FTC Report Finds Some Small Business Web Hosting Services Could Leave Small Businesses at Risk of Facilitating Phishing Scams

The Federal Trade Commission today released a staff report that examines 11 web-hosting services that market themselves to small businesses and finds that many do not provide by default certain email authentication and anti-phishing technologies, potentially leaving many small firms at risk of facilitating phishing scams.

In a Staff Perspective, “Do Web Hosts Protect Their Small Business Customers with Secure Hosting and Anti-Phishing Technologies?”, the FTC’s Office of Technology Research and Investigation examined the security features offered by certain web hosting services that cater to small businesses. The research was prompted by a series of roundtable discussions around the country that the FTC held in 2017, in which many small business owners said that choosing web hosting and email providers was one of the key challenges they face.

The research found that many of the examined web hosts are helping small businesses implement SSL/TLS, with the majority of hosts integrating the process into their basic hosting plans or offering them as straightforward options for an additional fee. SSL/TLS technology ensures users are visiting a legitimate website and not an imposter. It also provides encrypted communications to protect personal information sent between the website and a user’s computer, as well as other website security safeguards.

The Staff Perspective notes, however, that of the 11 web hosting companies examined by FTC staff, few offer straightforward access to email authentication and anti-phishing technologies. These include domain-level authentication systems that verify the identity of the domain that email claims to be from (SPF and DKIM) and a related technology that can be used to instruct receiving email services to reject the delivery of messages that wrongly claim to be from an address at the sender’s domain  (DMARC).

In fact, FTC staff found that only two of the web-hosting companies implement SPF or DKIM by default and none offer support for DMARC as a standard feature of their hosting services.  Furthermore, three of the 11 hosts do not provide any method for configuring DMARC.  Although the use of DMARC is possible with the other eight hosts, their small business customers would need to have independent knowledge of DMARC and configure it on their own – something that a small business that is relying on the web host’s expertise is unlikely to do.

Among other things, the Staff Perspective recommends that small businesses pay close attention to the security features offered by web hosts so that they can choose a host that will protect their websites and email accounts with SSL/TLS and email authentication technologies. It also urges that web hosts implement these technologies for their small business clients. Finally, it recommends that publications that review web hosts evaluate the availability of SSL/TLS and email authentication technologies in their reviews. 

The Federal Trade Commission works to promote competition, and protect and educate consumers. You can learn more about consumer topics and file a consumer complaint online or by calling 1-877-FTC-HELP (382-4357).  Like the FTC on Facebook, follow us on Twitter, read our blogs and subscribe to press releases for the latest FTC news and resources.

IR Press

Recent Posts

U.S. Department of the Treasury Releases Final Regulations Implementing Bipartisan Tax Reporting Requirements for Brokers of Digital Assets

Regulations help make filing easier for digital asset holders on taxes already owed WASHINGTON – As part of…

2 days ago

OCC Issues Annual Report for 2024

WASHINGTON—The Office of the Comptroller of the Currency (OCC) today published its 2024 Annual Report.…

1 week ago

OCC Announces Enforcement Actions for December 2024

WASHINGTON—The Office of the Comptroller of the Currency (OCC) today released enforcement actions taken against…

1 week ago

Treasury Maintains Pressure on Houthi Procurement and Financing Schemes

WASHINGTON — Today, the Department of the Treasury’s Office of Foreign Assets Control (OFAC) sanctioned…

1 week ago

Treasury Sanctions Georgian Ministry of Internal Affairs Officials for Brutality Against Protesters, Journalists, and Politicians

WASHINGTON — Today, the Department of the Treasury’s Office of Foreign Assets Control (OFAC) is…

1 week ago

Treasury Maintains Pressure on Iranian Shadow Fleet

WASHINGTON — Today, the United States Department of the Treasury is imposing sanctions on four…

1 week ago