When to trust a website

This information applies to Windows Internet Explorer 7 and Windows Internet Explorer 8.

Knowing when to trust a website depends in part on who publishes the website, what information they want, and what you want from the site. If you're not sure whether to trust a website, consider these questions:

Show all

Are you visiting a secure site?

If you are visiting the website with a secure connection, you will be able to identify the website through the site's certificate. A secure or encrypted website address will begin with HTTPS rather than HTTP, and you will see a lock icon Picture of lock icon in the Address bar. Secure connections use certificates to identify the website and to encrypt your connection so that it will be more difficult for a hacker to view. You can also click the lock icon in the Address bar to see more information about the website. For more information on secure websites, see How to know if an online transaction is secure.

When you click the lock icon in the Address bar, you can see the security report. Depending on the type of certificate the website has, you can see the website address or the company address that the certificate was issued to. Extended Validation (EV) certificates will turn the Address bar green, and will contain a confirmed name and address for the website owner. Non-EV certificates will display the website address or the domain of the site. If the security report only shows the website's address, be sure it is the address you wanted to visit. Phishing or fraudulent websites will often use similar website names to trick visitors into believing they are visiting trusted sites. For more information on phishing, see What is phishing?

Certificates are issued by companies called certification authorities. Windows contains a list of the most common certification authorities. If Windows doesn't recognize the issuer of the certificate, a warning message will appear. However, Windows can be configured to trust any certification authority, so you should not rely solely on receiving a warning message when a website is potentially fraudulent.

Is the website certified by an Internet trust organization?

An Internet trust organization is a company that verifies that a website has a privacy statement (a posted notification of how your personal information is used) and that the website gives you a choice of how they use your information. Websites approved by Internet trust organizations are able to display the privacy certification seals, usually somewhere on their home page or order forms. However, these seals don't guarantee that a website is trustworthy; it just means the website complies with the terms acceptable to the Internet trust organization. Additionally, some unscrupulous websites might display the trust logos fraudulently. If you are not sure whether a trust logo is legitimate, contact the trust organization to see if the website is registered with them.

To learn more about these trust organizations, you can go to the TRUSTe website, the BBB Online website, or the WebTrust website.

Is the website owned by a company or organization that you know well?

For example, if you bought merchandise from a physical store and were happy with the experience, you might want to try the store's website as well. However, even if you trust the company, always read the website's privacy or terms of use statement. Sometimes a company's website is independent of its stores, and it might have different privacy terms. Look for terms you don't agree with, such as requirements to accept e‑mail offers or advertising from the website, or that your information is shared with the company's partners. If you are not comfortable with the terms or behaviors (for example, you do not want to be tracked or to see advertisements), do not use the site.

Does the website ask you for personal information?

If you are asked for personal information, such as credit card numbers or bank information, only provide it if there is a good reason to do so. Also, make sure there is a secure entry form for recording information. Look for a message stating that the information will be encrypted and check for the lock icon Picture of lock icon in the Security Status bar in the Internet Explorer Address bar (do not enter confidential information if there is no lock icon on the Address bar). Also, try to find out what the website's policy is about storing information: Do they keep your credit card number on file? Do they have partners that they share information with? You should be confident that the site is using your information properly and in a secure manner before providing any information.

On a retail website, is there a way to contact someone by phone or mail?

Do they have a phone number that you can call if you have a problem, or that you can use to place an order? Does the website list a street address? Is there a posted return policy with acceptable terms? If the site doesn't provide a phone number or physical address, try contacting the company by e‑mail to ask for that information.

If you don't recognize the site, do you have other information to help you decide?

If you are not familiar with a website or it does not have a privacy certification seal, that might not necessarily mean that you cannot trust it. Ask reliable friends or colleagues about the site. Search for references to the site on the Internet to see if a source, such as a magazine or company that you do trust, has referred to it. Read the website's privacy statements or other disclosures (but keep in mind that the site might not necessarily abide by them).

A website might not be trustworthy if:

  • The site is referred to you through an e‑mail message from someone you don't know.

  • The site offers objectionable content, such as pornography or illegal materials.

  • The site makes offers that seem too good to be true, indicating a possible scam or the sale of illegal or pirated products.

  • You are lured to the site by a bait and switch scheme, in which the product or service is not what you were expecting.

  • You are asked for a credit card as a verification of identity or for personal information that does not seem necessary.

  • You are asked to provide a credit card number without proof that the transaction is secure.