
If you can triage a supplier’s website in minutes, you’ll save weeks of dead-ends and risky conversations. This guide gives you two layers you can use today:
A 60–90 second sniff test to weed out obvious risks.
A 10-minute triage checklist, plus a deeper weighted scoring model you can complete in 30–45 minutes with evidence links.
Who this is for: SMB founders/operators and junior procurement pros who need fast, defensible checks without turning into auditors.
What you’ll need: A modern browser, the links in this guide, and 10–45 minutes depending on depth.
Difficulty: Easy-to-moderate. You do not need specialized tools—only the free resources linked below.
The 60–90 Second Fast Sniff Test
Do these five checks in order. If two or more fail, pause outreach and jump to the troubleshooting section.
Domain email and full contact details visible
Look for a contact email on the company’s domain (e.g., sales@company.com), a physical address, and a phone number in the header/footer and Contact page.
Quick cross-check: Search the address on Google Maps; does it resolve to a real industrial/office site?
HTTPS padlock without browser warnings
Click the padlock; ensure the certificate is valid for the domain and not expiring imminently.
For a deeper view later, run the site through the Qualys SSL Labs SSL Server Test and look for an A/A+ grade, as outlined in the updated Qualys grading changes (2025).
Domain age not brand-new
Use ICANN Lookup to check the creation date.
Caution if 6–24 months; high risk if under 6 months and other signals are weak.
Certifications link to registries
If the site claims ISO 9001/14001/45001 or similar, you should be able to validate via the global IAF CertSearch portal or the issuing certification body’s online directory.
Real product/factory photos (not stock)
If images look generic, do a quick reverse image search with Google Images or TinEye to see if they appear on stock sites.
The 10-Minute Triage Checklist (Printable)
Timebox yourself to 10 minutes. Record Pass/Caution/Fail and paste evidence links.
Domain age and WHOIS (1–2 min)
Tool: ICANN Lookup; alternatives: who.is, SecurityTrails.
Pass: ≥ 24 months; Caution: 6–24 months; Fail: < 6 months without strong corroboration.
SSL/HTTPS quality (1–2 min)
Tool: SSL Labs test; browser padlock.
Pass: A/A+; Caution: B/C; Fail: D or any browser error. See Mozilla SSL guidance for best-practice indicators.
Identity in business registry (1–3 min)
Match the site’s legal name and address to the official registry.
UK: Companies House
US (state-level): find the right Secretary of State via NASS member directory (2025)
China: GSXT
Pass: Active status and matching details; Caution: minor discrepancies; Fail: no record or dissolved.
NAP consistency and footprint (1–2 min)
Tool: Google Maps + Street View. Call the listed phone if needed.
Pass: Plausible site and reachable phone; Caution: virtual office/residential; Fail: invalid address/phone.
Certifications verifiable (1–3 min)
Tool: IAF CertSearch; verify issuing Certification Body via an Accreditation Body (e.g., UKAS, ANAB). For CE Notified Bodies, confirm scope in NANDO.
Pass: Active, in-scope certificates; Caution: unverifiable CB, pending renewal; Fail: expired/forged.
Product pages and content quality (1 min)
Look for unique specs, consistent units, and coherent English. Avoid copy-paste from better-known brands. Use Wayback Machine if you suspect recent content swaps.
Social proof (1 min)
Named clients, case studies, or credible directory listings (e.g., chamber of commerce, Alibaba/Global Sources Verified, Clutch for services). Verify one item quickly.
Policies and terms (1 min)
Check for payment terms, MOQs, lead times, warranty/returns, and privacy/terms pages.
Fail quickly if you see crypto-only or personal-account wire details on first order.
Team and LinkedIn cross-check (1–2 min)
Check whether the leadership/team listed on the site exist on LinkedIn, and whether the headcount trend is plausible for the claimed size. Start at the LinkedIn Help Center for guidance on page elements.
Adverse media and sanctions spot-check (1 min)
Search brand name + “scam” or “fraud” in news; and screen names/entities in OFAC’s Sanctions List Service and your relevant jurisdiction’s consolidated lists (e.g., UK OFSI list; EU via European Commission sanctions pages).
Print-friendly checklist: Copy the 10 items above into a doc. Add columns: Pass/Caution/Fail | Notes | Evidence link.
The Weighted Scoring Framework (30–45 Minutes)
Use this when the triage is promising. Score each criterion 0–100, apply the weight, and total.
Identity transparency (20%)
Legal name, registration number, physical address, phone, and domain email present and consistent with registries and Maps.
Evidence: Registry page link + Maps link.
Certifications and verifiability (20%)
ISO/industry certs verified in registries; CE NB scope confirmed in NANDO; UL/CSA/ETL listings verified (where applicable via UL Product iQ, CSA search, or Intertek/IECEE directories).
Security and technical hygiene (10%)
SSL Labs grade A/A+, valid chain, modern TLS; no mixed content warnings.
Policy clarity (15%)
Clear payments, MOQs, lead times, warranty/returns, Incoterms; privacy/terms pages present.
Social proof and track record (15%)
Named clients, case studies, press mentions, credible directories, chamber memberships, and references.
Content quality and authenticity (10%)
Unique product descriptions, consistent specs, authentic photos (reverse image search where needed), no obvious plagiarism per TinEye guidance.
Off-site consistency (10%)
LinkedIn headcount and roles match claims; Maps/Street View plausible; archive history stable.
Scoring bands
85–100: Strong professional signal — proceed to samples/qualification.
70–84: Proceed with caution — request documents/references.
50–69: High risk — require third-party verification before proceeding.
< 50: Do not proceed.
Tip: Document each score with a one-line justification and a link (screenshot if account-based directories are used).
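The triage rule (two or more Fails pauses outreach), the domain-age bands, and the weighted scoring with its bands above can be encoded so a manager or client can reproduce a score from the recorded evidence. This is an added example, not part of the original guide; the criterion keys, the sample scores and the evidence URL are constructed.

```python
"""Added example (not from the original guide): the guide's triage rule,
domain-age bands and weighted scoring model as reproducible functions."""
from datetime import date

# Weights from the guide's scoring framework (they sum to 100%).
WEIGHTS = {
    "identity_transparency": 20, "certifications_verifiability": 20,
    "security_technical_hygiene": 10, "policy_clarity": 15,
    "social_proof_track_record": 15, "content_quality_authenticity": 10,
    "off_site_consistency": 10,
}

def domain_age_band(created: date, today: date) -> str:
    """WHOIS creation date -> Pass (>= 24 months), Caution (6-24), Fail (< 6)."""
    months = (today.year - created.year) * 12 + (today.month - created.month)
    if today.day < created.day:
        months -= 1  # the current month is not complete yet
    return "Pass" if months >= 24 else "Caution" if months >= 6 else "Fail"

def triage_decision(results: dict) -> str:
    """Guide rule: if two or more sniff-test/triage checks Fail, pause outreach."""
    fails = sum(1 for v in results.values() if v == "Fail")
    return "pause outreach" if fails >= 2 else "continue"

def weighted_score(scores: dict, evidence: dict) -> float:
    """Score each criterion 0-100, apply its weight, total. No evidence link, no score."""
    if set(scores) != set(WEIGHTS):
        raise ValueError("every criterion must be scored exactly once")
    total = 0.0
    for name, score in scores.items():
        if not 0 <= score <= 100:
            raise ValueError(f"{name}: score must be 0-100")
        if not evidence.get(name):
            raise ValueError(f"{name}: record an evidence link before scoring")
        total += score * WEIGHTS[name] / 100
    return round(total, 1)

def band(total: float) -> str:
    """Scoring bands from the guide (85-100, 70-84, 50-69, below 50)."""
    if total >= 85: return "Strong: proceed to samples/qualification"
    if total >= 70: return "Caution: request documents/references"
    if total >= 50: return "High risk: require third-party verification"
    return "Do not proceed"

if __name__ == "__main__":
    # Constructed sample input, not a real supplier.
    scores = dict(zip(WEIGHTS, (90, 80, 95, 70, 60, 85, 75)))
    evidence = {k: "https://example.invalid/evidence" for k in WEIGHTS}
    total = weighted_score(scores, evidence)
    print(domain_age_band(date(2024, 1, 15), date(2025, 6, 1)))  # Caution
    print(total, band(total))  # 79.0 Caution: request documents/references
```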
Verification Toolbox: What to Use and How
Domain and DNS history: ICANN Lookup; alternatives who.is, SecurityTrails. Check creation date, nameservers, registrant org (if visible).
SSL/HTTPS quality: Qualys SSL Labs test. Look for A/A+, valid chain, TLS 1.2/1.3 only. See Mozilla SSL config for reference settings.
Reverse image search: Google Images and TinEye. Oldest occurrence and stock site hits indicate potential stock usage.
Website history: Wayback Machine to spot identity/content flips, sudden domain repurposing.
Certifications and compliance:
ISO/IAF: IAF CertSearch and verifier docs: IAF verifier guide.
CE/NBs: NANDO database to confirm NB scope.
Electrical safety: UL Product iQ; CSA directory (navigate from csagroup.org); IECEE CB Scheme DB; Intertek ETL program directories (e.g., ETL Verified cabling PDF, 2025-08-01).
Food safety: BRCGS Directory (account may be required).
Medical devices: FDA DRLM via access.fda.gov (for US market), and check 510(k)/PMA if relevant.
Corporate registries: UK Companies House; US via NASS directory (2025) to the right Secretary of State; EU via BRIS; China GSXT.
Sanctions and adverse media: OFAC Sanctions List Service; UK OFSI consolidated list; EU via EU Commission finance sanctions pages; UN Security Council sanctions.
Government cybersecurity supply chain guidance: UK NCSC’s principles on supplier risk emphasize identity verification, HTTPS, and basic hygiene — see NCSC supply chain guidance collection.
Red Flags and What to Do Next (If X, Then Y)
If the domain is < 6 months and other signals are weak
Ask for references you can contact directly and propose escrow/letter of credit for the first order. Cross-check business registration and LinkedIn.
If certifications don’t verify in registries
Request the certificate number, issuing Certification Body, and a link/screenshot of the CB’s lookup page. Validate via IAF CertSearch or the relevant AB (e.g., UKAS/ANAB). If still unclear, request a short screen-share.
If address/phone doesn’t match Maps or registry
Ask for a recent utility bill or business license showing the current address, and a phone callback from the listed company number.
If only free email is listed
Request communication via a domain email. Send a test email to support@/info@ on the domain to see if it routes.
If images look stock or AI-generated
Request timestamped factory photos or a 2–5 minute live video walkthrough. Use TinEye to confirm suspected stock sources.
If SSL/HTTPS is broken
Share the SSL Labs test results and ask them to remediate within 72 hours, then retest.
If sanctions/adverse media flags appear
Escalate to compliance immediately. Per OFAC guidance (2025), entities on the SDN List, or owned or controlled by SDNs, are subject to the same blocking prohibitions — see OFAC FAQs on the 50 Percent Rule.
If policies are vague or payment terms are unusual
Ask for standard T&Cs, Incoterms, and payment schedules; avoid crypto/personal accounts. The UK’s NCSC supply chain guidance underscores verifying basic controls and legitimacy.
Outreach Templates You Can Copy
Certification verification request
Subject: Quick verification for your ISO certificate
Hi [Name],
We’re completing our vendor onboarding. Could you share the certificate number, issuing Certification Body, and a link (or screenshot) to the CB’s public verification page for your ISO [standard]? If easier, a brief screen-share to the portal works too.
Thanks, [Your Name]
Address/identity clarification
Subject: Address confirmation for onboarding
Hi [Name],
Could you confirm your registered legal name and current operating address? A scan of a recent utility bill or business license with the address would help us finalize our records. We’ll cross-check with the public registry.
Best, [Your Name]
References request
Subject: Client reference call (15 minutes)
Hi [Name],
Before we proceed, could you provide 1–2 customer references we may contact? Ideally similar order size or product line. We’ll do brief 15-minute calls.
Thank you, [Your Name]
Payment terms clarification
Subject: Standard terms and payment milestones
Hi [Name],
Could you share your standard T&Cs, including Incoterms, lead times, MOQ, warranty/returns, and payment milestones? For first orders, we prefer escrow/LC or staged payments upon milestones.
Regards, [Your Name]
Edge Cases and Industry Notes
New but legitimate companies
Compensate with stronger controls: verified references, smaller pilot orders, third-party inspections, and secure payment methods.
Electronics and electrical goods
Look for UL/CSA/ETL listings or IECEE CB test certificates; verify in UL Product iQ, CSA, IECEE.
Medical devices
Check ISO 13485 and device approvals/registrations; for US market, confirm via FDA modules at access.fda.gov.
Food and packaging
Look for BRCGS/FSSC/GFSI-recognized schemes; verify in BRCGS Directory.
EU CE claims
Only certain categories require a Notified Body; confirm NB scope in NANDO when an NB number is cited.
Why These Checks Work (Authoritative Guidance)
Identity, HTTPS, and basic supplier hygiene align with the UK’s supply chain risk principles. See the NCSC supply chain guidance collection (2023–2025) for the rationale behind verifying identity, security, and governance basics.
SSL grading and certificate validation thresholds are consistent with Qualys SSL Labs practices and the 2025 Qualys grading update.
Accredited certification verification via IAF CertSearch and AB/CB portals is the recognized method to confirm ISO claims.
Printable Checklist and Score Sheet (Copy/Paste)
Triage (10 minutes) — columns: Check | Pass/Caution/Fail | Notes | Evidence Link
Domain age (ICANN)
SSL/HTTPS (SSL Labs)
Business registry match
NAP on Maps/phone
Certifications verified (IAF/CB/NANDO)
Product page quality
Social proof
Policies (payments/MOQ/lead times/returns)
Team/LinkedIn match
Sanctions/adverse media
Scoring (30–45 minutes) — columns: Criterion | Score (0–100) | Weight | Weighted | Evidence Link
Identity transparency | | 20% | |
Certifications/verifiability | | 20% | |
Security/technical hygiene | | 10% | |
Policy clarity | | 15% | |
Social proof/track record | | 15% | |
Content quality/authenticity | | 10% | |
Off-site consistency | | 10% | |
Total | | 100% | |
Final Tips
Favor patterns over one-off signals; a polished site can still be risky if off-site evidence is thin.
Document every check with a link or screenshot so your manager or client can review your reasoning.
For borderline cases (70–84 score), start small: pilot orders, escrow/LC, third-party inspections, and milestone-based payments.
According to the UK’s guidance on supplier risk controls, simple identity and security checks meaningfully reduce exposure to common scams and misrepresentation — see NCSC’s supply chain guidance.