Our Phishing Team at FraudWatch International have been seeing an increase in attacks on web hosting websites. Most people who have a website use a web hosting company to publish their site, and have a web hosting account to manage their files.

“Go Daddy” is one of the biggest web host companies in the world. According to PC Mag, the Editor’s Choice for the top 5 shared web hosting services is: Arvixe, DreamHost,, Hostwinds & InMotion.

When someone receives a phishing or malware email, the website they are directed to is usually a hacked website which has had malicious files put on it. The cyber-criminals set up backdoor access to the site and then upload phishing or malware files to catch out unsuspecting users. However, if the criminals send out a phishing email to steal web hosting credentials (for example, “Go Daddy” credentials) and steal someone’s Go Daddy login, they will then have full access to that person’s website, and they can load phishing and malware on it. In a way, this is phishing causing more phishing.

If you get phished for your banking credentials, it is quite clear what is going to happen – money will be stolen. If your web hosting account details get stolen though, it could end up being much worse for you.

Let’s say a small business, such as a Hair Salon, receives a phishing email saying that there has been unauthorised access to their web hosting account. They are given a link to log in and reset their password; however, it is actually a link to a phishing site set up to look like their web hosting login page. The hackers can then take over the salon’s hosting account and lock them out, while proceeding to use the Hair Salon website for more phishing by putting malicious files on the website. This is very bad for business. The salon’s site may subsequently get flagged by customer web browsers as having malware. The hackers might even send malware emails out to all of the salon’s clients.

Small businesses that run their own websites are the most at risk of these criminal activities. Their businesses depend on their website, and if a hacker gets full access to it, they could lose a lot of customers. An accountant, for instance, may ask their clients to upload confidential files to their website. Not only is their business at risk, but so is the personal data of all of their clients.

If you have a website, you have a responsibility to protect your clientele. DIY websites are the most at risk: those of small businesses that get their teenage child to set up the website and then never touch it again. If their site is hacked, they don’t know how to fix it; the problem could drag on for months and their site may be completely destroyed or blacklisted by anti-virus software.

If a website is hacked, who is responsible for how the website gets used? Web hosts are partly responsible, depending on the level of hosting the business pays for. Basic hosting usually means the web hosting company has access to your files, so if there is phishing present, they can generally fix it. Sometimes, however, they may not have that level of access, and they may just suspend your whole website, which is, again, bad for small business. If you are doing all your business through your website and you are not aware of an issue, it could take you days to speak to your web host, and in that time, you have lost valuable sales or customers.

Often, small businesses try to save money by using WordPress or other free website building software to quickly create a website. However, these websites need to be maintained, and small businesses need to be extremely careful when clicking links in emails. FraudWatch International regularly calls small businesses to explain to them that their website has been hacked, and often the owners don’t know how to resolve this issue.

What to do if your website is hacked:

  • Contact your web host, prove that you are the legitimate business owner and get them to reset your password. Managed hosting services may step in and help fix compromised files, but if you have a dedicated, unmanaged server, all they can do is turn your website off.

Note: They might give you a few days to fix it and then they’ll turn it off, which means your whole server is offline. If you have a public website on that server and then private internal data on that server too, your business will grind to a halt if that server gets turned off.

  • Even if you get your website fixed, Google or anti-virus companies may have already blacklisted your site, so you need to contact them to get your site removed from their list. This step could take you a long time.
  • You may need to hire a web designer to fix your website and remove any malicious files or links.

Prevention is better than cure. Don’t set up a website if you don’t understand how web security works. Use a professional website designer; the money will be well spent.