This page is an independent reading resource at targetcom.co.com. It is not the target official site and has no commercial relationship with the retailer. Its purpose is to help a reader verify any page that claims to be the genuine retailer's digital presence.
Why verifying the target official site matters
The target official site handles login credentials, payment card data, account-recovery flows and saved personal addresses. A convincing imitation page that captures any of those inputs can cause financial and personal harm that takes months to remedy. Phishing campaigns targeting the chain's customers circulate regularly, particularly around high-traffic sale periods like back-to-school season, Target Deal Days and the winter holiday window. Learning to distinguish a genuine page from an imitation is a skill that applies every time a shopper arrives at what looks like the target official site from a search result, a social-media post, a SMS promotion or an email.
The FTC publishes guidance on retailer impersonation phishing at consumer.ftc.gov. The USA.gov online-safety resource at usa.gov/online-safety covers browser verification steps in plain language. Both are government resources with no commercial interest in the outcome; they make reliable starting points for a reader who wants to go deeper than this page allows.
The address bar: the first verification step
Before entering any information on a page that claims to be the target official site, check the address bar. The domain for the genuine retailer is target.com. In a browser, the second-level domain — the word immediately before the final dot-com — should read "target". Sub-domains like www.target.com and m.target.com are legitimate. Any domain where "target" appears after a dot (like target.com.someotherdomain.net) is not the target official site; the rightmost domain and TLD determine ownership, and in that example the owner of someotherdomain.net controls the page.
Typo-squatted domains take advantage of fast, unchecked typing. Common examples include dropping a letter (arget.com), doubling a letter (targget.com), swapping a letter (tarjet.com) or using a different TLD (target.net, target.org). None of those are the target official site. A reader who bookmarks the genuine domain directly, rather than relying on search results each time, eliminates most of this exposure.
The padlock: what it does and does not prove
A padlock in the browser address bar indicates that the connection between the browser and the server is encrypted using HTTPS. It does not, by itself, prove that the page belongs to the target official site. A phishing page can and frequently does display a valid padlock because obtaining a basic TLS certificate costs nothing. The padlock means the connection is private; it does not mean the destination is trustworthy.
To go further, click or tap the padlock and examine the certificate. A summary view shows who the certificate was issued to. For the target official site, the certificate should list the retailer's corporate entity. If the issued-to field shows an unfamiliar company name, a registrar's privacy proxy or a generic hosting provider, treat that as a warning sign and do not proceed.
Reading the certificate in detail
Most browsers allow a reader to view the full certificate by selecting "Certificate is valid" or "More information" in the padlock panel. The key fields to examine are the common name or subject alternative names (should match target.com and its legitimate sub-domains), the issuer (should be a recognised certificate authority) and the validity period (an expired certificate is a red flag). The target official site uses a certificate issued by a major public CA with a validity period that is current. A self-signed certificate or one issued by an unrecognised authority is a strong signal to stop.
Common phishing tactics that impersonate the chain
Phishing campaigns targeting the target official site's customers typically follow one of several structural patterns. The first is visual cloning: copying the retailer's colour scheme, bullseye logo, font stack and layout so closely that the page is indistinguishable at a glance. The second is URL padding: placing the genuine domain name inside a long URL path so a casual reader sees "target.com" mid-string without noticing that the actual domain is different. The third is misleading sub-domains: constructing a URL like target.com.deals-portal.net, where "target.com" appears as a sub-domain of a different owner's root domain. The fourth is redirect chains: a short link or ad URL that passes through multiple redirects before landing on an imitation page, making the original source hard to trace.
Email-borne phishing adds a layer: the "from" display name is set to look like the retailer, while the actual sending address is unrelated. Most email clients allow a reader to hover over or tap the sender name to reveal the real sending domain. If the sending domain does not match the retailer's known domain, the email did not come from the target official site's team, regardless of how the display name reads.
Verification steps at a glance
| Verification check | What to look for | What to do if missing or wrong |
|---|---|---|
| Second-level domain | "target" immediately before .com | Do not enter any information; navigate away |
| HTTPS padlock | Padlock present, no "Not secure" warning | Do not submit forms; treat page as unencrypted |
| Certificate issued-to | Retailer's corporate entity name | Close tab; navigate to the domain directly |
| Certificate expiry | Valid, not expired | Do not proceed; may indicate a stale phishing page |
| Email sender domain | Sending address matches target.com domain | Treat as phishing; report to email provider |
What this hub is and what it is not
The domain you are reading now — targetcom.co.com — is an independent reading resource operated by Targetcom Reading Bench. It publishes informational content about the chain and its services; it does not process any transactions, does not collect payment data, does not operate a sign-in flow for the retailer's accounts and does not represent the chain commercially. The target official site is target.com, which is wholly separate from this domain.
This hub exists because readers searching for information about the target official site benefit from a plain-language reading resource that explains how verification works, rather than landing on the genuine retailer's site when they were looking for an explainer. The two types of content serve different reader intents: the retailer's site handles commerce; this hub handles explanation.
What to do if you suspect a phishing page
If a page claiming to be the target official site raises any of the warning signs described above, close the tab immediately. If you have already entered a password, change it on the genuine site as soon as possible from a trusted device and network. If you have entered payment-card data, contact the card issuer's fraud line to flag the exposure. The BBB's scam tracker at bbb.org/online allows readers to report and look up known scam domains in their region. Reporting a phishing page helps protect other shoppers who might arrive at the same imitation before the domain is taken down.
Staying safe as a routine habit
The safest long-term habit for any shopper who regularly uses the target official site is to bookmark the genuine domain directly, use the official app rather than a browser for mobile transactions and treat unsolicited messages with URLs — whether by email, SMS or social media — with skepticism until the destination address is verified. These steps take seconds each time and prevent most credential-theft scenarios before they begin. A reader who internalises the address-bar check described in this page gains a skill that applies equally to the target official site and to any other retailer, bank or service that faces regular impersonation campaigns.