Is it safe to enter my card details on a website I reached by clicking a Google search ad?
Search ads can be purchased by fraudsters to impersonate legitimate businesses. Always verify the URL in the address bar before entering any payment information, even if the ad appeared at the top of search results.
Last reviewed: 10 June 2026
Explanation
Search advertising platforms review ads, but fraudulent listings do appear and sometimes persist for hours or days before removal. Criminals buy ads targeting brand names of banks, government services, and popular retailers, directing clicks to convincing imitation sites. The ad may show the legitimate company's name and even a similar-looking URL in the ad copy, but the destination site is under the criminal's control.
The technical mechanism is straightforward: the ad's display URL may say 'yourbank.com' but the actual click destination is 'yourbank-secure-login.com' or similar. The imitation site replicates the genuine site's design closely. Users who have navigated to the genuine site many times via search may not notice the difference.
The defence is simple but requires a habit change: always check the address bar after clicking an ad. Confirm the domain is the one you expected, spelled correctly, and using the correct domain extension. Look for the padlock, then look at the actual domain — not just whether a padlock is present.
For the most sensitive sites — your bank, government tax portals, pension accounts — consider bookmarking the official URL and navigating directly from the bookmark rather than searching each time. This eliminates the risk of landing on an ad-delivered imitation site entirely.
Common red flags
- The URL in the address bar after clicking is different from the company's known official domain
- The site asks for more login information than usual — password plus security questions plus OTP all at once
- The site design looks slightly off — wrong fonts, different button colours, missing features
- You are asked to re-enter credentials that should already be stored in your password manager
- The ad URL showed a legitimate domain but the page that loaded has a different URL
What to do now
- Check the address bar before entering any information — verify the domain exactly
- Bookmark trusted sites and navigate directly rather than via search
- If you entered credentials on a suspicious site, change your password immediately
- Enable two-factor authentication on your banking and financial accounts
- Report fraudulent ads to the search engine using their ad reporting function
- Report phishing sites to your national cybercrime reporting service
Frequently asked questions
Can I trust the green lock icon next to a URL to confirm a site is genuine?
The padlock confirms the connection is encrypted, not that the site is what it claims to be. Phishing sites obtain valid certificates routinely. The padlock is a baseline requirement, not a trust signal.
My bank appeared as a sponsored result — is that ever legitimate?
Banks do advertise their services, so sponsored results can be genuine. The safest habit is still to verify the domain in the address bar after clicking, rather than assuming the ad is from the real bank.