7 steps to buy a website safely

1. 1

   Use a reputable marketplace with verified listings

   Start your search on a marketplace that verifies seller identity and listing data. Avoid purchasing from cold outreach, unsolicited emails, or anonymous forums where you cannot verify who you are dealing with. Reputable marketplaces like Buy Sites Direct display verified seller profiles, listing metrics, and provide a direct communication channel so you can assess seller credibility before any financial commitment. A seller unwilling to communicate through a trackable channel or who pressures you to move off-platform is a significant red flag.

2. 2

   Verify traffic with read-only analytics access

   Never rely solely on screenshots of Google Analytics or revenue dashboards — screenshots can be faked or cherry-picked. Before any offer, request read-only Google Analytics 4 and Google Search Console access. Verify that traffic sources, volumes, and trends match the listing claims. Look for: organic search as the primary traffic source (vs. unexplained direct or referral spikes), steady or growing keyword rankings over 12+ months, and no sudden unexplained traffic spikes. Cross-reference with Ahrefs or Semrush to confirm domain rating, referring domains, and organic keyword count. Fabricated traffic is one of the most common forms of website acquisition fraud.

3. 3

   Verify revenue through payment processor exports

   Revenue verification is the highest-risk step in any acquisition. Request exports from the actual payment processors (Stripe, PayPal, Shopify Payments, Google AdSense, Amazon Associates, Mediavine) — not just the website's admin dashboard or a PDF. Payment processor exports show timestamps, amounts, and refund rates that are hard to fabricate. For advertising revenue (AdSense, Mediavine), request both the dashboard export and an earnings statement. For affiliate revenue (Amazon Associates, ShareASale), request the affiliate dashboard's monthly breakdown. Cross-reference multiple sources: if traffic is consistent but revenue is volatile in a way that doesn't track to algorithm updates or seasonal patterns, investigate before proceeding.

4. 4

   Check for Google penalties, PBN links, and SEO red flags

   A site with a hidden Google penalty or manipulative backlink profile can lose most of its organic traffic within weeks of your acquisition — after you've already paid. In Google Search Console (with the read-only access you should already have), check the Security & Manual Actions section for any manual penalties. In Ahrefs or Semrush, review the backlink profile for obvious spam patterns: links from unrelated industries, mass foreign-language links, link velocity spikes, or a very high percentage of exact-match anchor texts. Run the domain through a spam-score checker. Any site with an active manual action or a clearly manipulated backlink profile should be rejected unless you are an SEO specialist pricing the risk accordingly.

5. 5

   Sign an NDA before sharing financials — and use an LOI

   Never share sensitive financial documentation or business access credentials without a signed Non-Disclosure Agreement. An NDA protects both parties — the seller's business details stay confidential, and you have a contractual record of what was shared. Once you decide to move forward after preliminary verification, formalize the deal with a Letter of Intent that includes an exclusivity period (typically 14–30 days) and clearly states that the LOI is non-binding on deal terms but binding on confidentiality and no-shop provisions. This prevents the seller from continuing to market the business while you're spending time and money on due diligence. Never begin full due diligence without an LOI in place.

6. 6

   Always use a reputable escrow service for payment

   Never send payment directly to a seller's bank account, PayPal, or crypto wallet before receiving all agreed assets. Escrow services hold your payment in a neutral third-party account and release it only after you confirm receipt of all transferred assets. For website acquisitions, Escrow.com is the industry standard. The escrow process: buyer deposits funds → seller transfers all agreed assets (domain, hosting, analytics, revenue accounts, codebase, etc.) → buyer confirms receipt of every asset → escrow releases funds to seller. If the seller cannot or will not use escrow, treat that as a serious red flag. A legitimate seller has nothing to fear from escrow — it protects both parties equally. For deals below $5,000, PayPal Goods & Services provides some buyer protection but lacks the structured asset-confirmation step.

