15/3/2026
How to verify an e-commerce site: a 2026 guide to assessing reliability and security before you buy
In 2026, verifying an e-commerce site is no longer about a gut feeling that a shop "looks legitimate". Clones of well-known websites can be visually flawless — to the point where, according to FranceVerif, it is increasingly difficult to tell a legitimate site from a copy without using the right tools. The financial impact is very real too: according to wearestudium, online scams cost French people €2.1 billion in 2025.
This guide gives you a practical method (visible signals, proof to request, and tools) to assess an e-commerce site before purchasing, protect your data, and know what to do if you fall victim to fraud — without becoming paranoid or naïve.
Why e-commerce scams keep evolving — and why your habits need to keep up
Fraudsters iterate quickly: new domain names, social campaigns, short-lived shops, fake reviews, and scripted "support" scenarios (delivery, after-sales, refunds). In 2026, purchasing journeys also begin more often on mobile (around 60% of global web traffic comes from mobile, according to Webnyxt 2026), which reduces vigilance: smaller screens hide clues (truncated URLs, hard-to-find legal pages, intrusive banners).
On top of that, more people now use AI search tools to "validate" a seller: according to IPSOS (2026), 39% of French people use AI search engines for their research. But an AI summary can be wrong, so your checks should be based on verifiable elements (legal identity, payment-page security, returns policy, domain consistency, and a tool-based reputation check).
What you can check in minutes — and what requires proper proof
In practice, there are two levels of checks:
- Quick checks (by eye): HTTPS/padlock, overall quality, easy access to legal notices/terms/returns, contact options, and whether pricing and pages feel coherent.
- Proof-based checks: the seller's real existence (company details, plausible address), domain age, reputation (phishing/malware), strength of TLS encryption, consistent external reviews, and compliant consent/data minimisation.
The rest of this article follows that order: first what eliminates most risk, then what secures a purchase when doubt remains.
A quick 10-point method to check whether an e-commerce site is reliable
Here is a short checklist to assess a site in a few minutes, then decide: buy, investigate further, or leave.
- Identify the seller (company name, address, registration details) and check everything is consistent.
- Check clear terms and conditions (delivery, returns, guarantees, disputes).
- Confirm the returns policy and that customer service is reachable.
- Verify HTTPS and the certificate on sensitive pages (account/basket/payment).
- Compare the domain name with the brand and watch for lookalike variants.
- Scrutinise pricing/promotions (offers "too good to be true"), stock messages and artificial urgency.
- Check product pages (specifications, variants, conditions, availability).
- Cross-check reviews (externally) and spot manipulation signals.
- Check data protection (GDPR, cookie consent, data minimisation).
- Use 1–3 tools (reputation, phishing, SSL, domain age) before paying.
Identify the seller and check the information is consistent
The first filter is knowing who you are buying from. French authorities (DDPP, official page updated 28/01/2026) remind consumers that the website must publish legal notices that allow you to verify the seller's identity and contact details.
- Full postal address: a vague address ("Paris, France") or a PO box is a red flag (wearestudium).
- Registration details: in France, SIRET numbers have 14 digits. If details are missing, broken, or look pasted in without coherence, do not buy (wearestudium).
- Internal consistency: the same name across legal notices, terms, invoices and emails. Placeholder fields like "[Insert company name]" in the terms (Europe-consommateurs) are a strong copy-paste warning sign.
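The registration and placeholder checks above can be automated. The following Python is an added example, not part of the original guide: it extracts SIRET candidates from a legal-notice text, checks the 14-digit length and the Luhn checksum that SIRET numbers use (a fact the guide does not state), and flags unfilled template fields. The function names, sample notices and SIRET values are constructed for illustration.

```python
import re

# Template fields left unfilled, such as "[Insert company name]".
PLACEHOLDER_RE = re.compile(r"\[\s*(?:insert|insérer)\b[^\]]*\]", re.IGNORECASE)
# "SIRET" label, then digits that may be grouped with spaces, dots or NBSP.
SIRET_RE = re.compile(r"SIRET\D{0,20}((?:\d[ .\u00a0]?){8,20})", re.IGNORECASE)


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: double every second digit from the right, sum mod 10 == 0."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def check_siret(raw: str) -> str:
    """Classify one SIRET candidate as ok / wrong_length / implausible / bad_checksum."""
    digits = re.sub(r"\D", "", raw)
    if len(digits) != 14:
        return "wrong_length"
    if len(set(digits)) == 1:
        # e.g. all zeros passes Luhn but is clearly filler
        return "implausible"
    # Known exception not handled here: La Poste establishments (SIREN 356000000).
    if not luhn_ok(digits):
        return "bad_checksum"
    return "ok"


def audit_legal_notice(text: str) -> list:
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = [f"placeholder:{m.group(0)}" for m in PLACEHOLDER_RE.finditer(text)]
    candidates = SIRET_RE.findall(text)
    if not candidates:
        findings.append("siret:missing")
    for raw in candidates:
        status = check_siret(raw)
        if status != "ok":
            findings.append(f"siret:{status}")
    return findings


# Constructed sample notices (the SIRET values are made up, not real companies).
GOOD_NOTICE = (
    "Legal notice\n"
    "Example Shop SAS, 12 rue Exemple, 75000 Paris\n"
    "SIRET : 123 456 789 01237\n"
)
BAD_NOTICE = (
    "Legal notice\n"
    "[Insert company name], Paris, France\n"
    "SIRET: 1234 5678 9012\n"
)

if __name__ == "__main__":
    print(audit_legal_notice(GOOD_NOTICE))
    print(audit_legal_notice(BAD_NOTICE))
```

A passing checksum only shows the number is well formed; whether it belongs to the named seller still has to be confirmed against an official register.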
Check pricing, promotions and availability (the "too good to be true" test)
An overly attractive deal remains a core warning sign (DDPP). The wearestudium example (February 2026) of an Instagram advert promising "-70% hotels" shows the typical pattern: unrealistic discounts, a very new domain, incomplete legal notices, and an untraceable identity.
Be cautious if:
- the price is abnormally low versus the market (Boursorama, 2025);
- the site uses artificial urgency (countdowns, "only 2 left" everywhere);
- stock and delivery times are inconsistent (e.g. "24-hour worldwide delivery" with no named carrier).
Review product information and look for inconsistencies
A reliable site documents its products. Boursorama (2025) recommends relying on product specifications: if they are not detailed, it is safer not to order.
Practical checks:
- Complete description (dimensions, compatibility, materials, warranties), not just a photo (DDPP).
- Coherent variants (sizes/colours) and plausible stock information.
- Photos: watch for overly generic catalogue images or visuals that do not match the text.
Test the site's overall quality (language, journey, errors, duplicate pages)
Execution quality often reveals how serious a shop is. According to Europe-consommateurs, poor French (errors, unnatural phrasing) is a reason to leave the site. Add typical "rushed build" indicators: broken links, duplicated pages, an unstable basket/checkout flow, or strange redirects.
On mobile, performance also influences perceived trust. Google (2025) reports that 53% of mobile visits are abandoned if load time exceeds 3 seconds. A slow site is not automatically fraudulent, but it increases the risk of mistakes (wrong order summary, duplicate payment, shifting pages).
Legal notices, terms, returns and contact details: core e-commerce trust signals
How do legal notices help you verify an e-commerce site?
Legal notices help confirm the seller exists and can be traced. According to the DDPP, they are mandatory and must identify the business (name, address, contact details). Wearestudium highlights two simple checks: a real physical address in France and a valid SIRET (14 digits).
Do this in 2 minutes:
- Copy the postal address and check it in a mapping tool: if it points to something implausible (derelict site, unrelated private residence), be cautious (Europe-consommateurs).
- Compare the business name, address and contact details between legal notices and the terms: inconsistency is a risk signal.
Terms and conditions: delivery, cancellation, refunds, guarantees and disputes
The terms are effectively a contract: they explain delivery, returns and refunds. Boursorama (2025) stresses the importance of reading them so you understand your options if something goes wrong.
What to expect:
- Delivery terms: timelines, carrier, costs, served areas.
- Right to cancel: in the EU, the reference period is 14 days (Boursorama, 2025; the DDPP recommends favouring French or European sellers to benefit from guaranteed rights).
- Refunds: conditions, timelines, possible fees.
- Guarantees: statutory and commercial (if stated).
A common red flag: generic, inconsistent terms, or missing/unfinished fields (Europe-consommateurs).
Returns and after-sales support: timelines, conditions, fees and expected evidence
A credible returns policy is specific and operational: return address, timeframe, expected condition, proof of purchase, steps, and fees. If the site provides only a form with no process, you may hit a "wall" after paying.
Before buying, look for:
- the return address (not just "contact us");
- processing timelines (return received → refund);
- exceptions (custom goods, hygiene items, etc.);
- required proof (order number, photo, parcel tracking).
Customer service: address, phone, opening hours, response times and scam patterns
A legitimate site provides real contact routes. Wearestudium recommends a French number beginning 01/02/03/04/05/06/09; a hidden number, a +44 number, or only a form can be suspicious. Europe-consommateurs advises calling before you buy (if a number exists) and avoiding premium-rate numbers.
A simple test: ask a specific question (stock, timeframe, returns). Support that replies quickly but evasively — or pushes you to "pay now" — can look like a script.
Technical security: HTTPS, certificate, domain, payment and fraud prevention
How does HTTPS protect transactions?
HTTPS encrypts data exchanged between your browser and the website. Wearestudium notes that if the URL starts with https:// and a closed padlock appears, the data is encrypted. Without HTTPS, sensitive information (passwords, card details) can be sent in plain text — and wearestudium estimates a site without HTTPS is dangerous 95% of the time.
The DDPP also recommends checking that the URL switches to HTTPS at payment and that a padlock appears. It also highlights the "double click" principle: one click to review the order, a second to confirm it definitively.
Certificate, domain, redirects and URLs: spotting clones and lookalike variations
Clone sites rely on details you might miss: an extra hyphen, a different extension, a misleading subdomain, or a redirect that sends you elsewhere at checkout.
- Check the full URL: on mobile, tap the address bar to reveal the entire domain.
- Open the certificate: wearestudium suggests a simple method (click the padlock → "Certificate" → check "valid from"). A very recent domain (under 6 months) increases risk.
- Watch redirects: if the basket/checkout jumps to an unrelated domain, stop.
Europe-consommateurs also suggests a useful coherence test: if the domain name has nothing to do with the activity (e.g. a "car" domain selling shoes), be wary.
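The lookalike patterns listed in this section (extra hyphen, different extension, misleading subdomain, checkout redirect to another domain) can be checked mechanically. The Python below is an added example, not from the original guide; it also goes one step further with an edit-distance test for one- or two-character typos. The domain names use reserved test TLDs, and the short suffix table and the distance threshold are assumptions; a production check should use the full Public Suffix List.

```python
from urllib.parse import urlsplit

# Assumption: a tiny constructed table of two-label public suffixes.
TWO_LABEL_SUFFIXES = {"co.uk", "com.au", "co.jp", "gouv.fr", "asso.fr"}


def split_host(host: str):
    """Split a hostname into (subdomain, registrable name, suffix)."""
    labels = host.lower().rstrip(".").split(".")
    n = 2 if ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES else 1
    if len(labels) <= n:
        return "", "", ".".join(labels)
    return ".".join(labels[:-n - 1]), labels[-n - 1], ".".join(labels[-n:])


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(url: str, trusted: str) -> str:
    """Compare the host in `url` with the trusted shop domain."""
    host = urlsplit(url if "://" in url else "//" + url).hostname or ""
    sub, name, suffix = split_host(host)
    _, t_name, t_suffix = split_host(trusted)
    if (name, suffix) == (t_name, t_suffix):
        return "match"
    if name == t_name:
        return "different_extension"
    if name.replace("-", "") == t_name.replace("-", ""):
        return "hyphen_variant"
    if t_name in sub.split("."):
        # The brand appears only as a label in front of someone else's domain.
        return "misleading_subdomain"
    if edit_distance(name, t_name) <= 2:  # threshold is an assumption
        return "near_miss"
    return "unrelated"


def first_offsite_hop(chain, trusted: str):
    """Return the first URL in a checkout redirect chain that leaves the shop's domain."""
    for url in chain:
        if classify(url, trusted) != "match":
            return url
    return None


# Constructed sample data: .example and .test are reserved TLDs.
TRUSTED = "maboutique.example"
CHECKOUT_CHAIN = [
    "https://maboutique.example/panier",
    "https://www.maboutique.example/commande",
    "https://maboutique.example.paiement-secure.test/pay",
]

if __name__ == "__main__":
    for candidate in ("ma-boutique.example", "maboutique.test", "maboutiqe.example"):
        print(candidate, classify(candidate, TRUSTED))
    print(first_offsite_hop(CHECKOUT_CHAIN, TRUSTED))
```

A legitimate shop may hand off to a known payment provider, so an off-site hop is a prompt to check where the page has landed, in line with the redirect advice above.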
Payment: 3-D Secure, PSD2, virtual cards and preferred methods
To reduce financial risk, use payment methods that make disputes easier and support strong customer authentication.
- 3-D Secure / PSD2: the DDPP recommends a double safety step via your bank, such as a confirmation code by SMS.
- Virtual cards: if your bank offers them, they reduce exposure of your real card number.
- Avoid saving your card: the CNIL advises against letting apps or browsers store bank details, as security is not always guaranteed.
Checkout: risk signals (excessive data collection, unusual steps, off-site payment)
Checkout is a critical moment. Stop if you see:
- excessive data collection (ID documents, date of birth, information not needed for delivery);
- unusual steps (payment "by email", an incoherent external link, request for an IBAN);
- a missing or vague summary (the DDPP reminds consumers that sellers must allow you to verify details and the total price before payment).
Customer reviews and reputation: checking without being fooled
Where to find reliable feedback and how to cross-check
Do not rely solely on reviews shown on the site. Wearestudium recommends checking external platforms (e.g. Google or Trustpilot) and being wary if there are fewer than 10 reviews or if the latest ones are over 6 months old.
For a quick check, combine:
- searching the site name together with the word "scam" (DDPP recommendation, also cited by Boursorama 2025);
- recent external reviews;
- consistency between complaints (non-delivery, non-existent support) and the published terms/returns.
Keep in mind: the DDPP warns that reviews can be manipulated (fake positive or negative reviews), even though it is illegal in France. Boursorama (2025) adds that fake reviews can be generated with AI — so treat reviews as a signal to cross-check, not as proof.
Spotting suspicious reviews (sudden spikes, language, duplicates, profiles)
Common signals:
- Sudden spikes in reviews over a short period, with no clear trigger.
- Formulaic language (over-the-top superlatives, interchangeable sentences), repetition and duplicates.
- Empty profiles or incoherent histories (lots of "5-star" reviews across unrelated businesses).
Do not look for statistical perfection — look for coherence. Real businesses typically have a mix of reviews, specific criticism, and responses from the company.
Trust marks and certifications: recognising proof and avoiding fake badges
How can you tell real trust marks from fake ones?
A "trust" badge is not proof in itself. Europe-consommateurs and Boursorama (2025) warn about fake labels. The rule is simple: if a site displays a badge, find out what it actually guarantees (checks, mediation, insurance, scope) and verify it matches the seller you identified.
A useful clue: serious schemes are usually backed by clear commitments (complaints process, mediation, audits), not just an icon.
Published commitments (payment, delivery, support): proof, traceability and consistency
The commitments that matter are those that leave a verifiable trail:
- detailed delivery terms (carrier, tracking);
- a clear support process (address, timelines, steps);
- written refund terms that align with the site's terms and conditions.
If the site promises "guaranteed refund" but provides no timeline, method or contact, treat it as marketing, not a guarantee.
Mobile: banners, pop-ups, consent and manipulation signals
On smartphones, some scams rely on UX tricks: pop-ups that hide the URL, "continue" buttons that trigger actions, and ambiguous consent banners. If you cannot easily access legal notices, terms or the privacy policy, treat it as a risk signal.
In 2026, a significant share of purchases start on mobile (Webnyxt/SEO.com 2026). Make these two habits non-negotiable: reveal the full URL and open the legal pages before entering card details.
Data protection and GDPR in e-commerce: what you should check
Privacy policy: purpose, retention, rights and data controller
A useful privacy policy answers practical questions: what data is collected, why, for how long, and how to exercise your rights. FranceVerif cites common categories linked to tracking and personalisation: identifiers, browsing behaviour, preferences, purchases, IP addresses, email addresses and location.
At minimum, check:
- the identity of the data controller (linked to the seller);
- the purposes (order, delivery, marketing, fraud prevention);
- retention periods and rights (access, deletion, objection).
Cookies and consent: compliant practice vs misleading practice
FranceVerif notes, for example, the ability to withdraw consent and an observed validity period of 6 months for choices (depending on configurations). In practice, a clean consent banner should make refusing as easy as accepting.
Common red flags:
- a prominent "accept all" button with refusal hidden behind multiple clicks;
- no way to refuse non-essential trackers;
- aggressive ad tracking as soon as you land, before you have shown purchase intent.
Customer accounts: data minimisation, passwords and security
A retailer does not need to know everything. Be cautious if creating an account is mandatory and it asks for information unrelated to the sale (e.g. documents, bank details outside payment). For security, avoid reusing passwords and consider a password manager to reduce the impact of a breach.
Tools: a practical toolkit to verify an e-commerce site before buying online
Which tools can you use to check an e-commerce site is secure?
Use only a few tools, but use them well. The goal is to confirm reputation (phishing/malware), TLS security, and domain identity/age.
- FranceVerif: a verification service based on more than 127 criteria. FranceVerif reports having recently tested 1 million websites, with 52% deemed reliable and 115,000 fraud detections. It also offers a reverse directory, lists of sites with questionable reliability, and a "report a scam" process.
- Google Safe Browsing: checks whether a site is flagged as dangerous (phishing/malware).
- VirusTotal and Sucuri: combine security and reputation signals (wearestudium).
- SSL Labs: evaluates TLS/SSL configuration (wearestudium suggests aiming for A/A+).
If you manage a website and want to reduce false positives (a healthy site that looks suspicious), Google explains security and diagnostics principles in its official documentation (developers.google.com and support.google.com).
Domain age and registration information (WHOIS and equivalents)
Europe-consommateurs and Boursorama (2025) recommend checking domain registration via WHOIS (and, depending on the extension, registries such as Afnic for .fr). A hidden owner is not automatically fraudulent, but combined with a very recent domain and weak legal notices, it should make you stop.
Reputation checks and alerts (Safe Browsing, anti-phishing lists)
Before paying, run a quick reputation check. Wearestudium also describes user-side symptoms: persistent pop-ups, strange redirects, extreme slowness. If you see these, leave — even a legitimate site can be compromised, and you do not want to enter payment details in an unstable environment.
Browser-level checks (certificate, connections, permissions, warnings)
Your browser is already a tool:
- open the padlock to read certificate information;
- refuse unnecessary permissions (notifications, location) for an online shop;
- take "deceptive site" or "not secure" warnings seriously.
A 3-minute verification routine before you pay
- Reveal the full URL (including on mobile) and check the domain.
- Open legal notices + terms + returns: look for registration details, address and contact routes.
- Run Safe Browsing or a scan such as VirusTotal.
- Check HTTPS/padlock and, if in doubt, the certificate's age.
- Pay with 3-D Secure and, if possible, a virtual card. Do not save the card.
Scam detection: spotting fake online shops and knowing when to stop
What are the warning signs of a fraudulent online shop?
- Unclear identity: no real address, missing registration details, incomplete legal notices (wearestudium, DDPP).
- New domain: under 6 months = higher risk (wearestudium).
- Unrealistic promotions and time pressure (DDPP).
- Weak contact options: no phone number, or a suspicious/hidden one (wearestudium).
- Overly perfect reviews or reviews only on the site itself (wearestudium, DDPP).
- Abnormal checkout: strange redirects, IBAN/bank transfer requests, excessive data collection.
Brand impersonation and "clone" websites: visual, technical and textual clues
Clones copy design, but rarely copy rigour: inconsistent terms, mistakes, broken links and generic legal pages. Europe-consommateurs also notes that government or local-authority sites can be hijacked to inspire trust — rely on the real domain, not a logo.
A simple habit: type the address yourself (rather than clicking from an advert or message) and compare it letter by letter.
Phishing, fake support and fake delivery follow-ups: common scenarios
Wearestudium cites typical parcel scams: a message claiming "Your parcel is awaiting €2.99 in fees" that leads to a domain unrelated to the carrier. The same logic applies to fake ticketing sites.
Golden rule: never pay a "small amount" via a link received by SMS/email without going through the carrier's or retailer's official website (typed in by you).
Unusual requests (documents, IBAN, bank transfer, off-platform payment)
A standard online shop has no reason to ask for ID documents or an IBAN for a normal purchase. Bank transfer or off-site payment should be treated as high risk unless it is a tightly controlled B2B context (purchase order, contract, verified details).
If you have been scammed: what to do, refunds and consumer rights
Act fast: block your card, keep evidence, report it and secure accounts
- Cancel your card if your details may have been compromised.
- Keep evidence: screenshots, emails, URLs, order summaries, statements.
- Change passwords if you created an account — especially if you reused passwords.
- Report it: some services such as FranceVerif offer a "report a scam" workflow.
After paying, the DDPP also advises checking that the debited amount matches the order.
Chargeback, disputes and refunds depending on payment method
Europe-consommateurs mentions that you may be able to ask your bank for a refund via chargeback if your card offers this protection — particularly for non-delivery after card payment.
The more factual your case file (evidence, exchanges, dates), the better your chances.
Cancellation, non-delivery and non-conforming goods: your rights and timelines
With French or EU sellers, rights are generally better protected (DDPP). The EU reference cancellation period is 14 days (Boursorama, 2025). In cases of non-delivery or non-conforming goods, document everything immediately (photos, packaging, exchanges) and follow the seller's written procedure (terms/returns).
What consumer rights do you have when dealing with a suspicious online shop?
If the seller is in France or the European Union, you benefit from a stronger protection framework (DDPP). In parallel, Europe-consommateurs notes that marketplaces have obligations to identify sellers under the Digital Services Act (DSA), and that a platform that fails to properly identify professional sellers can be penalised (up to 6% of the platform's annual global turnover, according to Europe-consommateurs).
When doubt is serious (untraceable identity, unclear terms, risky payment), the best right is the one you exercise before paying: walking away.
Post-incident checklist to avoid it happening again
- Enable strong bank authentication (3-D Secure) and payment alerts.
- Use virtual cards when possible.
- Stop clicking payment links received by SMS/email.
- Always reveal the full URL on mobile before entering any details.
- Refuse to save card details in your browser (CNIL recommendation).
2026 habits for safer online shopping: an actionable summary
What habits should you adopt to secure online purchases in 2026?
- Start with identity: legal notices, registration details, a plausible address, reachable contact routes.
- Validate the conditions: terms, returns, timelines, refunds, and an order summary before payment (DDPP).
- Check security: HTTPS, certificate, reputation (Safe Browsing/VirusTotal), and a non-suspicious domain.
- Limit exposure: virtual card, do not save card details, minimise shared data.
- Cross-check reviews: external, recent, coherent, with no artificial spikes.
To put these habits into the 2026 "search" context, you can consult our SEO statistics and our GEO statistics, including on mobile usage and the rise of AI-powered search engines.
Prioritise checks based on spend, rarity and urgency
The higher the basket value, the more you should move from a quick checklist to "proof + tools". For costly purchases (electronics, travel, equipment), always add: a WHOIS check, a reputation scan, and a careful read of the terms (fees, guarantees, disputes).
Conversely, for low-value purchases, the safest strategy is often to buy from identifiable French or European sellers, so your rights remain enforceable (DDPP).
Scaling trust on the business side: quality control and reassurance content
Standardise critical pages (legal notices, terms, returns, privacy)
For businesses, trust is built through stable, accessible, consistent pages. Standardise critical content (legal notices, terms, returns, privacy policy) with verifiable details, clear procedures and clear contact routes. These are also pages users consult when hesitating — especially after searches like "brand + reviews" or "scam".
Keep information up to date and reduce inconsistencies at scale
Inconsistencies (different addresses across pages, contradictory delivery times, forms asking for too much) destroy trust faster than poor design. Build a review routine: update legal pages, check links, test basket/checkout on mobile, and review consent banners. On mobile, remember that slow loading can drive users away (Google 2025) even when everything is compliant.
If you publish new pages or change templates, a post-deployment check on sensitive pages (basket, payment, returns) reduces the risk of side effects. For more on speed and stability (without going into e-commerce SEO), see our resource on website performance audits.
Incremys focus: rolling out optimisations faster with "Incremys CMS integration"
Incremys is a B2B SaaS platform that helps you analyse, plan and deploy GEO/SEO optimisations and track their impact (rankings, ROI). From a "quality and consistency" perspective, the Incremys CMS integration module helps you industrialise the publication of fixes and content, helping to reduce inconsistencies at scale (e.g. keeping reassurance information and critical pages up to date). To understand the method and underlying principles, see the Incremys approach.
FAQ: how to verify an e-commerce site
How can you check an online shop is reliable before buying?
Start by identifying the seller (legal notices, real address, registration details), then read the terms/returns, check HTTPS and domain consistency, and cross-check external reviews. If you are still unsure, add a reputation tool (Safe Browsing/VirusTotal) and a domain-age check (WHOIS).
Which e-commerce trust and security signals should you prioritise?
Prioritise: (1) seller identity and contact routes, (2) clear terms/returns, (3) a secure HTTPS payment page with bank authentication, (4) external reputation (reviews + "name + scam" search), (5) a non-suspicious domain (not too new, no deceptive variants).
Which website trust-check tools should you use before paying?
FranceVerif (multi-criteria analysis), Google Safe Browsing (phishing/malware), VirusTotal or Sucuri (reputation/security), and SSL Labs (TLS/SSL quality). Complement with WHOIS/Afnic to check domain age and registration details.
How can you spot scams and identify fake online shops?
Look for risky combinations: new domain + unrealistic promotions + weak legal notices + unclear contact routes + suspicious reviews. Always check the full URL (especially on mobile) and be cautious with redirects at payment.
What should you check in legal notices, terms and the returns policy?
Legal notices: full seller identity and contact details (address, contact routes, registration details in France). Terms: delivery, cancellation (14 days in the EU), refunds, guarantees, disputes. Returns/support: procedure, return address, timelines and required proof.
How can you check data protection and GDPR compliance on an e-commerce site?
Review the privacy policy (purposes, retention, rights, data controller), the quality of cookie consent (refuse as easily as accept), and data minimisation (no excessive data collection). Avoid saving card details in your browser (CNIL).
What should you do if you have been scammed by a fraudulent online shop?
Cancel your card if needed, keep all evidence, secure your accounts (passwords), check transactions, and open a dispute with your bank (chargeback may be possible according to Europe-consommateurs). Report the scam using available reporting routes (e.g. the reporting process offered by some tools).
If you manage a website and want to improve perceived quality and compliance, you can also read our guide on how to submit a website as part of an ongoing improvement and control process.