When to trust a website

Knowing when to trust a website depends in part on who publishes the website, what info they might want from you, and what you want from the site. If you're not sure whether to trust a website, consider these questions:

How do I know if the site I'm visiting is safe?

SmartScreen Filter in Internet Explorer helps protect you from phishing and malware attacks by warning you if a website or download location has been reported as unsafe.

Windows SmartScreen checks the reputation of apps downloaded from the Internet and warns you if the app isn't well-known and might be malicious.

If Windows SmartScreen isn't turned on, then SmartScreen Filter in Internet Explorer will check the reputation of downloaded apps. If the app doesn't have established reputation, a warning dialogue is shown.

Are you visiting a secure site?

If you're visiting the website with a secure connection, you'll be able to identify the website through the site's certificate. A secure or encrypted website address will begin with HTTPS rather than HTTP, and you'll often see some sort of icon in the browser, such as a padlock indicating that the website is secure. Secure connections use certificates to identify the website and to encrypt your connection so that it will be more difficult for a hacker to view.

Depending on the type of certificate the website has, you can see the website address or the company address that the certificate was issued to. Extended Validation (EV) certificates will turn the address bar green in some browsers, and will contain a confirmed name and address for the website owner. Non-EV certificates will contain the website address or the domain of the site. If you can view a security report, and it only shows the website's address, be sure it's the address you wanted to visit. Phishing or fraudulent websites will often use similar website names to trick visitors into believing they're visiting trusted sites.

Certificates are issued by companies called certification authorities. Windows contains a list of the most common certification authorities. If Windows doesn't recognise the issuer of the certificate, a warning message will appear. However, Windows can be configured to trust any certification authority, so you should not rely solely on receiving a warning message when a website is potentially fraudulent.
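The identity check described in this section, as an added example that is not part of the original page: the Python below reads a certificate in the dictionary format returned by the standard `ssl` module's `getpeercert()` and reports the organisation it names, its issuer, and whether it covers the address you meant to visit. The sample certificates, host names and issuer are constructed, and the function names are this example's own.

```python
import socket
import ssl


def fetch_certificate(host, port=443, timeout=5.0):
    """Fetch a live certificate, validated against the system trust store."""
    context = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with context.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def get_field(name, key):
    """Return one attribute (e.g. organizationName) from a subject or issuer."""
    return next((v for rdn in name for k, v in rdn if k == key), None)


def name_matches(pattern, host):
    """Exact match, or a '*.' wildcard covering exactly one left-most label."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return pattern == host


def summarize_certificate(cert, intended_host):
    """Report who the certificate identifies and whether it covers intended_host."""
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    return {
        "organisation": get_field(cert.get("subject", ()), "organizationName"),
        "issuer": get_field(cert.get("issuer", ()), "organizationName"),
        "names": names,
        "covers_intended_host": any(name_matches(n, intended_host) for n in names),
    }


# Constructed samples in getpeercert() format; names and issuer are made up.
ISSUER = ((("organizationName", "Constructed Test CA"),),)
SAMPLE_ORG_CERT = {
    "subject": ((("organizationName", "Example Bank plc"),),
                (("commonName", "www.examplebank.example"),)),
    "issuer": ISSUER,
    "subjectAltName": (("DNS", "www.examplebank.example"),
                       ("DNS", "examplebank.example")),
}
SAMPLE_LOOKALIKE_CERT = {  # domain-only certificate for a similar-looking name
    "subject": ((("commonName", "examp1ebank.example"),),),
    "issuer": ISSUER,
    "subjectAltName": (("DNS", "examp1ebank.example"),
                       ("DNS", "*.examp1ebank.example")),
}
```

For a live site, pass the result of `fetch_certificate(host)` to `summarize_certificate`; the fetch raises `ssl.SSLCertVerificationError` when the issuer is not in the system's trusted list.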

Is the website certified by an Internet trust organisation?

An Internet trust organisation is a company that verifies that a website has a privacy statement (a posted notification of how your personal information is used) and that the website gives you a choice of how they use your information. Websites approved by Internet trust organisations are able to display the privacy certification seals, usually somewhere on their home page or order forms. However, these seals don't guarantee that a website is trustworthy; a seal just means the website complies with the terms acceptable to the Internet trust organisation. Additionally, some unscrupulous websites might display the trust logos fraudulently. If you're not sure whether a trust logo is legitimate, contact the trust organisation to see if the website is registered with them.

To learn more about these trust organisations, you can go to the TRUSTe website, the BBB Online website or the WebTrust website.

Is the website owned by a company or organisation that you know well?

For example, if you've bought merchandise from a physical shop and were happy with the experience, you might want to try the shop's website as well. However, even if you trust the company, you should read the website's privacy statement and terms of use. Sometimes, a company's website is independent of its shops, and it might have different privacy terms. Look for terms you might not agree with, such as requirements to accept email offers or advertising from the website, or that your information is shared with the company's partners. If you're not comfortable with the terms or behaviours (for example, you don't want to be tracked or to see advertisements), don't use the site.

Does the website ask you for personal information?

If you're asked for personal info, such as credit card numbers or bank information, only provide it if there's a good reason to do so. Also, make sure there's a secure entry form for recording info. Look for a message stating that the info will be encrypted and check for a lock icon or ensure that the web address starts with HTTPS:// (don't enter confidential information if neither of these is present). Also, try to find out what the website's policy is about storing info: Do they keep your credit card number on file? Do they have partners that they share info with? You should be confident that the site is using your info properly and in a secure manner before you provide it.

On a retail website, is there a way to contact someone by phone or post?

Do they have a phone number that you can call if you have a problem, or that you can use to place an order? Does the website list a street address? Is there a posted return policy with acceptable terms? If the site doesn't provide a phone number or physical address, try contacting the company by email to ask for that info.

If you don't recognise the site, do you have other information to help you decide?

If you're not familiar with a website or it doesn't have a privacy certification seal, you might still be able to trust it. Ask reliable friends or colleagues about the site. Search for references to the site on the Internet to see if a source, such as a magazine or company that you do trust, has referred to it. Read the website's privacy statements or other disclosures (but keep in mind that the site might not necessarily abide by them).

A website might not be trustworthy if:

  • The site is referred to you through an email message from someone you don't know.

  • The site offers objectionable content, such as pornography or illegal materials.

  • The site makes offers that seem too good to be true, indicating a possible scam or the sale of illegal or pirated products.

  • You're lured to the site by a bait and switch scheme, in which the product or service isn't what you were expecting.

  • You're asked for a credit card as a verification of identity or for personal info that doesn't seem necessary.

  • You're asked to provide a credit card number without proof that the transaction is secure.
