The first Google search result can, in fact, be a malicious one.

A new report suggests that users have lost over $4 million to fake Google Ads. Just over the last month, more than 3,000 users have fallen victim to this scheme.

To achieve this, threat actors invested over $15,000 to run malicious advertisements.

Phishing Websites Are Now Promoted via Google
Phishing Websites Are Now Promoted via Google Ads; How Can You Protect Your Business? Pixabay

Ads show up as the highest result in Google's search results — increasing the likelihood that a user might click on it and enter their card information or passwords.

The victims were none the wiser since phishing sites were copies of legitimate and trustworthy sites (mostly crypto platforms, such as Lido and DefiLlama).

This major case is a reminder that social engineering practices aren't done exclusively via email.

How are scams via Google Ads even possible, and what can you do to protect your business from phishing?

First, let's dive even deeper into the latest crypto Google ad scam.

Exploiting Google Ads For Phishing

Threat actors paid for the ads to appear first in the Google search. They targeted keywords that are likely to lead users to websites in which they would normally enter their credentials.

Most of the websites that were exploited in the latest phishing scheme would lead to crypto-related platforms. Hackers focused on them because of the high cost-per-click for crypto-related terms — $1–$2 on average.

Phishing is mostly financially motivated. Therefore, it's no wonder the sites impersonated financial platforms such as Orbiter Finance, Zapper, and Stargate.

After entering their wallet data into the login of the phishing site, cybercriminals would drain the wallets of the user.

Moreover, false crypto phishing sites had high conversions. Out of 7,600 users who visited the site through the ad, more than 40% entered their confidential information.

To bypass the Google Ad review procedure, threat actors used versatile methods that aided them in avoiding debugging and parameter distinctions.

Once the scam ad ranked first, all the bad actors had to do was wait for someone to log into the fake website with their genuine wallet data.

Google Ads Imitating Your Business

Besides the latest case of crypto platform scams via ads, there has been a general surge in Google ad-based scams.

They typically work on similar principles.

Malicious sponsored results seem trustworthy because they impersonate brands people know and trust.

Just like everyone else, scammers can purchase the high-ranking keyword that is connected to your business and lead the victims to the phishing version of a website of your brand.

In many cases, the scam website would rank even higher (in a sponsored search) than the real site of a business.

When a person clicks on the ad, it leads them to a seemingly legitimate website of a company they know and trust.

When they enter their credentials or wallet information, the hackers obtain their data.

Since many employees reuse their credentials for business and private accounts, this could mean that a hacker now has the passwords and usernames that grant them entrance to a network of your businesses.

As a result, your brand can suffer reputational or financial losses due to association with the scam.

Or gain illicit access to your systems.

What can you do if someone exploits your brand to scam unsuspected users?

Start here:

  • Keep an eye on the keywords related to your business as they appear on Google's search engines — this will help you identify the fake Google Ad campaigns of your brand
  • Teach your employees how to recognize phishing URLs — to decrease the possibility of them clicking through to malicious phishing websites
  • Watch out for similar domains that are being registered — it's possible that bad actors are making them for phishing campaigns

While Google has a responsibility to improve the detection of phishing websites, there is a growing number of Ad campaigns that bypass their review processes.

Therefore, it's important to be wary of such sites and do what you can to protect your business and employees.

Preventing Ad Phishing

How can you protect your staff against phishing ads?

Most businesses introduce phishing awareness training. Scams mostly target employees, so it makes sense to add training for the general workforce. Financial companies have to conduct it for compliance purposes.

However, education is only a part of the solution — which doesn't necessarily yield wanted results. Employees tend to skip through the training to complete it as fast as they can. Or have difficulty seeing the role they play in protecting a business against cyber attacks.

Nine out of 10 companies admitted that they've been the victim of phishing via email. Scam emails impersonating someone an employee trusts is the first example that comes to mind where phishing is concerned.

The majority of phishing awareness training is also focused on the recognition of scam emails.

Here are other measures you can take to protect your company against phishing ads:

  • Have strict policies about not using work devices for private purposes
  • Block ads and several websites to decrease the chance of employees clicking through them as they browse the web
  • Employ cybersecurity solutions to protect your company. For instance, a firewall that recognizes and blocks malicious sites and antivirus software
  • Expand phishing training to cover versatile types of phishing

Phishing Is More Than Scam Emails

Email is the most common channel that bad actors use to conduct scams. Regardless, phishing comes in versatile forms.

Threat actors hide behind telephone calls. Or mobile texts that seem to be from the bank.

The latest case of Google Ad scams shows that they can even lurk behind even seemingly legitimate websites of the brand an employee trusts.

In the corporate context, a user clicking on a malicious ad can reveal the sensitive data of the company to hackers.

To fight malicious adverts:

  • Block ads on all browsers
  • Have devices that are strictly used for work
  • Add a layered set of security solutions to your architecture (including advanced anti-phishing solutions, firewall, and antimalware)