According to The Federal Bureau of Investigation, in 2022, phishing took the top spot as the most reported cybercrime by a wide margin. While scammers using deceptive e-mails and SMS messages to trick victims is nothing new, the FBI has also warned that cybercriminals are impersonating brands using search engine ads to defraud consumers. In these scams, the fake ad’s purpose is to trick consumers into clicking on the ad which takes them to a phishing site where the scammer hopes to trick a visitor into divulging their credentials, identity information, or payment data.
In general people tend to trust search ads and results from Google assuming they go through some sort of vetting. This is a myth. We don’t think Google is doing enough to proactively prevent this fraud from occurring on their platform.
In this article we’ll explain the threat, share examples we’ve helped customers mitigate, argue that Google isn’t doing enough to address the issue, as well as, what brands should do in the meantime.
UNDERSTANDING THE THREAT
Why have scammers been able to use Google Ad Phishing as a tool for Fraud?
Google ads are online advertisements presented to a search engine user based on what they type into the search field. In the image below, you’ll see a number of Google ads displayed for a search of “best electric lawnmower.”
The ads that end up displaying to a Google user is determined by advertisers bidding on certain keywords. In the electric lawnmower example you’ll see ads marked with Greenworks, EGO, Walmart, Lowe’s and Ace Hardware brand names. While Google claims other variables affect which ads are shown when, the highest bids probably have an outsized effect on which ads are displayed.
Interestingly, Google allows people to bid on a brand name as a keyword even if they don’t own the trademark or have affiliation with the brand. For example, you’ll see ads from vendors appear when you search one of their competitors.
While competitors bidding on your brand name can be frustrating, even worse are scammers bidding on your brand name. It’s as if not only is Google happy to pocket the proceeds of a bidding war between you and your competitors, they’re also happy to pocket the greater proceeds resulting from inviting yet another party to that bidding war – scammers!
EXPLODING A MYTH
Google isn't doing as much as you think to make sure the ads they present on their search engine results are safe or legitimate
We want to explode a myth to help both brands and consumers protect themselves – Google isn’t doing as much as you think to make sure that the ads they present on their search engine results are safe or legitimate. We know this because we’ve seen multiple examples of Google ads posing as trusted brands but directing anyone that clicks on them to malicious sites set on stealing credentials, payment information, or identity data.
Scammers have realized that thanks to Google’s trademark policies, they are able to bid on any keywords they want with as much influence over placement as any brand – as long as their pockets are deep enough.
How Do Scammers Exploit Google Ads for Fraud?
At Allure Security we’ve seen at least two Google ad phishing scenarios play out.
- The first is relatively straightforward – a scammer creates an ad impersonating a trusted brand, bids on that brand’s name as a keyword, and then directs a click on that ad to a phishing site.
- In the second, the scammer puts a bit more work into the scheme in order to evade detection by presenting different content when a Google Click ID is generated.
To start, scammers publish a website at the domain intended to receive the ad’s traffic. If you enter that URL into your browser and visit the site without having clicked on a Google ad, you’ll be greeted with benign content (e.g., content about “thingies” using our example in the image below).
However, if the Google ad containing the same URL is clicked, a Google Click ID (GCID) is generated and passed through in the URL. The malicious site then recognizes an appended GCID which triggers a redirect to the scam site impersonating the searched brand the visitor searched.
The display of the benign content if the website is visited directly (vs. by clicking on the ad) seems to be enough to circumvent Google’s ad review.
Hat-tip to Guardio Labs for a great rundown of other examples of the “MasquerAds” threat that uses the GCID.
Why Can’t Brands Count on Google to Stop Scammers from Impersonating Them in Ads?
In many cases Google won’t restrict (or even investigate) the use of trademarks in keywords. Anybody can bid on your brand name as a keyword – be it a competitor or a fraudster targeting your customer base – it’s all fair play according to Google:
- “In response to trademark owner complaints, we may restrict the use of trademarks in ad text.”
- “We don’t investigate or restrict trademarks as keywords”
- “We may restrict trademarks from appearing in the subdomains of display URLs.”
- “We don’t investigate or restrict trademarks in the second-level domains or post-domain paths of display URLs.”
This suggests that Google will not stop a scammer from using your brand name in the subdomain, second-level domain, or post-domain path of the URL displayed in their fraudulent ad. They might stop a scammer from using your brand name in a subdomain, but only if you complain about it and you need to see it in the first place in order to report it.
“So it’s up to every business to monitor the impossible to monitor Google ad space. And then to bear the cost of dealing with Google.”
– Allure CEO, Josh Shaul
The advertising industry maintains very small margins, so they may choose not to invest in additional vetting due to the extra cost.
As far as we can tell, Google does next to nothing to proactively address this issue which seems counterintuitive. As more consumers become aware of this attack vector, their trust in and clicks on Google ads will plummet. Google ads will quickly lose value and brands won’t bother using Google ads if consumers don’t trust them.
Now we’re not advocating for Google to implement draconian trademark enforcement actions to stop consumers and others from using brand names they don’t have rights to. But doesn’t it seem reasonable to ask for a bit more due diligence to ensure they’re not letting scammers use trademarks to defraud people that use Google?
The Impact of Fraudsters Abusing Google Ads
If potential customers looking for your brand engage with a phony sponsored ad and fall victim – many of them will blame, lose trust in, and ultimately, leave your brand. These ads can cause irreparable reputation damage for brands online.
As fraudsters continue to bid on keywords relevant to your brand, customer acquisition costs increase with them. Since scammers are both driving up the keyword advertising prices and poisoning the results, the return on digital marketing efforts becomes less effective as they increase in price. Consumers lose trust in the ads they see and click less frequently. When consumers click on a fake ad, they land on a scam website, causing you to lose the opportunity to engage with those prospects.
So, what is a brand to do?
5 Tips to Mitigate Fake Online Ads Targeting Your Brand and Customers
In addition to general online brand protection best practices, take the following steps to mitigate the risk of fraudulent Google ad phishing targeting your brand and customers:
- Google seems to require that you register your trademark with them in order for them to accept your reports of ads abusing your brand so be sure to register your trademark with Google at https://services.google.com/inquiry/aw_tmauth
- While it’s not scalable or comprehensive, search your brand name or product name on Google to see what ads display that are not yours – are they from competitors or scammers or both?
- If you spot a fraudulent ad, be sure to collect the ad’s “clickstring” and then report it using Google’s ad/listing reporting form at https://support.google.com/ads/troubleshooter/4578507?sjid=14272532859836924271-NA
- Google uses separate forms for different types of trademark, copyright, and counterfeit goods complaints:
- Trademark complaints – https://services.google.com/inquiry/aw_tmcomplaint
- Counterfeit goods – https://services.google.com/inquiry/aw_counterfeit
- Copyright violations – https://support.google.com/legal/troubleshooter/1114905
- Consider partnering with an online brand protection vendor such as Allure Security that can take ownership of all of these tasks and free your staff up for higher value work
The Impact of Fraudsters Abusing Google Ads
- Contact us right now if you’re noticing scammers impersonate your brand with the Google Ad phishing and/or want to get ahead of the issue.
- Get educated about an expected surge in fake iOS apps impersonating trusted brands.
- Get free actionable advice for handling parked domains impersonating your brand on our blog.