Three-quarters of leading brands in the US and UK reportedly fall victim to identity theft in Google Search Ads.
Consequences range from financial losses for the targeted business to customers becoming victims of fraud, according to a new report by search marketing security firm Marcode.
How it works. Scammers trick consumers by impersonating the targeted brand’s domain and ad copy. They intentionally pay for ad placements that show up when users search for those brands.
Here is an example of a fraudulent ad impersonating the flight comparison company, Skyscanner:
Making matters worse for the targeted brand, Google’s policy of serving just one ad per domain means the legitimate brand’s ad is excluded from the search results when these scammers manage to secure an ad spot.
Undetected. Brands are often unaware that they have been victims of fraud as the issue tends to go undetected due to limitations in Google’s internal reporting tools.
Why we care. If customers fall victim to fraud under your brand’s name, it could severely damage your business’s reputation. People may hesitate to make future purchases due to fear of being conned. Moreover, if your business heavily relies on Google Ads, these scams could limit your campaign’s reach, leading to fewer leads and a lower return on investment (ROI).
Phishing scams. An example of a phishing scam ad can be seen below:
When users click on what appears to be a genuine ad, they are sent through a series of hidden redirects without their knowledge.
The end result is a fake website that invites users to join a game, promising a voucher that can be used at the targeted store, as shown below:
Predictably, the user consistently “wins” this game, only to be redirected once more to another site where they are prompted to provide personal information.
A spokesperson for Marcode commented:
“We’re aware that multiple complaints about these issues were filed with Google, as we’ve collaborated with some of the affected brands.”
“Interestingly, during the period of creating this report, we noticed a significant decline in the frequency of such scams in the US and UK.”
“However, these bad actor accounts shifted their focus to target Germany, while seemingly pulling out of the US and UK market.”
Affiliate scams. Affiliate hijacking was found to be more prevalent than fraud, affecting 75% of the sites in the study.
In a hijacked ad scenario, the user is directed to the brand’s website with an affiliate code attached. This leads the brand, such as Dyson in the case demonstrated below, to pay a commission to the hijacker for any sales generated from that click.
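A defender-side check for the two patterns described above (a brand-labelled ad that lands off-brand after hidden redirects, and one that lands on the brand's site with an affiliate code attached), as an added example that is not from the Marcode report or Search Engine Land. The domains, the recorded redirect chains and the affiliate parameter names are constructed assumptions.

```python
from urllib.parse import urlsplit, parse_qs

# Assumption: query keys treated as affiliate tags; use your own networks' keys.
AFFILIATE_KEYS = {"aff_id", "affiliate_id", "awc", "irclickid"}

def host_of(url):
    return (urlsplit(url).hostname or "").lower()

def on_brand(host, brand_domain):
    # Exact host or true subdomain only, so "brand.example.win.test" does not match.
    return host == brand_domain or host.endswith("." + brand_domain)

def classify_ad(display_url, chain, brand_domain):
    """chain: ordered URLs recorded after the ad click, landing page last."""
    if not chain or not on_brand(host_of(display_url), brand_domain):
        return {"verdict": "not_brand_ad", "off_brand_hops": [], "affiliate_keys": []}
    hops = [host_of(u) for u in chain]
    off_brand = sorted({h for h in hops[:-1] if not on_brand(h, brand_domain)})
    query = parse_qs(urlsplit(chain[-1]).query, keep_blank_values=True)
    keys = sorted(AFFILIATE_KEYS & set(query))
    if not on_brand(hops[-1], brand_domain):
        verdict = "impersonation"      # brand shown in the ad, landing page elsewhere
    elif keys:
        verdict = "affiliate_hijack"   # lands on the brand with an affiliate tag
    else:
        verdict = "clean"
    return {"verdict": verdict, "off_brand_hops": off_brand, "affiliate_keys": keys}

# Constructed sample data: (displayed ad URL, redirect chain recorded after the click).
SAMPLES = {
    "phish": ("https://www.brand.example/",
              ["https://ads.tracker.test/c?x=1",
               "https://hop.redirect.test/r",
               "https://brand-voucher-game.test/play"]),
    "affiliate": ("https://www.brand.example/",
                  ["https://click.network.test/t?m=1",
                   "https://www.brand.example/vacuums?awc=1234_constructed"]),
    "own": ("https://www.brand.example/",
            ["https://www.brand.example/sale?utm_source=google"]),
}

if __name__ == "__main__":
    for name, (display, chain) in SAMPLES.items():
        print(name, classify_ad(display, chain, "brand.example"))
```

Feeding it chains captured by a monitoring crawler for the brand's own search terms gives a per-ad verdict plus the intermediary hosts to report to the ad platform or affiliate network.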
A spokesperson for Marcode commented:
“While affiliate marketing has its advantages, a key issue lies in the presence of bad actors within these networks.”
“It’s a brand’s decision to engage in affiliate marketing, but networks need to improve their vetting processes.”
“Our focus here is on how these bad actors manage to stay hidden and the potential negative impact this has on brands.”
Key findings. The researchers who conducted the report found that retail giants such as Amazon, American Airlines, Lego, Pizza Hut, and Samsung were all victims of identity fraud within Google Search Ads. Additional findings include:
Of the 120 brands monitored, 90 experienced some form of hijacking.
Over a 90-day period, researchers detected persistent phishing scams on 20 brands from a group of six advertising accounts.
Affiliate hijacking affects up to 67% of brand search traffic for the worst-hit brands.
Some Google Comparison Shopping Services (CSS) are misused to drive e-commerce traffic which has been hijacked by affiliates.
What Google is saying. A Google spokesperson did not immediately respond to Search Engine Land’s request for comment.
Deep dive. Read our guide on how to detect and address user data leaks for more information on data safeguarding and privacy protection.