7. 7

   Use a written Asset Purchase Agreement reviewed by an attorney

   For any transaction above $10,000, have an attorney review — or draft — the Asset Purchase Agreement before you sign. The APA governs what exactly transfers, what the seller warrants is true (representations and warranties), what happens if the seller misrepresents financials or assets, and how post-close disputes are resolved. Key protective clauses: full asset schedule listing every URL, account, code repository, and subscription that transfers; seller representations that there are no pending legal issues, Google penalties, or platform violations; a non-compete clause (1–3 years) preventing the seller from immediately rebuilding a competing site; and a survival period for reps and warranties (typically 12–24 months after close). These clauses are not bureaucratic formalities — they are your legal remedy if something goes wrong after you pay.

Common website acquisition scams and how to spot them

The same fraud patterns appear repeatedly in website acquisitions. Knowing what to look for before you start a conversation protects your time and money.

For a deeper dive into specific fraud patterns, see the fraud prevention FAQ and 10 common website buying mistakes.

Frequently asked questions

What is the safest way to buy a website?

The safest website acquisition follows this sequence: (1) Find the listing on a reputable marketplace with verified profiles. (2) Request read-only Google Analytics, Search Console, and payment processor access before any offer — not screenshots. (3) Sign an NDA before sharing due diligence materials. (4) Sign a Letter of Intent with an exclusivity clause before spending money on professional verification. (5) Conduct full due diligence including backlink audit, penalty check, and revenue cross-referencing. (6) Draft or review an Asset Purchase Agreement with an attorney for deals above $10,000. (7) Use a reputable escrow service (Escrow.com) — never pay directly before receiving all assets. Buyers who skip any of these steps are substantially more likely to lose money.

How do I know if a website listing is legitimate?

Key legitimacy signals: (1) The seller has a verified profile with communication history. (2) They can provide live (not screenshot) read-only access to Google Analytics, Search Console, and payment processors. (3) Revenue sources match the listed traffic volumes — a content site earning $3,000/month from display ads should have 40,000+ monthly organic sessions. (4) The seller answers questions directly without deflecting, vague answers, or urgency pressure. (5) The domain Whois records show consistent ownership history. (6) The backlink profile shows natural, relevant links. Red flags: seller refuses GA4 or GSC access, revenue dashboards don't match traffic data, seller urges you to move fast or pay directly. Any one of these alone warrants extra scrutiny; two or more is grounds for walking away.

Do I need to use escrow when buying a website?

For any transaction above $5,000, using an escrow service is the single most important buyer protection available. Escrow.com is the standard for website acquisitions. Escrow holds your payment in a neutral third-party account and releases it only after you confirm receipt of all agreed assets — domain, hosting, analytics access, payment accounts, codebase, and anything else in the asset schedule. Without escrow, you have no mechanism to recover funds if the seller disappears, fails to transfer assets, or transfers less than agreed. For deals under $5,000, PayPal Goods & Services provides limited protection, but lacks the structured asset-by-asset confirmation that escrow provides. There is no legitimate reason for a seller to refuse escrow.

What are the most common website buying scams?

The six most common website acquisition fraud schemes are: (1) Fake revenue screenshots — inflated income shown in doctored screenshots rather than live access. (2) Bot traffic — purchased bot traffic inflates visitor counts while revenue stays flat or inconsistent. (3) Hidden Google penalties — a Manual Action or algorithm penalty suppressed temporarily to complete the sale. (4) PBN backlink fraud — manipulated backlink profiles that will collapse when Google's next link spam update processes. (5) Ownership fraud — a seller who does not actually own the domain or has active legal disputes. (6) Post-payment disappearance — seller collects payment outside escrow and then stops responding. The consistent defense against all six is the seven-step safe buying process: verify independently before paying, use escrow for all payments, and document everything in a written agreement.

Related guides

• How to Buy a Website (Full Step-by-Step Guide)
• Website Due Diligence Guide
• How to Verify Website Revenue
• How to Evaluate a Website Listing
• Questions to Ask When Buying a Website
• Website Escrow Guide
• Website Acquisition NDA Guide
• Website Acquisition LOI Guide
• Website Asset Purchase Agreement Guide
• Fraud Prevention FAQ
• 10 Common Website Buying Mistakes
• Website Acquisition Checklist
• What to Do If Your Acquisition Falls Through