nowadays, a secure site does not necessarily mean a website is safe to buy from or share information with. Just because a site has a padlock doesn’t necessarily mean that it is not a fake. Research shows up to half of fake sites used for phishing have a padlock now.

Typically, fraudsters use DV certificates: low-level TLS certificates that some certificate authorities offer for free, so that they only have to prove that they own the site to get a lock. With DV certificates, they do not have to prove that the company is legitimate. At times they may use an OV or EV certificate, but because these require more effort to obtain, including proving a business registration, paying with a valid credit card and responding to certificate authority inquiries, most criminals are deterred from using them.

Fake websites using TLS certificates are usually caught, but they might be able to wreak havoc temporarily with a certificate.

Look beyond the lock

You should look beyond the lock by clicking on it once to reveal more information. For the highest level of authentication, if you click on the lock it will display “Issued to: [Company Name]” underneath “Certificate (Valid).” Unfortunately, this functionality only currently works on desktop browsers. But whether you’re on a mobile browser or desktop, the principles of looking beyond the lock to verify if a website is secure remain the same.

Run site through a website checker

When in doubt, use a website checker to verify if a website is secure. A secure website check can let you know any vulnerabilities on the site, if it is using encryption and what level of verification a site has.

Additional ways to verify a website

Besides checking for a lock, site seal and running the URL through a website checker, also look for the following trust indicators on a site:

  • A privacy policy
  • A return policy
  • Contact information for the business, like a phone number and address
  • Correct spelling and grammar
  • Online reviews (simply Google “reviews for [site name]” to find online feedback)

In general, avoid any deals that seem too good to be true, because they likely are.

What to do if you find a fake site

If you’ve landed on a fraudulent site, do not provide any sensitive information like financial details, a log in and password, verification codes, a Facebook login, or even your name and contact information. When in doubt, don’t fill it out. Additionally, do not click on links from unfamiliar emails, online posts or DMs. Knowing if a site is fake will help you know whether or not to buy from a site.

You should report a fake site to Google Safe Browsing and close out of it right away.


3 Surprising Uses of PKI in Big Companies and How to Ensure They Are all Secure

5 Min

Featured Stories


Pioneering the next wave of secure digital solutions 


4 best practices for bulk email senders



Driving digital trust with SOC 2-compliant DNS