Before you sign in: check the site
Always confirm you are on the official website before entering credentials. Look at the address bar — the domain should exactly match the official domain (no extra letters, hyphens, or unusual suffixes). Avoid sites with small misspellings or unfamiliar domain endings. If a link arrived in email, a message, or social media, prefer to type the official address directly into your browser rather than clicking the link.
- Is the domain exactly right? (e.g., example.com, not examp1e.com or example-login.net)
- Is there a padlock icon in the address bar? Click it to inspect the certificate.
- Is the site using HTTPS and is the certificate issued to the company you expect?
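The checklist above can also be applied mechanically, for example in a mail filter or a help-desk triage script. The following is an added example, not code from any service's own tooling; it assumes the official domain is known in advance (example.com here), treats subdomains of it as official, and uses a small constructed table of digit-for-letter swaps that is not exhaustive.

```python
from urllib.parse import urlsplit

# Digit-for-letter swaps seen in deceptive domains (constructed, not exhaustive).
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})


def hostname_of(url: str) -> str:
    """Return the lowercase host a browser would connect to, or '' if none."""
    host = urlsplit(url).hostname or ""
    return host.rstrip(".")  # "example.com." and "example.com" are the same host


def check_login_url(url: str, official_domain: str) -> str:
    """Classify url as 'official', 'not-https', 'lookalike' or 'unrelated'."""
    official = official_domain.lower()
    host = hostname_of(url)  # compare the parsed host, never the raw string

    # Exact match, or a subdomain of the official domain (assumption: the
    # service hosts sign-in pages on its own subdomains).
    if host == official or host.endswith("." + official):
        return "official" if urlsplit(url).scheme == "https" else "not-https"

    # Anything else that still resembles the brand name after undoing hyphens
    # and digit swaps is a lookalike, whatever its suffix.
    brand = official.split(".")[0]
    normalized = host.replace("-", "").translate(HOMOGLYPHS)
    return "lookalike" if brand in normalized else "unrelated"


if __name__ == "__main__":
    # Constructed sample URLs, using the domains from the checklist above.
    samples = [
        "https://example.com/login",
        "http://example.com/login",
        "https://examp1e.com/login",
        "https://example-login.net/",
        "https://weather.test/",
    ]
    for url in samples:
        print(f"{check_login_url(url, 'example.com'):10} {url}")
```

A result of "official" only confirms the domain and scheme; the certificate details should still be inspected as described in the next section.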
Understanding the padlock and SSL certificate
The padlock means the connection between your browser and the website is encrypted. Click the padlock to view certificate details such as the issuing authority and the domain the certificate was issued for. A valid certificate helps, but it does not guarantee the site is legitimate by itself — attackers can obtain certificates for deceptive domains. Use the certificate check together with verifying the exact domain and other signals.
Use strong authentication
Enable two-factor authentication (2FA) wherever available. 2FA adds an extra layer (a code from an authenticator app or a hardware key) that greatly reduces the chance of account takeover. Prefer authenticator apps or hardware security keys over SMS when possible, because SMS can be intercepted.
What to do if you suspect phishing
If you encounter a suspicious site or have already entered your credentials on a site you suspect is fake, take these actions immediately:
- Change your account password on the official site (type the official URL manually).
- Revoke any active sessions and sign out everywhere if the service provides that option.
- Enable or reconfigure 2FA on your account.
- Contact official support immediately and report the incident.
- Monitor your account for unexpected activity; if money or transfers are involved, contact customer support and your bank without delay.
Recognizing common phishing tricks
Phishers try to create urgency (e.g., “Your account will be locked unless you act”), copy official logos, and use similar-looking domains. They may send attachments, ask for verification codes, or ask you to paste a code into a webpage. Treat any unsolicited request for credentials, codes, or downloads with extreme caution.
How to report a suspicious page
Most companies have a support or abuse email address and a dedicated reporting page. If you see a fraudulent page impersonating a service, report it to the company and to major browser/anti-phishing services (for example, Google Safe Browsing). You can also report phishing emails to your email provider. Reporting helps take bad pages offline sooner and protects other users.
Need more help?
If you’re unsure whether a page is legitimate, don’t enter credentials. Instead, visit the official website by typing its address directly, or contact official support using contact information from the company’s verified site. If you'd like, copy the suspicious URL and provide it to official support so they can investigate.
Official support link example (replace with your service's support page): https://uphold.com