Bank Website Being Flagged as Phishing Site?
By Jason Sherrill on Wednesday, April 23, 2014
Banks are naturally concerned when a customer reports that her security software is identifying the bank's website as a potential phishing site. In many cases, these reports are false positives and do not mean that someone has compromised your website, but there are steps that you should take to ensure the safety of your website and to assure your customers that the site is safe.
While banks should take any perceived report of a security issue with their website seriously, the majority of reports that we help our clients investigate are a result of faulty security software installed on the visitor's computer or network. But how can you know for sure?
Assess the Amount and Types of Warnings
When beginning your investigation, the first important fact to ascertain is how many customers have reported the issue. If your website receives more than a few hundred visitors per day and your site has been compromised, you will likely receive inquiries from multiple customers in a relatively short period of time. Communicate with your customer service team and maintain a log of all requests. Collect as much information from customers as possible, including
- The exact security threat language their software is reporting
- Name of the security software reporting the threat, and if applicable, the version of the software
- URL where the visitor received the report
- The type and version of security software the customers are using
- When the customer first noticed the issue
- The computer operating system and browser the customer is using
- What type of internet connection the customer is using, as well as the ISP
Perform a Malware Scan
There are many good malware and vulnerability scanners that can detect common exploits and malware that may exist on a website. For example, one of the services that we provide to our clients is SiteLock™, which is a reasonably reliable tool for identifying malicious content on your website. As with any automated solution, it's not 100% effective and can report false positives, as well as miss certain zero day exploits. Nonetheless a malware scanner that performs a daily scan of your website is a good idea and a standard practice we recommend to all of our clients.
Review Your Website Code
Automated solutions are a good ingredient in your security recipe, but since they're not perfect, you should also manually inspect your website's code if you have received a report that your website has been flagged as a phishing or other security threat. Pay particularly close attention to any JavaScript references or calls or POSTs to third-party websites. If you see a request or POST to a third-party URL that you don't recognize, investigate it to confirm that the URL is legitimate and that the third-party website hasn't been exploited. We have seen numerous cases where the bank's website has not been compromised, but a third-party from which it is pulling content has been compromised and thus the visitor's security software is triggering a warning.
If you're not familiar with your website's code, ask your web developer. If you don't have a web developer on staff or on retainer, reach out to colleagues to get a recommendation for a competent web developer who can assist. The money you spend will provide value by way of the peace of mind you'll gain from knowing that someone who understands code and security has given you an all-clear on your website.
Contact the Security Vendor that Flagged Your Site
If you have determined that your site is free of any malware, be sure to contact your customer's security software vendor to notify them of the false positive and to ask them to review your site. Since most security software relies on definitions that are shared by hundreds, thousands, or even millions of users, there is a good chance that other customers who use the same software will also receive warnings. In addition, it can help the software vendor to better tune their software and save you from wasting time investigating false reports.