Updated June 2026

How to check if a website is a scam — the 10-point guide

Before you hand over a card number, run a website through these ten checks — domain age, SSL, payment methods, reviews, lookalike URL, reputation databases, and the social-proof basics scammers can't fake. Or paste the URL into our free Website Checker below and skip straight to the verdict.

Skip the checklist — check the site now

Paste any URL into the GACS Website Checker. It runs WHOIS, SSL chain, blacklist lookups, reputation scoring, lookalike-domain detection, and payment-method red-flag checks in under 5 seconds. Free, anonymous, no signup.


The 10-point scam-website checklist

  1. Check the URL and SSL certificate

    Look for typos and lookalike characters (rn→m, ı→i, 0→o). Confirm the address bar shows a padlock and the certificate's issued-to domain matches what you typed. SSL alone proves nothing — almost every scam site has one — but a missing padlock or a mismatched certificate is a definite stop.

  2. Verify domain age with WHOIS

    A site that claims to be an established brand but was registered in the last 30–90 days is almost always a scam clone. Look up the creation date on whois.com or run our automatic Website Checker — it pulls the same data and flags anything under 6 months old.

  3. Search the brand name + ‘scam’ or ‘review’

    Google the exact business name with the words ‘scam’, ‘review’, or ‘legit?’. Real complaints surface fast on Reddit, Trustpilot, BBB, and consumer-protection forums. No reviews at all on a site selling £200 trainers is itself a red flag.

  4. Check independent reputation databases

    Cross-check the domain on at least two of: GACS Blacklist, ScamAdviser, URLVoid, Google Safe Browsing, PhishTank, and your country's consumer-protection register. One source can lag; agreement across two is reliable.

  5. Inspect prices and payment methods

    Prices 50–80% below market on luxury goods, electronics, or designer fashion are the single biggest signal. Sites that accept only wire transfer, crypto, gift cards, Zelle, or Western Union — but not Visa, Mastercard, PayPal Goods & Services, or Apple Pay — have removed every consumer-protection path on purpose.

  6. Look for a real address, phone, and policy pages

    Open the Contact, About, Returns, and Privacy pages. Missing addresses, copy-paste boilerplate, free Gmail/Outlook contact emails, or a phone number that nobody answers all point to a shell site. Search the address in Google Maps — scam sites often list a residential house, a vacant lot, or a real address they've stolen from a legitimate competitor.

  7. Reverse-image-search the product photos

    Drag a product image into Google Images or TinEye. Stolen photos that appear on dozens of unrelated shops are the calling card of dropshipping scam farms.

  8. Test the social-media links

    Click the Facebook / Instagram / X icons in the footer. They should open active accounts that match the brand, not a generic platform homepage. New accounts with no posts, no followers, or comments disabled are flags.

  9. Watch for urgency, pop-ups, and fake countdowns

    “Only 2 left!”, “Offer expires in 04:59”, full-screen modals that block the back button — all are conversion-pressure patterns lifted from real e-commerce, but on a scam site they hide that you have no recourse once you pay.

  10. Run the GACS automated check before you pay

    Our free Website Checker bundles all of the above — WHOIS, SSL chain, blacklist databases, reputation scoring, lookalike-domain detection, payment-method flags — into one report in under 5 seconds. If anything is off, you'll see it before you hand over a card number.

Technical signals to look for

These are the under-the-hood signals our automated checker scores. You can verify them manually with WHOIS, SSL inspectors, and DNS tools, but most people are better off letting the tool do it.

  • Domain age under 6 months when the site claims to be an established brand.
  • WHOIS record fully redacted on a business site (legitimate companies usually publish a registrant org).
  • SSL certificate issued by a free CA (Let's Encrypt is fine on its own — but combined with a brand-new domain and luxury pricing, it's the canonical scam stack).
  • Server hosted in a country that doesn't match the claimed business location (e.g. a “UK retailer” on a Russian or Hong Kong IP).
  • DNS records pointing at known bulletproof / scam-hosting ASNs.
  • No SPF, DKIM, or DMARC records — meaning receiving mail servers cannot authenticate email sent in the domain's name, so any “order confirmation” you get is likely spoofed.
  • Lookalike domain: amazoη.com, paypa1.com, micros0ft-support.com, app1e-id.com, gov-uk-tax-refund.com.
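
The lookalike check from checklist item 1 and the last bullet above can be automated by folding confusable characters before comparing a hostname with a brand watchlist. The following is an added example, not GACS code; the watchlist, allowlist, verdict names and the `1→l` and `η→n` mappings are assumptions made for illustration.

```python
import unicodedata

# Assumed watchlist and allowlist for this example; extend for your own brands.
BRANDS = ["amazon", "paypal", "microsoft", "apple"]
OFFICIAL = {"amazon.com", "paypal.com", "microsoft.com", "apple.com"}
# Only the two government suffixes the guide names are treated as official.
GOV_SUFFIXES = (".gov", ".gov.uk")
# Substitutions from the guide (rn->m, dotless i, 0->o) plus 1->l and Greek eta.
CONFUSABLES = {"0": "o", "1": "l", "\u0131": "i", "\u03b7": "n", "rn": "m"}


def skeleton(text):
    """Fold text to the plain-ASCII shape a reader is likely to perceive."""
    text = unicodedata.normalize("NFKD", text.lower())
    text = "".join(c for c in text if not unicodedata.combining(c))
    for src, dst in CONFUSABLES.items():
        text = text.replace(src, dst)
    return text


def check_domain(host):
    """Return (verdict, matched_name) for one hostname."""
    host = host.strip().lower().rstrip(".")
    try:
        # Logs and certificates often carry the punycode (xn--) form.
        host = host.encode("ascii").decode("idna")
    except UnicodeError:
        pass  # already Unicode, or not valid IDNA: inspect it as given
    if any(host == d or host.endswith("." + d) for d in OFFICIAL):
        return ("official", None)
    # Candidate tokens: every label except the TLD, plus its hyphen-separated parts.
    tokens = [t for label in host.split(".")[:-1] for t in (label, *label.split("-"))]
    for token in tokens:
        for brand in BRANDS:
            if skeleton(token) == skeleton(brand):
                return ("brand-in-name" if token == brand else "lookalike", brand)
    if "gov" in tokens and not ("." + host).endswith(GOV_SUFFIXES):
        return ("gov-impersonation", "gov")
    return ("no-match", None)


# Constructed sample input: the guide's own lookalike examples plus two controls.
SAMPLES = ["amazo\u03b7.com", "paypa1.com", "micros0ft-support.com",
           "app1e-id.com", "gov-uk-tax-refund.com", "www.paypal.com", "example.org"]

if __name__ == "__main__":
    for name in SAMPLES:
        print(f"{name:28} {check_domain(name)}")
```

Matching whole tokens keeps names such as pineapple.com from being flagged for "apple", at the cost of missing brands glued to other words without a hyphen.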

Social & reputation signals

Even a technically clean site can be a scam if the social trail is wrong. These are the things humans spot faster than automated scanners.

  • Search results dominated by complaints, chargeback threads, or zero coverage at all for a brand claiming to have thousands of customers.
  • Trustpilot / Google reviews with a sudden burst of 5-star reviews in a single week, identical phrasing, or reviewer accounts that only review this one company.
  • Brand mentioned by name on r/scams, Trustpilot ScamWatch, or your national consumer body (Action Fraud UK, FTC US, Signal-Conso FR, BBB, ACCC).
  • Social-media accounts created within the last 90 days, with stock-photo team members or no team at all.
  • Reverse-image search of the “CEO” photo returns a stock-photo library or somebody else's LinkedIn page.

Hard red flags — close the tab

  • Pressure to pay outside the platform: “Your card was declined, please send by bank transfer / crypto instead.”
  • Email confirmations sent from a different domain than the site you ordered from.
  • “Customer support” reachable only via WhatsApp, Telegram, or a personal Gmail.
  • Returns / refunds page that requires you to pay the “return courier” upfront in crypto.
  • Cookie banner, privacy policy, or terms page that mention a completely different brand name — proof the template was copy-pasted from another scam.
  • A government-impersonation site (HMRC, IRS, GOV.UK, DHL, USPS) on any domain that isn't an official .gov / .gov.uk / company-owned domain.

If you've already paid — what to do

  1. Contact your bank within 24 hours and request a chargeback (card), Section 75 claim (UK credit card over £100), or disputed-transaction reversal (debit / wire). Speed matters — banks reject late claims.
  2. Report the website on GACS so it appears on the public blacklist for the next person who searches. One report can prevent dozens of future victims.
  3. File with your national consumer-protection body: reportfraud.ftc.gov (US), Action Fraud 0300 123 2040 (UK), Signal-Conso (FR), ACCC Scamwatch (AU), Europol's EC3 portal (EU). Include the URL, payment receipt, and any email correspondence.
  4. If you paid by crypto, file an IC3 report (US) immediately and forward the receiving wallet to your local cybercrime unit. Public on-chain tracing is fastest in the first 48 hours, before the funds are bridged or mixed.
  5. Never engage with a “recovery service” that contacts you afterward. Asset-recovery companies that find you (especially by DM or cold email) are almost always a second scam targeting victims of the first. Read our recovery-scam guide before paying any fee.

Frequently asked questions

What's the fastest way to check if a website is a scam?

Paste the URL into the GACS Website Checker at the top of this page. In under 5 seconds it runs WHOIS, SSL, blacklist, reputation, and lookalike-domain checks and returns a single green / amber / red verdict with the specific reasons. It's free and doesn't require an account.

Does a padlock (HTTPS) mean a website is safe?

No. The padlock only proves your connection to the server is encrypted. It says nothing about who runs the site or whether they'll ship your order. Over 90% of phishing sites detected in 2025 carried a valid SSL certificate, almost all from free issuers. Treat HTTPS as the bare minimum, not a safety guarantee.

How can I tell how old a website is?

Use a WHOIS lookup (whois.com, whois.domaintools.com) and read the “Creation Date” field. A brand that claims to have been around for years but shows a registration date in the last few months is almost certainly a clone. The GACS Website Checker pulls this for you automatically and flags any domain younger than 6 months.
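
To do the same check by hand on raw WHOIS output, the sketch below reads the “Creation Date” field, computes the domain's age, and also notes a redacted registrant organisation. It is an added example, not the GACS checker's code; the sample record, the flag names and the 183-day reading of “6 months” are assumptions.

```python
from datetime import datetime, timezone

MIN_AGE_DAYS = 183  # the guide's "under 6 months" threshold, approximated in days

# Constructed WHOIS response for a made-up domain (not real registry data).
SAMPLE_WHOIS = """\
Domain Name: EXAMPLE-TRAINERS-OUTLET.TEST
Registrar: Example Registrar, Inc.
Creation Date: 2026-04-02T09:14:31Z
Registry Expiry Date: 2027-04-02T09:14:31Z
Registrant Organization: REDACTED FOR PRIVACY
Registrant Country: PA
"""


def parse_whois(text):
    """Map lower-cased field names to their first non-empty value."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and value.strip():
            fields.setdefault(key.strip().lower(), value.strip())
    return fields


def assess_whois(text, now):
    """Return (age_in_days or None, list of flags) for one WHOIS response."""
    fields, flags, age_days = parse_whois(text), [], None
    raw = fields.get("creation date")
    if raw is None:
        # Some registries label or format this field differently; report it, don't guess.
        flags.append("no-creation-date")
    else:
        created = datetime.fromisoformat(raw.replace("Z", "+00:00"))
        if created.tzinfo is None:
            created = created.replace(tzinfo=timezone.utc)  # assume UTC when unmarked
        age_days = (now - created).days
        if age_days < MIN_AGE_DAYS:
            flags.append("young-domain")
    org = fields.get("registrant organization", "")
    if not org or "redacted" in org.lower() or "privacy" in org.lower():
        flags.append("registrant-redacted")
    return age_days, flags


if __name__ == "__main__":
    # Fixed "now" so the output is reproducible; use datetime.now(timezone.utc) live.
    print(assess_whois(SAMPLE_WHOIS, datetime(2026, 6, 22, tzinfo=timezone.utc)))
```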

What does it mean if the site asks me to pay by bank transfer or crypto?

It means you'll have no chargeback rights. Legitimate retailers accept card or PayPal Goods & Services because they expect chargebacks; scam sites push wire, crypto, gift cards, or peer-to-peer apps (Zelle, Cash App) because those are irreversible. If a checkout flow steers you off card, abandon the order.

How do I check if an online shop is legit before buying?

Run our Website Checker, then do three manual checks: (1) Google the brand + the word ‘scam’ — real complaints surface fast. (2) Reverse-image-search the product photo on Google Images or TinEye — if the same photo appears on twenty unrelated shops, it's a dropship or scam farm. (3) Confirm the site accepts Visa/Mastercard/PayPal and not just wire or crypto.

Is ScamAdviser accurate?

ScamAdviser is one of several reputation scorers; like any single source it can lag, miss new clones, or rate aggressively. The right approach is to cross-check against at least two sources — for example ScamAdviser plus GACS plus URLVoid — and read the reasons each gives, not just the score. Agreement across sources is what matters.

What should I do if I've already paid a scam site?

Move fast. (1) Contact your card issuer or bank within 24 hours and request a chargeback / Section 75 / disputed transaction. (2) Report the site on the GACS blacklist so the next person sees a warning. (3) File with your national consumer-protection body (FTC at reportfraud.ftc.gov, Action Fraud in the UK, Signal-Conso in France). (4) If you paid by crypto, file with IC3 (US) and your local police — recovery is rare but tracing is faster the sooner it's reported. Never use a paid “recovery service” that contacts you afterward — they are almost always a second scam.

Can I check a website on my phone?

Yes — the GACS Website Checker is mobile-first; paste any URL from a text message, social-media DM, or search result and it returns the same report. Save the page to your home screen for one-tap checking next time.


Sources: ICANN WHOIS, Google Safe Browsing transparency report, FTC Consumer Sentinel 2025, Action Fraud UK quarterly bulletin, APWG Phishing Activity Trends Report Q1 2026. Last reviewed June 22, 2026.