The green padlock stopped meaning "safe" a few years ago. In 2025, 83% of confirmed phishing websites had valid HTTPS certificates — the same padlock your bank uses. Scammers get free SSL certificates in under 10 minutes. This guide covers the four checks that actually work in 2026, all free, taking under two minutes total.
The Padlock Stopped Meaning "Safe" a Few Years Ago
There was a time when the advice was simple: look for HTTPS and the green padlock. If a site has that, it is safe to use. That advice is now actively harmful.
In 2025, the Anti-Phishing Working Group documented that 83% of phishing websites use HTTPS with valid SSL certificates. The padlock means the connection between your browser and the server is encrypted. It says nothing about whether the server you are connecting to is run by a legitimate business or a fraud operation that registered the domain 11 days ago.
Scammers get free SSL certificates from Let's Encrypt in under 10 minutes. The padlock is the minimum viable deception tool. Every serious phishing site has one.
"We still see consumer guidance telling people to check for HTTPS. It is genuinely frustrating, because that advice has been out of date since at least 2018 and repeating it does real harm. The correct advice in 2026 is: check the domain age, check the domain in a URL scanner, look for physical business signals, and if the deal seems too good to be true for this specific category of product, it is. The SSL certificate is not evidence of anything except that the operator knew how to click 'Get Certificate' on letsencrypt.org."
— Laura Beckett, Head of Consumer Fraud Research, Digital Commerce Trust Institute
The Four Checks That Actually Work in 2026
None of these are technically complex. All of them are free. Together they catch the overwhelming majority of fraudulent websites before any damage is done.
Check 1: Domain age via WHOIS. The most reliable single indicator of website fraud is domain age. The APWG found that 95% of confirmed phishing sites were under 30 days old at first report. A professional-looking site with a two-week-old domain is almost certainly not what it claims to be. Check at tracemyiponline.com/whois-lookup.
Check 2: URL scan against threat databases. Scan the URL before clicking or entering any data. Our scanner checks against 70+ threat intelligence databases — if the URL is known malicious, it will show up. New scam sites may not yet be indexed, so this works better alongside domain age rather than instead of it. Scan at tracemyiponline.com/url-scanner.
Check 3: Domain name scrutiny. Scammers frequently register domains that look like legitimate brands with minor alterations: amaz0n.com, paypa1.com, netfl1x.com. They use Unicode homoglyphs — characters that look identical to regular letters but are from different alphabets — to create effectively indistinguishable fakes. Look at the domain in the browser's address bar carefully, character by character, for any site asking for payment or credentials.
Check 4: IP reputation check. Even a brand-new scam domain is hosted on a server with a history. If the server IP is blacklisted for spam or fraud, the site inherits that context. Check the site's IP at tracemyiponline.com/blacklist-checker.
How to Check if a Website Is Safe — Complete Process
For any unfamiliar site where you are considering entering personal information or making a payment:
Step 1: Copy the domain from your browser's address bar. Do not include anything after the .com/.co.uk/etc — just the domain itself.
Step 2: Paste it into tracemyiponline.com/whois-lookup. Look at the creation date. If the site was registered within the last 90 days and is asking for payment — proceed with caution or walk away.
Step 3: Paste the full URL (including https://) into tracemyiponline.com/url-scanner. Any threat database hits are a hard stop.
Step 4: If the domain passes both checks, look at physical business signals: a working phone number, a real physical address that matches a business listing, product reviews on independent platforms (not just the site's own review section), and verifiable social media presence with post history going back years — not an account created last month.
Step 5: For significant purchases, search the company name plus "scam," "reviews," and "complaint" in a search engine. Fraud sites generate victim reports quickly.
Before vs After: Three Website Safety Checks That Caught Fraud
Case 1 — Electronics site with 70% off deals: WHOIS: Domain registered 22 days ago. URL scan: Clean (not yet indexed in threat databases). Additional checks: No phone number on site, physical address does not appear in any business registry, all product images reverse-search to stock photo sites. Verdict: Fraud site caught by domain age even though URL scan was clean. ❌
Case 2 — Fake delivery notification SMS: URL: dhl-track-parcel[.]info. WHOIS: 8 days old. URL scan: Flagged in 31 of 70+ databases as confirmed phishing. IP: Blacklisted for phishing. Verdict: Caught immediately. ❌
Case 3 — Unfamiliar but legitimate UK retailer: WHOIS: Domain registered 2009, 15 years old. URL scan: Clean. IP: Clean reputation. Physical address: verifiable on Companies House. Phone number: real, answered during business hours. Verdict: Legitimate, proceed. ✅
What Bad Actors Know That You Do Not
Professional fraud operations study which safety checks users actually run. The ones they are least worried about: HTTPS/padlock check (trivially satisfied), Google search for the company name (easy to game with SEO in the short term), and checking whether the site "looks professional" (templates are free, professional-looking sites cost $50 to build).
The checks they cannot easily fake: domain registration date (cannot backdate a domain), independent threat database flagging (takes time and discovery to get into databases), verifiable physical business presence (a real 10-year-old registered company is difficult to impersonate).
The domain age check is the one that fraudulent sites cannot beat. Every scam site starts new. A domain cannot be older than its registration date. Check at tracemyiponline.com/whois-lookup.
For California and New York Consumers: Site Safety and CCPA
California consumers report higher-than-average online fraud losses in absolute dollar terms, partly because California has the highest e-commerce spending per capita in the US. The California Attorney General's consumer protection guidance specifically mentions checking website legitimacy — and domain age verification through WHOIS is explicitly in their online shopping safety advice.
