Watch out for these traps lurking in search results

Here’s how to avoid being hit by fraudulent websites that scammers can catapult directly to the top of your search results

When was the last time you searched for something using Google Search, Bing or another gateway to the endless expanse of the internet? What a silly question, right? It may have been just moments ago and perhaps it’s even how you landed on this blogpost. 

Others searching online, however, may encounter less favorable outcomes. How so? Our habit of blindly trusting and clicking on top search results has become so predictable that it can be subverted and turned against us. 

Rigging the game

Cautionary examples aren’t hard to come by, and I recall one that is too quirky not to mention: some Australians who recently searched for something as innocuous as the legality of Bengal cats in the country didn’t receive straightforward information on pet regulations; instead, they unwittingly ran the risk of having their data stolen following a chain of events that started with a click on a top search engine result.

But even if you’re not a cat fancier, you should know that a simple search query can breed trouble. For years, cybercriminals have used techniques that push malicious websites dressed up to look legitimate to the top of people’s search results, typically by leveraging either SEO poisoning (also known as black hat SEO) or, even more commonly, malicious search ads.

One sophisticated example of ‘SEO fraud as a service’ was exposed by ESET researchers in 2021 after they found a previously undocumented server-side trojan that manipulated search engine results by hijacking the reputation of the websites it compromises. Similar campaigns were spotted again just weeks ago.

In another example, ESET researchers identified a campaign that deployed ads in Google search results leading victims to phony websites that looked identical to those of popular software, such as Firefox, WhatsApp, or Telegram. The end goal was to gain complete control of the compromised devices.

Figure 1. A fake website blending in search results for Firefox and targeting Chinese speakers (image credit: landiannews.com)

The risks aren’t lost on Google, of course. According to its latest Ads Safety Report, in 2023 the company “blocked or removed over 5.5 billion ads, slightly up from the prior year, and suspended 12.7 million advertiser accounts, nearly double from the previous year.”

Some threats still slip through, however. Which is why it pays to know about the risks involved in both organic and paid search results, and how to separate the wheat from the chaff. 

Hidden in plain sight 

The recent meteoric rise of AI tools, for one, has created new hunting grounds for scammers, sparking schemes where fraudsters bought ads for counterfeit ChatGPT sites that redirected people to websites harvesting credit card details. The site below displayed logos of actual OpenAI partners, possibly duping even many tech-savvy victims. Much the same thing happened with other AI tools, including most recently when DeepSeek burst onto the scene.

Figure 2. Fake ChatGPT sites appearing in ads

ESET researchers in Latin America recently spotted a sophisticated campaign that impersonated the La Veloz del Norte bus company and targeted Argentinians searching for long-distance bus tickets. Travelers who entered their information on the imposter site unwittingly handed over both login credentials and banking details to cybercriminals.

Figure 3. Links to this bogus site appeared in Google Search

Financial services represent particularly high-value targets. In 2022, ESET researchers in Latin America alerted people to scams impersonating Mastercard through ads.

Figure 4. Mastercard impersonators

Staying safe 

Most of all, remember that prominence in search results doesn’t automatically equate to legitimacy. Many people also don’t distinguish between organic results and ads, and criminals take advantage of this, especially through malvertising campaigns aimed at people who are, for example, searching for software to download.

In some cases, fraudsters register a typosquatted or otherwise look-alike domain name that resembles the software publisher’s own in order to dupe the victim, as was the case with telegraem[.]org in the Telegram impersonation above. This is why you should avoid blindly clicking on whatever appears at the top of your search page. Instead, examine the URLs meticulously: check the actual registered domain rather than the brand name that appears somewhere in the address, and look out for swapped, missing or extra characters and unusual domain endings. Apply the same level of scrutiny if you’re using Google’s AI search features, as scammers are constantly evolving their methods and finding new ways of promoting websites that push scams and malware.
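To make “examine the URLs meticulously” concrete, here is an added Python example (not code from ESET or from the original article) that pulls the registrable domain out of a URL, undoes common character-substitution tricks, and compares the result against a small allowlist of brand domains. The brand list, the suffix table, the homoglyph table and the sample URLs are constructed assumptions for illustration; a production checker would use the Public Suffix List and a far larger allowlist.

```python
"""Look-alike domain checker for URLs seen in search results (added example)."""
from urllib.parse import urlsplit

# Assumption: a tiny allowlist mapping brand keyword -> legitimate registrable domain.
KNOWN_BRANDS = {
    "mozilla": "mozilla.org",
    "firefox": "mozilla.org",
    "telegram": "telegram.org",
    "whatsapp": "whatsapp.com",
    "chatgpt": "chatgpt.com",
    "openai": "openai.com",
}

# Assumption: common second-level public suffixes (co.uk, com.ar, ...).
# A real implementation should consult the Public Suffix List instead.
SECOND_LEVEL_SUFFIXES = {"co", "com", "org", "net", "gov", "edu", "ac"}

# Character substitutions attackers use to imitate a brand name (rn -> m, 0 -> o, ...).
HOMOGLYPHS = [("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"), ("-", "")]

MAX_EDIT_DISTANCE = 2  # telegraem vs telegram is 1 edit away


def registrable_domain(host: str) -> str:
    """Return the registrable domain (eTLD+1) of a host name, simplified."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and labels[-2] in SECOND_LEVEL_SUFFIXES and len(labels[-1]) == 2:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def normalize_label(label: str) -> str:
    """Undo homoglyph tricks so 'te1egrarn' compares as 'telegram'."""
    label = label.lower()
    for fake, real in HOMOGLYPHS:
        label = label.replace(fake, real)
    return label


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance; small values mean 'one typo away from the brand'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(url: str) -> tuple[str, str]:
    """Return (verdict, reason); verdict is 'legitimate', 'lookalike' or 'unknown'."""
    url = url.replace("[.]", ".")  # accept defanged URLs such as telegraem[.]org
    parts = urlsplit(url if "://" in url else "http://" + url)
    host = parts.hostname or ""
    if not host:
        return ("unknown", "no host name in URL")
    if host.startswith("xn--") or ".xn--" in host:
        return ("lookalike", "punycode (IDN) label; could hide homoglyphs")
    reg = registrable_domain(host)
    if reg in KNOWN_BRANDS.values():
        return ("legitimate", f"registrable domain {reg} is on the allowlist")
    # A brand name in a subdomain of an unrelated registrable domain, e.g.
    # telegram.org.secure-download.example, is a classic lure.
    subdomain_labels = [normalize_label(x) for x in host.split(".")[: -len(reg.split("."))]]
    for brand in KNOWN_BRANDS:
        if any(brand in label for label in subdomain_labels):
            return ("lookalike", f"'{brand}' appears in the subdomain, but the registrable domain is {reg}")
    sld = normalize_label(reg.split(".")[0])
    for brand in KNOWN_BRANDS:
        if sld == brand:
            return ("lookalike", f"brand '{brand}' registered under a different suffix: {reg}")
        if brand in sld:
            return ("lookalike", f"'{brand}' embedded in {reg}")
        if levenshtein(sld, brand) <= MAX_EDIT_DISTANCE:
            return ("lookalike", f"{reg} is within {MAX_EDIT_DISTANCE} edits of '{brand}'")
    return ("unknown", f"{reg} is not on the allowlist and resembles no known brand")


if __name__ == "__main__":
    # Constructed sample URLs in the style of the lures described in the article.
    for sample in [
        "https://www.mozilla.org/en-US/firefox/new/",
        "telegraem[.]org",
        "https://te1egrarn.com/download",
        "https://telegram.org.secure-download.example/app",
        "https://chatgpt-login.com/",
        "https://example.com/",
    ]:
        verdict, reason = classify(sample)
        print(f"{verdict:10} {sample}  ({reason})")
```

Note that an “unknown” verdict is not a clean bill of health: the checker only knows the brands on its allowlist, so a convincing fake of a brand it has never heard of will pass through. It is meant as a first filter before you apply the manual checks above, not a replacement for them.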

Protect your digital accounts with strong and unique passwords or passphrases, as well as with two-factor authentication. Use reputable security software that can identify and block connections to malicious domains, thus providing an additional layer of protection against deceptive search results.

Google itself also offers tools to inspect results. Clicking the three dots adjacent to a sponsored listing shows details about the advertiser, including its verified name and location, which can expose a mismatch between the brand the ad claims to represent and who actually paid for it. If you suspect that you’ve encountered a dodgy website, you can report it to Google.

Conclusion 

We’ve all done it a million times: typed a query, scanned results, clicked on one of them, ‘got our fill’, and moved on. And although classic search engines increasingly compete with the likes of ChatGPT and AI-generated search summaries, the classic search-and-click routine is unlikely to go anywhere any time soon. Old habits die hard, and the risks aren’t going anywhere, either. Search carefully.
