Why your 'Contact Us' page should ditch the email address
BlackTechLogy: All websites need a contact CSS form to fend off hackers
“Who in their right mind would try to phish an attorney?” That was my first thought when I was hired to investigate an email a law firm received. The email sender asked for the attorney’s credit card information to renew his web domain. The form looked like a legitimate bill from a credible company and had his website on it. But when he contacted me to ask whether someone was trying to “steal his site,” I was more confused by him receiving the bill at all.
I’d already worked on the backend of his three sites, updating almost every page. And I knew that all three domains were set up for autopay. So why was this company asking for credit card information they already had?
Granted, a repeat client may be asked for an updated credit card once the prior card expires. But asking for full name, address, credit card info and several other financial details set off red flags immediately. There was another conundrum, though. The actual web hosting company had been bought by another company, so it was very possible that this new “company” needed to update its records.
The result? It was a phishing scam. After confirming autopay was not turned off and calling his web hosting company, I asked for the new name of the web hosting company. It was not the company name on the bill. So how was this new “company” able to get the law firm’s contact info? It didn’t take much effort. Although the attorney had an HTML “Contact Us” page, his prior web editor had plastered his email address all over the site. Why would anyone need to fill in the CSS fields of the “Contact Us” form? They could just copy and paste his email address, and contact him (or send messages under his email address) without his knowledge.
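To make the contrast concrete, here is an added example (constructed for this page, not the law firm’s site or any product’s code) of what a contact form buys you that a published email address does not: the destination mailbox lives only in server-side configuration and never appears in the HTML, and every submitted field is validated before it becomes a mail message. The addresses, field limits and `handle_submission` entry point are assumptions for illustration; the one extra check worth noting is the rejection of line breaks in header-bound fields, which stops a submitter from smuggling additional headers into the generated message.

```python
"""Minimal contact-form handler (constructed example).

The recipient mailbox is known only to the server, so a scraper that reads
the page source gets nothing to harvest, and user input is validated before
it is turned into an email."""
import re
from email.message import EmailMessage

# Hypothetical addresses; a real deployment reads these from server config.
RECIPIENT = "intake@example-lawfirm.invalid"
SITE_SENDER = "no-reply@example-lawfirm.invalid"

_EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
MAX_LEN = {"name": 100, "email": 254, "subject": 150, "message": 4000}


def validate(form):
    """Return a list of problems with the submitted fields (empty list = ok)."""
    problems = []
    for field in ("name", "email", "subject", "message"):
        value = form.get(field, "")
        if not isinstance(value, str) or not value.strip():
            problems.append(f"{field}: required")
            continue
        if len(value) > MAX_LEN[field]:
            problems.append(f"{field}: too long")
        # A CR or LF inside a field that lands in a mail header would let the
        # submitter append headers of their own (header injection).
        if field != "message" and ("\r" in value or "\n" in value):
            problems.append(f"{field}: line breaks not allowed")
    email = form.get("email", "")
    if isinstance(email, str) and email.strip() and not _EMAIL_RE.match(email):
        problems.append("email: malformed")
    return problems


def build_message(form):
    """Build the outbound message.

    From: is the site's own address, the visitor's address goes in Reply-To:,
    and RECIPIENT is filled in here, server-side, never in the page."""
    problems = validate(form)
    if problems:
        raise ValueError("; ".join(problems))
    msg = EmailMessage()
    msg["From"] = SITE_SENDER
    msg["To"] = RECIPIENT
    msg["Reply-To"] = form["email"]
    msg["Subject"] = f"[Contact form] {form['subject'].strip()}"
    msg.set_content(
        f"From: {form['name'].strip()} <{form['email']}>\n\n{form['message']}"
    )
    return msg


def handle_submission(form):
    """What a POST handler returns to the browser: a status, never an address."""
    try:
        msg = build_message(form)
    except ValueError as exc:
        return {"ok": False, "errors": str(exc).split("; ")}
    # A real handler would hand `msg` to smtplib or a mail API here.
    return {"ok": True, "subject": msg["Subject"]}


if __name__ == "__main__":
    # Constructed sample submission.
    sample = {
        "name": "Jane Doe",
        "email": "jane@example.invalid",
        "subject": "Domain renewal question",
        "message": "Is my renewal already on autopay?",
    }
    print(handle_submission(sample))
    print(handle_submission(dict(sample, subject="hi\nBcc: other@example.invalid")))
```

The browser only ever sees the form fields and a success or error status; the mailbox that receives the message is never exposed, which is the whole point of the page’s argument.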
While I thought it was insane to hack law firm websites, the problem is hackers are overly confident (and often successful). And unless they get caught, pretty much anybody can be a victim of spoofing and phishing scams.