Office Of Technology Research and Investigation (OTech)

In a Staff Perspective, “Do Web Hosts Protect Their Small Business Customers with Secure Hosting and Anti-Phishing Technologies?”, the FTC's Office of Technology Research and Investigation examined the security features of a particular web hosting services that cater to small businesses.
The Staff Perspective notes, however, that of the 11 web hosting companies examined by FTC staff, few offer straightforward access to email authentication and anti-phishing technologies. It includes domain-level authentication systems that verify the domain's identity that email claims to be from (SPF and DKIM) and related technology. It can be used to instruct receiving email services to reject the delivery of messages that wrongly claim to be from an address at the sender's domain (DMARC).

The Federal Trade Commission (FTC) released a research report that few Small Business Web Hosting Services could potentially leave small businesses at risk of facilitating Phishing Scams. The Commission finds that many do not provide by default specific email authentication and anti-phishing technologies.

In 2017, the research prompted by a series of FTC held roundtable discussions around the country. Many small business owners said that choosing web hosting and email providers was one of the critical challenges they face.

The research found that many of the examined web hosts help small businesses implement SSL/TLS, with the majority of hosts integrating the process into their basic hosting plans or offering them as straightforward options for an additional fee. SSL/TLS technology ensures users are visiting a legitimate website and not an imposter. It also provides encrypted communications to protect personal information sent between the website and a user's computer and other website security safeguards.

FTC staff found that only two of the web-hosting companies implement SPF or DKIM by default, and none offer support for DMARC as a standard feature of their hosting services. Furthermore, three of the 11 hosts do not provide any method for configuring DMARC. Although the use of DMARC is possible with the other eight hosts, their small business customers would need to have independent knowledge of DMARC and configure it on their own. Something that a small business that is relying on the web host's expertise is unlikely to do.
Among other things, the Staff Perspective recommends that small businesses pay close attention to the security features offered by web hosts so that they can choose a host that will protect their websites and email accounts with SSL/TLS and email authentication technologies. It also urges that web hosts implement these technologies for their small business clients. Finally, it recommends that publications that review web hosts evaluate SSL/TLS and email authentication technologies' availability in their reviews.

Source: Press Release 
Juliana Gruenwald Henderson
Office of Public Affairs
Tina Yeung
Office of Technology Research and Investigation