I Do See Color

Why your 'Contact Us' page should ditch the email address

BlackTechLogy: All websites need a contact CSS form to fend off hackers

Shamontiel L. Vaughn
Oct 20, 2023
Photo credit: Nappy Stock

This post is part of a series entitled “BlackTechLogy.”


“Who in their right mind would try to phish an attorney?” That was my first thought when I was hired to investigate an email a law firm received. The email sender asked for the attorney’s credit card information to renew his web domain. The form looked like a legitimate bill from a credible company and had his website on it. But when he contacted me to ask whether someone was trying to “steal his site,” I was more confused by him receiving the bill at all.

I’d already worked on the backend of his three sites, updating almost every page. And I knew that all three domains were set up for autopay. So why was this company asking for credit card information they already had?

Granted, a repeat client may ask for an updated credit card once the prior card expires. But asking for full name, address, credit card info and several other financial questions set off red flags immediately. But there was another conundrum. The actual web hosting company had been bought by another company, so it was very possible that this new “company” needed to update their records.



The result? It was a phishing scam. After confirming autopay was not turned off and calling his web hosting company, I asked for the new name of the web hosting company. It was not the company name on the bill. So how was this new company able to get the law firm’s contact info? It didn’t take much effort. Although the attorney had an HTML “Contact Us” page, his prior web editor had plastered his email address all over the site. Why would anyone need to fill in the CSS fields of the “Contact Us” form? They could just copy and paste his email address, and contact him (or send messages under his email address) without his knowledge.

While I thought it was insane to hack law firm websites, the problem is hackers are overly confident (and often successful). And unless they get caught, pretty much anybody can be a victim of spoofing and phishing scams.

Photo credit: Adedoyin/Nappy

© 2025 Shamontiel L. Vaughn