1. News
  2. Cybersecurity News

Could clicking on Google search results cost you all your passwords? Maybe…

Google says it's on the case, but users need to step up their protection, too

Photo (c) Ole CNX - Getty Images
If anyone needs proof that cybercriminals leave no stone unturned, all they need to do is check out this claim from MakingUseOf (MUO): Clicking on Google search results could cost you all your passwords!

This new twist on phishing is built around attracting eyeballs to the very top of Google’s search results where Google’s algorithms attempt to reflect the things someone is looking for or a paid placement by a company.

MUO said that these evil-doers might include an excerpt taken from a dictionary or a website, a range of similar questions to your query, two or three ads, and then the actual search results from Google.

And if someone clicks on one of the fabricated links or ads, they’re immediately transported to a brilliantly spoofed website where a hacker will gladly take passwords, personally identifiable information, and other important digital credentials off their hands.

MUO’s David Rutland pointed to Microsoft Outlook as a prime example. He said that if a user was searching for “Outlook help” and clicked on a malicious link, they could easily wind up at what they think is a real Microsoft-driven site where they put in their Outlook username and password to log in.

“The visual style of most of these elements is different enough from the meat of the results that it's easy to scan past them and scroll down,” Rutland wrote. “The adverts, however, are not immediately recognizable. They use the same link color as regular results, and have the same length of summary and selection of site links to URLs within the website.” 

And to an unassuming user, that could spell trouble – particularly for older users.

“Clicking adverts by accident is a familiar and frustrating feeling. It's made worse by the fact that there's a tendency among older computer users to simply type the name of the service they want to use into the search field and then click on the top result, rather than type in the actual URL,” Rutland said.

Google comments

When ConsumerAffairs asked Google to verify MUO’s claims, a spokesperson said it is, indeed, aware of what’s going on, and it’s voluminous – to the tune of blocking over 100 million phishing attempts every day. Nonetheless, the company said it’s doing everything it can to get these hackers out of its – and our – lives.

“Bad actors often employ sophisticated measures to conceal their identities and evade our policies and enforcement. To combat this over the past few years, we’ve launched new certification policies, ramped up advertiser verification, and increased our capacity to detect and prevent coordinated scams. We are aware of the recent uptick in fraudulent ad activity. Addressing it is a critical priority and we are working to resolve these incidents as quickly as possible.”

Safety suggestions for consumers

Google said that even though it’s the company’s job to do everything it can to block bad ads on its platform, “sometimes bad actors can temporarily evade our detection.” 

To help consumers prevent being sucked up in this fake ad vortex, Google shared some tips and tools. 

Learn more about the ads you see and the advertisers behind them: Google said that by clicking on the three dots that appear next to an ad, a user can go to My Ad Center which includes basic information about the advertiser, including whether or not they are a verified business. 

When ConsumerAffairs tried out that trick, we have to admit it was pretty impressive. Not only were we shown when the source was first indexed by Google, but also if our connection to the site was secure or not.

It also has a nifty feature where a user can remove a specific search result so it doesn’t pop up in the future.

In the coming months, Google said it will be rolling out additional transparency tools so that searchers can learn even more about the advertisers behind an ad.

Spot malicious behavior and double-check URLs: Hackers love big brands because if someone is in a hurry to get something fixed or a question answered, they may not take the time to fully inspect the validity of a site’s URL or whether a phone number is real or not. And, being careless can lead to being fleeced by a cybercrook pretending to be one of those big brands.

To get around that issue, Google recently started adding site names to search results and ads on mobile, so users can more easily identify the website that’s associated with each result at a glance.

“You should always be wary if someone is urgently requesting you to do something like send money, provide personal information, or click on a link. Chances are, it could be a scam,” the company said.

Enroll in 2-Step Verification (2SV): Google – as well as Apple and Microsoft – have been working toward a passwordless future, but we’re not there yet, so for now, passwords are here to stay. And that calls for extra precaution.

Google is encouraging everyone to, at minimum, enroll in 2-Step Verification (2SV). Taking that step adds another layer of protection to online accounts by requiring the user to not only enter their password, but an additional piece of information as well. 

“This way, if your password is stolen, a bad actor still needs more information to gain access to your account. And to keep those credentials safe in the first place, we also encourage the use of Google Password Manager,” the company told ConsumerAffairs.

“Google Password Manager will not only create unique passwords that are hard to crack but will also store them all for you so you don’t need to keep that little piece of paper in your drawer you write them all down on.”

Take an Identity Theft Quiz. Get matched with an Authorized Partner.