Google's dreaded 'blacklist'

google blacklist
If Google detects persistent malware on a site, it will block the website, potentially freezing traffic until the problem is fixed.

Small businesses are reeling from an increase in cybercrime, but a hacked website can have even greater consequences if Google lists you as "infected."

The search giant is constantly scanning the web's 60 trillion URLs for malware and phishing scams. If it deems a site suspicious, businesses can say goodbye to their customers until the problem is resolved.

"If Google blacklists an infected website, you're basically off the Internet until the website is fixed," said Peter Jensen, CEO of

Google (GOOG) estimates that it flags and quarantines 10,000 websites daily (it doesn't use the term "blacklist"). It not only scans Google's search results and ads, but also flags suspicious URLs typed into browsers. The search engine Bing, run by Microsoft (MSFT), treats infected sites in a similar fashion.

Related: Cyberattacks devastated my business

Being blacklisted can quickly decimate a small firm's reputation and sales.

"Businesses say they're not at fault and shouldn't be penalized. Google [says] it wants to keep the Internet safe for its users," said Jensen, whose firm is contacted 20 or 30 times a day by businesses that have been blacklisted.

Google spokesman Jason Freidenfelds emphasized that point. "About 1 billion people receive protection against phishing and malware every day because of the warnings we show users about unsafe websites," he said.

Margo Schlossberg owns an online handbag business in Washington D.C. that was hacked in September. A Google search for her website still says, "This site may be hacked."

The impact: Traffic to her site dropped 50% in the past month and her sales have been minimal.

"It's the worst time to go through this," said Schlossberg. "The holiday season is very important for my sales, but now I've been blacklisted by Google."

Schlossberg hired an expert to fix her site, which cost $1,000 (although it can cost as much as $10,000 depending on the extent of the damage).

Related: Your computer camera could be watching you

Hackers had attacked several pages, and it's taken a few weeks to clean up her website. She's finally ready to resubmit her site to Google.

StopTheHacker says the process to clean up infected sites typically involves several steps: Identify the malware and how to remove it, determine where the attack originated, change passwords and relaunch the website once it's clean.

Google directs infected sites to its Webmaster Tools. It says it takes about a day to restore websites once it confirms they're clean. But sometimes a company can think its site is clean, but Google's review will find otherwise. This can draw out the process.

Eric Erickson's company sells eco-friendly pest control products online. When his site was attacked in 2009, it effectively paralyzed his business. He said it took 60 days to get back on track and cost several thousand dollars in lost sales.

His site was attacked again in March, but this time he was prepared. "We caught it early because we had enhanced our security," he said. The website stayed off the blacklist.

Web hosting provider DreamHost regularly checks the sites of its 350,000 customers -- 40% of whom are small businesses -- for malware and other security threats. In September, DreamHost identified almost 100,000 infected websites in its network of 1.3 million sites. If customers aren't able to fix the problems themselves, co-founder Dallas Kashuba recommends StopTheHacker to help clean up the site.

Related: New startups are prime targets for cyberattacks

Lynda Zugec's HR consultancy site was flagged and quarantined by Google earlier this year. Hackers had obtained her hosting password and inserted malware into her website.

It took her nearly two weeks to get back online. Even more than an economic impact, Zugec worries the experience could have hurt her reputation with clients.

But even with the financial and logistical hardships, most say Google's hardline is necessary.

"Google has its neck on the line, too," Erickson said. "When people click on your website, Google doesn't want to worry that something malicious will happen to its users."

His advice: "Don't go cheap with your security. You have to invest in it."

CNNMoney Sponsors