How to Spot a Fake Login Page and Avoid Phishing

How to spot a fake login page

The most reliable way attackers steal passwords is not hacking — it is simply asking. A fake login page that looks exactly like the real one, reached through a convincing email or text, persuades you to type your credentials straight to a criminal. Our GetMyPassword team shows you how to spot a fake login page every time, so a polished imitation never costs you your account.

Spot a fake login page
How to spot a fake login page and avoid phishing.

Always check the address bar

The page can be copied pixel-for-pixel, but the web address cannot be faked. Look carefully at the domain before the first single slash: paypal.com is real, while paypal.secure-login.com or paypa1.com is not. Attackers hide the real site behind extra words and look-alike letters, so read it slowly.

The padlock is not proof

A common myth is that the padlock icon (HTTPS) means a site is safe. It only means the connection is encrypted — and scammers easily get free certificates for their fake sites. So a padlock on a phishing page is normal. Judge the domain name, not the padlock.

More red flags

  • You arrived via a link in an email or text rather than typing the address yourself.
  • Urgency or threats — “verify now or your account is closed.”
  • Small spelling or layout mistakes, or an outdated logo.
  • Your password manager does not offer to autofill — it does not recognise the fake domain.

Your password manager is a quiet lie-detector. It only autofills on the exact domain it saved, so if it stays silent on a familiar login page, the page is probably not the real one.

What to do instead

When in doubt, never log in from the link. Open a new tab and type the address yourself or use a saved bookmark. If you think you already entered details on a fake page, change that password immediately — and anywhere you reused it — then turn on two-factor authentication. A unique password from our password generator limits the damage to one site, and 2FA blocks the login even with the stolen password.

Frequently asked questions

How can I tell if a login page is fake?

Check the domain in the address bar for extra words or look-alike letters, be suspicious if you arrived via an email link, and notice if your password manager declines to autofill. The padlock alone does not prove a site is genuine.

Does the padlock icon mean a site is safe?

No. The padlock only means the connection is encrypted, and scammers get free certificates for fake sites too. Always judge the domain name rather than relying on the padlock.

What should I do if I entered my password on a fake page?

Change that password right away, and change it anywhere you reused it. Then enable two-factor authentication and watch the account for unusual activity. Acting quickly usually prevents any harm.

Help your friends stay safe. Share this article!