Yes, scammers can use Google search ads to redirect to scam websites

Many people know to be wary of scams, malware and phishing links hidden in emails and text messages. 

But what about the sponsored links at the top of a Google search? Do you have to be cautious of which links you click on, even if the URL in the search result looks legitimate? Some people are claiming in social media posts that scammers can create Google ads that appear to link to a legitimate website, but actually redirect users to a scam website.  

THE QUESTION

Can scammers use Google ads to redirect people to a website different from the one displayed on the ad?

THE SOURCES

• Google
• FBI
• Malwarebytes, a cybersecurity company

THE ANSWER

Yes, scammers can use Google ads to redirect people to a website different from the one displayed on the ad, although it is a violation of Google’s ad policy.

WHAT WE FOUND

When you search for something on Google, you will often see results labeled “Sponsored” at the top of the page. These are ads that companies, organizations and individuals have paid Google to promote at the top of certain searches. Each ad displays a URL to the website it’s supposed to link to below the company’s name.

While it is against Google’s ad policies, scammers can use Google ads to display a seemingly trustworthy URL on a sponsored search result link that then redirects people to an entirely different and possibly malicious website.

In December 2022, the FBI warned people that scammers were using search engine ads like those on Google to impersonate brands and direct users to malicious websites. Google and cybersecurity companies refer to this malicious advertising practice as “malvertising.” 

A recent example of this kind of malvertising involves scammers impersonating Zoom, the video conferencing app, according to cybersecurity company Malwarebytes. Scammers bought ads displaying the https://www.zoom.us/ URL, which is Zoom’s actual website, but instead redirected people to fake lookalike websites with URLs ending in “onelink[.]me.” The malicious websites then told its victims to download malware under the guise of a Zoom download.

A Google spokesperson confirmed to VERIFY that malicious ads like these violate its ad policy.

“We do not allow advertisers to use cloaking techniques in their ads that interfere with Google’s review systems, or hides or attempts to hide non-compliance with Google Ads policies,” the spokesperson said. “We also do not allow advertisers to spread malicious software via Google Ads.”

Google reviewed the fake Zoom ads and are removing those in violation of its ad policies, the spokesperson said.

Not all ads that redirect users to different URLs are malicious, and Google ads do allow advertisers to redirect users in specific ways. One reason an advertiser might do this is so they can display a simple, easy-to-read URL within an ad that takes the user to a more specific URL within that same website, a Google Ads Help page explains.

But Google requires ads to accurately reflect which app or website the user is being directed to when they interact with an ad, the Google spokesperson said.

The search engine does frequently take down malicious ads when they find them. In 2022, Google blocked or removed 1.36 billion ads for abusing its ad network, according to the annual Google Ads Safety report.

A person can report an ad they suspect is malicious to Google’s ad safety team, the Google spokesperson said. This can be done by clicking the three dots that appear next to the ad and then clicking the “report this ad” button. Google will prompt you to complete a short form upon doing so.

“After completing this, our reviewers will take a look at the ad and remove it from our platform if it violates our policies,” the spokesperson said. 

The best way to avoid falling victim to this kind of scam is to never click the ad links at the top of Google’s search results, Malwarebytes and other cybersecurity companies say. Instead, just type in the official URL yourself if you know it or click a search result that isn’t an ad. 

If you do click on the link in a search ad, double-check the URL once you’re there to make sure it’s not mispelled or otherwise different from the real site.

“Sometimes ads are compliant to the best of our knowledge, but then users have a negative experience when they go to the website and are asked to share passwords, logins, or financial information,” the Google spokesperson said. “Users should always use caution and verify the URL is accurate before sharing personal information.”

Victims of malicious Google search ads can report the fraud to their local FBI field office at www.fbi.gov/contact-us/fieldoffices, the FBI says. You can also report fraudulent or suspicious activities to the FBI Internet Crime Complaint Center at www.ic3.gov.