Week 28: Spotting scam websites

15.07.2025 - Online shopping and other digital services have become an integral part of everyday life. But with convenience comes risk: fake online shops and other scam websites are becoming increasingly common, and not every platform is as trustworthy as it seems. Particular caution is required when making credit card or TWINT payments.  In the second part of its summer series, the NCSC explains how to recognise fraudulent websites using a few simple checks – like looking at reviews, the website address, or how old the domain is.

From shopping and booking tickets to ordering travel visas and buying motorway vignettes, many everyday tasks now involve entering personal details online. However, uncertainty arises when it comes to entering sensitive information such as credit card numbers, or making TWINT payments. Is the site really trustworthy? Will the goods I ordered actually arrive? What happens to the information I’ve just entered? Could it fall into the wrong hands? That’s why it’s so important to take a closer look. By carrying out a few simple checks, such as reviewing ratings and checking the website address and how long the domain has been active for, you can identify many unreliable providers and protect yourself from scams. It’s worth noting that legitimate online shops also face risks – especially when dealing with first-time customers.

Reviews are an important factor in determining whether a website is trustworthy. While they can offer useful insights into the experiences of other buyers, they should always be taken with a pinch of salt. For example, a very large number of five-star ratings can actually be a red flag. Fake shops may buy or generate fake reviews automatically. As strange as it sounds, negative reviews are often more helpful. They often provide specific details about issues such as undelivered goods, missing refunds, and poor customer service. It can also be helpful to click on the reviewers themselves to see what other products or shops they have reviewed.

The age of the reviews matters, too. Older reviews may no longer reflect the shop's current state – for instance, the shop may have experienced financial difficulties, or have since implemented changes in response to negative feedback. It is also suspicious if a shop or company has no reviews at all. The shop might be new or little-used, so there’s no way to tell how trustworthy it is.

The internet address may already be an indication of a scam website. They often contain small typos, strange add-ons, or hyphens in odd places (see last week’s review for more on this). If anything about the address seems unusual, it’s best not to visit the site at all – and certainly never enter any personal information.

Even using a search engine to find a website isn’t risk-free. The first search result isn’t always the safest. Scammers use misleading ads to place fake sites right at the top of the search results page, in the hope that people will click on them without scrolling down to the legitimate results.

If a website’s domain was registered recently, it’s much more likely to be fraudulent. In fact, most of the domains reported to us as suspicious that are less than three months old turn out to be scams. This makes the registration date another helpful clue.

Last week's review focused on understanding how links and URLs are structured. With this knowledge, you can now identify the domain name within a link and find out when the domain was registered. To do this, you need the domain’s 'Whois' information – publicly available details about the domain that include its registration date. There are various websites to look up Whois details; "nic.ch" is a good site to use for registration information on ".ch" domains. A note of caution: Switzerland’s registry only shows the date of the domain's first registration, not when it may have changed hands. So if scammers have recently taken over an old domain, it may look like it’s been around for years. For international domains, services such as "CentralOps" can provide registration details for almost all top-level domains.

The contact information section can be an indicator of whether a website is trustworthy. It should include the company's full name, a valid address, phone number, and email address. If something goes wrong with the order, it is important that you are able to get in touch with someone. Scam shops often only provide a web form as a point of contact, and messages sent through these forms often go unanswered. However, the contact details provided may be fake, so it’s worth verifying them against publicly available sources. For instance, you can use Google Maps to verify the address: is there really a business at that location, or is it just a private home or mailbox company?  You can also search for the phone number in an online directory such as 'search.ch' to see if it is listed under the correct company name or address. It’s also worth checking the Swiss commercial register platform 'zefix.ch' to see whether the company is officially registered. This allows you to see whether the company exists under the stated name, whether the address matches the one given on the website, and what the official business purpose is. If there’s no entry, or if the details don’t line up, that’s a clear red flag. The registration date can also provide useful information: if the company isn't listed in the commercial register at all, or if its registered purpose differs from that stated on the website, it's best to steer clear.

Checking the general terms and conditions (GTC) is a good way to assess whether a company is trustworthy. Reputable companies use clear, easy-to-understand language. GTC should include details on warranty policies, data protection, billing and payment terms, liability, and rules for exchanges and returns. Be wary of vague or contradictory information, missing cancellation rights, or unusual payment requirements (such as prepayment by cryptocurrency only). The terms and conditions should also specify the place of jurisdiction. This indicates which court would handle any legal disputes. If the place of jurisdiction is outside of Switzerland, this could make things more difficult if problems arise. And if the place of jurisdiction doesn’t match the company’s business location, that could also be a red flag.

The padlock symbol in the address bar is not a sign that a website is trustworthy. It simply indicates that the connection is encrypted, which is especially important when transmitting credit card details. However, encryption alone does not guarantee that the site itself is legitimate. Almost all scam websites now use encryption to appear credible.

Ultimately, you can only get a complete picture by piecing together the little details. No single indicator is sufficient for reliably assessing the trustworthiness of a website. However, if you take the time to check the domain information, customer reviews, the contact information, commercial register entry, technical features, and legal terms, you can effectively protect yourself. And last but not least: trust your instincts. If a deal seems too good to be true, it probably is.

• Only shop online with companies that you know and trust.
• If you're unfamiliar with a seller, check their reviews, website address, domain registration date, legal notice and terms and conditions.
• If you have any doubts at all, don't buy from this seller.
• Don’t rely on the padlock symbol in your browser’s address bar – it only indicates that data is being transferred securely, not that the site is trustworthy.

Current statistics

Last week's reports by category:

Current figures