Is it safe to use a website that shows 'Not Secure' or no padlock for purchases?
You should never enter payment details or personal information on a website without HTTPS (indicated by a padlock and 'https://' in the address bar). Your data travels unencrypted and can be intercepted.
Last reviewed: 10 June 2026
Explanation
HTTPS (HyperText Transfer Protocol Secure) encrypts the data exchanged between your browser and a website. Without it, your payment details, passwords, and personal information travel in plain text across the internet, where they can be read by anyone positioned to intercept your traffic — on a shared network, or in rare cases, elsewhere in the routing chain.
Modern browsers display clear warnings for insecure sites: a 'Not Secure' label in the address bar, a crossed-out or absent padlock, or a full-page warning before the site loads. These warnings exist precisely to help users avoid this risk.
However, HTTPS alone does not make a site trustworthy. Fraudulent sites can and do obtain SSL certificates — the padlock only confirms the connection is encrypted, not that the operator is legitimate. A fake shopping site can have a valid padlock. So HTTPS is a necessary condition for safety, not a sufficient one. You need both HTTPS and verification that the site is genuine.
For any purchasing decision, look for HTTPS, then verify the store through independent research: check reviews, look up the domain registration date, confirm a physical address and contact information, and search for the store name alongside terms like 'scam' or 'reviews'. Price comparison sites and established retailers are the safest starting point for online shopping.
Common red flags
- Browser displays 'Not Secure' or a crossed-out padlock in the address bar
- The URL begins with 'http://' rather than 'https://'
- Your browser shows a full-page security warning before loading the site
- The checkout page is on a different, insecure domain from the rest of the site
- The security certificate is expired or issued for a different domain name
What to do now
- Leave the site immediately without entering any information
- If you already entered payment details on an insecure site, contact your bank to report potential exposure and consider requesting a replacement card
- Enable browser settings that warn or block insecure sites — most modern browsers have these by default
- When shopping online, start from well-known, established retailers rather than following links in ads or emails
- Use a dedicated card with a low limit or a virtual card number for online purchases to limit exposure
Frequently asked questions
Does the padlock mean a website is safe to buy from?
The padlock confirms the connection is encrypted, not that the site is legitimate. Scam sites can have valid padlocks. Always combine HTTPS verification with research into the store's legitimacy.
My browser warned me about the site but I continued anyway — what should I do?
If you entered any information, contact your bank or card provider immediately. Run a malware scan on your device. Monitor your accounts closely for the next several weeks for unauthorised charges.