Also that's very bad if some still use PHP 5.6 or older, need to inform those as well to update their site.
Few years ago I found out that one of my client have phishing attack on their wordpress site from a third party. So, I got email letter from Netcraft Takedown Service, which is AI I think.
The attack was tricky because it was restricted. It was only visible from certain countries. So if I went to the client website, I only discovered that the site loading time was oddly long, other that that, everything seemed fine. Then, when I started to see changes in wordpress php files, then the situation was clear what was going on.