Is This Website Legit? A 12-Point Checklist Before You Buy
Every online store looks legitimate for the first few seconds. Clean layout, a checkout button, product photos, maybe a countdown timer telling you the sale ends tonight. None of that tells you whether the company on the other end will actually ship what you ordered, honor a return, or protect the card number you’re about to hand over.
The good news: you do not need to be a security researcher to tell the difference. Almost everything that separates a real business from a fly-by-night storefront is checkable in a browser tab in a few minutes, before you type in a card number. Below are twelve checks worth running on any online store you have not bought from before, especially one you found through an ad or a social media post rather than a search or a friend’s recommendation.
No single check here is proof of anything by itself. A brand-new domain is not automatically a scam — every legitimate business was new once. A missing “About” page is not automatically a scam either. What matters is the pattern: a store that fails one of these checks is worth a second look, and a store that fails four or five of them, especially in combination, is telling you something worth listening to.
1. Look Up How Old the Domain Actually Is
Every website’s domain name has a public paper trail. Registration records show when the domain was first created, which registrar it runs through, and when it is due to expire — and unlike a testimonial or an “About Us” page, a domain’s creation date cannot be edited to look better.
How to do it: Copy just the domain itself (the “brand.com” part, no “https://” and no extra pages after it) and paste it into a WHOIS lookup tool such as ICANN Lookup or whois.com. Find the “Creation Date” or “Registered On” field in the results.
Red flag: The registrant’s name, address, and email are often blocked out by default — that is normal privacy redaction that most registrars have applied since European data-protection rules took effect, not a sign of anything shady on its own. What is worth noticing is a domain registered days or weeks ago that is paired with claims of being an established company: a copyright notice reading ”© 2015–2026,” a footer that says “trusted since 2010,” or reviews on the site itself that reference years of loyal customers. New business, old story — that mismatch is the tell.
2. Make Sure the Connection Is Actually Encrypted
A padlock icon in the address bar used to mean something close to “this site paid to prove who it is.” It no longer does. Free, automated certificate services made basic encryption nearly universal, so HTTPS on its own is now table stakes, not proof of trustworthiness — but the absence of it is still a serious warning sign, especially at checkout.
How to do it: Check that the address bar shows “https://” (not “http://”) on every page, particularly the checkout and payment pages. Click the padlock icon and view the certificate details; it should be issued to the actual domain you are visiting, not to some unrelated name.
Red flag: A checkout page served over plain “http://,” a full-page browser warning about the connection not being private, or a certificate issued to a domain that does not match the one in your address bar. Any of those means your payment details would travel unencrypted or to the wrong place — close the tab.
3. Look for Contact Information You Could Actually Use
A real business wants to be reachable, because unreachable businesses cannot process returns, resolve disputes, or keep customers. A storefront that only offers a contact form is choosing to be hard to reach.
How to do it: Look for a physical address, a phone number, and an email address that uses the company’s own domain rather than a free Gmail or Outlook account. Paste the address into Google Maps or Street View and see whether it corresponds to a real office, warehouse, or storefront rather than an empty lot, a residential house, or a mailbox rental store. If a phone number is listed, call it.
Red flag: No phone number anywhere on the site, an email address on a free consumer domain instead of the company’s own, or a listed address that turns out to be unrelated to the brand when you look it up independently.
4. Read the Return and Refund Policy Before You Buy
Marketing copy tells you what a company wants you to believe. A return policy tells you what a company is actually willing to commit to in writing, which is a far better predictor of what happens if something goes wrong.
How to do it: Find the returns or refunds page — usually linked in the site footer — before you add anything to your cart. Note the return window in days, whether the customer or the seller pays return shipping, and whether refunds go back to your original payment method or only as store credit.
Red flag: No returns policy published anywhere, a policy that only offers store credit rather than a refund, an unusually short window (under seven days), or fine print that excludes the exact category of item you are about to buy.
5. Study How the Reviews Are Distributed, Not Just the Average
A glowing star average tells you almost nothing on its own. What matters is the shape of the ratings behind that number and where those reviews actually live.
How to do it: If the only reviews you can find live on the seller’s own product pages, treat that number skeptically — a site controls what gets published on its own domain. Look instead for the brand’s profile on an independent platform, and search the brand name plus “reviews” plus “reddit” or “scam” in a search engine to see what independent, unaffiliated discussion turns up. On any review platform, check the distribution across star ratings rather than just the average, and glance at the dates: a wall of five-star reviews all posted within the same few days is a common sign of a purchased or incentivized review push.
Red flag: Reviews that exist only on the seller’s own site, generic five-star praise with no specifics about the product, and clusters of reviews posted on the same handful of dates rather than spread out naturally over time.
6. Pay Attention to How You’re Asked to Pay
The payment method a checkout page pushes you toward tells you a lot about how much protection you would have if the order goes wrong.
How to do it: Check whether the site accepts a credit card or a payment processor like PayPal, both of which give you a real path to dispute a charge if the item never arrives or is not as described. Notice if the checkout steers you toward — or only accepts — a bank wire transfer, cryptocurrency, a gift card, or a peer-to-peer app payment sent as “friends and family.”
