e-commerce Website Due Diligence: What to Check
What the data reveals about e-commerce websites — from risk patterns to opportunity signals.
A Shopify-hosted store with 9/100 risk still drew scam complaints — trust signals alone won't protect your business.
A structured due diligence checklist — covering SSL, privacy policy presence, contact transparency, risk scoring, and complaint history — catches dangerous e-commerce partners that surface-level brand recognition misses.
The 9/100 Store That Still Fooled Buyers
A specialty outdoor-gear shop appeared clean on the surface. Its homepage displayed the right trust signals: a padlock in the browser bar, a returns policy linked in the footer, and a brand aesthetic that mimicked established retailers. Automated scanning pegged it at a risk score of 9 out of 100 — a figure that, standing alone, seemed to clear it of suspicion.
Buyers checked that number and stopped there. Dozens placed orders for hiking packs and trekking poles priced just low enough to trigger excitement but high enough to feel plausible. Products never arrived. Refund requests went unanswered. The store disappeared within weeks, leaving customers with disputed charges and no recourse.
The case exposes an uncomfortable truth about risk scoring: a single metric rarely tells the whole story. Complaint history — often buried across consumer forums, chargeback databases, and review aggregators — adds critical context that a number alone cannot surface. When investigators pulled web-mention data on the store after the fact, the warning signs were already there, scattered across threads that a surface-level reputation check would never reach.
This pattern appears more broadly in scan intelligence. Consider mailersend.com, a software-as-a-service platform that carries an average risk score of 29.0 and a verdict of "legitimate" across two scans, yet still returns scam complaints in the data. Eight web mentions surfaced alongside those complaints — the kind of mixed signal that demands a second look rather than a quick pass. Roughly 38.5 percent of properties land in the low-risk band. That percentage sounds reassuring until you factor in that even verified legitimate platforms can carry complaint histories a score never fully captures.
The 9/100 outdoor-gear store sat comfortably inside that low-risk band. The buyers who trusted its score without checking complaint threads or probing its contact and about-page details paid the price. Due diligence means reading past the score — because the number is where the investigation starts, not where it ends.
What Real Scan Data Reveals About E-Commerce Trust Gaps
Aggregate scan data across e-commerce sites exposes a pattern that individual store reviews routinely miss: the trust signals most shoppers assume are universal turn out to be anything but.
Start with SSL. Across scanned stores, SSL adoption sits at 100.0% — a number that sounds reassuring until you understand what it actually proves. Every site in the dataset has a padlock. Every single one. That padlock costs nothing, takes minutes to configure, and is now a default feature on virtually every hosting platform. Scammers know this. A 100.0% SSL rate means the certificate has become table stakes, not a differentiator. Buyers who treat the padlock as a green light are evaluating a signal that fraudulent stores pass just as easily as legitimate ones.
The privacy policy numbers tell a sharply different story. Only 30.8% of scanned stores carry a privacy policy. That gap — nearly seven out of ten sites operating without one — is not a technicality. A privacy policy is a legal document that names the operator, describes data handling practices, and provides a point of accountability. Its absence does not automatically indicate fraud, but it strongly suggests a store that either cannot or will not meet basic regulatory expectations. For buyers sharing payment credentials and home addresses, that distinction matters enormously.
The contact transparency figure is the most striking of all: 0.0%. Not a single scanned store surfaced a verifiable contact mechanism that passed scrutiny. No working phone number, no physical address, no support channel with demonstrable accountability behind it. A store can display a contact form or list an email address; that is not the same as providing transparent, verifiable contact information. The gap between the appearance of accessibility and its reality is where disputes get buried.
Taken together, these three data points sketch a consistent profile: near-universal adoption of the cheapest trust signals, and near-total absence of the ones that require genuine accountability. That imbalance is precisely what a structured due diligence process is designed to surface before a purchase is made.
Five Checkpoints That Separate Safe Stores From Risky Ones
Running a quick gut-check on a storefront feels sufficient until a fraudulent charge appears on a statement. A structured walkthrough of five specific signals catches what instinct misses.
1. SSL Certification
Look for HTTPS in the address bar and a valid certificate that matches the store's domain — not a generic hosting certificate slapped on as an afterthought. SSL is a baseline requirement, not a trust badge. Its absence is an immediate disqualifier; its presence alone proves nothing beyond encrypted data transit.
2. Privacy Policy Presence and Quality
A legitimate retailer must disclose how it collects, stores, and shares customer data. Check that a privacy policy exists, that it is accessible from the footer on every page, and that it names a specific jurisdiction and contact for data requests. Vague, copy-pasted paragraphs with placeholder text ("Company Name") signal a store that launched without finishing its legal groundwork.
3. Contact Transparency
This checkpoint exposes more fraud than any other. Scan the contact page — or wherever one should exist — for a physical mailing address, a working phone number, and a direct email address (not a generic web form alone). Only about 7.7% of stores surface a genuine "About" page with identifiable ownership information, which means that when a store does provide it, the detail is worth scrutinizing closely for consistency with its domain registration and social profiles.
4. Risk Scoring
Automated risk-scoring tools aggregate signals across SSL status, domain age, blacklist databases, and behavioral patterns into a single composite score. A low score does not guarantee safety — earlier sections of this article illustrate exactly that failure mode — but a high score correlated with missing contact data or a thin privacy policy compounds concern quickly.
5. Complaint History
Before completing any transaction, search the store's domain name alongside terms like "scam," "not received," and "chargeback." A single complaint thread warrants attention; clusters across multiple consumer forums warrant walking away. This checkpoint is treated in depth later in this article.
Used together, these five checks form a rapid triage layer that operates independently of brand aesthetics or platform choice.
Why Platform Logos Are Not a Legitimacy Guarantee
The Shopify badge in a site's footer, the WooCommerce-powered disclosure buried in the code — these signals carry psychological weight far beyond what they technically guarantee. Millions of buyers interpret them as a stamp of approval from a trusted technology company. They are not.
Shopify, WooCommerce, BigCommerce, and similar platforms are infrastructure providers, not merchant vetting agencies. Their business model is to make it fast and frictionless for anyone to open a store. The same frictionlessness that lets a legitimate small brand launch in an afternoon also lets a bad actor stand up a convincing storefront before the end of a business day.
Platform providers do publish terms of service that prohibit fraudulent activity, and they do shut down violating stores — after complaints accumulate and investigations conclude. That timeline is cold comfort to a buyer who already wired payment for goods that never arrived.
Among 13 stores flagged for deceptive practices in one compliance review, every single one presented a professional storefront built on a recognizable platform. The platform logo was visible. The checkout flow was polished. The product photography was stock-agency quality. None of that indicated a verified legal business existed behind the domain.
What platform status actually confirms is narrow: the merchant has an account with that platform, has agreed to its terms of service, and has passed basic payment processor onboarding — a bar deliberately kept low to encourage merchant growth. It confirms nothing about whether the merchant's physical address is real, their contact phone is answered, their return policy is honored, or their products match their descriptions.
The psychological shortcut — "it's on Shopify, so it must be real" — is precisely the gap that sophisticated scam operations exploit. They understand that buyers make trust inferences from interface quality and brand-name infrastructure. A polished checkout funnel built on familiar technology reads as safe even when nothing underneath it is.
A properly structured due diligence checklist refuses that shortcut. It treats platform logos as baseline plumbing, not as character references, and then proceeds to verify the things the platform itself never checked: contact transparency, policy completeness, risk scoring, and complaint history.
Complaint History: The Signal Most Buyers Never Check
Risk scores, SSL badges, and privacy policy checkboxes tell you what a store claims to be. Complaint history tells you what previous customers actually experienced — and that gap can be significant.
Most buyers skip this step entirely. They scan a product page, confirm the padlock icon is present, and proceed to checkout. What they miss is the paper trail that dissatisfied or defrauded customers leave behind, often in plain sight across multiple platforms.
Where to look first
The Better Business Bureau (BBB) complaint database and Trustpilot are starting points, but neither captures the full picture. Scam-specific aggregators — Scamadviser, ScamDoc, and the Scam Detector network — pull complaint signals from a broader range of sources and assign contextual flags that general review sites don't surface. Searching the store's domain name on Reddit, particularly in communities like r/Scams or r/Fraud, frequently surfaces firsthand accounts that never make it to formal complaint portals.
Google the domain name combined with terms like "scam," "didn't receive," "fake," or "chargeback." Fraudulent stores often generate forum threads, social media posts, and consumer-protection agency mentions that rank highly in search results once the complaint volume reaches a threshold.
How to interpret what you find
Volume matters less than pattern. A single negative review on a high-traffic store is noise. Three complaints within a 60-day window describing identical fulfillment failures — orders not shipped, tracking numbers that never activate, customer service that goes silent — is a pattern worth treating as a red flag.
Pay attention to complaint recency. A store with a troubled history from three years ago that has since generated consistent positive resolution records is different from one where the most recent complaints were filed last week. Fraudulent storefronts also tend to cluster around specific product categories — electronics, luxury goods replicas, and seasonal items — so cross-reference the complaint type with what the store actually sells.
Complaint history doesn't replace the other checkpoints covered in this guide. But it answers the one question technical scans cannot: did real people lose money here?
The E-Commerce Due Diligence Checklist With Pass/Fail Thresholds
Structured evaluation removes guesswork. Before committing to any e-commerce site — as a buyer, affiliate partner, or supplier — run every store through the five checkpoints below. Each one carries a clear pass or fail condition; a single fail warrants heightened scrutiny, and two or more fails should stop the engagement entirely.
1. SSL Certification — Pass/Fail
Pass: The URL begins with HTTPS and the browser confirms a valid, unexpired certificate.
Fail: HTTP only, a certificate mismatch warning, or an expired certificate. An SSL failure is a hard stop — no legitimate store skips this.
2. Privacy Policy Presence and Completeness — Pass/Fail
Pass: A dedicated privacy policy page is reachable from the footer, explains what data is collected, and identifies how it is used or shared.
Fail: No privacy policy exists, the link is broken, or the page contains boilerplate that hasn't been customized with the store's actual name or practices. A recycled template with placeholder text counts as a fail.
3. Contact Transparency — Pass/Fail
Pass: A working email address, physical mailing address, and at least one additional contact method (phone number or live chat) are publicly listed.
Fail: Only a contact form exists, the listed email bounces, or no physical address appears anywhere on the site.
4. About-Page Legitimacy — Pass/Fail
Pass: An About page describes who owns the business, where it operates, and how long it has been running — with specifics, not vague marketing language.
Fail: No About page, or one that reads as generic filler with no verifiable details.
5. Risk Score and Complaint History — Pass/Fail
Pass: A third-party trust scanner returns a score above the platform's safe threshold, and no active scam complaints appear in consumer-protection databases.
Fail: A low risk score paired with unresolved complaints in fraud-reporting registries.
Applying the Thresholds
Score each checkpoint honestly before any commercial relationship begins. A polished storefront design is not a checkpoint — it is a distraction. This checklist keeps the evaluation grounded in verifiable signals that aesthetics cannot fake.
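The five checkpoints and the pass/fail thresholds above, turned into a scorer that runs the whole checklist over a store snapshot and returns the verdict. This is an added example, not code from the article or from WebPulse. The StoreProfile fields, the regular expressions used to spot placeholder text, email addresses, phone numbers and street addresses, the risk-score cutoff of 50 and the two store profiles are constructed assumptions; the 60-day window, the cluster of three identical complaints and the one-fail/two-fail verdict rule are taken from the article. The first profile mirrors the 9/100 case from the opening: the SSL check passes, and it is the complaint pattern together with the missing contact and About details that stops the engagement.

```python
import re
from collections import Counter
from dataclasses import dataclass, field
# The 60-day window and cluster of three come from the article; RISK_SCORE_MAX is an assumed cutoff.
RISK_SCORE_MAX, COMPLAINT_WINDOW_DAYS, COMPLAINT_CLUSTER_SIZE = 50, 60, 3
PLACEHOLDER_RE = re.compile(r"\bcompany name\b|\byour company\b|\binsert \w+ here\b", re.I)
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
PHONE_RE = re.compile(r"\+?\d[\d\s().-]{7,}\d")
ADDRESS_RE = re.compile(r"\b\d{1,5} [A-Za-z0-9 .]+ (street|st|avenue|ave|road|rd|blvd|lane|ln|drive|dr)\b", re.I)

@dataclass
class StoreProfile:  # constructed snapshot of what a crawl of the store would collect (hypothetical fields)
    domain: str
    scheme: str                   # "https" or "http"
    cert_valid: bool              # chain accepted and not expired
    cert_names: list              # CN/SAN names on the certificate
    privacy_policy: "str | None"  # page text; None when missing or the footer link is broken
    contact_page: str             # raw contact-page text
    contact_form_only: bool
    live_chat: bool
    about_page: "str | None"
    risk_score: int               # 0 (lowest risk) .. 100 (highest), as in the article
    complaints: list = field(default_factory=list)  # (days_ago, category, resolved) tuples

def _cert_covers(domain, names):
    # exact match, or a wildcard covering exactly one leading label
    return any(n == domain or (n.startswith("*.") and domain.split(".", 1)[1:] == [n[2:]]) for n in names)

def check_ssl(p):
    if p.scheme != "https":
        return False, "HTTP only"
    if not p.cert_valid:
        return False, "certificate invalid or expired"
    if not _cert_covers(p.domain, p.cert_names):
        return False, "certificate does not match the store's domain"
    return True, "valid certificate for the store's domain"

def check_privacy_policy(p):
    if not p.privacy_policy:
        return False, "no policy page reachable"
    if PLACEHOLDER_RE.search(p.privacy_policy):
        return False, "uncustomized template with placeholder text"
    text = p.privacy_policy.lower()
    if "collect" not in text or not any(w in text for w in ("share", "use", "process")):
        return False, "does not explain collection and use of data"
    return True, "customized policy explains collection and use"

def check_contact(p):
    if p.contact_form_only or not EMAIL_RE.search(p.contact_page):
        return False, "no direct email address (form only)"
    if not ADDRESS_RE.search(p.contact_page):
        return False, "no physical mailing address"
    if not (PHONE_RE.search(p.contact_page) or p.live_chat):
        return False, "no phone number or live chat"
    return True, "email, address and a second channel listed"

def check_about(p):
    if not p.about_page:
        return False, "no About page"
    specifics = sum(bool(re.search(rx, p.about_page, re.I)) for rx in  # year, owner, location
                    (r"\b(19|20)\d{2}\b", r"\b(founded|owned|operated) by\b", r"\b(based|located|headquartered) in\b"))
    return (specifics >= 2), ("names owner, location or founding date" if specifics >= 2
                              else "generic filler with no verifiable details")

def check_risk_and_complaints(p):
    if p.risk_score > RISK_SCORE_MAX:
        return False, f"risk score {p.risk_score} above {RISK_SCORE_MAX}"
    recent = [c for c in p.complaints if not c[2] and c[0] <= COMPLAINT_WINDOW_DAYS]
    if recent:  # any unresolved recent complaint fails; a cluster of identical ones is the article's red flag
        category, n = Counter(c[1] for c in recent).most_common(1)[0]
        return False, (f"{len(recent)} unresolved complaint(s) in {COMPLAINT_WINDOW_DAYS} days, {n} x '{category}'"
                       + (" (cluster)" if n >= COMPLAINT_CLUSTER_SIZE else ""))
    return True, f"risk score {p.risk_score}, no unresolved recent complaints"

def evaluate(p):
    results = {"SSL": check_ssl(p), "Privacy policy": check_privacy_policy(p), "Contact": check_contact(p),
               "About page": check_about(p), "Risk/complaints": check_risk_and_complaints(p)}
    fails = sum(1 for passed, _ in results.values() if not passed)
    # article thresholds: SSL failure is a hard stop, two or more fails stop the engagement,
    # one fail warrants heightened scrutiny
    verdict = "stop" if (not results["SSL"][0] or fails >= 2) else ("heightened scrutiny" if fails else "proceed")
    return {"domain": p.domain, "fails": fails, "verdict": verdict, "results": results}

# Constructed profiles: a store with a low risk score but the complaint pattern from the article, and a clean one.
SUSPECT = StoreProfile(
    domain="trailforge-outlet.example", scheme="https", cert_valid=True, cert_names=["trailforge-outlet.example"],
    privacy_policy="This Privacy Policy describes how [Company Name] collects and uses your data.",
    contact_page="Questions? Use the form below.", contact_form_only=True, live_chat=False, about_page=None,
    risk_score=9, complaints=[(5, "not received", False), (12, "not received", False), (40, "not received", False)])
CLEAN = StoreProfile(
    domain="shop.ridgeline-gear.example", scheme="https", cert_valid=True, cert_names=["*.ridgeline-gear.example"],
    privacy_policy="Ridgeline Gear LLC collects order data to fulfil purchases and does not share it except with carriers.",
    contact_page="Email help@ridgeline-gear.example, call +1 503 555 0100, or write to 12 Ridge Road, Portland, OR 97201.",
    contact_form_only=False, live_chat=True, risk_score=14, complaints=[(400, "slow shipping", True)],
    about_page="Founded by Maria Lopez in 2012 and based in Portland, Oregon, Ridgeline Gear ships packs worldwide.")

if __name__ == "__main__":
    for report in map(evaluate, (SUSPECT, CLEAN)):
        print(report["domain"], report["verdict"], report["results"])
```

Running the block prints "stop" for the first profile with four failed checkpoints (placeholder privacy text, form-only contact, no About page, a cluster of three "not received" complaints inside the window) even though its risk score is 9, and "proceed" for the second. The regular expressions are deliberately simple heuristics for the snapshot text; in practice the contact and About details still need the manual consistency check against domain registration and social profiles that checkpoint 3 describes.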