Reputation: The Phisher's Elixir

HTTPS certification. Anti-DDOS protections. CAPTCHA verification. All of these constantly evolving and expanding terms for protecting websites. It can get really frustrating having to keep up with the latest cyber-security techniques for your online services. Often an organisation’s website doesn’t collect any credentials, they don't have any payment info and in many cases, the site is simply a static representation of content that rarely changes.

So sometimes it’s probably best to do the bare minimum if your site doesn’t contain anything valuable, right? If all that is the case, why on Earth would a hacker even make an effort to breach it?
One word: Reputation.
More specifically, a non-negative reputation because that's a valuable thing to attackers wanting to mount a phishing campaign. This happens on an alarmingly regular basis and there was a perfect illustration of precisely this when it was discovered that spammers were hosting files on Equifax's website in the massive data breach that happened earlier this year.
In a nutshell, in order to send convincing phishing emails, hackers crave legitimate domains so that they can defraud victims more easily. It makes it far harder for your browser’s built-in anti-phishing protections to work if the phishing attempt is coming from an otherwise normal website. This is what hackers can use your domain for, even if they can’t hack any valuable information directly from you. Domains with non-negative reputations are valuable - that's the attraction here.
Phishers are desperate to avoid the following browser warnings:
Don’t give them the help they need. Get HTTPS protection and secure your website!