What is search engine phishing?

Search engine phishing is also known as SEO poisoning and takes advantage of our tendency to view search engines as a dependable source of accurate and trustworthy information.

How does search engine phishing work?

Here’s a step-by-step process that explains how search engine phishing works in practice.

Step 1 – Cybercriminals create a fake website

In step one, a cybercriminal creates a fake website that mimics an authentic site. To make the site look as convincing as possible, the criminal also incorporates the authentic site’s layout and branding.

Common targets include banks, tech support services and eCommerce platforms.

Step 2 – The site is promoted

Next, criminals promote the site to have it appear at the top of the search results. The site must appear in a prominent position for the scam to be effective as just 0.63% of users venture onto the second page of Google’s search results.

Sites may be promoted in several ways:

• SEO techniques – some criminals use black-hat SEO tactics (such as private link networks) to rank their sites on the first page. Others may target specific keywords, capitalise on trending topics or utilise other more accepted methods.
• URL spoofing – where criminals promote fake sites with URLs that closely resemble those of the legitimate site.
• Paid advertising – programs like Google’s Paid Search are also exploited for phishing attacks. Compelling ads are crafted to attract unsuspecting users and the position of these ads above the fold increases visibility.

Step 3 – Users search for legitimate services

Users search for a service such as online banking or tech support and enter keywords as usual. Since the use of search engines has become so habitual, many users never question the safety of the information they provide.

Step 4 – Users land on a phishing website and enter their details

Users then click on the fraudulent link and expect to be directed to the legitimate site.

Instead, however, they land on the fake site where their login credentials and other personal information are stolen. In the example above, Bank of America customers are prompted to enter their usernames and passwords on a fake login page.

Other scams may involve malware. In 2022, bad actors tricked users into downloading a free productivity app infected with malware called Batloader. The malware was extremely difficult to detect and was later used to infect systems with ransomware and obtain privileged access to target organisations.

It’s also worth noting that once a user clicks on a compromised search result, they may subject themselves to other types of phishing attacks. These include clone phishing, spear phishing, smishing and pharming – where users are directed to malicious sites even after entering the correct URL.

Step 5 – Data is collected by the attacker

The victim’s information is then collected and used to commit fraud, identity theft or subsequent phishing attacks. Data may also be sold on the dark web.

In the aftermath of search engine phishing, criminals may redirect the victim to the real website to avoid suspicion that an attack has taken place.

The telltale signs of search engine phishing attempts

Spotting search engine scams can be tricky, but here are three common telltale signs.

1 – Offers that are too good to be true

Offers that seem too good to be true are typically seen in eCommerce.

Examples of such offers include:

• In-demand items that are advertised with a 90% discount (particularly event tickets and gaming systems).
• Hotel booking sites that offer substantial discounts (part of clone phishing).
• Product descriptions that promise unrealistic results, and
• Freebies or high-value gift cards offered by well-known brands.

2 – Unusual URLs

We noted earlier that unusual URLs are used to promote search engine scams. They’re also one of the most definitive signs of search engine phishing.

So what constitutes an unusual URL?

Most are variations of the legitimate business’s address that criminals hope are subtle enough to avoid detection.

Variations include:

• Misspellings or extra characters – “www.paypa1.com” instead of www.paypal.com.
• Subdomains in the URL – here, the name of the authentic site is a subdomain of the fake site.
• Homograph attacks – for example, by changing the lowercase “L” to an uppercase “I”, it is almost impossible to distinguish between “www.google.com” and “www.googIe.com”.
• Long URLs with multiple hyphens – like subdomains, hyphens can obscure the destination website, and
• URLs without HTTPS – while this does not always indicate phishing, legitimate websites almost always use secure HTTPS.

Unusual URLs can be extremely effective.

Over the space of 3 months in 2021, Chase Bank became the sixth most spoofed brand in the USA after phishing URLs impersonating the bank rose 300%. Behind the rise were so-called “phishing kits” that criminals buy, sell and use to create their attacks.

3 – Poor website quality

Fake websites tend to be characterised by various obvious and less obvious factors.

These include:

• Low-quality designs.
• Intrusive pop-ups or excessive ads.
• Requests for personal information.
• Grammatical errors.
• Broken links.
• Limited functionality, and
• A lack of contact information.

How to mitigate search engine phishing

Mitigating search engine phishing requires both proactive and reactive measures.

To start, companies can monitor search engine results for any fraudulent sites mimicking their brand and notify authorities. This may include the Australian Cyber Security Centre (ACSC), Scamwatch and the search engine itself.

If a user lands on a suspected phishing site, it is crucial they click away immediately and notify the relevant financial institution(s) if any payment information was entered.

Multi-factor authentication (MFA) should also be enabled by default for key accounts.

Browser tools

With the explosion in popularity of remote work, browsers have become a popular means of attack for fraudsters.

According to LastPass, 62% of employees use unmanaged devices, which makes safe browsing habits a key line of defence.

Tools like Google Safe Browsing warn employees when they attempt to visit malicious sites or download dangerous files.

Firms that desire an advanced level of security can also opt for:

• Real-time checks against lists of known phishing sites.
• Protection from unknown attacks when navigating to a site.
• Deeper scans of downloaded files to check for viruses and malware, and
• Customised protections based on the company’s risk tolerance.

Password managers can also be an effective defence. A little-known benefit of these tools is that they won’t autofill a user’s login credentials if the website address does not match one already stored.

User awareness

Education and awareness campaigns for both customers and employees are critical.

Companies can teach users how to recognise phishing sites and stress the importance of verifying URLs, suspicious links and the presence of a HTTPS connection, among many other measures.

If in doubt, it may also be useful to:

• Check to see how long the site has been registered for.
• Review mail server, firewall and DNS logs for suspicious activity, and
• Research the site. In other words, have others reported it as fraudulent on Reddit, Yelp or similar?

Summary:

• Search engine phishing (also known as SEO poisoning) is a cyberattack where fraudsters manipulate search engine results to promote fake websites that steal personal or financial information.
• Some of the telltale signs of search engine phishing include offers that are too good to be true, poor website quality and unusual or suspicious URL variations.
• To mitigate search engine phishing, companies should routinely monitor search results for fraudulent sites imitating their brand. Increased user awareness of scams and the utilisation of safe browser and password management tools are also worthwhile.