Brand Protection

    Monitoring Can Help Keep Your Brand Safe From Search-Ad Phishing

    Search-ad phishing is yet another cybercriminal activity that threatens brand safety – yet many marketers are still unaware.

    by Alex Bender

    Key Points

    • Search engines have revolutionized how we get information about products and services, but bad actors regularly impersonate brands to create malicious lookalike search ads that scam customers.
    • Search engines like Google constantly work to weed them out, but they can’t catch ‘em all – companies have a duty to fill in the gaps to protect their customers and keep their brands safe.
    • Online brand protection strategies that monitor for impersonation attempts throughout the web – and especially within your supply-chain – should be coupled with cybersecurity awareness training to help keep your brand-loyal customers safe and build brand equity.

    Editor's note: This is the second in a series of articles by marketing SVP Alex Bender about brand safety and brand protection from a senior marketer's perspective. Brand safety has always been part of a brand’s defensive marketing strategy, even before the label “brand safety” emerged, and the rise of digital marketing has empowered criminal hackers to steal money or information from brands, eroding customers' trust in them. Now, marketers must recognize the need to protect their brands, and build a culture of brand protection at every level of their organizations.

    Search is how many customers find products and services – and even your business locations – so it’s about as integral to modern business as anything there is. About a third of US consumers use search engines to find information about local businesses daily, an additional 16% do so multiple times a week[1] and 46% of clicks go to the top three ads on the results page.[2]

    So what do you think happens when cybercriminals create fake search ads that impersonate reputable brands and lead to malicious websites?

    Although most marketers don’t think of cybersecurity in the context of brand safety, it’s important for companies to have a comprehensive online brand protection strategy that addresses the problem of search engine ad phishing attacks. Otherwise, your unsuspecting, loyal customers could fall for malicious attacks that can tarnish hard-earned brand trust.

    What Is Search-Ad Phishing & How Does it Damage Brand Safety?

    Search-ad phishing, also known as Google ad phishing, is a form of cyberthreat that hides malicious links within sponsored search engine results to trick people into clicking. It’s like phishing emails that impersonate your brand, but it’s a search ad. Clicking can, for example, lead to websites impersonating your brand, spoofed social media accounts, or fake phone numbers.

    Typically, the bad actor aims to trick customers searching for a brand’s website or contact information for retail stores, utility companies, financial institutions, insurance, and cloud services – to name only a few. For example, in 2018, Microsoft’s Bing search engine hosted an ad that directed users to a fake Google Chrome download with potentially malicious content.[3] And even after Microsoft removed the bad ad, it reappeared later in the year.[4]

    In another example, a woman in Lee County, Florida, who was having trouble with her business Facebook page, clicked the first ad at the top of the search page to get contact information for a Facebook representative. But the number was a scam, and she ended up losing $435 and sharing her personal information with a cybercriminal, according to the Lee County Sheriff’s Office.[5]

    Fraudsters also sometimes change the contact number of established places to scam unsuspecting users – not an ad per se, but still a form of search engine phishing that can harm your brand if an unwary customer were to fall for a phishing attack.

    In either case, the fraudster might phish for personal information, or they might direct the victim to download an app or share access to their computer or smartphone in order to drop malware, request money, or harvest personal information.

    Yet another way cybercriminals conduct search-ad phishing is by creating fake companies that claim to offer low prices for your brand’s products or services. If the customer takes the bait, the bad actor may download malicious software, harvest personal information or sell counterfeit products.

    When a brand-loyal customer gets caught in one of these search-ad phishing scams, they feel betrayed in a time of need. The bad taste left in that customer’s mouth gets associated with your brand – even though your brand wasn’t technically responsible.

    Search-Ad Phishing is a Complex Issue to Solve

    As with many aspects of cybersecurity, search-ad phishing is hard to solve because the internet was originally architected on trust. And tech’s top search company is trying hard to solve it. Google consistently works to pull ads that violate its advertising policies, and in 2019 it blocked and removed 2.7 billion bad ads, as well as suspended nearly one million advertiser accounts for policy violations.[6]

    In April 2020, Google announced plans to require all advertisers to prove who they are and where they operate from.[7] But Google says the measure could take years to fully implement – meaning even if they can catch ‘em all, it won’t be for a long time. Plus, cyberattackers are always finding ingenious ways to stay ahead of the curve.

    While all internet users would be better off with cybersecurity awareness training, brands can’t put all of the onus on the individual; they must take responsibility to protect their customers and trusted vendors within their supply-chain, too. Otherwise, they risk losing loyal patrons to the brands that do actively work to keep everyone safe.

    Brands Should Be Proactive in Protecting Customers – and Their Own Brand Safety

    Marketers should be joining forces with their company’s cybersecurity teams to develop integrated online brand protection strategies that monitor online channels for brand exploitation. It takes a concerted, coordinated effort, but it can pay off. One European jewelry brand reclaimed about a million site visits and increased search traffic by 50% without increasing ad spend after enforcing an online brand protection strategy that aimed to monitor and take down brand impersonation attempts, according to the World Trademark Review.[8]

    Beyond monitoring, brands have a duty to teach their customers about cybersecurity issues that could affect them. Brand safety campaigns that teach good cyber hygiene to customers can help build brand equity by showing your customer that the brand genuinely cares about them. And it can help them develop a keen eye for scams. For example, offer content to customers that teaches them the following best practices:

    • Always type in the website’s URL; don’t trust links.
    • Keep your eye out for typos, grammatical errors, inconsistent fonts, and other anomalies in links, emails, and text messages.
    • Beware of pop-up advertisements and, again: type in any links.
    • Always report malicious advertisements, phishing attempts, and impersonated websites to the brand’s cybersecurity team and the search engine hosting the impersonations.

    The Bottom Line

    Search-ad phishing is another way cybercriminals impersonate brands to prey on the trusting relationships between companies and their customers. While search engines like Google strive to keep these types of brand exploitation and phishing attacks at bay, it’s a challenge to nip every problem in the bud. Brands must step up to fill the gaps – it’s no longer enough for marketers to focus their brand safety efforts on simply avoiding bad content or providing valuable content to customers and prospects at the right time. Marketers should start working more closely with corporate cybersecurity professionals to protect their customers from malicious phishing attacks that can damage customer relationships and harm brand safety.


    [1]U.S. frequency of online local business search 2019,” Statista

    [2]PPC Statistics and Trends,” PowerTraffick

    [3]Microsoft removes fake Bing ad that looked like a Chrome download site,” ZDNet

    [4]Bing Is Pushing Malware When You Search for Chrome,” How-To Geek

    [5]Phishing Scheme Doesn't add Up for Local Victim,” Lee County Sheriff’s Office

    [6]Stopping bad ads to protect users,” Google Ads & Commerce Blog

    [7]Increasing transparency through advertiser identity verification,” Google Ads & Commerce Blog

    [8]Brand protection in the digital world,” World Trademark Review

    Subscribe to Cyber Resilience Insights for more articles like these

    Get all the latest news and cybersecurity industry analysis delivered right to your inbox

    Sign up successful

    Thank you for signing up to receive updates from our blog

    We will be in touch!

    Back to Top