Is a website trustworthy? 10 signals to check in 2026
Steven | TrustYourWebsite · 20 April 2026 · Last updated: May 2026
Before entering personal information or payment details on a website, verify that it is legitimate. Here are 10 practical signals you can check in minutes, without technical expertise. The table below summarises what each check tells you and what to be alert for.
| # | Trust signal | How to check | Pass criterion |
|---|---|---|---|
| 1 | HTTPS certificate | Padlock icon. Click for certificate detail. | Valid, current, with an organisation name where expected. |
| 2 | Business registration | Footer company number. Companies House Find and Update. | Number resolves to a real, active company at the right address. |
| 3 | VAT number | HMRC VAT number checker | Name and address match what the website says. |
| 4 | Privacy policy | Footer link. Read the first two paragraphs. | Specific to the business. No template placeholders. |
| 5 | Contact information | Contact page | Real postal address, phone and email. Not only a contact form. |
| 6 | Terms, refunds and returns | Terms page. Look for the 14-day cancellation right. | Clear delivery, refund and cancellation terms consistent with UK law. |
| 7 | Domain age | WHOIS lookup | Older than a few weeks. Not registered the day before purchase. |
| 8 | Fraud reports | Action Fraud, Scamadviser, Trustpilot search | No active fraud reports against the business name or domain. |
| 9 | Security headers | securityheaders.com grade | Grade A or B. F is a strong red flag. |
| 10 | Review authenticity | Google, Trustpilot, sector-specific platforms | Detail level, posted over months, reviewers have other reviews. |
1. Check the HTTPS Certificate and Padlock
Look at the address bar of your browser. A legitimate website displays a padlock icon and "https://" at the start of the URL. "http://" (without the 's') means the connection is unencrypted.
Click the padlock icon. A popup will show the certificate holder's name and the certificate validity period. For a business website, you should see an organization name (not just a domain name). A valid certificate costs money and requires the business to prove they control the domain.
In 2026, all SSL/TLS certificates are issued with shorter validity periods (199 days instead of one year), which means legitimate businesses renew them regularly. An expired certificate is a red flag.
Use the free online tool SSL Shopper SSL Checker to verify that a certificate is valid.
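The same padlock check can be scripted. The following is an added example, not part of the original article: it reads the holder name and validity period from a certificate in the dict format returned by Python's `ssl.SSLSocket.getpeercert()`. The sample certificates, their names and the fixed date are constructed for illustration.

```python
import socket
import ssl
from datetime import datetime, timezone

def fetch_certificate(hostname, port=443, timeout=5):
    """Fetch a site's certificate as a dict (needs network access)."""
    # The default context verifies chain, dates and hostname, so an expired
    # certificate raises ssl.SSLCertVerificationError instead of returning.
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            return tls.getpeercert()

def _field(name, key):
    # subject and issuer are tuples of RDNs, each a tuple of (key, value) pairs
    return next((v for rdn in name for k, v in rdn if k == key), None)

def _when(cert_time):
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(cert_time), timezone.utc)

def summarise_certificate(cert, now):
    """Report what the padlock popup shows: holder, issuer, validity period."""
    start, end = _when(cert["notBefore"]), _when(cert["notAfter"])
    return {
        "organisation": _field(cert.get("subject", ()), "organizationName"),
        "domain": _field(cert.get("subject", ()), "commonName"),
        "issuer": _field(cert.get("issuer", ()), "organizationName"),
        "valid_now": start <= now <= end,
        "days_left": (end - now).days,  # negative once expired
        "lifetime_days": (end - start).days,
    }

# Constructed sample certificates in getpeercert() format (not real sites).
SAMPLE_ORG = {
    "subject": ((("organizationName", "Example Trading Ltd"),),
                (("commonName", "shop.example"),)),
    "issuer": ((("organizationName", "Example CA"),),),
    "notBefore": "Mar  1 00:00:00 2026 GMT",
    "notAfter": "Sep 16 00:00:00 2026 GMT",
}
SAMPLE_EXPIRED = {
    "subject": ((("commonName", "deals.example"),),),
    "issuer": ((("organizationName", "Example CA"),),),
    "notBefore": "Oct  1 00:00:00 2025 GMT",
    "notAfter": "Apr 18 00:00:00 2026 GMT",
}
NOW = datetime(2026, 5, 1, tzinfo=timezone.utc)  # fixed date, repeatable result
```

An `organisation` of `None` means the certificate names only a domain, and a negative `days_left` means it has expired.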
2. Verify Business Registration and Company Number
Legitimate UK businesses display a company registration number, often in the footer of the website.
Visit Companies House Find and Update and search for the company by name or number. You will see the registered office address, director names and filing history.
If the website claims to be registered in the UK but you cannot find it on Companies House, it may be operating illegally. Be cautious.
3. Check the VAT Number
Many UK businesses display a VAT registration number. Verify it using the UK HMRC VAT number checker. Enter the VAT number and you will see the business name and address on file.
A mismatched name or address is a warning sign of fraud or misdirection.
4. Read the Privacy Policy
A complete privacy policy states:
- The name and contact details of the business (organization name, registered address and email)
- What personal data is collected (name, email, payment card details and IP address)
- Why it is collected (contract performance, consent or legitimate interests)
- How long it is kept (e.g., payment records for 6 years, email lists while consent is active)
- Who it is shared with (payment processor, email marketing platform and analytics provider)
- Your rights (right to access, correct, delete and object)
Generic templates with placeholder text like "[YOUR COMPANY NAME]" or "[RETENTION PERIOD]" are red flags. The policy should be specific to that business.
If there is no privacy policy at all, you are providing personal data to an organization with no transparency. Do not proceed.
5. Check Contact Information
Legitimate businesses provide multiple contact options:
- A physical mailing address (not just a PO Box)
- A telephone number (for calls or WhatsApp)
- An email address
- A contact form (optional but useful)
Be cautious of sites that offer only a contact form and no phone or postal address. Scam sites often hide this information to avoid customer complaints.
Cross-check the address you find on the website with Companies House or the VAT register. If the addresses do not match, investigate why.
6. Verify Terms and Conditions and Returns Policy
E-commerce websites must clearly state:
- Delivery timeframe (e.g., 5-7 working days)
- Return rights: UK law provides a 14-day right to return goods ordered online (Consumer Contracts Regulations)
- Refund process: how and when you receive your money
- Payment methods accepted (credit card, PayPal and bank transfer)
- Cancellation procedure
If a website does not mention returns or refunds, it may be operating outside UK consumer protection law. Avoid it.
7. Check Domain Age and Registration
Use WHOIS lookup tools to check when the domain was registered. Websites registered within the last few weeks may be newly created fraudulent sites (though new legitimate sites do exist).
Look for historical data: has the domain changed owners recently? Has the website been active for months or years?
New websites are not inherently suspicious, but when combined with other red flags (missing privacy policy, no company number, no phone number), a very new domain warrants caution.
8. Scan for Recent Fraud Reports
Visit Action Fraud to search for reports of the website or business name. Action Fraud is the UK's national fraud reporting service.
Also check scam alert sites like Scamadviser and Trustpilot. Recent complaints about payment not being processed or goods not arriving are warning signs.
9. Look for Security and Privacy Headers
For more technical verification, use the free tool securityheaders.com and enter the website URL. This checks whether the website has implemented protection against common attacks (cross-site scripting, clickjacking, man-in-the-middle attacks).
A website with good security headers displays an A or B grade. F is a serious red flag.
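To see what such a scan looks at, the added example below (not part of the original article and not securityheaders.com's grading method) maps response headers to the three attack classes named above. The choice of `Content-Security-Policy`, `X-Frame-Options` and `Strict-Transport-Security` as the headers to check is this example's assumption, and the header sets are constructed.

```python
import re
from urllib.request import Request, urlopen

def fetch_headers(url, timeout=5):
    """Return a live site's response headers (needs network access)."""
    with urlopen(Request(url, method="HEAD"), timeout=timeout) as resp:
        return dict(resp.headers.items())

def parse_csp(value):
    """Split a Content-Security-Policy value into {directive: [sources]}."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            # if a directive is repeated, browsers honour the first one
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy

def check_headers(headers):
    """Return, per attack class, whether a response header covers it."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    csp = parse_csp(h.get("content-security-policy", ""))
    scripts = csp.get("script-src", csp.get("default-src"))
    # 'unsafe-inline' is ignored by browsers when a nonce or hash is present
    pinned = any(s.startswith(("'nonce-", "'sha")) for s in scripts or [])
    inline = "'unsafe-inline'" in (scripts or []) and not pinned
    framing = csp.get("frame-ancestors")
    xfo = h.get("x-frame-options", "").upper()
    hsts = re.search(r"max-age\s*=\s*\"?(\d+)", h.get("strict-transport-security", ""), re.I)
    return {
        # XSS: scripts are restricted and inline script is not re-allowed
        "xss": scripts is not None and not inline and "*" not in scripts,
        # Clickjacking: framing limited by frame-ancestors or X-Frame-Options
        "clickjacking": (framing is not None and "*" not in framing)
                        or xfo in ("DENY", "SAMEORIGIN"),
        # Man-in-the-middle: HSTS with a non-zero max-age forces HTTPS
        "mitm": hsts is not None and int(hsts.group(1)) > 0,
    }

# Constructed header sets, not captured from real sites.
STRONG = {
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
}
WEAK = {
    "content-security-policy": "script-src 'self' 'unsafe-inline'",
    "X-Frame-Options": "ALLOWALL",
    "Strict-Transport-Security": "max-age=0",
}
```

`check_headers(WEAK)` reports all three classes as uncovered even though every header is present, which is why presence alone is not the test.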
10. Check Review Authenticity
Legitimate businesses have customer reviews on Google, Trustpilot or industry-specific sites. Look at:
- When reviews were posted (are they clustered in one week, suggesting fake reviews, or spread over months?)
- Reviewer names and profiles (do profiles have other reviews elsewhere, suggesting real accounts?)
- Review detail level (do they mention specific products and issues, or are they vague praise like "Great!" and "Recommend"?)
Fake reviews are often generic, recent and posted by accounts with no history.
Red flag checklist
Any of the following on their own is reason to walk away.
| Red flag | Why it matters |
|---|---|
| No HTTPS padlock | Any data you submit is in clear text. No legitimate UK trader runs unencrypted checkout. |
| Privacy policy uses template placeholders | "[YOUR COMPANY NAME]" left in. Indicates the business has not engaged with its own compliance. |
| No phone or postal address | Trader hiding from complaints. Possible E-Commerce Regs 2002 breach as well. |
| Companies House number that does not resolve | Likely fabricated. Real numbers always resolve at find-and-update. |
| Aggressive cookie banner with no reject button | Indicator that the operator does not comply with basic PECR rules. |
| Reviews all posted in the same week with generic text | Classic pattern of bought or fake reviews. |
| Domain registered in the last few weeks | Combined with any other red flag, very high scam risk. |
| Security headers grade F | Operator has not implemented even basic XSS or clickjacking protection. |

What You Cannot Always Verify
Some legitimate websites may lack certain signals (for example, very small local businesses may not have a formal privacy policy published). In these cases, email the business directly and ask. A legitimate business will respond with contact details and clarification.
If you are still uncertain, consider alternative options: phone the business, visit in person if it is a local service or check whether they operate through a verified marketplace (Amazon, Etsy, eBay) where buyer protection is built in.