Phishing sites have gotten frighteningly good — pixel-perfect copies of real bank, email, and crypto sites. The defense isn't sharper eyesight, it's a checklist. Here are 10 fast checks that catch even sophisticated fakes.

1. Check the URL letter by letter

Look for letter swaps: paypaI.com (capital I, not L), arnazon.com (rn looks like m), g00gle.com (zeros for O). Punycode tricks turn international characters into lookalikes. Always type sensitive URLs by hand or use bookmarks; never click email links to login pages.

2. Check the domain, not the path

Read the domain right-to-left from the last dot before the slash. login.bankofamerica.com.evil.ru/secure belongs to evil.ru, not Bank of America. The real domain is whatever comes immediately before the first single slash.

3. HTTPS isn't a safety guarantee

The padlock means encrypted, not legitimate. Phishing sites all have HTTPS now (free Let's Encrypt certs). A padlock tells you no one is eavesdropping; it doesn't tell you who you're talking to. Check the domain anyway.

4. Look up the WHOIS

Run a WHOIS lookup. Was the domain registered three days ago? Almost certainly phishing. Real organizations have domains years old.

5. Check the IP

Use our website IP lookup. Real banks and major services live on dedicated infrastructure or major CDNs (Cloudflare, AWS, Akamai). A login page hosted on a random VPS in a hosting facility is suspicious.

6. Hover over links before clicking

The link text and the actual URL can differ. Hover; the real destination shows in your browser's status bar. If they don't match, don't click.

7. Watch for urgency and threats

"Your account will be closed in 24 hours." "Suspicious activity detected — verify now." Real companies don't email you to log in. Urgency is the phisher's main weapon — slow down.

8. Check the design quality

Slightly wrong logo, off-brand fonts, awkward English, mismatched footer links — even good fakes have tells. Open the real site in a separate tab and compare side by side.

9. Try a wrong password first

Phishing sites accept anything. If "hunter2" gets you into your bank account on the first try, it was a fake — and you just told them your real password.

10. Use a password manager

Password managers only autofill on the exact domain they have saved. If your password manager won't fill on the page, it's not the real site. The single best technical defense.

Try it now

Curious what your IP is showing the world right now? Check your IP address & location instantly with our free tool — no signup, nothing stored. Or trace any other IP to see its geolocation, ISP, and network details.