[yifanl]

The only real difference that matters between a fake site and a real site is that the information on it is genuine, the form doesn't really factor into it. Which makes this a very tricky problem: You can't tell if the data is genuine before you have the genuine data.

[array_key_first]

Domain names is how you do this reliably. This is why everyone should use a password manager. It makes phishing much, much harder to do.

[yifanl]

There are no best practices for domain names, there's nothing that can differentiate between NPM and a fraudster from hosting "npmjs.help".

It also doesn't help when you have to visit a new domain for the first time, which tends to be the case when looking up novel information.

[array_key_first]

If you're trying to do something for the first time with a big company, you usually know the domain name. Like Google is google.com. Or for something like your bank, it'll be printed on your credit card.