Red flag: Any pressure, discount, or requirement to pay by wire transfer, gift card, or crypto instead of a card. Those payment methods are difficult or impossible to reverse once sent, which is exactly why scam operations prefer them — a legitimate retailer has no reason to avoid ordinary card payments.
7. Check Whether the Social Media Presence Is Real
Social icons in a website footer are just images. Anyone can drop a Facebook or Instagram logo into a footer whether or not an active account is behind it.
How to do it: Click each social icon and confirm it actually leads to a working profile rather than the platform’s homepage or a dead link. On the profile itself, check when the account was created, how often it posts, and whether the follower count roughly matches the level of engagement (likes, comments, shares) on individual posts.
Red flag: Social icons that do not link anywhere real, an account created only weeks ago with a handful of posts, or a large follower count paired with almost no comments or engagement — a common pattern when followers have been purchased rather than earned.
8. Scan for Sloppy Spelling, Grammar, and Stock Photos
Professional retailers proofread their own websites, because typos and awkward phrasing cost them sales. Sloppy copy is cheap to notice and surprisingly reliable as a signal.
How to do it: Read the “About” page and a product description or two closely, not just skim them. Watch for phrasing that reads like a direct machine translation, inconsistent product names, or formatting that shifts between sections. For product photos, right-click a suspicious one and run a reverse image search (Google Images or TinEye both offer this) to see whether the exact same photo is being used across unrelated storefronts.
Red flag: Awkward, inconsistent, or machine-translated text on a site claiming to be a long-established Western brand, and a reverse image search that turns up the same product photo on several unrelated store names — a strong sign of a dropshipping template rather than an original retailer.
9. Do the Math on “Too Good to Be True” Pricing
A steep discount is not inherently suspicious — real sales happen. What is worth double-checking is a price so far below the norm that it would not cover the cost of the product itself.
How to do it: Before you buy, search for the same or a similar product to see what it typically costs elsewhere. If a listing claims an 80–90% markdown from a “list price” you cannot find anywhere else, treat that original price as marketing rather than fact, and judge the deal by the actual dollar amount instead. Watch for urgency tactics stacked on top of the discount — a countdown timer that resets when you reload the page, or a “3 left in stock” banner that never changes.
Red flag: A price that would not realistically cover materials and shipping for that category of product, a “was” price that appears nowhere else online, or a countdown timer and low-stock warning that reset or stay identical no matter when you check back.
10. Check Whether the Company Is Registered Anywhere
Operating a business under a company name usually means that name is registered with a government body somewhere, and that registration is often a matter of public record.
How to do it: If the site lists a US state in its address, search that state’s Secretary of State business registry for the company name. If it claims to be a UK company, check the free Companies House register. Many storefronts also list a registered business number in the footer near their address or terms of service — search that number directly.
Red flag: A company name that does not turn up in the business registry for the state or country it claims to operate in, or a site that lists no business name or registration number anywhere at all, only a brand name.
11. Read the Privacy Policy for Who Actually Gets Your Data
Most legitimate online businesses publish a privacy policy, partly out of good practice and partly because a range of laws — including the EU’s GDPR and California’s consumer privacy law — require many businesses that collect personal data to disclose how they use it. A missing or clearly fake policy is a meaningful gap.
How to do it: Open the privacy policy and skim past the boilerplate to the sections on data sharing and third parties. Watch for obvious template leftovers, like placeholder text reading “[Company Name]” or “[Insert State],” or a company name in the policy that does not match the brand you are actually shopping on.
Red flag: No privacy policy at all, or one that is clearly a copy-pasted template — mismatched company names, leftover placeholder brackets, or boilerplate that describes a different kind of business entirely.
12. Verify Trust Badges Instead of Trusting Them on Sight
“Verified Secure,” “SSL Protected,” “Featured On,” and award-style seals are some of the easiest things on a website to fake, because a badge is just an image file. Nothing stops a site from displaying one it has no right to.
How to do it: Click the badge. A real security or verification badge links through to the issuing organization’s own site, where it confirms the credential for that specific domain. A static image that does not link anywhere, or links only to the seller’s own homepage, is decorative at best. For “as seen on” logos referencing news outlets, search the brand name together with that outlet’s name to see whether real coverage exists.
Red flag: A badge that is not clickable, a badge that links to a page not actually run by the organization it claims to represent, or “as seen on” logos for outlets that show no trace of ever covering the brand when you search independently.
No Single Check Is Proof — the Pattern Is
A three-week-old domain is not a scam by itself. A copy-pasted privacy policy is not a scam by itself. Neither is a missing phone number, or a discount that looks steep. But a store that fails four or five of these checks at once, in combination, is telling you something worth listening to no matter how good the product photos look.
Keep this list somewhere you can find it, and run through as many items as you have time for the next time you are about to buy from a brand you have not heard of before. Ten minutes of checking is a small price for the peace of mind, and it is a habit that gets faster every time you do it.
It is also close to the process behind everything else on this site: we run a version of this same checklist against every brand before we publish a review, so you do not have to start from scratch each time you are deciding whether to trust somewhere new.