Jan 30, 2025

The Dangers of Navigational Searching (and a Google Ads Phishing Scam)

Last month, SparkToro released some analysis of search behaviour worldwide. Apparently 15% of all searches are from people just trying to get to a website they use regularly. Rather than typing in facebook.com or reddit.com, they just type Facebook or Reddit into the bar in their web browser and let Google find their full address.

That’s fine. These days it probably doesn’t take more than a couple of extra seconds to bring up the search results and click/tap on the top result.

The problem is that scammers know this.

Recent reports, confirmed by Google, say that some Ads accounts are deliberately targeting the search term “Google Ads” and showing fake results that lead to fake pages, which ask people to enter their Google credentials to access their Google Ads account. Except all you’re actually doing is giving your login details to these scammers, who will then have access to your Google Ads account. Which you will still be paying for.

As you probably guessed, these ads are being run through accounts these scammers have already seized control of through nefarious means. So it’s no skin off their nose if your ads account spends a few thousand pounds getting new victims to their fake websites. Or if Google subsequently suspends your account for violating their terms of service.

You might not even know it. Apparently these scammers are quite adept at hiding their fake ads amongst your genuine campaigns. If you aren’t paying attention, you might think that the results you’re getting are just increased traffic to your website, rather than evidence of a crime happening at your expense.

And don’t think this is a rare occurrence. Malwarebytes estimates that thousands of Google Ads accounts have been compromised in the last few months.

What YOU can do to protect yourself

The easiest thing you can do is to simply go to the ads interface directly. The address is easy to remember: ads.google.com, which really doesn’t take long to type and is easy enough to bookmark.

Beyond that, you should have two-factor authentication set up. This prevents the hackers from accessing your account even if they have your username and password. Any time someone tries logging into your account from a new device, they have to confirm either with a mobile app or a code sent via text message. It might seem annoying, but honestly, if you’re using the same one or two devices to access online accounts for anything, it’s not much of a hassle and it’s the simplest way to protect yourself, your identity, and your money.

What is Google doing about this?

This sort of behaviour is, unsurprisingly, already a clear violation of Google’s rules, so they are looking at ways of identifying advertisers doing this sort of thing and stopping them. Addressing the problem is slightly more complicated than how Google would normally handle such violations, as they are aware that the accounts running these ads are victims themselves.

We also know that it may not just be Google Ads being targeted with these fake ads. That 15% of Google searches used for easy navigation of the internet? That’s made up of just 148 search terms, with YouTube, Gmail, Amazon, and Facebook amongst the most common of those.

Any time you are going to a site where you are likely to log in, if you’ve clicked an ad to get there in the past couple of months, you may have given your login details to criminals. Now might be a good time to check your accounts are still secure:

• Change your current password. Make sure it’s unique, i.e. don’t use the same password for different websites, because if it is compromised on one, all of the websites you’ve used that password for will be compromised.
• Make sure nobody has accessed your account and changed your email address or recovery options.
• Set up two-factor authentication.