Under CCPA, any site collecting data from California residents must disclose this and allow opt-out. Fraudulent sites are not going to honor these rights. The practical protection is not entering data to fraudulent sites in the first place. For New York residents, the SHIELD Act requires companies receiving your data to protect it — again, this only applies to companies that exist and comply with US law, which fraudulent operators do not.
For London and UK Users: Website Safety and Action Fraud
UK Finance's fraud statistics for 2025 show that authorized push payment (APP) fraud — where victims are tricked into voluntarily sending money to fraudsters — reached £1.17 billion. A significant proportion of these cases began with a fraudulent website that the victim believed to be legitimate.
Action Fraud's "Take Five" campaign runs nationally, with one of its five key points being to verify website legitimacy before any transaction. Their official guidance aligns with the checks described here: domain age, independent reviews, physical business verification. Our free tools at TraceMyIPOnline.com provide the technical check components — WHOIS for domain age and URL Scanner for threat intelligence — in seconds.
For Toronto and Ontario Users: Scam Sites and CAFC Guidance
The Canadian Anti-Fraud Centre processed reports representing CAD $567 million in fraud losses in 2025. Online shopping fraud is in the top five categories by both volume and value. The CAFC's Little Black Book of Scams advises checking when a website was registered — which is WHOIS lookup — as one of its primary consumer guidance points.
For Ontario consumers: the Ontario government's consumer protection branch specifically lists online shopping fraud as a priority concern and maintains a fraud prevention resource that includes technical website verification. Our free WHOIS tool and URL Scanner complement this guidance with instant results.
For Sydney and Australian Users: Scamwatch and Website Safety
The ACCC's Scamwatch documented AUD $2.74 billion in scam losses in 2025 — a record. Online shopping scams were among the highest-volume categories by report count. The ACCC specifically advises that scam websites are often recently registered, and they recommend checking website registration details before purchasing.
For Australian consumers in Sydney, Melbourne, and Brisbane: the ACCC's advice translates directly to WHOIS lookup. A 10-second check at tracemyiponline.com/whois-lookup tells you when the domain was registered. A site selling something desirable at an unusual discount with a three-week-old domain is almost certainly fraudulent.
Types of Websites That Need Checking — And Ones That Do Not
Not every website warrants a full security check. Here is a practical framework:
Always check: Any site where you are entering payment details for the first time. Any site that contacted you unsolicited (email, SMS, social media ad). Any site offering something at a price that seems significantly below market rate. Any site you reached by clicking a link rather than typing the domain yourself.
Check if unfamiliar: A business you have heard of but not used before. Any site for a significant purchase over $50-100. Any site collecting sensitive personal information.
Probably fine to skip for established sites you use regularly: Sites you have used for years. Major retailers with well-known brands and verifiable histories. Directly navigated sites (typed the URL yourself, not following a link).
The check is most valuable where the risk is highest: unfamiliar sites, contacted via links, offering deals. That is where fraud concentrates.
Frequently Asked Questions
Is the URL Scanner completely free?
Yes — 100% free, no signup, no limits. Scan any URL at tracemyiponline.com/url-scanner and get results in seconds.
A website passed all my checks — does that guarantee it is safe?
No check is a guarantee. A new fraudulent site may not yet be indexed in threat databases. A well-funded fraud operation may have registered the domain six months ago in preparation. Passing the technical checks reduces risk significantly — it does not eliminate it. Use the checks alongside common sense: if something feels off about a deal or a site, trust that instinct.
The site looks exactly like [known brand] — is it legitimate?
Fraudulent sites commonly copy legitimate brand designs exactly. Visual similarity is not evidence of legitimacy. Check the domain — if it is not the brand's real domain (amazon.com, not amazon-deals-today.net), the visual similarity is the point. Run WHOIS on the domain and scan the URL.
How do I check a site that appeared in a social media ad?
Social media platforms allow advertising from new and unverified businesses. Copy the URL from the ad, scan it at tracemyiponline.com/url-scanner, and check the domain age at tracemyiponline.com/whois-lookup before clicking through. Many fraudulent e-commerce operations use paid social media advertising as their primary traffic source precisely because it bypasses search engine ranking requirements.
What should I do if I have already entered my payment details on a suspicious site?
Contact your bank or card issuer immediately and report the transaction as potentially fraudulent. Request a new card number. Change passwords on any accounts that used the same password as you entered on the suspect site. Report to your country's cybercrime reporting service (IC3 in the US, Action Fraud in the UK, CAFC in Canada, Scamwatch in Australia).
Can I check if a site is safe before an app opens it?
Copy the URL from the app (long press on mobile usually gives a "copy link" option) and paste it into tracemyiponline.com/url-scanner before tapping to open. This works for links in emails, social media apps, and messaging apps.
The Thirty-Second Habit Worth Keeping
The checks described here take 30 seconds for a basic review, two minutes for a thorough one. The fraud they prevent has cost individuals thousands of dollars and months of recovery time.
Fraudulent sites depend on urgency and the assumption that no one checks. "Limited stock, buy now, act fast" is not a coincidence — it is designed to prevent the 30-second check that would reveal the domain is three weeks old.
Check any site at tracemyiponline.com/url-scanner. Verify domain age at tracemyiponline.com/whois-lookup. Check IP reputation at tracemyiponline.com/blacklist-checker. All free at TraceMyIPOnline.com.