Phishing Pages on Your Website: Takedown Notices, Explained

By · Updated · 6 min read

If someone found a phishing page on your website, a fake bank, PayPal, or Microsoft login form sitting in a folder you never created, your site has been compromised and is being used as free hosting for someone else's fraud. The page needs to come off your server today, the backdoor that planted it needs to go with it, and the takedown notices piling up in your inbox need actual replies, because phishing gets a site blacklisted faster than any other kind of hack.

I want to say the reassuring part first: getting a takedown notice does not mean you're in legal trouble, and it doesn't mean anyone thinks you're the fraudster. Banks and security teams send these to hacked site owners all day long. It means your server is being borrowed. Panicked owners forward me these emails weekly, and the situation is nearly always fixable within a day.

Why is there a fake bank page on my site?

Phishing crews need places to host their fake login forms, and hacked small-business sites are perfect: real domains with real reputations that spam filters don't distrust yet. The attacker breaks in through an outdated plugin, a stolen password, or an already-present backdoor, then uploads a phishing kit, usually a zip file that unpacks into a folder with a name like /secure-login/, /chase-verify/, or a random string like /x8k2/. Inside is a pixel-perfect copy of a bank's login page and a small mailer that sends every stolen username and password to the attacker.

Then they blast out phishing emails linking to the page on your domain. Your site does the hosting; you inherit the consequences.

The mail you'll get, and who it's from

Phishing has an entire reporting ecosystem, so once the campaign starts, notices arrive fast. You might hear from the impersonated bank's fraud team, from your hosting company, from national CERTs (computer emergency response teams), or from monitoring firms like Netcraft that hunt phishing on behalf of banks. Some notices are polite requests with the exact URL listed. Some are stern legal-sounding form letters. Your host's version may come with a deadline and the words "account suspension."

Read them carefully, because they hand you the single most useful fact: the exact path of the phishing content. Save every notice. And take the deadlines seriously; hosts really do suspend accounts over unanswered phishing reports, since their own IP reputation is on the line.

Why phishing blacklists you so fast

Browsers and blacklist operators treat phishing as the most damaging category there is, worse than malware in terms of response time, because every hour a fake bank page stays up costs real people their savings. Google Safe Browsing can slap the red "Deceptive site ahead" warning on your domain within hours of a report. PhishTank, OpenPhish, Netcraft, and the antivirus vendors follow quickly, and suddenly Chrome, Firefox, Safari, and half the corporate firewalls in the world are blocking not just the phishing folder but your whole site.

Check where you stand with my free blacklist checker, which covers the major lists in one pass. If Netcraft specifically flagged you, I keep a walkthrough at Netcraft blacklist removal.

Removing the kit properly

Before deleting anything, capture evidence: copy the phishing folder somewhere off the site, note the file timestamps, and pull your access logs for the period. Timestamps plus logs usually reveal how the kit arrived and whether the attacker is still getting in. My technical indicators checklist covers this in more depth.

Then remove the phishing folder entirely, and keep going, because the kit is never the whole story. Whatever uploaded it is still there: a web shell in wp-content/uploads, a modified plugin file, an admin account you didn't create. On a case last fall, the phishing folder was the fourth kit that server had hosted; the first three had been deleted by the owner over two months while the uploader script sat untouched the whole time. Hunt uploads for PHP files, compare core files against fresh copies, review users, then update everything and rotate every password: hosting, WordPress, FTP, database. If that's more than you want to take on, my malware removal service exists for exactly this.

Answering the takedown notices

Once the content is gone, reply to each notice, briefly. Something like: "The phishing content at [URL] was removed on [date]. The site had been compromised through [what you found, if known]; the vulnerability has been closed and all credentials rotated. Please confirm the report can be closed." That's it. Nobody expects a lawyer's letter, they expect the URL to return a 404, and most reporters re-check automatically. If the notice came from your host with a deadline attached, reply to that one first and say plainly what was removed and when, because the host is the only party in this story who can switch your site off.

Then clear the blacklists. Request a Safe Browsing review through Search Console (my guide to removing the Google warning walks through it), report the fix on PhishTank if you're listed there, and work down anything else the checker found. Phishing listings usually clear fast once the page is verifiably gone, often within a day or two, precisely because these systems re-verify constantly.

Keeping it from happening again

Phishing kits come back to servers that stay easy, so spend twenty minutes making yours annoying. Block PHP execution inside wp-content/uploads with a short .htaccess rule; most kits and their uploaders live there, and that one change breaks them. Update WordPress, plugins, and themes, and delete the plugins you stopped using in 2021. Turn on two-factor authentication for admin and hosting logins. And if your FTP password predates your last three computers, retire it.

Watchfulness helps too, because the earlier you catch a kit, the fewer notices and blacklists you face. A file-change monitor, whether through a security plugin or my own monitoring service, flags a new folder full of PHP within hours instead of weeks. I also suggest signing your domain up for Search Console alerts if you haven't, since Google will email you when Safe Browsing flags anything. None of this is exotic. Phishing crews work in bulk and pick soft targets; a modestly hardened site simply stops being worth their time.

If you'd rather have this handled

The genuinely hard part isn't deleting a folder; it's being sure you found the uploader, the spare backdoor, and the hole they came through, because a second kit means the notices start over and the blacklists trust you less each round. My Bulletproof Cleaning is $195 and covers the full job: evidence preserved, kit and backdoors removed, entry point closed, blacklist reviews filed, notices answered. Send me the takedown email that scared you and I'll take it from there.

Common questions

Someone found a phishing page on my website. Am I in trouble?

Not in the way you fear. Banks, CERTs, and security firms send takedown notices to hacked site owners constantly; they know you're a victim whose server is being borrowed for fraud. What matters is acting quickly: remove the phishing content, close the hole it came through, and reply to the notices confirming removal. Ignored notices are what lead to suspensions and lasting blacklisting.

What is a phishing takedown notice?

It is an email from a bank's fraud team, a hosting provider, a national CERT, or a monitoring firm like Netcraft telling you that a specific URL on your site hosts a fake login page. The notice includes the exact path, which is genuinely useful for cleanup. Reply after removal with the date it was taken down and a note that the vulnerability was closed.

How did a fake bank login page get on my server?

An attacker broke in, usually through an outdated plugin or theme or a stolen password, and uploaded a phishing kit: a zip that unpacks into a complete copy of a bank's login page plus a script that mails stolen credentials to the attacker. Your domain's clean reputation is the asset they wanted, since links to it slip past spam filters more easily.

Will deleting the phishing folder fix the problem?

Only temporarily. The folder is cargo; the uploader that placed it, typically a web shell or backdoor elsewhere on the server, remains after you delete it, and a replacement kit often appears within days. A real fix removes the kit and the backdoors, closes the entry point, updates everything, and rotates all passwords. Then the takedown notices actually stop.

How long until the browser warnings go away after removing a phishing page?

Usually fast, compared to malware cases. Phishing blacklists re-verify their listings constantly, so once the URL returns a 404 and you request a Safe Browsing review through Search Console, warnings commonly clear within one to three days. Confirm the cleanup across the other lists too, since PhishTank, Netcraft, and antivirus vendors each maintain their own entries.