I spend so much time looking at search results that I’ve learned how to effectively ignore the advertising surrounding them, but two recent client incidents have again reminded me that not everyone is savvy to the way that Google and several other search engines present their search results, and more importantly, how advertisements are displayed on the very same page, above the actual search results giving them visual priority over actual, legitimate links. Depending on how harried or distracted you are at the moment, you might not notice that the first few items presented on the results page are actually ads, and this is where things can get nasty. One of my clients was having trouble with Quickbooks and typed this search into Google, “Quickbooks Payroll support”. Below is the actual page that comes up in Google with names and numbers blurred to protect us from being sued by the illegitimate advertiser (click for a larger view):
What’s going on here?
The first two links provided are advertisements, as indicated by the small “ad” icon on the second line of each entry. Easy to miss, especially if you are looking for a phone number (which my client was). Right next to the “ad” icon is the actual domain and URL of the entry. For the entry marked as “1” on my screenshot, the domain was for a company definitely NOT Intuit (the developers of Quickbooks), which would also provide a hint that this “search result” might not be what you think it is. The third entry marked as “2” in my screenshot is the actual link to Intuit’s support website, and (after several clicks) eventually will lead to a real phone number to call for support from Intuit.
My client called that first number at the top of the page and walked right into a classic scareware scam. The “technician” on the other end claimed to be Quickbooks support and promised to help my client with their issue, but they had to resolve numerous “errors” prior to doing so, and they would only perform this work if my client renewed their Intuit “support subscription”. The “tech” showed my client an “log” full of errors and then quoted them an outrageous price for a one-time “cleanup”. Smelling a rat, my client hung up on the scammer and called me. After a quick recounting, I was able to ascertain that they fell down this rabbit hole because the top link on the search results page isn’t Intuit, but an ad designed to trick the unwary into a costly mistake. Once I pointed out the tell-tale signs, my client soberly asked how many other people fall for this trick. Unfortunately, quite a few people get fooled by this scam, and it’s important to point out that buying an ad with that sort of ranking isn’t cheap, so clearly this tactic is paying off.
How do I avoid getting tricked?
Never forget that Google runs ads right next to its search results. Look for the visual clues that differentiate ads from actual search results – legitimate providers always identifies their ads, but their means for doing so isn’t always obvious. Type the URL manually in a new browser window instead of clicking the link. There are numerous examples of domains deliberately registered and used that look like the website they are spoofing, including using unicode characters to produce character strings that look like actual domains but are in fact cleverly-designed counterfeit sites that will lead to further technology ruin. Always be suspicious if a vendor you are calling asks for payment information up front, and even more so if they immediately open with a screensharing invite. Another great way to tell if they are trying to con you is to offer to conference in your IT consultant (me, for example). Legitimate support providers will always agree to this, but scammers immediately make excuses or will try to discourage you from getting a second opinion as your IT person is “probably not qualified” or not good at their job (“otherwise how would so many errors/viruses/problems be on your computer?”) Another client of mine had someone she had called for printer repair ask for a screenshare session and credit card payment to resolve the issue, when all she wanted was help to remove some jammed paper in her printer. She too had been fooled by an advertisement masquerading as a support website for her printer’s manufacturer.
Stay vigilant, and always be careful when calling numbers you find in search results. At minimum, follow the link by manually typing in the listed URL to make sure it leads to your manufacturer’s website, and verify that it’s the legitimate site with a little exploring. Most counterfeit sites aren’t much deeper than a page or two before they try to lure you into giving up your data, so be wary of sites that seem small, broken or unfinished. The top search engines and many antivirus platforms (including Webroot used by C2) also keep track of counterfeit websites and will warn you if something seems suspicious. Keeping your eyes wide open and your brain on the defensive will help you avoid getting goosed by fake ads.
Image courtesy of Stuart Miles at FreeDigitalPhotos.net