Phishing is a technique where bad actors impersonate trusted brands, including yours, to trick people into sharing sensitive information like passwords, payment details, or account credentials.
Because Duda customers build and manage websites for their own clients, phishing attacks in the Duda ecosystem can target multiple levels: you directly, or your clients through impersonation of your business. This guide provides practical steps to protect both your Duda account and your clients.
Duda's systems have not been compromised. These phishing campaigns are conducted by external actors who use publicly available business information to impersonate Duda customers. This guide is provided for informational purposes only and does not constitute an assumption of any responsibility or liability by Duda.
- Duda will never ask for your account password via email, phone, or chat.
- Duda will never request payment information through email links.
- Duda will never contact you or your clients through your site's forms or CRM tools.

If you receive a message that does any of the above, it is not from Duda.
- Check the sender's email address. Look for misspellings, extra characters, or domains that mimic legitimate addresses (e.g., support@dudda.co instead of @duda.co).
- Watch for urgency or threats. Messages pressuring you to "act immediately" or warning of account suspension are common tactics.
- Hover before you click. Preview link destinations without clicking — if the URL doesn't point to a domain you recognize, don't click it.
- Verify independently. If a message claims to be from Duda, log into your Duda account directly (not through the email) to confirm.
- Use SSO if available to centralize access management and enforce your organization's security policies.
- At minimum, enable two-factor authentication (2FA) on your Duda account and all associated services — email, domain registrar, hosting, and payment providers.
- Use strong, unique passwords for each service. Change them immediately if you suspect they may be compromised.
- Audit user permissions regularly and remove access for anyone who no longer needs it.
Properly configured email authentication is one of the most effective ways to prevent attackers from sending emails that appear to come from your domain:
- SPF (Sender Policy Framework) — specifies which mail servers are authorized to send email for your domain.
- DKIM (DomainKeys Identified Mail) — cryptographically signs outgoing emails so recipients can verify they genuinely came from your domain.
- DMARC (Domain-based Message Authentication, Reporting & Conformance) — instructs receiving mail servers on how to handle messages that fail SPF/DKIM checks, and gives you visibility into unauthorized senders.
Review your DMARC reports regularly to detect unauthorized use of your domain.
- Keep operating systems, browsers, and plugins up to date.
- Use reputable antivirus / endpoint protection software.
- Enable disk encryption on all devices used to manage client sites.
- Limit browser extensions to trusted, necessary ones — malicious extensions are a common vector for credential theft.
Since phishing attacks may target your clients by impersonating your business, we recommend:
- Tell your clients what you will and won't do. Let them know you will never ask for passwords or payment information via email.
- Encourage clients to verify before acting. If they receive an unexpected email appearing to come from your business, they should contact you directly using a known phone number or email — not through links in the suspicious message.
- Ask clients to forward suspicious emails to you so you can assess, report, and alert other clients if needed.
- Change all passwords for affected accounts immediately.
- Contact your domain registrar to secure domain access and enable registrar-level locks.
- Run a full malware / antivirus scan on any device that may have interacted with the phishing content.
- Notify affected clients and advise them to monitor accounts and contact their financial institutions.
- Report to Duda at [dedicated phishing email/form] so we can track the campaign and assist.
- File a report with the relevant authorities (e.g., FBI IC3 at ic3.gov, FTC at reportfraud.ftc.gov, or your local equivalent).
This guide is provided for informational purposes only as a resource for Duda customers. It does not constitute legal, cybersecurity, or professional advice. Duda makes no representations or warranties regarding the completeness or effectiveness of these recommendations and assumes no responsibility or liability for the actions of third-party threat actors or for any losses arising from phishing campaigns, unauthorized access, or other security incidents.