Currently my favorite topic, so let me add my experiences.
I've been dealing a lot with lossless music in FLAC and I can say that using a spectrum analysis tool like Spek is the only good way to check for signs of "foul play" in audio files. Do not bother with tools like Audio Checker, LosslessAudoChecker, Foobar 2000, or any other program, that displays a result in text or percentage (%). These tools fail on a huge number of lossy files, especially AAC codec encoded files in M4A containers typical for iTunes. You should only use graphical spectrum analyzers. Spek is actually the only one I know that is extremely good and detailed (you can resize the window to full-screen for a high resolution display).
The second step, once you got Spek, is to start learning. There is no way around it. I have put over 3000 releases (10.000+ songs) through Spek and I can say that I have gotten pretty good at spotting even the slightest signs of fakes or lossy re-encodes. You learn by watching examples of legitimate lossless files and lossy MP3 and other formats, and comparing them. Once you see a large enough sample you know what to look for and you learn to spot the signs of suspicious looking spectrograms. Seeing a cut-off at 16 Khz / 20 Khz or an apparent "full" spectrogram is not everything ... it's not always that simple!
Unfortunately there is also a way to fake the spectrum itself, meaning, it is possible to turn an MP3-like spectrogram into a FLAC-like "full" spectrogram. I have seen examples of that and they can even fool a person using graphical spectrum analyzers, if they are not experienced. I won't say more about how that's done since I don't want to be giving anyone ideas (I may only explain how to detect such files or send learning examples, if anyone is interested). A well made fake from an already good lossy file may be literally impossible to detect though.
Web-shops selling lossless music and websites streaming lossless music are also not perfect. They rely on label supplying their releases and all the websites (shops and streaming sites) get the same files. And there are labels which sell fake WAV / FLAC files (lossy re-encodes). And I'm not talking about a handful of releases. I'm talking about complete catalogues! I keep a list of those and there are already over 20 labels from the electronic music genre (dance, house, trance, etc.) on there that I know about. One huge "offender" is DIY (Do It Yourself Multimedia Group) including all of its sublabels (Major Records, Liquid Sound, Nitelite, D-Lite Records, ...). Then there's Nocolors, Bit Records, Tornado, and the list goes on. And those are just from the genres I'm interested in. I have friends that worked in the music industry that told me that for older releases it is possible that the labels simply "lost" the digital masters after they went out of business or were acquired by other labels. But, there are even instances of digital downloadable releases dated 2017 that are being sold in lossy WAV/FLAC on web-shops. Most of the releases I checked are clearly unjustifiably fake, because I know that they are lossless on CD, but lossy on WEB WAV/FLAC. Web shops should definitely not be selling those to people who pay premium for lossless files but get exactly the same quality as MP3, or slightly better according to spectrogram (whatever lossy codec the label used), but definitely not lossless. By the way, again, all web-shops carry the same files since the labels send them all the same release. So if you get a lossy file from one web-shop, don't expect to get a different file from another web-shop. Just stick with the shop that makes less fuss when it's time to get a refund.
I have written to several bigger web-shops known in the electronic music genre and they are mostly unaware or unprepared for this (or they are playing stupid and waiting for people to start complaining). Once confronted they do issue refunds though, and I have seen releases taken down. Still, they don't automatically check all releases they receive from labels so there are A LOT of fake WAV/FLAC files being sold to gullible customers at this very moment. It is definitely a MUST to have Spek on your PC if you're buying lossless music on-line, even from legitimate web-shops offering digital downloads. Oh, and I also know of retail CDs that some labels mastered from actual MP3 files. So not even ripping a physical CD can be a sure way of getting a real lossless track. Again, use Spek for everything if you're dealing with lossless music files!