What is Website Reputation & Why Should You Care?
What’s the one thing that all websites have that could make them a target for scammers and phishers? Website reputation. What is website reputation? It is much like your own reputation: how people see your website, its presence online, whether or not people feel safe when on your site, etc. What’s particularly important about having a non-negative website reputation is how it appeals to hackers and scammers. Why? Because they can use it to launch phishing campaigns collecting your personal data.
How to Spot a Phishing Scam
Phishing scams are everywhere – I get them in just about every inbox I have, on social media and even by phone. But the ones that are most dangerous are the ones that look real – unless you look really closely. A common tactic of phishers is to take a domain (yoursite.com, for instance) that has a positive, or at least non-negative, website reputation and spoof their phishing campaign through that compromised site, using a series of redirects and encryption to make the path difficult to trace.
Troy Hunt, owner of haveibeenpwned.com, published a comprehensive blog post covering how this happens and what to look for when visiting a site that is compromised. A dead giveaway is that the URL in your browser does not match the link you clicked on. For example, if you click a link to log in to Gmail, Netflix or any other service that requires a login, and the URL in your browser doesn’t match that particular service (i.e., Gmail should connect to mail.google.com and not some arbitrary site), that site is compromised and the link that you clicked on is part of a phishing attack to gain your login credentials.
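The URL check described above can be written down as code. This is an added example, not part of the original post or of Troy Hunt's article; the service list, the function name checkLoginUrl and the sample URLs are assumptions made for illustration. It compares the host in the address bar against the hosts you expect for a service and rejects two common lookalikes: the trusted name used as a prefix of another domain, and the trusted name placed before an "@" sign.

```javascript
// Added example. EXPECTED_HOSTS is an assumed, reader-maintained allowlist;
// the URLs used with it are constructed samples (.example is a reserved TLD).
const EXPECTED_HOSTS = {
  gmail: ["mail.google.com", "accounts.google.com"],
  netflix: ["www.netflix.com", "netflix.com"],
};

function checkLoginUrl(service, addressBarUrl) {
  const expected = EXPECTED_HOSTS[service];
  if (!expected) return { ok: false, reason: "unknown service" };

  let url;
  try {
    url = new URL(addressBarUrl);
  } catch {
    return { ok: false, reason: "not a valid URL" };
  }

  // A login page served without TLS should never receive a password.
  if (url.protocol !== "https:") return { ok: false, reason: "not https" };

  // "https://mail.google.com@login.example/" shows the trusted name first,
  // but everything before "@" is user info; the real host comes after it.
  if (url.username || url.password) {
    return { ok: false, reason: "userinfo in URL" };
  }

  // Normalise: drop a trailing root dot, compare case-insensitively.
  const host = url.hostname.replace(/\.$/, "").toLowerCase();

  // Exact match only. A "starts with" or "contains" test would accept
  // "mail.google.com.login.example", which belongs to login.example.
  if (!expected.includes(host)) {
    return { ok: false, reason: `unexpected host: ${host}` };
  }
  return { ok: true, reason: "host matches" };
}

// Constructed samples: the real host, then two lookalikes.
for (const u of [
  "https://mail.google.com/mail/u/0/",
  "https://mail.google.com.login.example/signin",
  "https://mail.google.com@login.example/signin",
]) {
  console.log(u, "->", checkLoginUrl("gmail", u).reason);
}
```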
Troy’s article goes into detail about how phishers do this, and cites some specific examples of perfectly harmless sites being used for phishing campaigns. So, how does this relate to your website? Well, first, your site would be compromised and open to attack by phishers and scammers. Second, as they begin fraudulently using your site to mount phishing campaigns, your site’s reputation gets trashed. Once your site reputation is affected, it is very difficult to restore it to its former glory.
How Do You Protect Yourself and Your Website?
Practicing good safety techniques when browsing the web, reading your email, etc. is always important, but it’s particularly important in protecting yourself against phishing scams and people who are out to damage your website reputation by using your site for their phishing campaigns. What should you do to protect yourself?
Always Use Common Sense
It’s important to always think before you click – because what you click may not be what you think it is. Email spoofing, particularly with webmail such as Hotmail, Yahoo, AOL (yes, people still use AOL) and even Gmail, has been running rampant for a long time. Usually, those types of phishing campaigns are easy to spot: there’s just a link and very little else, or some badly written text. NEVER click those links. Anyone you know who really wants you to check out a link will write more details about the link they are sending. If you don’t have a particular service associated with a particular email address (for example, if you only use Netflix with a home email and not with a work email), you know that a message about that service sent to the other address is fraudulent; mark it as spam and delete it. Be skeptical; if it looks like spam or a scam, get rid of it.
Consider Creating Difficult to Hack Passwords
Most services that require passwords will force you to use numbers, capital letters, special characters, a haiku, the blood of a virgin – alright, maybe not the last two, but you get the idea. Using a variety of characters can help you prevent your password from being hacked. A good rule of thumb is to make the password 15 characters or more, using a variety of the characters mentioned above. Additionally, especially with WordPress, even though you may have an “Admin” login, don’t use it – here’s why. “Admin” is the most commonly used username, particularly with WordPress. Using an Admin account, or even having one you don’t use, gives the hacker 50% of the login combination. Create a user account and make them an Admin instead. That way, you’re not giving the hacker an unfair advantage.
Control Access to Your Hosting Account
This seems like a given, much the way you would protect any login. However, once someone gets control of your hosting, it can be very difficult – and costly – to have any of their activities removed from the account. Only allow trusted users to have access and, even then, don’t give them full administrative control over the account.
Occasionally, I’ll receive requests from people asking to do some guest blogging on my site – I approach these with trepidation – I don’t want their posts to injuriously affect my blog, my site, my website reputation. I make sure that the user is vetted through my own searching – social media accounts, email account validation, company that they contact me on behalf of – all this BEFORE I reach out to them regarding their request. Remember – it’s your site and your website reputation. At the end of the day, it’ll be up to you to protect – or fix – your website reputation, not them. Be cautious up front.
Exercise Caution and Skepticism
Skepticism? Yes, skepticism. Most things out there that are too good to be true, really are just that – too good to be true. Use caution when checking out that latest free movie on Netflix, those free credits on Google Adwords or connecting with someone about a cool guest blogging opportunity. Think about the offer – do your homework. Ask questions. Not every too-good-to-be-true offer is a scam, but I’ve seen enough people who have been victimized out there to know that there are a lot of vulnerabilities. Making sure you’re protected is the key.
As I’ve mentioned before, I use Wordfence on all my sites. In addition to their powerful features, they provide regular blog posts that highlight the latest scams going around, how they are being executed and what to do to avoid being a victim of them. It helps me protect my website reputation and keeps me aware of vulnerable plugins that could allow hackers into my site. If you have a WordPress site, I highly recommend it.
Website reputation is extremely important, and you should work to keep it positive and out of the hands of those who would exploit it for their own deceptive phishing campaigns. I hope you’ve found this post helpful and that you’ll consider how important website reputation is to your own website.