You've found a website that looks promising—maybe a new platform, an online store, or a service you've been considering. It looks professional, the prices are right, and the testimonials are glowing. But before you create an account, enter your credit card, or send personal information, how do you actually know it's legitimate?

This is the exact problem ScamsTester was built to solve, and we've distilled our evaluation process into a 15-point checklist that anyone can follow. You don't need technical expertise. You don't need special tools. You just need a browser and about 15 minutes of focused attention. Each checkpoint below will increase your confidence in a verdict—trustworthy or not.

1. Check the SSL Certificate

Look at the address bar. Does the URL start with "https://" and show a padlock icon, without a certificate warning you had to click through? Click the padlock to view the certificate details. The certificate is what lets your browser confirm it is really talking to a server for that domain; the TLS connection it sets up ("SSL" is the older name) then encrypts communication in transit, protecting data like passwords and credit card numbers from anyone sitting on the network path.

What to look for: A certificate issued to the exact domain in the address bar (the "Issued to" or Subject Alternative Name field; a look-alike spelling such as an extra letter or a different ending is a classic phishing tell) by a recognized Certificate Authority (Let's Encrypt, DigiCert, Sectigo (formerly Comodo), etc.). Check the expiration date: an expired certificate indicates either negligence or abandonment. Note that a valid certificate only proves the site controls that domain name, not that the people behind it are honest (scammers get free certificates in minutes), but its absence on any page that handles sensitive data is a disqualifying red flag.
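If you would rather run step 1 from a terminal than click through the padlock dialog, the script below does the same checks: it connects with a verifying TLS context (so a certificate the system trust store rejects raises an error, the equivalent of the browser warning page), then confirms the certificate names match the hostname you typed, that the validity window contains today, and who issued it. This is an added example, not ScamsTester's own code or tooling; SAMPLE_CERT is a constructed certificate laid out the way Python's ssl getpeercert() returns one, and SAMPLE_NOW pins the clock so the sample evaluates the same way every run.

```python
"""Added example, not ScamsTester's own code: fetch the certificate a site
presents and apply the step-1 checks (name match, validity window, issuer).
SAMPLE_CERT is a constructed certificate in the dict layout that Python's
ssl.SSLSocket.getpeercert() returns; fetch_peer_cert() does the live lookup."""
import socket
import ssl
import sys
import time


def fetch_peer_cert(hostname, port=443, timeout=5.0):
    """Connect with the default (verifying) context and return the leaf cert.
    A chain the system trust store rejects raises ssl.SSLCertVerificationError,
    which is the programmatic equivalent of the browser's warning page."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()


def name_matches(pattern, hostname):
    """Match one certificate name against the hostname typed in the address bar.
    A wildcard covers exactly one label (*.example.com matches www.example.com,
    but neither example.com nor a.b.example.com), per RFC 6125."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if not pattern.startswith("*."):
        return pattern == hostname
    head, _, rest = hostname.partition(".")
    return bool(head) and rest == pattern[2:]


def cert_hostnames(cert):
    """DNS names from subjectAltName, falling back to the subject CN for old certs."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        names = [value for rdn in cert.get("subject", ()) for key, value in rdn
                 if key == "commonName"]
    return names


def issuer_org(cert):
    """Organization name of the issuing CA, or None if the field is absent."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "organizationName":
                return value
    return None


def check_cert(cert, hostname, now=None):
    """Return the step-1 findings as a dict; 'now' is Unix time (defaults to the clock)."""
    now = time.time() if now is None else now
    not_before = ssl.cert_time_to_seconds(cert["notBefore"])
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    names = cert_hostnames(cert)
    return {
        "names": names,
        "hostname_matches": any(name_matches(n, hostname) for n in names),
        "currently_valid": not_before <= now <= not_after,
        "days_until_expiry": int((not_after - now) // 86400),
        "issuer": issuer_org(cert),
    }


# Constructed sample in getpeercert() layout (not a real certificate).
SAMPLE_CERT = {
    "subject": ((("commonName", "shop.example.com"),),),
    "issuer": ((("countryName", "US"),),
               (("organizationName", "Let's Encrypt"),),
               (("commonName", "R3"),)),
    "notBefore": "Jan 10 00:00:00 2025 GMT",
    "notAfter": "Apr 10 00:00:00 2025 GMT",
    "subjectAltName": (("DNS", "shop.example.com"), ("DNS", "*.example.com")),
}
# Fixed "now" so the sample evaluates the same way every run.
SAMPLE_NOW = ssl.cert_time_to_seconds("Feb 1 00:00:00 2025 GMT")


if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    report = check_cert(fetch_peer_cert(host), host)
    for key, value in report.items():
        print(f"{key:>18}: {value}")
```

Run it as `python check_cert.py shop.example.com` against a live site. A result with hostname_matches false is the programmatic version of the look-alike-domain tell above; a valid, matching certificate from Let's Encrypt says only that whoever runs the site controls that name.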

2. Examine the Domain Age

Use a WHOIS lookup tool (whois.domaintools.com or who.is) to see when the domain was registered. While new domains aren't automatically suspicious, a brand-new domain claiming to be an "established" company is a contradiction worth investigating: compare the creation date against the founding date or "years in business" the site claims. Most legitimate businesses have owned their domains for at least a year or two.

Also look at: the registration period, which is the gap between the creation date and the expiry date. Scam domains are often registered for only one year (the minimum), while legitimate businesses typically register for 2–10 years. A domain registered for 5+ years shows long-term commitment, and a domain that has been renewed year after year since its creation date says the same thing.

3. WHOIS Privacy vs. Transparency

While you're running that WHOIS lookup, check whether the registrant information is hidden behind a privacy service (look for words like "Privacy", "Proxy", "Redacted" or "Withheld" in the registrant fields). Privacy protection is increasingly common and not inherently suspicious; since 2018 most registrars redact registrant details by default, so a hidden record on its own tells you little. But for a business that claims to be a registered company with a physical address, verifiable WHOIS information is a positive signal. If they're transparent everywhere except the domain registration, that's worth noting.
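Steps 2 and 3 both come out of the same WHOIS record, so here is one script that extracts all three signals from it: domain age, registration term (expiry minus creation), and whether the registrant fields point at a privacy service. This is an added example, not ScamsTester's tooling. SAMPLE_WHOIS is a constructed record (invented domain, registrar and dates) in the key: value layout used by the .com/.net registry and most ICANN-accredited registrars; other registries name their fields differently, so the lists in _DATE_KEYS and _PRIVACY_MARKERS are starting points to extend. The live fetch_whois() talks to the .com/.net registry's port-43 server, whose "thin" answer carries the dates but usually not the registrant fields; those live on the registrar server it names.

```python
"""Added example, not ScamsTester's own code: pull the step-2 and step-3
signals (domain age, registration term, privacy-protected registrant) out of
a WHOIS record.  SAMPLE_WHOIS is a constructed record in the key: value
layout used by the .com/.net registry and most ICANN registrars; other
registries use their own field names, so extend _DATE_KEYS as needed."""
import re
import socket
import sys
from datetime import datetime, timezone

# Constructed sample record; the domain, registrar and dates are invented.
SAMPLE_WHOIS = """\
Domain Name: EXAMPLE-STORE.COM
Registry Domain ID: 0000000000_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.example-registrar.test
Updated Date: 2025-01-15T08:22:41Z
Creation Date: 2024-12-20T17:05:12Z
Registry Expiry Date: 2025-12-20T17:05:12Z
Registrar: Example Registrar, LLC
Registrant Organization: Privacy service provided by Withheld for Privacy ehf
Registrant Country: IS
Registrant Email: Select Request Email Form at https://example-registrar.test/whois
Name Server: NS1.EXAMPLE-DNS.TEST
DNSSEC: unsigned
"""
SAMPLE_NOW = datetime(2025, 3, 1, tzinfo=timezone.utc)  # fixed clock for the sample

_DATE_KEYS = {
    "created": ("Creation Date", "Created On", "Registered On"),
    "expires": ("Registry Expiry Date", "Registrar Registration Expiration Date",
                "Expiry Date", "Expiration Date"),
}
# Words that registrars and proxy services put in the registrant fields.
_PRIVACY_MARKERS = ("privacy", "redacted", "proxy", "withheld", "whoisguard",
                    "data protected", "not disclosed")


def fetch_whois(domain, server="whois.verisign-grs.com"):
    """Raw port-43 query.  The default server is the .com/.net registry (thin
    WHOIS): its answer names the registrar's server, which holds the full record."""
    with socket.create_connection((server, 43), timeout=10) as sock:
        sock.sendall(domain.encode("ascii") + b"\r\n")
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode("utf-8", errors="replace")


def parse_whois(text):
    """Map 'Key: value' lines to a dict, keeping the first value seen per key."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*([^:]+?):\s*(.*\S)\s*$", line)
        if m and m.group(1) not in fields:
            fields[m.group(1)] = m.group(2)
    return fields


def _first_date(fields, keys):
    """First of the candidate keys present, parsed as an aware UTC datetime."""
    for key in keys:
        if key in fields:
            raw = fields[key].strip().replace("Z", "+00:00")
            try:
                dt = datetime.fromisoformat(raw)
            except ValueError:
                return None
            return dt if dt.tzinfo else dt.replace(tzinfo=timezone.utc)
    return None


def assess_domain(whois_text, now=None):
    """Return age, registration term and privacy status plus a list of flags."""
    now = now or datetime.now(timezone.utc)
    fields = parse_whois(whois_text)
    created = _first_date(fields, _DATE_KEYS["created"])
    expires = _first_date(fields, _DATE_KEYS["expires"])
    registrant = " ".join(v for k, v in fields.items() if k.startswith("Registrant")).lower()
    result = {
        "age_days": (now - created).days if created else None,
        "registration_years": (round((expires - created).days / 365.25, 1)
                               if created and expires else None),
        "privacy_protected": any(marker in registrant for marker in _PRIVACY_MARKERS),
        "flags": [],
    }
    if result["age_days"] is not None and result["age_days"] < 365:
        result["flags"].append("domain is less than a year old")
    if result["registration_years"] is not None and result["registration_years"] <= 1.0:
        result["flags"].append("registered for the minimum one-year term")
    if result["privacy_protected"]:
        result["flags"].append("registrant hidden behind a privacy service")
    return result


if __name__ == "__main__":
    domain = sys.argv[1] if len(sys.argv) > 1 else "example.com"
    print(assess_domain(fetch_whois(domain)))
```

On the constructed sample the script reports a domain about ten weeks old, registered for the minimum one-year term, with a proxied registrant: three of the signals this section describes, which together are far more telling than any one of them alone.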

4. Verify the Business Registration

Every legitimate business is registered somewhere. For U.S. companies, search the Secretary of State database in the state where they claim incorporation. For U.K. companies, use Companies House. Most countries have equivalent public registries.

What you're looking for: The company name matches what's on the website. The registration is active (not dissolved or revoked). The registered agent and address are verifiable. The filing dates are consistent with the company's claimed history.

5. Analyze the Contact Information

A legitimate business provides multiple ways to reach them. Look for:

  • A physical address (verify it on Google Maps—is it an actual office or a virtual mailbox?)
  • A phone number (call it—does someone answer? Is there a professional voicemail?)
  • An email address on the company's own domain (support@company.com, not company.support@gmail.com)
  • A contact form that actually works

Websites that only offer a contact form with no other way to reach them are harder to hold accountable. The more contact options available, the better.

6. Read the Terms of Service and Privacy Policy

This is the step most people skip and arguably the most revealing. Open the Terms of Service and Privacy Policy. You don't need to read every line, but look for:

  • Is it clearly written, or is it generic boilerplate copied from another site?
  • Does it mention the actual company name and jurisdiction?
  • Are the data collection practices described specifically?
  • Is there a dispute resolution process outlined?
  • Are the dates of last revision recent?

Copy a unique sentence from their privacy policy and search for it in Google (in quotes). If the same text appears on dozens of unrelated websites, it's a template—which suggests the site owner didn't invest in proper legal documentation.

7. Search for Reviews on Independent Platforms

Don't rely on testimonials displayed on the website itself; those can be fabricated. Search for the company on Trustpilot, Sitejabber, the BBB, Reddit, and Google Reviews. Look for patterns rather than individual reviews. A company with 95% five-star reviews and 5% one-star reviews with no middle ground is suspicious. Genuine review distributions usually skew positive but still have a visible middle: some two, three and four-star reviews, written in varied wording and spread out over time. A burst of near-identical five-star reviews posted within a few days of each other is a sign they were bought.

"Pay special attention to negative reviews. Do they describe consistent patterns (non-payment, poor customer service, bait-and-switch) or are they isolated complaints? Consistent patterns in negative reviews are your strongest signal."

8. Check Social Media Presence

Look up the company on LinkedIn, Twitter/X, Facebook, and Instagram. Consider:

  • How old are the social media accounts? (Check the "Joined" date on Twitter or the page transparency section on Facebook)
  • Do the accounts have genuine engagement or just bot-like followers?
  • Is the content consistent and professional, or sporadic and generic?
  • Do employees list the company on their LinkedIn profiles?

A company with 50,000 Facebook followers but zero comments on their posts likely bought followers. A company whose employees have detailed LinkedIn profiles with verifiable career histories is far more credible.

9. Inspect the Website Quality

While professional design doesn't guarantee legitimacy, poor quality is a warning sign. Check for:

  • Broken links or pages that return errors
  • Stock photos used for "team" or "about us" pages (reverse image search to check)
  • Spelling and grammatical errors throughout the site
  • Pages that are clearly auto-generated or contain placeholder text
  • An incomplete website with "coming soon" sections that never arrive

10. Evaluate Payment Methods

How a website handles payments reveals a lot about its infrastructure and accountability. Trustworthy indicators include accepting credit cards through recognized payment processors (Stripe, PayPal, Square), offering multiple payment options, and displaying PCI compliance badges (verify these are real). On a genuine processor integration the card fields are normally served by the processor, either as a hosted checkout page or as an embedded frame from the processor's domain, so a plain form on the site's own domain that asks for your full card number deserves a second look. Red flags include accepting only wire transfers, cryptocurrency, gift cards, or peer-to-peer payment apps for commercial transactions: every one of those is effectively irreversible, which is exactly why fraudsters prefer them over card payments that can be charged back.

11. Test the Customer Service

Before committing, test the company's responsiveness. Send a question via their contact form or email. Call their phone number. Use their live chat if available. How quickly do they respond? Is the response helpful and relevant, or is it a generic template? Do they answer your specific question, or deflect? A company that can't handle pre-sale inquiries will be even less responsive after they have your money.

12. Check for Industry Certifications

Look for certifications relevant to the company's industry: BBB accreditation, industry association memberships, security certifications (SOC 2, ISO 27001), or trust seals (DTA, TRUSTe/TrustArc). Crucially, verify each one at the source rather than trusting the badge image. The BBB, industry associations and seal vendors keep searchable directories; an ISO 27001 certificate can be confirmed with the certification body named on it; a SOC 2 claim can only be verified by asking the company for the report itself, since there is no public registry of SOC 2 attestations. A badge that isn't clickable, or that links to nothing more than another image, is just a picture.

13. Review the Return/Refund Policy

A clear, fair refund policy is a strong trust signal. Look for specific timeframes (30-day money-back guarantee), clear conditions, and a straightforward process. Vague policies, excessive restocking fees, or policies that effectively make refunds impossible are warning signs. For service platforms, look at how they handle dispute resolution between parties.

14. Look Up the Domain on Threat Databases

Several free services maintain databases of known malicious or fraudulent domains:

  • Google Safe Browsing Transparency Report (transparencyreport.google.com/safe-browsing)
  • VirusTotal (virustotal.com)—scans URLs against multiple security engines
  • ScamAdviser (scamadviser.com)—provides algorithmic trust scores
  • URLVoid (urlvoid.com)—checks against multiple blacklists

If a domain appears on Google Safe Browsing, or is flagged by several engines on VirusTotal, treat that as a definitive red flag. A single VirusTotal engine flagging a domain can be a false positive, so check which engine raised it and what category it reports before drawing conclusions. If it appears on none, that's positive but not conclusive: new scam domains haven't been reported yet.

15. Trust Your Instincts (But Verify Them)

After completing steps 1 through 14, take stock of your overall impression. How many green flags versus red flags did you encounter? A single red flag might have an innocent explanation; a pattern of three or more is cause for serious concern.

Score your findings:

  • 12–15 green flags: Strong trust signals. Proceed with reasonable confidence.
  • 8–11 green flags: Moderate trust. Proceed cautiously, start with small transactions.
  • 5–7 green flags: Low trust. Significant gaps in verifiable information. Avoid committing money or sensitive data.
  • Below 5 green flags: Do not engage. The risk significantly outweighs any potential benefit.

This checklist can't guarantee that every website you approve will deliver a perfect experience. But it can dramatically reduce your exposure to outright fraud. The 15 minutes you spend running through these checks is the cheapest insurance available—and it puts you in the same analytical mindset that professional investigators use every day.

Of course, you can also save time by checking ScamsTester's trust report for any website. Our automated and analyst-reviewed evaluations cover all 15 of these checkpoints and more, giving you a comprehensive trust score in seconds rather than minutes.