How do I spot a fake login page?
Fake login pages copy the look of real websites but sit on different domains — always check the full URL in your browser bar before entering any password.
Last reviewed: 10 June 2026
Explanation
Phishing login pages are designed to be visually identical to the real site they impersonate. Criminals copy the HTML, CSS, and images of a well-known service — a bank, an email provider, a social network — and host the copy on a lookalike domain. When you enter your credentials, they are sent straight to the attacker while you are usually redirected to the real site to avoid suspicion.
The domain name is the most reliable indicator. On a real site, the exact registered domain is the last part of the host name in the URL. Common tricks include adding a word (secure-, login-, verify-) before the real name, using a different top-level domain (.net instead of .com), using homoglyphs (rn instead of m, 0 instead of o), or putting the real brand name as a subdomain of a fake domain: paypal.com.fakesite.net. In this example the actual domain is fakesite.net.
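The domain checks described above can be automated, for example in a mail filter or a reporting tool. The following Python sketch is an added example, not part of the original page; the function names are hypothetical, the example.com URLs are constructed, and it assumes a single-label suffix such as .com or .net instead of consulting the Public Suffix List.

```python
from urllib.parse import urlsplit

# Tricks named in the text above; both lists are illustrative, not exhaustive.
ADDED_WORDS = ("secure-", "login-", "verify-")
HOMOGLYPHS = (("rn", "m"), ("0", "o"))

def registered_domain(host):
    # Assumption: single-label suffix (.com, .net). Real tooling should use
    # the Public Suffix List so that names under e.g. .co.uk are handled.
    return ".".join(host.split(".")[-2:])

def fold(name):
    # Map each look-alike sequence to the character it imitates.
    for fake, real in HOMOGLYPHS:
        name = name.replace(fake, real)
    return name

def check_login_url(url, official):
    """Compare a URL with the official registered domain.
    Returns (finding, actual_registered_domain)."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    official = official.lower()
    # The leading dot matters: evilpaypal.com must not pass as paypal.com.
    if host == official or host.endswith("." + official):
        return ("match", official)
    actual = registered_domain(host)
    brand, _, tld = official.rpartition(".")
    name, _, actual_tld = actual.rpartition(".")
    if ("." + official + ".") in ("." + host):
        return ("brand-as-subdomain", actual)
    if name == brand and actual_tld != tld:
        return ("different-tld", actual)
    if any(name == word + brand for word in ADDED_WORDS):
        return ("added-word", actual)
    if fold(name) == fold(brand):
        return ("homoglyph", actual)
    return ("mismatch", actual)

if __name__ == "__main__":
    # Constructed sample URLs; only the first hostname appears in the text.
    for url, official in [
        ("https://paypal.com.fakesite.net/signin", "paypal.com"),
        ("https://www.paypal.com/signin", "paypal.com"),
        ("https://secure-paypal.com/", "paypal.com"),
        ("https://exarnple.com/login", "example.com"),
    ]:
        print(url, "->", check_login_url(url, official))
```

Any result other than "match" means the host is not the official domain or one of its subdomains, whatever the page looks like.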
Browser padlock icons only confirm the connection is encrypted — they do not confirm the site is legitimate. A phishing page can have a valid padlock. Focus on the domain name itself, not the padlock.
Additional tells include a login form that appears in an unexpected context (an email that says your password expired and shows a login box inside the email body), a page that asks for extra information a genuine login never requests (your card number, mother's maiden name), or autofill not working because your password manager does not recognise the domain.
Common red flags
- Domain name does not exactly match the official website you expect
- Brand name appears as a subdomain of an unfamiliar domain
- You reached the page by clicking a link in an email or text rather than typing the address
- Password manager does not autofill your credentials
- Page asks for information beyond username and password (card details, national ID)
- HTTPS padlock is present but the URL looks unfamiliar
What to do now
- Close the tab without entering any information
- Navigate to the real site by typing the address yourself or using a bookmark
- If you already entered your password, go immediately to the real site and change your password
- Enable two-factor authentication on all important accounts
- Report the phishing URL to Google Safe Browsing (safebrowsing.google.com/safebrowsing/report_phish/) and to the site being impersonated
- Check your account for unauthorised logins or changed settings
Frequently asked questions
Does a padlock mean the site is safe?
No. HTTPS only encrypts the connection. A fraudulent site can have a valid SSL certificate. The domain name is what matters.
Can my password manager protect me?
Yes, indirectly. Password managers only autofill on the exact domain they saved. If autofill does not trigger, treat that as a warning sign.
What if the URL looks right but something still feels off?
Trust your instinct. Open a new tab, type the address manually, and log in there instead.