Phishing is one of the most successful and widespread cyberattacks in the world. It costs businesses and individuals billions of dollars every year. Most people have a basic idea of what it is — a fake email pretending to be from your bank. But the mechanics behind how phishing actually works, and the role that ordinary business websites play in it, are less well understood.
How Phishing Works
A phishing attack starts with a message — an email, a text, sometimes a social media message — designed to look like it's from a trusted source. Your bank. PayPal. The IRS. Microsoft. Amazon. The message creates urgency: your account has been suspended, there's suspicious activity, you owe a balance, your password needs to be reset immediately.
The message contains a link. The link leads to a page that looks exactly like the real thing: same logo, same colors, same layout. You enter your username and password. Those credentials go directly to the attacker, and the fake page often forwards you on to the real site afterwards so that nothing looks wrong. The real site never saw the login.
That fake page has to live somewhere. And that's where your website comes in.
Why Attackers Use Small Business Websites
Phishing pages need a host, a web server to serve them from. Attackers can register their own domains and rent their own servers, but a brand-new domain with no history is reported, taken down and added to blocklists quickly. A much better option, from the attacker's perspective, is to use someone else's legitimate server.
When a small business website gets compromised, attackers often use the server's legitimate reputation — its domain age, its history, its real content — as cover. They install a phishing page in a subdirectory the owner never looks at. The rest of the site keeps running normally. The owner has no idea.
Security filters that might block a brand-new suspicious domain are less likely to flag a five-year-old business website. The phishing page has better reach, lasts longer, and is harder to detect — because it's hiding behind your legitimacy.
What This Looks Like in Practice
Your website continues to look and work normally to you. Meanwhile, at a URL like yoursite.com/secure/paypal/login, there's a perfect copy of the PayPal login page. Thousands of phishing emails go out pointing to that URL. People enter their PayPal credentials. Money gets stolen. PayPal reports the page. Your hosting account gets suspended. Your real site goes down.
You didn't do anything wrong intentionally. But your site facilitated fraud — and your hosting provider, payment processors, and potentially regulators don't distinguish between "victim" and "participant" when the activity happened on your server.
How to Protect Your Site — and Others
- Keep your website software up to date, including the CMS core, themes and plugins. Phishing kits are uploaded through the same holes as any other web compromise: unpatched plugins, insecure file-upload forms and exposed admin panels.
- Use strong, unique passwords and enable multi-factor authentication for your hosting control panel, FTP/SFTP and CMS accounts. Stolen or reused credentials are the other main way in.
- Monitor your site for unexpected file changes by comparing the web root against a known-good baseline. A new directory you didn't create, a PHP file inside an uploads folder, or a modified index.php is a red flag.
- Set up alerts for when your domain appears on phishing or malware blocklists such as Google Safe Browsing, and make sure the abuse and technical contact addresses on file with your host and registrar reach someone who actually reads them.
- Work with a hosting provider and developer who take security seriously.
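The file-change check in the list above can be automated with a short script. The following is an added example and not code from the original page: it builds a SHA-256 baseline of the web root, then compares a later scan against that baseline and reports added, removed and modified files, flagging any new or changed server-side script. The directory layout, file names and contents in `demo()` are constructed sample data that simulate a dropped phishing kit and a backdoored index.php.

```python
"""
Minimal file-integrity check for a web root: build a baseline of SHA-256
hashes, then compare a later scan against it and report anything new,
changed or missing. Added example; not part of the original page.
"""
import hashlib
import json
import tempfile
from pathlib import Path

# Extensions the web server will execute. A new or changed file with one of
# these is the strongest signal that a phishing kit or web shell was dropped.
EXECUTABLE_SUFFIXES = {".php", ".phtml", ".php5", ".phar"}


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large uploads don't hit memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan(root: Path) -> dict:
    """Map every regular file under root (relative POSIX path) to its hash."""
    manifest = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            manifest[p.relative_to(root).as_posix()] = hash_file(p)
    return manifest


def save_baseline(root: Path, baseline_file: Path) -> None:
    """Write the current scan to disk; store this outside the web root."""
    baseline_file.write_text(json.dumps(scan(root), indent=2, sort_keys=True))


def compare(baseline: dict, current: dict) -> dict:
    """Diff two manifests and single out executable files that appeared or changed."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in set(baseline) & set(current)
                      if baseline[p] != current[p])
    suspicious = [p for p in added + modified
                  if Path(p).suffix.lower() in EXECUTABLE_SUFFIXES]
    return {"added": added, "removed": removed,
            "modified": modified, "suspicious": suspicious}


def check(root: Path, baseline_file: Path) -> dict:
    """Rescan root and compare against the saved baseline."""
    baseline = json.loads(baseline_file.read_text())
    return compare(baseline, scan(root))


def demo() -> dict:
    """Simulate a compromise in a temporary web root (constructed sample data)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "public_html"
        (root / "wp-content" / "uploads").mkdir(parents=True)
        (root / "index.php").write_text("<?php echo 'hello'; ?>")
        (root / "style.css").write_text("body { color: black; }")
        (root / "wp-content" / "uploads" / "photo.jpg").write_bytes(b"\xff\xd8\xff")
        baseline_file = Path(tmp) / "baseline.json"   # kept outside the web root
        save_baseline(root, baseline_file)

        # Attacker drops a phishing kit in a subdirectory the owner never looks
        # at, and plants a backdoor in an existing file.
        kit = root / "secure" / "paypal" / "login"
        kit.mkdir(parents=True)
        (kit / "index.php").write_text("<?php /* fake PayPal login form */ ?>")
        (root / "index.php").write_text("<?php /* injected backdoor */ echo 'hello'; ?>")
        return check(root, baseline_file)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In practice, run `save_baseline` right after each legitimate deployment and `check` from a scheduled job, with the baseline file kept somewhere the web server account cannot write; a baseline the attacker can rewrite tells you nothing.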
The Shared Responsibility of the Web
The internet is a shared environment. A compromised website doesn't just hurt its owner — it becomes a tool that harms strangers who have no relationship with the business at all. Taking your website's security seriously is partly self-interest and partly responsibility to the people who use the web around you.
If you'd like a security review of your site or help implementing proper monitoring, we're here.