How to Check If a Website Is Trustworthy: 10 Essential Signals in 2026
Steven | TrustYourWebsite · 20 April 2026 · Last updated: April 2026
Before entering personal information or payment details on a website, verify that it is legitimate. Here are 10 practical signals you can check in minutes, without technical expertise.
1. Check the HTTPS Certificate and Padlock
Look at the address bar of your browser. A legitimate website displays a padlock icon and "https://" at the start of the URL. "http://" (without the 's') means the connection is unencrypted.
Click the padlock icon. A popup will show the certificate holder's name and the certificate validity period. For a business website, you should see an organization name (not just a domain name). A valid certificate costs money and requires the business to prove they control the domain.
In 2026, all SSL/TLS certificates are issued with shorter validity periods (199 days instead of one year), which means legitimate businesses renew them regularly. An expired certificate is a red flag.
Use the free online tool SSL Shopper SSL Checker to verify that a certificate is valid.
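The padlock check above can also be scripted. This is an added example, not code from the original article: it reads the certificate holder's organization and the validity period from a certificate in the format Python's `ssl` module returns. `SAMPLE_CERT` is constructed for illustration, and the function names are hypothetical.

```python
import socket
import ssl
from datetime import datetime, timezone

def cert_time_utc(cert_time):
    # Convert a certificate time string such as "Jul 28 00:00:00 2026 GMT"
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(cert_time), timezone.utc)

def summarize_cert(cert, now=None):
    """Summarize a certificate dict as returned by SSLSocket.getpeercert()."""
    now = now or datetime.now(timezone.utc)
    # "subject" is a tuple of RDNs, each a tuple of (field, value) pairs
    subject = {field: value for rdn in cert.get("subject", ()) for field, value in rdn}
    not_before = cert_time_utc(cert["notBefore"])
    not_after = cert_time_utc(cert["notAfter"])
    return {
        "common_name": subject.get("commonName"),
        # None means the certificate names only a domain, not an organization
        "organization": subject.get("organizationName"),
        "validity_days": (not_after - not_before).days,
        "days_left": (not_after - now).days,
        "expired": now > not_after,
        "not_yet_valid": now < not_before,
    }

def fetch_cert(host, port=443, timeout=5):
    """Fetch the certificate a live server presents (needs network access).

    The default context verifies the chain and hostname, so an expired or
    mismatched certificate raises ssl.SSLCertVerificationError here.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

# Constructed sample certificate (not taken from a real site)
SAMPLE_CERT = {
    "subject": (
        (("countryName", "GB"),),
        (("organizationName", "Example Trading Ltd"),),
        (("commonName", "shop.example.com"),),
    ),
    "notBefore": "Jan 10 00:00:00 2026 GMT",
    "notAfter": "Jul 28 00:00:00 2026 GMT",
}

if __name__ == "__main__":
    print(summarize_cert(SAMPLE_CERT))
```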
2. Verify Business Registration and Company Number
Legitimate UK businesses display a company registration number, often in the footer of the website.
Visit Companies House Find and Update and search for the company by name or number. You will see the registered office address, director names, and filing history.
If the website claims to be registered in the UK but you cannot find it on Companies House, it may be operating illegally. Be cautious.
3. Check the VAT Number
Many UK businesses display a VAT registration number. Verify it using the UK HMRC VAT number checker. Enter the VAT number and you will see the business name and address on file.
A mismatched name or address is a warning sign of fraud or misdirection.
4. Read the Privacy Policy
A complete privacy policy states:
- The name and contact details of the business (organization name, registered address and email)
- What personal data is collected (name, email, payment card details and IP address)
- Why it is collected (contract performance, consent or legitimate interests)
- How long it is kept (e.g., payment records for 6 years, email lists while consent is active)
- Who it is shared with (payment processor, email marketing platform and analytics provider)
- Your rights (right to access, correct, delete and object)
Generic templates with placeholder text like "[YOUR COMPANY NAME]" or "[RETENTION PERIOD]" are red flags. The policy should be specific to that business.
If there is no privacy policy at all, you are providing personal data to an organization with no transparency. Do not proceed.
5. Check Contact Information
Legitimate businesses provide multiple contact options:
- A physical mailing address (not just a PO Box)
- A telephone number (for calls or WhatsApp)
- An email address
- A contact form (optional but useful)
Be cautious of sites that offer only a contact form and no phone or postal address. Scam sites often hide this information to avoid customer complaints.
Cross-check the address you find on the website with Companies House or the VAT register. If the addresses do not match, investigate why.
6. Verify Terms and Conditions and Returns Policy
E-commerce websites must clearly state:
- Delivery timeframe (e.g., 5-7 working days)
- Return rights: UK law provides a 14-day right to return goods ordered online (Consumer Contracts Regulations)
- Refund process: how and when you receive your money
- Payment methods accepted (credit card, PayPal and bank transfer)
- Cancellation procedure
If a website does not mention returns or refunds, it may be operating outside UK consumer protection law. Avoid it.
7. Check Domain Age and Registration
Use WHOIS lookup tools to check when the domain was registered. Websites registered within the last few weeks may be newly created fraudulent sites (though new legitimate sites do exist).
Look for historical data: has the domain changed owners recently? Has the website been active for months or years?
New websites are not inherently suspicious, but combined with other red flags (missing privacy policy, no company number, no phone number), a very new domain suggests caution.
8. Scan for Recent Fraud Reports
Visit Action Fraud to search for reports of the website or business name. Action Fraud is the UK's national fraud reporting service.
Also check scam alert sites like Scamadviser and Trustpilot. Recent complaints about payment not being processed or goods not arriving are warning signs.
9. Look for Security and Privacy Headers
For more technical verification, use the free tool securityheaders.com and enter the website URL. This checks whether the website has implemented protection against common attacks (cross-site scripting, clickjacking, man-in-the-middle attacks).
A website with good security headers displays an A or B grade. F is a serious red flag.
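To show what such a scan looks at, here is an added example (not from the original article and not the grading logic of securityheaders.com) that maps the three attack classes named above to the response headers that address them. The header sets are constructed samples, and the pass/fail rules are deliberately simplified assumptions.

```python
import re

def parse_csp(value):
    """Split a Content-Security-Policy value into {directive: [sources]}."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        # Per the CSP rules, the first occurrence of a directive wins
        if tokens and tokens[0].lower() not in policy:
            policy[tokens[0].lower()] = [t.lower() for t in tokens[1:]]
    return policy

def check_headers(headers):
    """Return {attack class: True if a header addressing it is present}."""
    h = {name.lower(): value for name, value in headers.items()}
    csp = parse_csp(h.get("content-security-policy", ""))

    # Man-in-the-middle: HSTS with a non-zero max-age keeps browsers on HTTPS
    m = re.search(r'max-age\s*=\s*"?(\d+)', h.get("strict-transport-security", ""), re.I)
    hsts_ok = bool(m) and int(m.group(1)) > 0

    # Clickjacking: X-Frame-Options, or CSP frame-ancestors without a wildcard
    xfo = h.get("x-frame-options", "").strip().upper()
    ancestors = csp.get("frame-ancestors")
    framing_ok = xfo in ("DENY", "SAMEORIGIN") or (
        ancestors is not None and "*" not in ancestors)

    # XSS: script-src (falling back to default-src) must exist and must not
    # allow inline scripts or any origin. Simplification: nonces are ignored.
    scripts = csp.get("script-src", csp.get("default-src"))
    xss_ok = (scripts is not None and "'unsafe-inline'" not in scripts
              and "*" not in scripts)

    return {"cross-site scripting": xss_ok,
            "clickjacking": framing_ok,
            "man-in-the-middle": hsts_ok}

# Constructed sample responses (not captured from real sites)
GOOD = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains",
        "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'"}
WEAK = {"Content-Security-Policy": "script-src 'self' 'unsafe-inline'",
        "X-Frame-Options": "ALLOWALL"}

if __name__ == "__main__":
    for name, sample in (("GOOD", GOOD), ("WEAK", WEAK)):
        print(name, check_headers(sample))
```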
10. Check Review Authenticity
Legitimate businesses have customer reviews on Google, Trustpilot, or industry-specific sites. Look at:
- When reviews were posted (are they clustered in one week, suggesting fake reviews, or spread over months?)
- Reviewer names and profiles (do profiles have other reviews elsewhere, suggesting real accounts?)
- Review detail level (do they mention specific products and issues, or are they vague praise like "Great!" and "Recommend"?)
Fake reviews are often generic, recent, and posted by accounts with no history.
Checklist for Safe Online Shopping
When you are about to enter payment details, verify:
- HTTPS padlock visible
- Company number displayed and verified on Companies House
- Privacy policy present and organization-specific
- Contact details present (phone and address)
- Returns policy and refund terms clearly stated
- Domain not recently registered (unless it is a known new company)
- No recent fraud reports on Action Fraud
- Customer reviews are detailed, recent (spread over time) and on multiple platforms
- Security headers grade is A or B (not F)
- Payment method is secure: look for Stripe, PayPal and 3D Secure indicators
What You Cannot Always Verify
Some legitimate websites may lack certain signals (for example, very small local businesses may not have a formal privacy policy published). In these cases, email the business directly and ask. A legitimate business will respond with contact details and clarification.
If you are still uncertain, consider alternative options: phone the business, visit in person if it is a local service, or check whether they operate through a verified marketplace (Amazon, Etsy, eBay) where buyer protection is built in.