Phishing via Google Search & Ads
Criminals purchase sponsored Google listings to position cloned login pages above legitimate results, capturing credentials when users search for their bank or service.
Part of: Phishing
Last reviewed: 1 June 2026
Search-based phishing — sometimes called search engine optimisation poisoning or malvertising — involves buying paid search placements for terms users type when they want to reach their bank, email provider, or other important service. The sponsored result appears at the very top of the page, indistinguishable in layout from a legitimate search result, and links to a convincing replica login page.
Unlike email phishing, which must reach the victim's inbox, search phishing intercepts users at the moment of intent, when they are actively trying to access the very service being impersonated. This makes it highly effective.
How this scam works on Google Search & Ads
A user searches for their bank's name and clicks the top result — a paid ad — without noticing the destination URL is slightly different. On the cloned login page they enter their username and password. Credentials are captured and the user is redirected to the real bank's website so they notice nothing unusual.
Some variants operate through lookalike domains ('your-bank-secure-login.com') while others use compromised or redirect-chain URLs that briefly show a real domain before forwarding to the phishing page, defeating casual URL inspection.
Common red flags
- Search result URL for a financial or important service looks slightly different from the official domain
- Sponsored ad appears at the top for a search like '[bank name] login'
- Login page loads but the URL in the address bar is not exactly the service's known domain
- Page requests unusual additional information at login such as full card number or PIN
- Page loads slightly more slowly or has minor visual differences from the genuine site
How to protect yourself
- Bookmark key services (banking, email, government portals) and access them via bookmark, not search
- Always check the URL in the address bar before entering credentials
- Use a password manager that auto-fills only on the exact saved domain — it will not fill on lookalike pages
- Enable MFA so stolen passwords alone cannot access your account
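The exact-domain rule behind the password-manager advice above, written out in Python as an added illustration (this is not code from this page or from any password manager; the saved domain 'bank.example' and the candidate URLs are constructed placeholders):

```python
from typing import Dict, Optional
from urllib.parse import urlsplit

# Constructed sample: the entry a password manager would have saved for the real site.
SAVED_DOMAIN = "bank.example"  # placeholder, not a real bank


def hostname_of(url: str) -> Optional[str]:
    """Return the lowercase hostname the browser would actually connect to.

    urlsplit().hostname drops any userinfo, so a trick URL such as
    'https://bank.example@evil-host.test/' yields 'evil-host.test', not the
    familiar name that appears first in the address. Only HTTPS pages qualify.
    """
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        return None
    return parts.hostname.lower().rstrip(".")


def should_autofill(url: str, saved_domain: str = SAVED_DOMAIN) -> bool:
    """Fill only when the page hostname is exactly the saved domain.

    Substring, prefix or 'contains the brand name' matching is the mistake
    that lets lookalike hosts through; equality does not.
    """
    host = hostname_of(url)
    return host is not None and host == saved_domain.lower().rstrip(".")


# Constructed URLs in the shapes the page describes: the genuine site, a
# lookalike domain, a brand name used as a subdomain of another host, a
# userinfo trick, and the genuine host over plain HTTP.
CONSTRUCTED_URLS = [
    "https://bank.example/login",
    "https://your-bank-secure-login.com/",
    "https://bank.example.evil-host.test/login",
    "https://bank.example@evil-host.test/",
    "http://bank.example/login",
]


def classify(urls=CONSTRUCTED_URLS) -> Dict[str, bool]:
    """Map each URL to the autofill decision, for review or logging."""
    return {u: should_autofill(u) for u in urls}


if __name__ == "__main__":
    for url, fill in classify().items():
        print(f"{'FILL   ' if fill else 'NO FILL'} {url}")
```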
How to report it
- Report the phishing ad to Google via the report option on the ad
- Report to your national cyber authority and to the organisation being impersonated
- Change your password immediately if credentials were entered on a suspicious page
Frequently asked questions
Is it safe to click on sponsored search results?
Sponsored results are not inherently unsafe, but you should always verify the destination URL before entering any credentials or personal information. The safest habit for accessing important services is to use a saved bookmark rather than a search result.