The Washington PostDemocracy Dies in Darkness

Scams are showing up at the top of online searches

Searchers, beware: That Google, Bing or DuckDuckGo ad might be ‘malvertising’ — phishing campaigns and malware hiding behind legit-looking links

Search engine page with a fishhook plunged into the first result
(Emma Kumer/The Washington Post)
7 min

Add one more to the list of online places bad guys are hiding: the very top of search results.

Nasty scams and malware are preying on your trust by hiding behind the ads that sit on top of search pages. Google, DuckDuckGo and Bing are being paid to put them in front of us, and they haven’t figured out how to stop it.

It’s called “malvertising,” and if you’re not vigilant at spotting it, you could get burned.

Washington Post reader Jack Wells wrote to me recently after a fright. “I am afraid I may have been hacked this morning, and I wonder if you could offer any advice on how to deal with it,” he wrote.

Here’s what happened: Wells had gone to DuckDuckGo, the privacy-focused search engine I also use, and typed “Citibank login” in the hopes of visiting the banking portal. The first item appeared to be an ad for the Citibank log-in page, so he clicked on it.

Strangely, Wells got taken to a blank screen. So he hit the back button and discovered he was on a page whose actual address ended in “.ru” (for Russia) and was most definitely not Citibank.

Simple tips to help you spot online fraud

It appears Wells had fallen for a scam search ad used to trick people into inadvertently handing over their passwords or downloading malware. When I asked DuckDuckGo about his experience, spokeswoman Allison Goodman said the company wasn’t able to re-create it, but it suspects he may have clicked on an ad link that now had been removed.

We’ve seen this happen very rarely; scammers evolve their tactics and spin up and take down sites regularly to avoid getting onto blacklists,” she said. The ads on DuckDuckGo are run by Microsoft, which also places them on its own Bing search engine.

“We take misleading or fraudulent ads very seriously,” emailed Microsoft spokeswoman Caitlin Roulston. “Microsoft bans such content, including what can be reasonably perceived as being deceptive, fraudulent, or harmful to site visitors.”

Now the really bad news: Scam search ads are not just a problem on DuckDuckGo and Bing. They’re also a problem on Google, the world’s most-used search engine. There are ads for fake banks, fake sites for the IRS and other government agencies, as well as fake crypto wallets, just to name a few.

In August, Sen. Richard Blumenthal (D-Conn.) wrote in a letter to Google chief executive Sundar Pichai that the search giant has demonstrated a “troubling record of inadequate due diligence against fraud and abuse” in ads. His letter cited a 2021 investigation by my colleague Jeremy Merrill finding that advertisers impersonated government websites. Google said it had taken down these kinds of forbidden ads, but then the senator’s office checked and found similar ads were still popping up — suggesting that Google’s countermeasures weren’t very effective. (Merrill found similar problems with DuckDuckGo’s Microsoft ads.)

In July, researchers at Malwarebytes reported how unsuspecting Google users searching popular keywords — including “youtube” — could click an ad and have their browser hijacked with fake warnings urging them to call fake Microsoft agents for support. And in 2021, Check Point Research identified a Google-ad phishing campaign that had resulted in at least half a million dollars worth of cryptocurrency being stolen.

How does this even happen? The core issue is that many search ads are sold through self-service systems, where advertisers don’t necessarily need to be authorized or have their links checked by humans. The bad guys sometimes try to create thousands of accounts simultaneously, in the hopes that a few get through.

The companies claim they are on top of the problem.

“When we become aware of these instances, we take action to remove them as soon as possible,” Microsoft spokeswoman Roulston said. “We then apply the feedback into our detection mechanisms to improve our ability to detect and remove similar ads in the future.”

“We are always working to stay ahead of bad actors, some of whom employ sophisticated measures to conceal their identities and evade our policies,” Google spokesman Davis Thompson said in an email. “People deserve to feel safe on our platforms and we’ll continue to enhance our enforcement practices to combat abuse and fraud.”

The nonstop scam economy is costing us more than just money

Like what? Thompson said in recent years Google has launched new certification policies, ramped up advertiser verification, and increased the company’s capacity to detect and prevent coordinated scams. But he wouldn’t say what percent of the company’s advertisers are now verified.

We also still don’t know how big the problem is. In 2021, Google says it blocked or removed 38.1 million ads for “misrepresentation” and 58.9 million ads for violating its financial services policies, both before and after they ran. Microsoft would not say how many scam ads it removes.

So what can you do about scam ads?

It starts with awareness. Many of these attacks are trying to exploit a very common online behavior: looking up a website by name instead of entering its full URL in the address bar. So get in the habit of typing it all out yourself into your browser — instead of typing “citibank login,” type out in its entirety.

Another suggestion: Save browser bookmarks for the sites you use most often.

I am personally in the habit of not clicking search ads. If you look further down the page below the ads, you will find the real search results which have been selected and ordered for their popularity and actual usefulness. And if you install an ad blocker in your browser, you won’t see any ads at all — good or bad.

What should you do if you think you have clicked on one of these bad ads? For Wells, I recommended a two-step plan that is similar to what I would advise anyone who thinks they might have been hacked.

First, I suggested he scan his computer for viruses and malware. That is important whether you’re using Windows or a Mac. I use Malwarebytes, which is available as a free download (or, if you subscribe to it, as a permanent shield). It will find and quarantine bad software you may have downloaded.

Second, I suggested he change his bank password. Bad guys phishing for log-in information is probably the No. 1 risk for most people online. The security mistake many people make is reusing passwords on different sites, apps and services. That’s a problem because if the bad guys get one of your passwords, they will try using it to access your accounts, data and maybe even money elsewhere.

The only practical solution is to use a different password everywhere and to keep track of them in a program known as a password manager. The good ones are generally safe to use and not as annoying as you might think.

After we had gotten him sorted, Wells told me the experience would change his online behavior. “I hadn’t really expected scams to show up on online searches, but now that I know they can, I will be on the lookout for them,” he said.

Help Desk: Making tech work for you

Help Desk is a destination built for readers looking to better understand and take control of the technology used in everyday life.

Take control: Sign up for The Tech Friend newsletter to get straight talk and advice on how to make your tech a force for good.

Tech tips to make your life easier: 10 tips and tricks to customize iOS 16 | 5 tips to make your gadget batteries last longer | How to get back control of a hacked social media account | How to avoid falling for and spreading misinformation online

Data and Privacy: A guide to every privacy setting you should change now. We have gone through the settings for the most popular (and problematic) services to give you recommendations. Google | Amazon | Facebook | Venmo | Apple | Android

Ask a question: Send the Help Desk your personal technology questions.