Google ad phishing can hide malicious links in your search results

In addition to being the most popular search engine, Google is one of the biggest advertising platforms on the Internet, serving billions of ads each day. What some people may not realize is that some of those advertisements wind up nestled in Google search results, marked only by a small green box that says “AD” next to the URL. The subtlety of these ads has attracted a special kind of malvertising called Google ad phishing, which aims to trick people into clicking on malicious links by hiding them in Google search results. To learn the dangers of Google ad phishing scams, as well as how to catch and avoid these ads, read on.

How Google ad phishing scams work

Though Google does have requirements and restrictions in place for advertising, nearly anyone can try to buy ads through it. Google does take down ads that violate its policies (Google claims it removed 1.7 billion of them in 2016 alone), but some bad actors still slip through. Phishers can exploit this by creating fake websites that trick people into giving out sensitive information or installing malware onto their devices, and then advertising those fake websites to target people who are searching Google for the real versions. Since the ads appear at the top of Google’s search results, many people will click on those links first and be redirected to the phishing site, leaving them vulnerable to hacking and identity theft. Google ad phishing campaigns appear to primarily mimic large retail sites such as Target, Walmart and Amazon, which have big customer bases and handle financial information, as well as cryptocurrency exchanges, which store digital assets like Bitcoin and offer little protection once an account is compromised. However, they could potentially copy any kind of website and the attack would still work.

Are Google ad phishing scams easy to spot?

Unfortunately, Google ad phishing scams aren’t easy to spot until you’ve visited the phony site. In fact, a few factors make Google ad phishing especially easy to fall for. First, while people may be used to scrutinizing their emails, text messages and phone calls for phishing schemes, Google search results for popular websites are a less common path of attack, so they garner more trust. Second, because Google lets advertisers specify the audience for their ads, these scams can be highly targeted to the users of a specific website. For example, an ad for a phishing site impersonating Walmart’s website will be shown to people actively searching for Walmart on Google, making those people more likely to click on that ad. Lastly, these phishing ads can copy the names, descriptions and even the displayed URLs of the websites they imitate, so they appear quite legitimate. Unless there are misspellings or errors in the advertising copy, there is almost no way to tell that these ads are malicious before you click on them.

How to protect yourself

The simplest way to avoid Google ad phishing is simply not to click on the ads that appear in your search results. Additionally, if you know the URL of the website you want to visit, typing that URL directly into your browser’s address bar lets you skip the search results page entirely, so you never encounter the phishing ad at all. If you’ve already clicked on one of these links and don’t know whether you’re on a phishing site, there are several red flags to watch out for. Check the URL to make sure the address of the website is correct and doesn’t contain any typos or substituted characters. Creators of fake websites will sometimes try something called typosquatting, where they register a domain that looks similar to the URL of the site they’re duplicating, for instance registering a fake Walmart.com site as Waimart.com. Also, if the website shows you a pop-up message saying your computer is infected with a virus, or if it redirects you to another website you weren’t expecting, these are common signs of a phishing scam or phony website. For example, a phishing ad targeting Amazon customers did both of these things, redirecting visitors to Microsoft and Apple support pages and spamming them with pop-ups containing a phony customer service number.
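As an added illustration of the URL check described above (this is example code, not part of the original article), the following Python snippet flags a hostname that is within a couple of edits of a known brand domain, or that only matches after lookalike characters are folded away. The brand list and the confusable-character map are constructed assumptions for the example.

```python
import unicodedata

# Constructed allow-list of the brands the article names; a real deployment
# would load the organisation's own list of legitimate domains.
KNOWN_DOMAINS = ["walmart.com", "target.com", "amazon.com"]

# Hypothetical, deliberately small map of visually similar character
# sequences; production tools use Unicode's full confusables table.
CONFUSABLES = {"0": "o", "1": "l", "rn": "m", "vv": "w"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (classic dynamic-programming form)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def strip_www(host: str) -> str:
    host = host.strip().lower().rstrip(".")
    return host[4:] if host.startswith("www.") else host


def canonical(host: str) -> str:
    """Decode punycode, fold accented and lookalike characters to plain ASCII."""
    host = strip_www(host)
    try:
        host = host.encode("ascii").decode("idna")  # xn--... labels -> Unicode
    except UnicodeError:
        pass  # already contains non-ASCII, or not valid punycode
    # NFKD splits e.g. 'ä' into 'a' plus a combining mark; keep the base letter.
    host = "".join(c for c in unicodedata.normalize("NFKD", host)
                   if not unicodedata.combining(c))
    for lookalike, real in CONFUSABLES.items():
        host = host.replace(lookalike, real)
    return host


def lookalike_of(host: str, known=KNOWN_DOMAINS, max_distance: int = 2):
    """Return the known domain this host imitates, or None if it is genuine
    or unrelated. The raw name is checked first so the real site never trips
    the confusable folding."""
    if strip_www(host) in known:
        return None
    name = canonical(host)
    for legit in known:
        if name == legit or levenshtein(name, legit) <= max_distance:
            return legit
    return None
```

Run `lookalike_of("waimart.com")` to see the page's own example flagged against walmart.com; an unrelated domain such as example.com returns None.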

If you suspect that you’re on a phishing site, report the website to Google and run a virus scan just in case the website did a drive-by download that put malware on your device. For the future, you’ll want to keep your web browser, browser add-ons and operating system up to date to make sure you have the latest malware protection.

Google ad phishing scams can easily take you by surprise and confuse you if you’re not familiar with them, but once you know what to look for, it’s simple to stay away from them. For more advice on dealing with the perils of the Internet, follow our technology blog.