Scam Alerts·March 24, 2026·5 min read

In the time it takes to read this sentence, somewhere in the world a person has just handed their bank card details to a website they believed was legitimate but is actually a scam. Fake websites — convincing imitations of banks, retailers, government services, parcel delivery companies, and utility providers — are one of the primary mechanisms through which billions of pounds are stolen from UK consumers every year.

The sophistication of fake websites has reached a level where even technically confident people are deceived. Modern fraud operations use stolen brand assets, accurate site layouts, and convincing domain names. Some clone legitimate websites so precisely that only careful examination of the URL distinguishes them from the real thing. But there are always tells — and this guide will show you every one of them.

Sign 1: The domain name is wrong

This is the most reliable indicator of a fake website and the most important thing to check. Look at the complete URL in your browser’s address bar — not a summary or a link text, but the actual address that appears in the bar at the top of your browser.

The structure of a URL is: protocol (https://), then subdomains if any, then the domain name, then the top-level domain (.com, .co.uk, etc.), then the path. The critical element is the domain name — the bit immediately before the final dot and top-level domain. In www.paypal.com, the domain is paypal and the TLD is .com. This is legitimate. In paypal.secure-verify.com, the domain is actually secure-verify and the TLD is .com — PayPal is merely a subdomain. This is a scam site.

Scammers use several techniques to create misleading domain names: adding words to the real brand name (amazon-uk-official.com, royalmail-redelivery.net), replacing letters with similar-looking characters (paypa1.com using the number 1 instead of the letter l), using the brand name as a subdomain of their own domain, and registering domain names under unusual top-level domains (.info, .xyz, .online) when the legitimate organisation uses .com or .co.uk.
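The same check can be automated. The Python sketch below is an added example, not part of the original article: it splits a URL's host into subdomains, domain name and suffix, then flags the tricks listed above. The function names, the short suffix set and the lookalike table are assumptions made for illustration; real tooling should use the full Public Suffix List.

```python
from urllib.parse import urlsplit

# Simplification: a tiny constructed set of two-label public suffixes.
# Real tooling should consult the full Public Suffix List instead.
TWO_LABEL_SUFFIXES = {"co.uk", "org.uk", "gov.uk"}
# Digit-for-letter swaps of the kind described above (paypa1 for paypal).
LOOKALIKES = str.maketrans({"1": "l", "0": "o", "5": "s"})


def split_host(url):
    """Return (subdomain_labels, domain_name, suffix) for a URL's host."""
    host = (urlsplit(url).hostname or "").rstrip(".")
    labels = host.split(".")
    if len(labels) < 2:
        raise ValueError(f"no registrable domain in {url!r}")
    two = ".".join(labels[-2:])
    n = 2 if two in TWO_LABEL_SUFFIXES and len(labels) >= 3 else 1
    return labels[: -n - 1], labels[-n - 1], ".".join(labels[-n:])


def check_url(url, brand, official_suffixes):
    """Return Sign 1 warnings for a URL presented as belonging to `brand`."""
    subdomains, name, suffix = split_host(url)
    if name == brand and suffix in official_suffixes:
        return []  # the registrable domain really is the brand's own
    findings = []
    if name == brand:
        findings.append("unexpected-suffix")
    elif name.translate(LOOKALIKES) == brand:
        findings.append("lookalike-characters")
    elif brand in name:
        findings.append("brand-plus-extra-words")
    if any(brand in label for label in subdomains):
        findings.append("brand-as-subdomain")
    return findings or ["not-the-brand-domain"]


if __name__ == "__main__":
    # Constructed samples, using the example hostnames from the article.
    for url, brand in [
        ("https://www.paypal.com/signin", "paypal"),
        ("https://paypal.secure-verify.com/login", "paypal"),
        ("https://paypa1.com/", "paypal"),
        ("https://amazon-uk-official.com/", "amazon"),
        ("https://www.amazon.co.uk/orders", "amazon"),
    ]:
        print(url, check_url(url, brand, {"com", "co.uk"}) or "ok")
```

An empty list means the registrable domain matches the brand on one of its expected suffixes; it says nothing about whether the page content itself is trustworthy.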

Sign 2: The site was registered very recently

Every domain name has a registration date — the date it was first purchased. A bank that has been trading for decades will have had its domain for decades. An e-commerce retailer you recognise will have a domain history stretching back years. A fraudulent website, by contrast, is typically registered days or weeks before a scam campaign begins — and is abandoned just as quickly once the campaign has run its course.

Check the registration date using a WHOIS lookup: go to any WHOIS tool (search “WHOIS lookup” in Google) and enter the domain name. Look for the “Created” or “Registration Date” field. A website claiming to be an established retailer or service with a domain registered within the past few weeks is almost certainly fraudulent.
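For anyone checking many domains, the age test can be scripted against saved WHOIS output. This is an added example, not from the original article: the field names it accepts, the date formats, the 30-day threshold and the sample records are assumptions, and the WHOIS text is constructed rather than fetched.

```python
import re
from datetime import date, datetime

# Field labels differ between registries; these cover the wording the
# article mentions plus two other common variants (an assumption).
CREATED_FIELD = re.compile(
    r"^\s*(?:Creation Date|Created|Registration Date|Registered on)\s*:\s*(.+?)\s*$",
    re.IGNORECASE | re.MULTILINE,
)
DATE_FORMATS = ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%d", "%d-%b-%Y")


def creation_date(whois_text):
    """Return the registration date found in WHOIS text, or None."""
    match = CREATED_FIELD.search(whois_text)
    if not match:
        return None
    for fmt in DATE_FORMATS:
        try:
            return datetime.strptime(match.group(1), fmt).date()
        except ValueError:
            continue
    return None  # field present but in a format we do not recognise


def classify_age(whois_text, today, threshold_days=30):
    """Return 'recent', 'established' or 'unknown' for a WHOIS record."""
    created = creation_date(whois_text)
    if created is None:
        return "unknown"  # redacted or unparsed: do not treat as safe
    return "recent" if (today - created).days <= threshold_days else "established"


# Constructed WHOIS excerpts in two common layouts.
SAMPLE_NEW = "Domain Name: PARCEL-REDELIVERY.EXAMPLE\nCreation Date: 2026-03-10T09:15:00Z\n"
SAMPLE_OLD = "    Domain name:\n        shop.example\n    Registered on: 12-Aug-1996\n"
SAMPLE_REDACTED = "Domain Name: HIDDEN.EXAMPLE\nRegistrar: Example Registrar\n"

if __name__ == "__main__":
    today = date(2026, 3, 24)
    for sample in (SAMPLE_NEW, SAMPLE_OLD, SAMPLE_REDACTED):
        print(classify_age(sample, today))
```

A result of "unknown" should be treated as a reason to look closer, since a missing creation date gives no evidence that the domain is long-established.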

Sign 3: HTTPS is present but does not prove legitimacy

The padlock icon in your browser address bar and the HTTPS prefix indicate that the connection between your browser and the website is encrypted. This is a necessary feature of any legitimate website and its absence is a red flag. However — and this is critical — HTTPS does not mean the site is legitimate. It only means the connection to it is encrypted.

Fraudulent websites use HTTPS certificates just as readily as legitimate ones. HTTPS certificates are available for free through services like Let’s Encrypt, and obtaining one requires no proof of identity or business legitimacy. A convincing fake banking website will almost certainly have HTTPS. Do not use it as your primary safety indicator.

Sign 4: Contact information is absent or cannot be verified

UK law requires businesses selling goods or services online to provide their company name, address, email address, and in most cases phone number. Look for this information on the website — it is typically in the footer, in an About page, or in a dedicated Contact page.

When you find contact information, verify it. Search the address on Google Maps and check whether it actually exists as a business premises. Call the phone number. Search the company name on Companies House (gov.uk/get-information-about-a-company) to verify it is a registered UK company. A legitimate business can be verified; a fraudulent one typically cannot.

Sign 5: The design feels slightly off

Professional organisations invest significantly in their web presence. Brand guidelines, consistent typography, professional photography, and quality copywriting are standard for any established business. Fake websites often get these details slightly wrong — lower-resolution images than the genuine site uses, text that does not quite match the brand’s usual voice, slightly different shades of the brand’s signature colours, or a layout that resembles but does not quite match the genuine site.

Trust your instinct if something feels slightly wrong aesthetically. Your brain is pattern-matching against every previous experience with the genuine site and flagging a mismatch. That feeling is data worth respecting.

Sign 6: You were sent here from an unsolicited message

A significant proportion of traffic to fake websites comes from links in phishing emails, smishing texts, and social media posts rather than from organic search or direct navigation. If you arrived at a website by clicking a link in an unsolicited email or text message, your guard should be significantly elevated regardless of how legitimate the site appears.

The safe practice is never to click links in unsolicited messages to access sensitive services. If a text claims to be from your bank, close the message, open your browser, and type your bank’s address directly. If an email claims to be from Amazon, close it and go to amazon.co.uk directly. You can then check whatever the message claimed needed your attention from the security of the legitimate site.

Sign 7: Browser security warnings are present

Chrome, Firefox, Safari, and Edge all maintain databases of known malicious websites, updated continuously by security researchers and reported URLs. When you navigate to a URL that matches one of these known-bad sites, your browser will display a warning page — usually red or orange, with prominent text explaining that the site is dangerous.

Never override a browser security warning. It is technically possible to bypass these warnings in most browsers, but doing so is never advisable when you do not know the site. The warning means the site has been identified by security professionals as dangerous. Go back.

The single most important habit: Always check the domain name in the address bar before entering any personal or financial information on any website. Not the link text. Not the site’s appearance. The actual URL. Thirty seconds of checking this one thing would prevent the majority of website fraud victimisation.
MyTechGuard Team
Cybersecurity Writers & Researchers

We translate complex cybersecurity topics into plain English so everyday people can protect themselves online — no technical background required.
