10 Warning Signs of a Phishing Website

Updated June 2026 · 4 min read

Phishing is when criminals build a fake website that copies a real one — your bank, an online shop, a delivery service — to trick you into handing over passwords or card details. The good news? Almost every fake site gives itself away somewhere. Here is how to spot a phishing website using ten warning signs anyone can check, with no technical skills needed.

1. Urgent or threatening language

"Your account will be closed in 24 hours." "Unauthorised sign-in detected — verify now." Scammers want you scared, because scared people click without thinking. Real companies almost never threaten instant account closure, and they don't mind if you log in later through their official app or website instead.

2. A misspelled or look-alike web address

Look closely at the address bar at the top of your browser. Fake sites use addresses that look right at a glance but are slightly off:

• arnazon.example — an "r" and an "n" squeezed together to imitate an "m"
• faceb00k.example — zeros standing in for the letter "o"
• paypa1.example — the number one pretending to be a lowercase "l"

Reading the address slowly, character by character, defeats this trick every time.

3. The wrong domain after the brand name

This is the classic phishing trick, so it deserves its own entry. The only part of a web address that matters is what sits right before the first single slash — everything earlier can be faked. Compare:

• paypal.com/signin — really PayPal, because the address ends in paypal.com just before the slash
• paypal.com.secure-check.example/signin — actually a site called secure-check.example wearing a PayPal costume

4. No padlock on a login page

The little padlock near the address means the connection is encrypted — scrambled so nobody can read what you send. If a page asks for a password or card number and there is no padlock, or your browser says "Not secure", leave immediately. One caution: a padlock alone does not prove a site is honest, because scammers can get padlocks too. Treat it as a minimum requirement, not a seal of approval.

5. Offers that are too good to be true

A brand-new phone for ten dollars. A "government grant" you never applied for. A lottery you never entered. Phishing website examples like these all share one idea: dangle something amazing so you stop asking questions. If a deal would be front-page news in real life, it's bait.

6. Generic greetings and clumsy writing

Your bank knows your name. A page that greets you as "Dear Valued Customer" — or is littered with odd grammar, random capital letters, and missing words — was probably thrown together in a hurry, often machine-translated. One typo can happen to anyone; a page full of them is a pattern.

Checking all of this by hand gets easier with practice — and if you'd like a second pair of eyes, our free browser extension runs these same checks automatically and turns its shield red on suspicious pages.

7. Links that don't go where they say

The text of a link and its real destination can be completely different. On a computer, hover your mouse over a link without clicking, and the true address appears in the bottom corner of the browser. On a phone, press and hold the link to preview it. If the link shows your bank's name but the preview reveals login-verify-account.example, you've caught a phish.

8. Unusual payment methods

No legitimate shop or government office demands payment only in gift cards, cryptocurrency, or wire transfers. Scammers love these methods because they are nearly impossible to reverse or trace. A "tax office" asking for gift cards is not the tax office.

9. A brand-new or throwaway domain ending

The domain ending is the last piece of the address — .com, .org, and so on. Scam sites are often built on endings that are cheap or free to register, and the whole site may be only days old, made to be thrown away once it gets reported. A famous store suddenly operating from an address like megastore-clearance.example that didn't exist last month deserves serious suspicion.

10. Pressure to act immediately

Countdown timers, "only 2 left in stock", "offer expires in 10 minutes" — manufactured urgency is the glue that holds every other trick together. Real opportunities survive a coffee break. Anything that punishes you for pausing is designed to stop you from thinking.

When in doubt, close the page and type the company's official address into your browser yourself, or open its app. No genuine company will ever penalise you for taking thirty seconds to be careful.

The 30-second checklist

Before typing anything sensitive into a website, run through this:

1. Read the address slowly — is every letter exactly right?
2. Check what sits just before the first slash — is it the brand's real domain?
3. Is there a padlock on the page asking for your details?
4. Hover over (or long-press) the links — do they go where they claim?
5. Is anyone rushing you, scaring you, or promising you the moon?

If any answer feels wrong, trust that feeling. These fake website warning signs stop the overwhelming majority of scams — and the few seconds they take cost far less than a stolen password.