You’ve found a product you want. The price looks right. The website looks professional. You’re about to enter your card number — and that’s exactly the moment a scammer is waiting for. Fake shopping websites, cloned payment portals, and fraudulent checkout pages stole crores from Indian consumers and NRIs last year alone. The most dangerous ones don’t look fake at all. They have SSL certificates, product photos, and even fake reviews. The difference between a real site and a scam site can be a single character in the URL, or a payment gateway that loads on a completely different domain. This checklist gives you ten fast, reliable checks to run before you enter your card details on any website, whether you’re shopping from India or abroad.
- 10 Checks: Run before entering card details on any website
- 30 Seconds: To examine a checkout page before typing a single digit
- 1 Character: In a URL is enough to separate real from fraudulent
Here’s what makes fraudulent checkout pages so effective in 2026: scammers have learned that perfecting the product page matters far more than perfecting the payment page, because that’s where most shoppers stop paying close attention. SSL certificates are free. Fake reviews are cheap to generate. A convincing product photo takes minutes to copy. The ten checks in this guide go exactly where scammers cut corners — the URL, the payment gateway, the checkout fields, and the business’s actual accountability. Run through them once, and you’ll spot a fraudulent site in under a minute, every time.
1 Verify the URL — Before Anything Else
The URL is your single most important safety indicator. Fake websites invest heavily in looking like the real thing, but they can’t perfectly clone a URL. One extra letter, a hyphen, or a swapped domain extension is all that separates you from a scam.
| ✔ Safe Sign | ✗ Red Flag |
|---|---|
| ✔ amazon.in / flipkart.com | ✗ amazon-deals.in / flipkart-sale.shop |
| ✔ Typed manually into browser | ✗ Clicked from a WhatsApp forward or SMS |
| ✔ .com / .in / .org domains | ✗ .xyz / .top / .shop / .store for payments |
| ✔ URL matches the brand exactly | ✗ Extra hyphens, numbers, or words added |
Quick Test: Type the website address manually into your browser. If you can only reach it through a link someone sent you, treat it as a red flag until verified.
Also beware of Punycode attacks, where scammers use international characters that look identical to English letters. ‘аmazon.com’ (with a Cyrillic ‘а’) is not amazon.com. Always check the address bar character by character for high-value transactions.
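The URL checks above can be run as a script. The following is an added example, not part of the original checklist: it flags missing HTTPS, Punycode or mixed-script labels, the red-flag extensions from the table, and brand names on lookalike domains. The `KNOWN_BRANDS` allowlist is constructed from the table's safe examples, and treating the last two labels as the registered domain is a simplification.

```python
import unicodedata
from urllib.parse import urlsplit

# TLDs the table above lists as red flags on payment pages.
RISKY_TLDS = {"xyz", "top", "shop", "store"}
# Brand keyword -> exact domains the table shows as genuine (constructed allowlist).
KNOWN_BRANDS = {"amazon": {"amazon.in", "amazon.com"}, "flipkart": {"flipkart.com"}}


def scripts_in(label):
    """Unicode scripts used by the letters of one hostname label."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in label if ch.isalpha()}


def url_red_flags(url):
    """Return the red flags found in the scheme and hostname of a URL."""
    parts = urlsplit(url)
    flags = []
    if parts.scheme != "https":
        flags.append("no-https")
    decoded = []
    for label in (parts.hostname or "").rstrip(".").split("."):
        if label.startswith("xn--"):
            # Punycode label: decode it so hidden non-Latin letters become visible.
            try:
                label = label[4:].encode("ascii").decode("punycode")
            except UnicodeError:
                flags.append("malformed-punycode")
        decoded.append(label)
    for label in decoded:
        scripts = scripts_in(label)
        if len(scripts) > 1:
            flags.append("mixed-scripts:" + "+".join(sorted(scripts)))
        elif scripts - {"LATIN"}:
            flags.append("non-latin-label")
    if decoded[-1] in RISKY_TLDS:
        flags.append("risky-tld")
    # Simplification: treat the last two labels as the registered domain.
    registered = ".".join(decoded[-2:])
    for brand, genuine in KNOWN_BRANDS.items():
        if brand in registered and registered not in genuine:
            flags.append("brand-lookalike:" + brand)
    return flags


if __name__ == "__main__":
    for sample in ("https://www.amazon.in/", "https://amazon-deals.in/",
                   "https://flipkart-sale.shop/", "https://\u0430mazon.com/"):
        print(sample, url_red_flags(sample))
```

An empty list means none of these particular flags fired; it does not prove the site is genuine.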
2 HTTPS & Padlock — Necessary, But Not Enough
HTTPS means the connection between your browser and the website is encrypted. It does NOT mean the website is legitimate. Scammers routinely obtain SSL certificates for fake websites, and they’re free to get. A padlock icon only tells you the data is encrypted in transit, not that the recipient is trustworthy.
What HTTPS Tells You
- Your data is encrypted during transmission
- The connection is not being intercepted by a third party
What HTTPS Does NOT Tell You
- That the website owner is legitimate or trustworthy
- That your card data won’t be stolen after submission
- That the site isn’t a professionally built clone
| ✔ Safe Sign | ✗ Red Flag |
|---|---|
| ✔ https:// with no browser warnings | ✗ http:// — no encryption at all |
| ✔ Certificate issued to the brand’s legal name | ✗ Certificate issued very recently (check: click padlock) |
| ✔ No ‘Not Secure’ or ‘Certificate Error’ message | ✗ Browser warning about certificate mismatch |
Pro Tip: Click the padlock icon and check ‘Certificate’ details. See when it was issued — scam sites typically show certificates less than 3 months old.
3 Check the Website’s Age & Real-World Reputation
Scam websites are usually newborn operations — set up, run for a few months to scam as many people as possible, then abandoned. A website with no history, no genuine reviews, and no organic online presence is a serious warning sign.
How to Check Website Age
- Go to whois.domaintools.com and enter the domain name
- Check the ‘Registration Date’ — under 6 months old is a red flag
- Check the ‘Registrant’ details — hidden or offshore registration is suspicious
How to Verify Real Reputation
- Search: [Website name] + ‘reviews’ + ‘scam’
- Check Trustpilot, MouthShut, Google Reviews, and Reddit India
- Look for complaints about non-delivery, payment fraud, or fake products
- Check if the brand has a verified social media presence (not just paid ads)
Instant Red Flag: A website with no digital footprint outside of paid ads, no organic reviews, and no social media history — avoid completely, regardless of how good the deal looks.
4 Verify the Payment Gateway — The Most Critical Check
The payment page is where your card data is actually captured. A legitimate Indian e-commerce site hands off payment processing to a trusted, RBI-regulated gateway. If the payment page looks wrong, loads on a different domain, or behaves unexpectedly, stop immediately.
Trusted Indian payment gateways include Razorpay, PayU India, Cashfree, CCAvenue, BillDesk, and Stripe.
Payment Page Red Flags
- Checkout page loads on a completely different domain (e.g., you’re on shopxyz.com but payment goes to pay-secure99.com)
- Payment page looks outdated, pixelated, or poorly designed
- Website forces you to save card details before processing
- Payment page asks for your OTP directly — this is illegal under RBI guidelines
- ‘Pay via bank transfer’ or ‘Pay via QR code to WhatsApp number’ requests
- No recognisable gateway logo (Visa/Mastercard/RuPay) on the payment page
RBI Rule: No legitimate payment page in India will ever ask you to enter an OTP directly on the merchant’s website. OTPs are only sent by your bank and entered on your bank’s own secure page.
5 Verify Contact Details & Legal Policies
A legitimate business stands behind its products. Every real e-commerce website in India is legally required to display company information, a grievance officer name, and clear refund policies. Scam sites skip these because they have no intention of honouring them.
What a Safe Website Must Have
- Registered company name and GST number (for Indian businesses)
- Physical business address — not just a PIN code or city name
- Customer support email and phone number (test it — does it work?)
- Clear return, refund, and cancellation policy
- Privacy policy that explains how your data is used
- Grievance officer name and contact (mandatory under IT Rules 2021)
Scam Site Patterns
- Only a WhatsApp number or generic contact form — no phone, no address
- ‘Contact Us’ page that goes to a Gmail or Yahoo address
- No return/refund policy, or a policy that says ‘all sales final’
- No GST number for an apparently Indian business
Quick Test: Call or email the support number before paying. Scam sites either don’t respond, give automated replies, or the number doesn’t exist.
6 Inspect the Checkout Page Before Entering Card Details
Scammers spend 90% of their effort making the product pages look real, but the checkout page is where they cut corners. Take 30 seconds to examine it carefully before typing your first digit.
Green Lights on the Checkout Page
- Page stays on the same domain throughout
- No unexpected pop-ups or redirects mid-checkout
- Only standard card fields: Card number, Expiry, CVV, Name
- Recognisable bank 3D Secure (OTP) page for final authentication
Stop Immediately If You See
- Checkout form asking for PAN card or Aadhaar number
- Fields requesting your full CVV to be emailed or typed in a chat
- ‘Pay via Google Form’ — no legitimate business uses Google Forms for payments
- ‘Pay via screenshot to this UPI ID’ — this is always fraud
- Forced account creation before you can see the total price
- Spelling errors, broken images, or misaligned layout on the payment page
Golden Rule: Your CVV should only ever be entered on your bank’s encrypted payment page — never in a chat, form, email, or screenshot request.
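The payment-gateway and checkout-page checks from sections 4 and 6 can be applied to a saved copy of a checkout page. This added example is not part of the original guide: it reports forms that post to another domain or over plain HTTP, and fields asking for an OTP, PAN, or Aadhaar number. The sample page reuses the guide's shopxyz.com / pay-secure99.com illustration, and `TRUSTED_GATEWAY_HOSTS` holds a constructed placeholder rather than a real gateway host.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Hosts allowed to receive card data besides the shop itself (constructed placeholder).
TRUSTED_GATEWAY_HOSTS = {"gateway.example"}
# Details the checklist says a card form must never ask for.
FORBIDDEN_WORDS = {"otp", "pan", "aadhaar"}

# Constructed sample: a checkout page on shopxyz.com posting to another domain.
SAMPLE_CHECKOUT = """
<form action="https://pay-secure99.com/collect" method="post">
  <input name="card_number"><input name="expiry"><input name="cvv">
  <input name="otp"><input name="aadhaar_number">
</form>
"""


class FormCollector(HTMLParser):
    """Collect form targets and field names from checkout HTML."""

    def __init__(self):
        super().__init__()
        self.actions, self.fields = [], []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self.actions.append(attrs.get("action") or "")
        elif tag in ("input", "select", "textarea"):
            self.fields.append((attrs.get("name") or attrs.get("id") or "").lower())


def checkout_red_flags(page_url, html):
    """Flag off-domain or unencrypted form targets and forbidden fields."""
    collector = FormCollector()
    collector.feed(html)
    page_host = urlsplit(page_url).hostname
    flags = []
    for action in collector.actions:
        target = urlsplit(urljoin(page_url, action))  # resolves relative actions
        if target.scheme != "https":
            flags.append("insecure-target:" + target.geturl())
        elif target.hostname not in TRUSTED_GATEWAY_HOSTS | {page_host}:
            flags.append("off-domain-target:" + target.hostname)
    for name in collector.fields:
        # Match whole words only, so "expand" is not mistaken for "pan".
        if FORBIDDEN_WORDS & set(name.replace("-", "_").split("_")):
            flags.append("forbidden-field:" + name)
    return flags
```

This inspects static HTML only; card fields rendered by a script or inside an iframe are not seen, so a clean result covers the form markup and nothing more.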
7 Watch for Malware & Phishing Behaviour
Some fraudulent websites don’t just steal your card data — they try to infect your device or trick your browser into giving up saved passwords and banking credentials. These behavioural signs are immediate stop signals.
Malware & Phishing Warning Signs
- Random, irrelevant pop-up ads appearing across the site
- Fake antivirus warnings claiming your device is infected
- Browser notifications asking for permission the moment you land on the page
- Automatic file downloads you didn’t request
- Repeated redirects to unknown pages before reaching the checkout
- Unusually slow loading or pages that ‘break’ mid-transaction
- Site asks you to disable your browser’s security warnings to proceed
If Anything Feels Off: Close the browser tab immediately. Clear your browser cache and cookies. If you already entered any data, contact your bank to put a temporary hold on your card.
8 Use Virtual Cards or Low-Limit Cards for Extra Protection
Even after running all the checks above, smart card hygiene means you should limit your exposure on any online transaction. Virtual cards and transaction limits are your last line of defence if a website turns out to be compromised.
Virtual Card Best Practices
- Use your bank’s virtual card feature for one-time or single-merchant use (available in HDFC, ICICI, Axis, SBI, Kotak, and others)
- Set a low transaction limit on the card used for online shopping — only top it up when needed
- Enable instant SMS and app alerts for every transaction
- Disable international transactions on cards you only use for domestic purchases
- Use a separate card for online shopping — never your primary salary or savings account card
For NRIs Transacting in India
- Use NRE/NRO account debit cards with strict per-transaction limits set via your banking app
- Request India-only virtual cards from your bank for local online purchases
- Disable the card after each major transaction and re-enable when needed
- Set geographic restrictions via your bank’s app — block transactions from countries you’re not in
Best Practice: Treat your online shopping card like a prepaid card — load only what you plan to spend. If the website is compromised, scammers can only access what’s on that card.
9 Never Save Your Card on Unknown Websites
‘Save your card for faster checkout next time’ is one of the most dangerous prompts on the internet for Indian consumers. When a small or unverified website stores your card, they keep your card data on their servers. A single data breach at that website exposes your full card details to fraudsters.
The Risk of Saved Cards
- Data leaks: many small Indian e-commerce sites have inadequate security — breaches expose millions of saved cards
- Credential stuffing: stolen card data is tested automatically across hundreds of sites
- Recurring charges: some sites initiate unauthorised recurring payments from saved cards
Where It Is Generally Safe to Save Cards
- Amazon India and Amazon Global
- Flipkart, Myntra, Meesho
- Swiggy, Zomato, BigBasket
- IRCTC and major airline apps (IndiGo, Air India, Vistara)
- Your own bank’s net banking portal or app
Never Save Cards On
- Any website you’ve visited for the first time
- Small or regional e-commerce sites with limited reviews
- Any site you found through a social media ad
- Any site that doesn’t show a recognised payment gateway
RBI Update: As of 2022, RBI mandates card tokenisation — reputable websites now store a token, not your actual card number. But many smaller, non-compliant sites still store raw card data. Saving your card on them is a direct risk.
The 10-Second Pre-Payment Safety Checklist
Run through this every single time before entering card details online — whether you’re shopping from Bengaluru or Birmingham. If even one box can’t be checked, close the page.
| URL & Website Identity | Payment & Checkout |
|---|---|
| ☐ URL spelling is correct — typed manually | ☐ Trusted payment gateway name is visible |
| ☐ HTTPS with no browser security warnings | ☐ Payment page stays on the same domain |
| ☐ Website is over 6 months old (WHOIS checked) | ☐ No pop-ups, redirects, or broken elements |
| ☐ Real reviews found on Trustpilot / Google | ☐ No request for PAN, Aadhaar, or OTP on site |
| ☐ Contact details, address & GST number present | ☐ Not saving card — or saving only on trusted site |
If Even ONE Check Fails — Do Not Pay. No deal is good enough to risk your card data. Close the page, find the product on a verified platform, and move on.
If You Already Paid on a Suspicious Website — Act Now
Time is critical. Card fraud disputes in India are most successful when reported within 24–48 hours of the transaction
Step 1: Request a chargeback or dispute for the transaction. Ask for a temporary card block if the site may have saved your details.
Step 2: Don’t wait on hold — block it instantly through the app, then call. You can always unblock a legitimately blocked card.
Step 3: Fraudulent sites sometimes initiate small recurring charges. Review your statement for any unfamiliar amounts.
Step 4: File a complaint at cybercrime.gov.in. Your complaint number is required for the bank’s dispute process. File it before calling back the bank.
Step 5: Visit safebrowsing.google.com/safebrowsing/report_phish/ to flag the site — this helps protect other users.
30 Seconds of Caution Saves Months of Headache. Card fraud disputes in India take weeks to resolve, and many are never recovered. The 10 checks in this guide take less than a minute and can save you from losing thousands. Share this checklist with everyone who shops online
Quick Reference: Key Portals and Helplines
| Item | Where to Go |
|---|---|
| Cyber Crime Helpline | 1930 — 24×7 |
| Report fraud online | cybercrime.gov.in — National Cyber Crime Reporting Portal |
| Check website registration / age | whois.domaintools.com |
| Report a phishing or scam website | safebrowsing.google.com/safebrowsing/report_phish/ |
| Card fraud dispute window | Call your bank within 24 hours of the transaction |
| Trusted Indian payment gateways | Razorpay, PayU India, Cashfree, CCAvenue, BillDesk, Stripe |
| Check reviews before buying | Trustpilot, MouthShut, Google Reviews, Reddit India |
Fraudulent checkout pages succeed because they exploit the exact moment you stop paying close attention — right after you’ve found the product you want, at a price that feels right. The ten checks in this guide are designed for that exact moment: verify the URL character by character, confirm HTTPS but don’t stop there, check the website’s age and real reviews, watch the payment gateway closely, verify the business has genuine contact details, inspect the checkout page before typing a single digit, watch for malware behaviour, use a virtual or low-limit card as your last line of defence, and never save your card on an unverified site. If even one check fails, close the page. No discount, no deal, and no urgency is worth the weeks it takes to dispute card fraud in India — and many disputes are never fully recovered. Thirty seconds of checking, every single time, is the only habit that protects you completely.