Skip to content
Breachfolio
GUIDES · PHISHING

Is this domain fake or suspicious? Here's how to check.

A padlock icon proves nothing about who's actually running a site. Here's what to actually look at before you trust a link.

July 9, 20268 min read

Checking whether a domain is fake isn't just about looking for the padlock icon or "https" in the address bar. Plenty of phishing sites have valid certificates and professional-looking designs — a certificate only confirms that traffic between you and the server is encrypted, not that the server belongs to who it claims to be. Certificate authorities issue certificates to whoever controls a domain, full stop; they don't verify that the domain belongs to a particular company, so a scammer who registers a convincing-looking domain gets the same padlock icon a bank does.

The real signals come from looking at several things together: the actual domain name, its context, how old it is, where it redirects, and what it's actually asking you for. No single one of these is decisive on its own — a brand-new domain isn't proof of anything by itself, and neither is a long domain name — but when several of them line up, the picture usually becomes obvious quickly.

SignalWhat to check
Real domainThe part right before the ".com"/".net" — not the link text, not the logo
Domain shapeExtra hyphens, brand name + "secure"/"verify"/"login" stacked on an unfamiliar base
Registration ageBrand-new domain impersonating an established company = red flag
Safe Browsing statusAlready flagged = stop immediately; not flagged ≠ proven safe
What it asks forCard numbers, OTPs, passwords, seed phrases — the strongest signal of all

Look at the real domain, not the link text or logo

A link's displayed text can say anything the sender wants it to say, and a page's logo is just an image — neither one proves anything about where a link actually goes or who built the page. What matters is the actual domain sitting in the address bar, or the actual destination hidden behind a link.

On mobile this is especially easy to miss, since the address bar shows less of the URL and often truncates it. Before tapping a link in a text message or email, press and hold it (or long-press to copy it) to preview the real destination instead of trusting how it's labeled. On desktop, hovering over a link usually shows the real URL in the corner of the browser. A domain containing words like "irs," "bank," "usps," or "secure" proves nothing about who actually owns it — anyone can register a domain with those words in it.

Be suspicious of long domains and excessive hyphens/subdomains

Real organizations tend to use short, clean domains. Scammers, by contrast, often need to cram a brand name and a reassuring word into a domain that's already taken in its short form, so they stretch it out. Illustrative examples of the pattern (these are fictional, not real sites): secure-account-verify-login.com, usps-package-tracking-update.info, or my-bank-online-signin.net.

The more forced and keyword-stuffed a domain looks — extra hyphens, a brand name followed by words like "secure," "verify," "update," or "login," stacked onto an unfamiliar base domain — the more it deserves scrutiny. Legitimate companies rarely need to bolt reassurance words onto their own domain name to prove they're legitimate.

The same instinct applies to unusual top-level domains and subdomain tricks. A message claiming to be your bank but landing on something like bank-of-example.security-alerts.com is using the real brand name as a subdomain of an unrelated base domain — the part that actually matters for ownership is the part right before the top-level domain (the ".com," ".net," or similar), not whatever comes earlier in the string. Scammers rely on people reading left to right and stopping as soon as they spot a familiar word.

Does it use a real brand's name without being that brand's real domain?

If a site mentions a bank, a delivery carrier like USPS, a government agency like the IRS, or a well-known platform, but the domain itself doesn't match that organization's actual site, treat it as a serious red flag. This is one of the most reliable signals available, because it's exactly the gap scammers can't close: they can copy a logo pixel-for-pixel, but they can't use the real organization's actual domain.

Don't use the link you were sent to "find" the official site by clicking through and looking around — if the domain is already wrong, everything downstream of it is untrustworthy too. Instead, type the organization's real address into the browser yourself, from memory or from a saved bookmark, or search for it independently through a search engine and confirm the result matches what you already know about that organization.

Check public registration data

ICANN Lookup, at lookup.icann.org, lets you check public registration data for a domain — who registered it, when it was created, and which nameservers it uses, depending on what privacy settings the registrant has enabled. Many domains use privacy protection services that hide the registrant's name, which is common and not inherently suspicious on its own.

What matters more than any single field is the creation date. A brand-new domain isn't automatically malicious — legitimate businesses launch new sites all the time. But a brand-new domain that's imitating a real, established company and asking you for sensitive information is a real risk signal worth weighing heavily. An organization that's been operating for a decade should not suddenly be running its login page from a domain registered last week.

Check if it's already flagged as unsafe

Google's Safe Browsing Transparency Report, at transparencyreport.google.com/safe-browsing, shows whether Google currently flags a given site as unsafe for phishing, malware, or other harmful content. You can paste a domain in directly and get a status.

If a site is flagged, stop — don't enter anything, don't continue browsing it, and don't dismiss the warning as a false positive without solid reason. If it's not flagged, that doesn't guarantee the site is safe. Brand-new phishing domains are often live for hours or days before they get indexed and flagged anywhere, so a clean result here is reassuring but not conclusive on its own.

Look at what the page is actually asking for

This is often the strongest signal of all, and the one that matters most in the moment. A request for card numbers, CVV codes, one-time passcodes, Social Security numbers, usernames and passwords, or a crypto wallet's seed phrase should stop you regardless of how polished the page looks, how convincing the branding is, or how urgent the message sounds.

Legitimate sites essentially never need you to type a seed phrase into a web form, and no legitimate login flow needs you to read back or type in a one-time code somewhere other than the service's own official app or site. If a page is asking for that combination of information, treat the domain question as already answered.

Watch for redirects and shortened links

Shortened URLs — the kind produced by link-shortening services — hide the real destination until you click through, which is exactly why scammers like them. A message that uses a shortened link to request payment, a login, or personal information deserves extra suspicion simply because you can't verify the destination before committing to it.

Multiple redirects chained together are sometimes used deliberately, both to make the trail harder to analyze after the fact and to let the attacker swap out the final landing page quickly if the current one gets flagged or taken down. If a link bounces through several different domains before landing somewhere asking for information, that chain itself is worth noting.

There are legitimate uses for shortened links and redirects too — marketing platforms, analytics tools, and app download flows all use them routinely — so a shortener alone isn't proof of anything. What raises the stakes is the combination: a shortened or redirecting link paired with an urgent request for money, credentials, or personal information is a much stronger signal than either one on its own.

Quick checklist

  • Unusually long domain name with excessive hyphens or subdomains
  • Uses a recognizable brand name, but the domain doesn't match that brand's real site
  • Recently registered, especially if it's imitating an established organization
  • Uses a link shortener to hide the real destination
  • Redirects through multiple domains before landing on the final page
  • Asks for passwords, card numbers, one-time codes, or a wallet seed phrase
  • No clear contact information, company details, or legal pages on the site
  • Excessive urgency in the messaging — a countdown, a threat, a "final notice"
The one-sentence version. No single signal proves a domain is fake, but several of these together — especially a site using a real brand's name while asking for sensitive data — should stop you cold until you've verified it independently.