That moment of hesitation before you click, log in, or enter your information is now one of the most powerful defenses you have online. In 2026, scammers clone websites pixel-for-pixel, buy search ads that rank above real results, and run sophisticated MFA interception attacks to bypass traditional security. Bad grammar and ugly designs are mostly gone. A fast, deliberate verification habit is essential.
This complete guide from GACS.app — your go-to resource for digital safety — gives you everything you need to confidently answer “Is this website a scam?”
Table of contents
- Why “Is this website a scam?” is the most important question you'll ask today
- MFA interception attacks explained
- The 3 best free tools to check a website (2026 update)
- How to manually verify any website in under a minute
- FIDO2 passkeys & WebAuthn origin binding — the strongest defense
- Passkeys vs Biometrics: What's the difference?
- WebAuthn vs FIDO2: What's the difference?
- The #1 scam you'll see in 2026: government impersonation sites
- What to do if you've already been scammed
- How small business owners can protect their site from impersonation
- Frequently asked questions
- What's new in WebAuthn Level 3 (2026)
- Your 30-second scam check routine
Why “Is this website a scam?” is the most important question you'll ask today
Scam databases now track over 112 million webpages, with millions confirmed as fraudulent. Every day, tens of thousands of new suspicious pages are scanned. The cost of getting it wrong keeps rising — attackers steal credentials, intercept MFA in real time, and hijack accounts completely.
MFA interception attacks explained
Scammers stand up a fake login page that is really a reverse proxy sitting between you and the real site (an adversary-in-the-middle, or AiTM, attack; tools like Evilginx are commonly used).
- You enter your username and password on the fake site.
- The fake site forwards them to the real site in real time.
- The real site sends an MFA prompt (push notification, one-time code, etc.). You complete it normally, and the proxy relays that too.
- The real site issues a session cookie. The proxy captures it before passing the logged-in page back to you.
- The attacker loads that cookie into their own browser and is now fully logged into your account, with no further password prompt or MFA challenge, for as long as the session lasts.
This attack defeats most traditional MFA: SMS codes, authenticator-app codes, and push approvals are all relayed as easily as the password, because none of them is tied to the site you are actually typing into.
The 3 best free tools to check “Is this website a scam?” (2026 update)
- [GACS.APP](/safe-scanner) (Powered by ScamAdviser) — Community-powered trust score, domain age, owner location, and user reports. Best starting point for most users.
- URLVoid — Scans the site against 30+ blocklists and security databases for technical red flags (malware, phishing lists, etc.).
- Ask Silver — Mobile-first WhatsApp bot. Send a link or screenshot and get a verdict in seconds — perfect for Marketplace, Instagram, or text deals.
Pro tip: Start with GACS.APP, then use URLVoid for deeper checks.
How to manually verify any website (even without tools)
- Domain inspection: Check for exact matches only. Watch for extra words, hyphens, or wrong TLDs (e.g., irs-gov.com instead of irs.gov).
- Contact page: Real businesses list verifiable physical addresses, working phones, and responsive emails.
- Trust seals: The padlock only means the connection to the site you are on is encrypted; scam sites get certificates too, so it says nothing about who runs the site. Click any BBB, McAfee, or trust seal; legitimate ones link to an official verification page, while fakes are usually just pasted images.
- Community feedback: Google “[site name] scam” and check recent Reddit or Trustpilot threads.
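The domain-inspection step above can be turned into a small check you run before typing anything. The following is an added example, not code from GACS.app or from any tool named in this guide; the official-host list and every sample URL in it are constructed for illustration.

```javascript
// Added example, not code from GACS.app or from any tool named in this guide.
// It applies the "exact matches only" rule to a URL before you type anything
// into it. The official-host list and every sample URL are constructed.

// Domains you bookmarked or typed yourself. Their subdomains are accepted;
// anything else is not, however similar it looks.
const OFFICIAL_HOSTS = ['irs.gov', 'example-bank.com'];

// Lower-case the hostname and drop scheme, path and query. new URL() also
// converts Unicode hostnames to punycode, so a homograph such as a Cyrillic
// "i" shows up as an "xn--" label instead of hiding behind a familiar shape.
function canonicalHost(rawUrl) {
  const url = new URL(rawUrl.includes('://') ? rawUrl : 'https://' + rawUrl);
  return url.hostname.toLowerCase().replace(/\.$/, '');
}

function hostMatches(host, official) {
  return host === official || host.endsWith('.' + official);
}

// Returns { host, verdict, reasons }. "official" means an exact match or a
// subdomain of one; "lookalike" means it borrows an official name without
// being one; "unknown" means only that the heuristics found nothing, not
// that the site is safe.
function inspectUrl(rawUrl, officialHosts = OFFICIAL_HOSTS) {
  const host = canonicalHost(rawUrl);
  if (officialHosts.some((o) => hostMatches(host, o))) {
    return { host, verdict: 'official', reasons: [] };
  }
  const reasons = [];
  const pieces = host.split(/[.-]/);      // "irs-gov.com" -> ["irs", "gov", "com"]
  const squashed = pieces.join('');       // "irsgovcom"
  for (const official of officialHosts) {
    const brand = official.split('.')[0].replace(/-/g, '');   // "irs", "examplebank"
    const officialSquashed = official.replace(/[.-]/g, '');  // "irsgov"
    if (pieces.includes(brand) || squashed.startsWith(brand) || squashed.includes(officialSquashed)) {
      reasons.push(`uses the name "${brand}" but is not ${official} or a subdomain of it`);
    }
  }
  if (host.split('.').some((label) => label.startsWith('xn--'))) {
    reasons.push('contains an internationalized (punycode) label: possible homograph');
  }
  return { host, verdict: reasons.length ? 'lookalike' : 'unknown', reasons };
}

// Constructed sample URLs; run with `node` to see each verdict.
for (const u of ['https://www.irs.gov/payments', 'irs-gov.com', 'https://irs.gov.example.net/login', 'https://іrs.gov/']) {
  console.log(u, '->', inspectUrl(u).verdict);
}
```

The last sample uses a Cyrillic "і" in place of the Latin letter; the check catches it only because the URL parser rewrites the hostname to punycode. Treat "unknown" as "not yet verified", not as a pass.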
FIDO2 passkeys & WebAuthn origin binding — the strongest defense
FIDO2 passkeys are a passwordless authentication method built on public-key cryptography: the site never receives a shared secret (a password or a one-time code) that a proxy could capture and replay.
How passkeys work:
- Your device creates a unique public-private key pair.
- The private key never leaves your device.
- The website only stores the public key.
WebAuthn origin binding (the magic feature): A passkey created for irs.gov is bound to that exact domain (its relying-party ID). When a site asks the browser to use a passkey, the browser first checks that the page's real origin belongs to that domain; a phishing site on irs-gov.com, even a perfect clone, fails that check and never gets a signature. As a second layer, the browser writes the page's true origin into the data the authenticator signs, so the real site can reject any assertion that was not produced on its own origin, and a proxy cannot edit the origin without breaking the signature. The passkey simply does not work on fake sites.
This defeats MFA interception attacks at the protocol level: there is no code or approval for the proxy to relay.
Quick setup guide (2026):
- Google: myaccount.google.com/signinoptions/passkeys → Create a passkey.
- Apple: Enable iCloud Keychain — passkeys sync automatically across devices.
- Microsoft: account.microsoft.com → Security → Add sign-in method → Passkey.
Recommendation: Create passkeys on at least two devices. Use synced passkeys for convenience and a hardware security key (YubiKey) for critical accounts.
Passkeys vs Biometrics: What's the difference?
Passkeys and biometrics are not the same thing, though they often work together. Understanding the difference matters for security.
Quick summary:
- Biometrics = something you are (fingerprint, face, iris). They handle local user verification.
- Passkeys = a complete cryptographic credential (public-private key pair). They handle remote authentication.
Detailed comparison:
| Aspect | Biometrics alone | Passkeys (FIDO2) |
| --- | --- | --- |
| What it is | Physiological trait | Cryptographic key pair |
| How it works | Matches a physical feature on the device | Private key signs a challenge; unlocked by biometrics or PIN |
| Phishing resistance | None | Extremely high (WebAuthn origin binding) |
| Remote authentication | Not suitable by itself | Yes: full passwordless login |
| Cross-device / sync | Device-specific only | Yes (synced passkeys via iCloud Keychain, Google Password Manager, etc.) |
| Revocability | Cannot be changed | Can be revoked or deleted like a password |
| Data exposure | Biometric template stays on the device | No biometric data is sent to the website |
| Security level | Good for device unlock | Very high ("something you have" plus "something you are" or "something you know") |
| Best use case | Unlocking your phone or local app sessions | Logging into websites and services securely |
How they work together:
Most modern passkeys use your device biometrics (Face ID, Touch ID, Windows Hello) or a PIN to unlock the private key before it signs into a website. You get the convenience of a quick face scan, but the actual security comes from the cryptographic passkey, not the biometric itself. You can also use a device PIN or pattern instead of biometrics if you prefer.
Key advantages of passkeys over plain biometrics:
- Phishing protection: A passkey for bank.com will not work on bank-login.com due to origin binding.
- No shared secret: Nothing is sent that an attacker can steal and reuse.
- Cross-platform: Works across your phone, laptop, and different operating systems.
- Recoverable: You can revoke a lost or compromised passkey.
- Standards-based: Built on FIDO2/WebAuthn.
Plain biometrics (e.g., a Face ID prompt on a website that has not adopted passkeys) usually just unlock a stored password, cookie, or token underneath; that underlying secret can still be phished or replayed, so they do not provide the same remote authentication strength.
Recommendation for 2026: Use passkeys (unlocked with biometrics) as your primary login method wherever supported. They combine the convenience of biometrics with cryptographic security that plain biometrics or passwords cannot match. For maximum protection on critical accounts, pair passkeys with a hardware security key as backup.
WebAuthn vs FIDO2: What's the difference?
People often say "FIDO2 passkeys" and "WebAuthn login" as if they are the same thing. They are closely related, but not identical:
| Aspect | FIDO2 | WebAuthn |
| --- | --- | --- |
| Scope | Umbrella project / overall standard | Browser API part of FIDO2 |
| What it is | Enables passwordless, phishing-resistant authentication | JavaScript API websites call to create and use passkeys |
| Developed by | FIDO Alliance + W3C | W3C Web Authentication Working Group (with FIDO) |
| Key components | WebAuthn + CTAP2 | Browser-side API only |
| Developer code | Rarely directly | Yes — navigator.credentials.create() / .get() |
| Origin binding | Enforced through the full system | The core mechanism that makes passkeys phishing-resistant |
| Current version | FIDO2 (ongoing) | WebAuthn Level 3 (Candidate Recommendation, May 2026) |
Simple analogy: FIDO2 is the entire electric car ecosystem (battery, motor, charging protocol). WebAuthn is the dashboard and steering wheel — what the driver (the website) actually touches. CTAP is the wiring that lets the car talk to external parts, like a roaming security key.
Why this matters for scam protection: WebAuthn is where origin binding lives. A passkey created for irs.gov is cryptographically locked to that exact domain and will simply refuse to work on irs-gov.com or any clone. That is the feature that defeats real-time MFA interception.
When GACS says "Use FIDO2 passkeys," we mean WebAuthn in the browser + a FIDO2-compliant authenticator. You cannot have FIDO2 without WebAuthn, but WebAuthn is only one piece of the full FIDO2 vision. Read the full comparison in our WebAuthn vs FIDO2 guide.
The #1 scam you'll see in 2026: government impersonation sites
Scammers buy Google ads for “renew passport,” “pay taxes,” “claim benefits,” etc. The top “Sponsored” result looks identical to the real .gov site and uses MFA interception.
Ironclad defense:
- Never click sponsored ads for government services.
- Bookmark official .gov URLs or type them directly.
- Use FIDO2 passkeys wherever available: a passkey registered for the real .gov domain will not sign in on any other origin, so a cloned site gets nothing to relay.
What to do if you've already been scammed
- Stop all contact immediately. Block everything.
- Change passwords, and sign out of all devices (or revoke active sessions) on every affected account, because the attacker may still hold the stolen session cookie. Then switch to passkeys where supported, or at least app-based MFA; remember that codes and push approvals can still be relayed by the proxy described above.
- Contact your bank/credit card to dispute charges.
- Report to: GACS, ReportFraud.ftc.gov, and IC3.gov.
- Place a fraud alert or credit freeze.
- Ignore “recovery” offers — they are usually secondary scams.
How small business owners can protect their site from impersonation
- Monitor for lookalike domains.
- Register common misspellings and alternative TLDs.
- Implement DMARC email authentication (on top of SPF and DKIM) so that receiving mail servers can reject messages forged from your domain.
- Publish a “How to know it's really us” page listing your exact domains and payment methods.
- Offer FIDO2 passkeys to your customers for phishing-resistant logins.
Frequently asked questions
Can I check websites for free?
Yes. GACS.APP, URLVoid, and Ask Silver are completely free.
What's the best tool?
GACS.APP for most people. Combine with URLVoid when needed.
Are passkeys really better than regular MFA?
Yes. Thanks to WebAuthn origin binding, they are strongly phishing-resistant.
How fast can scammers build fake sites?
Skilled operators can launch convincing clones in under an hour using phishing kits and AI.
What's new in WebAuthn Level 3 (2026)
WebAuthn Level 3 (W3C Candidate Recommendation, May 2026) is the “passkey maturity” update. It keeps the strict cryptographic origin binding that makes passkeys phishing-resistant, and adds quality-of-life upgrades that make adoption far easier:
- Client Capabilities — sites can detect supported features and adapt the UI.
- Conditional Create & Get — smoother usernameless / passwordless flows.
- Related Origin Requests (ROR) — controlled passkey use across related domains that a single RP ID could not cover before (e.g. example.com and example.co.uk), declared by the RP at /.well-known/webauthn.
- Signal API — sites can tell authenticators which credentials are valid, deleted, or updated, keeping synced passkeys clean.
- Hybrid Transport — better cross-device flows (phone ↔ desktop via QR/Bluetooth).
- PRF extension — derive cryptographic keys from passkeys for encryption use cases.
Read the full breakdown in our WebAuthn Level 3 guide.
Your 30-second scam check routine for 2026
Before entering any information:
- Paste the URL into GACS.APP — check trust score and domain age.
- Inspect the actual web address for typos or suspicious extensions.
- Quick search: “[site name] scam”.
- For logins: prefer passkeys or type/bookmark the official URL. Never click suspicious links.
- Pause when you feel urgency or FOMO. Bookmark this guide. Share it with family and friends. Report every scam you spot on GACS.app.
Every check and every report makes the internet safer.
