It’s called “malvertising,” and if you’re not careful to spot it, you could burn yourself.
Washington Post reader Jack Wells recently wrote to me after a scare. “I’m afraid I may have been hacked this morning and I was wondering if you could give me some advice on how to deal with it,” he wrote.
Here’s what happened: Wells had gone to DuckDuckGo, the privacy-focused search engine I also use, and typed “citibank login” hoping to visit the banking portal. The first item appeared to be an ad for Citibank’s login page, so he clicked on it.
Strangely, Wells was brought to a blank screen. So he hit the back button and discovered that he was on a page whose actual address ended in “.ru” (for Russia) and was most definitely not Citibank.
Apparently, Wells fell for a deceptive search ad designed to trick people into accidentally sharing their passwords or downloading malware. When I asked DuckDuckGo about his experience, spokeswoman Allison Goodman said the company couldn’t reconstruct it, but suspected he might have clicked on an advertising link, which has now been removed.
“We have seen this very rarely; scammers are evolving their tactics, regularly launching and removing sites to avoid blacklisting,” she said. The ads on DuckDuckGo are served by Microsoft, which also places them on its own Bing search engine.
“We take misleading or fraudulent advertising very seriously,” Microsoft spokeswoman Caitlin Roulston wrote via email. “Microsoft prohibits such content, including that which may reasonably be considered misleading, deceptive, or harmful to site visitors.”
Now the really bad news: Scam search ads aren’t just a problem on DuckDuckGo and Bing. They’re also a problem with Google, the world’s most-used search engine. There are ads for fake banks, fake websites for the IRS and other government agencies, and fake crypto wallets to name a few.
In August, Senator Richard Blumenthal (D-Conn.) wrote in a letter to Google CEO Sundar Pichai that the search giant had a “disturbing record of insufficient due diligence against fraud and abuse” in ads. His letter cited a 2021 investigation by my colleague Jeremy Merrill finding that advertisers were impersonating government websites. Google said it removed these types of banned ads, but then the senator’s office checked and found that similar ads were still popping up — suggesting Google’s countermeasures weren’t very effective. (Merrill found similar issues with DuckDuckGo’s Microsoft ads.)
In July, researchers from Malwarebytes reported how unsuspecting Google users searching for popular keywords – including “youtube” – were able to click an ad and hijack their browser with fake alerts urging them to call fake Microsoft agents for assistance. And in 2021, Check Point Research identified a Google ad phishing campaign that had resulted in at least half a million dollars worth of cryptocurrency being stolen.
How does that even happen? The core problem is that many search ads are sold through self-service systems that don’t necessarily require advertisers to be authorized or have their links verified by humans. The bad guys sometimes try to create thousands of accounts at once in the hope that some will slip through.
The companies claim they have the problem under control.
“When we become aware of these cases, we will take action to remove them as soon as possible,” Microsoft spokeswoman Roulston said. “We then apply the feedback in our detection mechanisms to improve our ability to detect and remove similar ads in the future.”
“We always work to stay one step ahead of bad actors, some of whom use sophisticated measures to disguise their identities and circumvent our policies,” Google spokesman Davis Thompson said in an email. “People deserve to feel safe on our platforms and we will continue to improve our enforcement practices to combat abuse and fraud.”
According to Thompson, in recent years Google has introduced new certification policies, ramped up advertiser verification, and increased the company’s capacity to detect and prevent coordinated fraud. But he wouldn’t say what percentage of the company’s advertisers are now verified.
We don’t yet know how big the problem is. In 2021, Google said it blocked or removed 38.1 million ads for “misrepresentation” and 58.9 million ads for violating its financial services policies, both before and after they ran. Microsoft wouldn’t say how many scam ads it removes.
So what can you do about fraudulent advertising?
It starts with awareness. Many of these attacks try to exploit a very common online behavior: searching for a website by name instead of typing its full URL in the address bar. So get in the habit of typing everything into your browser yourself — instead of typing “citibank login,” type citi.com in full.
Another suggestion: save browser bookmarks for the websites you use most often.
Personally, I have a habit of not clicking on search ads. If you look below the ads further down the page, you will find the real search results, selected and ranked by popularity and actual usefulness. And if you install an ad blocker in your browser, you won’t see any ads at all – good or bad.
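To make the “check the actual address” advice concrete, here is a small added example (not code from the article or from any of the companies it mentions) that extracts the host a browser would really connect to and compares it with the site you meant to visit. The sample links are constructed to mirror the incident above; the domain names in them are placeholders, and the two-label domain logic is a simplification of what a real checker would do with the Public Suffix List.

```python
from urllib.parse import urlsplit

# Added example. Simplified: takes the last two labels as the "real" domain;
# production code should consult the Public Suffix List (e.g. 'example.co.uk').

def destination_host(url: str) -> str:
    """Host the browser would actually connect to. urlsplit().hostname drops
    any 'user@' prefix, so 'https://citi.com@evil.example/' -> 'evil.example'."""
    if "://" not in url:
        url = "https://" + url
    return (urlsplit(url).hostname or "").rstrip(".")

def registrable_domain(host: str) -> str:
    """Last two labels of the host: 'online.citi.com' -> 'citi.com'."""
    labels = host.split(".")
    return ".".join(labels[-2:])

def check_link(url: str, expected_domain: str) -> tuple[bool, str]:
    """Return (ok, reason) describing whether `url` really lands on `expected_domain`."""
    host = destination_host(url)
    if not host:
        return False, "no host in URL"
    # Internationalized labels can mimic a brand with look-alike characters.
    if any(label.startswith("xn--") for label in host.split(".")):
        return False, f"internationalized (punycode) label in host {host!r}"
    actual = registrable_domain(host)
    if actual != expected_domain:
        return False, f"destination is {actual!r}, not {expected_domain!r}"
    return True, f"host {host!r} belongs to {expected_domain!r}"

# Constructed sample links (placeholder domains) modelled on the article's incident.
SAMPLES = [
    "https://online.citi.com/login",              # brand's own subdomain
    "https://citi.com.login-secure.example.ru/",  # brand name used as a subdomain elsewhere
    "https://citi.com@login-secure.example.ru/",  # brand name before '@', real host after it
    "https://xn--cti-7ra.com/login",              # constructed punycode look-alike
]

if __name__ == "__main__":
    for link in SAMPLES:
        ok, why = check_link(link, "citi.com")
        print("OK  " if ok else "WARN", link, "->", why)
```

Only the first sample passes; the others are exactly the kinds of addresses that only reveal themselves when you look past the brand name to the real host.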
What should you do if you think you clicked one of these bad ads? For Wells, I recommended a two-step plan similar to what I would recommend to anyone who thinks they’ve been hacked.
First, I suggested that he scan his computer for viruses and malware. This is important whether you’re using Windows or a Mac. I use Malwarebytes, which is free to download (or as a permanent shield if you subscribe). It will find and quarantine malicious software you may have downloaded.
Second, I suggested that he change his bank password. Bad guys phishing for credentials is probably the #1 risk facing most people on the internet. The security mistake many people make is reusing passwords across different websites, apps, and services. This is a problem because if the bad guys get one of your passwords, they’ll try to use it elsewhere to access your accounts, data, and maybe even your money.
The only workable solution is to use a different password everywhere and manage them in a program called a password manager. The good ones are generally safe to use and not as annoying as you might think.
After we sorted him out, Wells told me the experience would change his online behavior. “I didn’t really expect scams to show up in online searches, but now that I know they can, I’ll be on the lookout for them,” he said.