Bank of America phishing site

I would contact the business in question. They are the ones who are most directly affected and can also shut it down quickest. Of course, the phishers will probably just move on to another server to host their requests, but if the site owners act quickly, it will at least immediately invalidate any past phishing messages that have gone out, potentially saving a lot of people a lot of trouble.

Contacting them through the website is not as bad of an idea as it seems. Such hacks inevitably like to keep a low profile (which is to say that the website itself usually continues to work), because if they break anything the infection is more likely to be found and fixed, ending their phishing campaign. Having previously helped people pick up the pieces after a WordPress site gets hacked, oftentimes the "infection" can go on unnoticed for quite a while before someone finally notices. Usually it is unintended side effects that finally ring the alarm bells: I saw one site on a VPS where every email sent out by the spammers resulted in a small log file stored on the server's disk. The logs weren't being monitored, but after a few million emails got sent out the server ran out of inodes and crashed.

All that to say that if you submit a contact through the contact form there is a very good chance that it will actually go to the owners. There is such a wide variety of ways to manage contact forms on WordPress sites that there isn't an easy way for hackers to just turn it off or intercept it after breaking in. I doubt they bother trying. That being said, you can always try to find some public contact information for the company and contact them directly: you might not call them (unless you are in Australia), but you can probably find an email.


Multiple carriers in the USA allow you to forward the text message to 7726 (SPAM).


I would think attempting to contact the owner of a hacked website through the website itself would be an exercise in futility.

Think about the possible outcomes:

  1. the message is not read by either the attacker or site operator - in this scenario, there is no net benefit to anyone

  2. the message is intercepted by the attacker - the attacker now knows the address from which you sent your message (i.e. you might consider doing this from a low value account, e.g. hotmail, gmail etc if it's not an anonymous web form). But no benefit to other potential victims nor the site operator

  3. the message is sent to the site operator - they are likely to take action. Whether that action will be effective or not...? but there is a good chance that at least temporarily, fewer victims will access the phishing

  4. the message goes to both the site operator and the attacker. The phishing site is now essentially burnt - while you could argue that this allows the attacker to cover his tracks before moving the site elsewhere, it's more likely that the attacker has already done everything they can to hide their connection to the phishing site, hence the outcome is the same as 3

On balance, I think there's a net benefit to sending the notification.

I have reported it to Google but that seems a bit like reporting a burglary to the NSA.

Not really - IME they do seem to take some action on these. Although they also monitor sites like PhishTank - reporting it there too would be a good idea.