March 2, 2026

By PhishClean Research Team - browser security guidance based on phishing analysis, defensive research, and product work.

How to Check If a Website Is Safe

You're about to enter your credit card number on a site you've never used before. Or maybe you clicked a link in an email and the login page looks right but something feels off. Here are 7 things you can check in under 30 seconds — and what actually matters versus what doesn't.

First, the thing everyone gets wrong

The padlock icon in your browser's address bar does not mean a website is safe. It means the connection is encrypted. Those are very different things.

A phishing site can have HTTPS. In fact, most do. Free certificates from Let's Encrypt take about 30 seconds to set up. The padlock tells you nobody can eavesdrop on your connection to the server — but it says nothing about who runs the server.

So yes, check for HTTPS. But don't stop there.

1. Check the domain name carefully

This is the single most important check and the one most people rush past. Phishing sites use domain names that look close to the real thing:

Read the domain from right to left. The actual domain is always the last two parts before the path: in accounts.google.com/signin, the domain is google.com. In google.com.login-verify.net/signin, the domain is login-verify.net. That second one is not Google.

2. Look at where the login form sends your data

This one's more technical, but it's the check that catches the most sophisticated attacks. Right-click on the page, select "View Page Source" or "Inspect Element," and look at the <form> tag. Where does its action attribute point?

If you're on mybank.com but the form submits to data-collector.xyz, something is very wrong. This is exactly what PhishClean's domain mismatch detection catches automatically — it compares the page's domain to the form's submission target on every page you visit.
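Checks 1 and 2 (plus the plain-HTTP case from check 3) can be expressed in a few lines. This is an added example, not PhishClean's code; it goes beyond the two-part rule above by also handling multi-label suffixes such as co.uk. The function names and the short suffix list are assumptions made for illustration.

```javascript
// Constructed sample, NOT the full Public Suffix List (assumption for this example).
const MULTI_LABEL_SUFFIXES = new Set(["co.uk", "com.au", "co.jp", "com.br"]);

// Return the registrable domain: the part someone actually registers.
function registrableDomain(hostname) {
  const host = hostname.toLowerCase().replace(/\.$/, "");
  // IP literals have no registrable domain; compare them whole.
  if (/^[\d.]+$/.test(host) || host.includes(":")) return host;
  const labels = host.split(".");
  if (labels.length <= 2) return host;
  const lastTwo = labels.slice(-2).join(".");
  // When the last two labels are themselves a suffix, keep three labels.
  const keep = MULTI_LABEL_SUFFIXES.has(lastTwo) ? 3 : 2;
  return labels.slice(-keep).join(".");
}

// Compare each form's submission target with the page it sits on.
// In a browser, `actions` could be collected with:
//   [...document.forms].map(f => f.getAttribute("action") || "")
function checkFormTargets(pageUrl, actions) {
  const page = new URL(pageUrl);
  const pageDomain = registrableDomain(page.hostname);
  return actions.map((action) => {
    // An empty or relative action resolves against the page URL.
    const target = new URL(action, page);
    const targetDomain = registrableDomain(target.hostname);
    return {
      target: target.href,
      targetDomain,
      crossDomain: targetDomain !== pageDomain, // data leaves the site you think you're on
      insecure: target.protocol !== "https:",   // credentials would travel unencrypted
    };
  });
}

// Constructed inputs reusing the hostnames from the article.
console.log(registrableDomain("google.com.login-verify.net"));
console.log(checkFormTargets("https://mybank.com/login", [
  "/session",
  "https://data-collector.xyz/collect",
  "http://mybank.com/legacy-login",
]));
```

A cross-domain target is not always malicious (some sites post to a separate single sign-on domain), so treat crossDomain as a prompt to look closer rather than a verdict.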

3. Check for HTTPS (but understand its limits)

If the site is asking for a password or payment info over plain HTTP — no padlock, just http:// — close the tab. Your data will be sent in plain text that anyone on the network can read.

But remember: HTTPS only means the connection is encrypted. It doesn't verify that the site is legitimate, that it's not a scam, or that it handles your data responsibly. Think of it as a minimum requirement, not a seal of approval.

4. Look for contact information and a real business

Legitimate businesses have an About page, a physical address (or at least a registered business entity), and a way to contact them. Phishing sites almost never bother with these details because they only need to exist for a few hours.

This isn't foolproof — scammers can fake contact info too. But the absence of any business information on a site asking for your credentials? That's a red flag.

5. Be suspicious of urgency

"Your account has been compromised! Click here to verify NOW!" — this is the number one tactic in phishing attacks. Urgency bypasses your judgment. A real bank or service provider will never ask you to verify your password via an email link with a countdown timer.

If something feels urgent, go directly to the real website by typing the URL yourself. Don't click the link.

6. Check the page structure for anomalies

Phishing pages often get small details wrong. Things to watch for:

PhishClean detects some of these automatically. The VISUAL_ANOMALY and SUSPICIOUS_LOGIN_REGION signals fire when login form structures don't match typical patterns.

7. Use a browser security extension

You can manually check all of the above, but you probably won't do it on every page. That's where automation helps.

Chrome's Safe Browsing blocks known malicious URLs. uBlock Origin blocks ads and some malicious domains. PhishClean analyzes page content in real time — form targets, hidden iframes, HTTPS downgrades, leaked credentials, and more. They work best together.

No single check is enough on its own. Phishing has evolved past the "Nigerian prince" era. Modern phishing pages look pixel-perfect, use HTTPS, and even steal real content from the sites they imitate. The domain name and form behavior are your most reliable indicators.

What PhishClean Automates

You don't need to manually inspect every page you visit. PhishClean runs 15 detection signals on every page, automatically:

All of this runs locally in your browser. PhishClean doesn't see what sites you visit or what data you enter.

Frequently Asked Questions

Is a website safe just because it has HTTPS?

No. HTTPS means the connection is encrypted, not that the site is trustworthy. Phishing sites routinely use HTTPS — free certificates make it trivial. HTTPS is necessary but not sufficient for safety.

Can Google Safe Browsing catch all unsafe websites?

No. Safe Browsing maintains a blocklist of known malicious URLs, but new phishing sites appear faster than they can be reported. A phishing page that went live 30 minutes ago likely isn't in any blocklist yet. Real-time page analysis tools like PhishClean catch what blocklists miss.

What should I do if I already entered my password on an unsafe website?

Change your password immediately on the real site. If you used the same password elsewhere, change those too. Enable two-factor authentication. Check your account for unauthorized activity. If it was a financial site, contact your bank. See our full guide on post-phishing response.
