Search engine phishing, also known as SEO poisoning, is when cybercriminals use search engine optimization to appear as the top results on a search engine in an attempt to lead searchers to a spoofed website. The spoofed website is made to look like a legitimate site so that those who click on it proceed to log into their accounts like usual. What they don’t know is that cybercriminals will be able to steal their login credentials and use them to compromise their account or multiple accounts if they reuse their passwords.
Anyone can fall victim to search engine phishing. It’s important to learn how it works and the steps you can take to avoid becoming a victim of this type of phishing scam.
What is a Search Engine?
A search engine is a tool that enables anyone to search for information on the internet. Some popular search engines include Google, Yahoo!, DuckDuckGo and Bing. Many people use search engines on a daily basis, so it’s no surprise that cybercriminals are using search engine optimization to get more people to fall for their scams.
What is Search Engine Optimization?
Search Engine Optimization (SEO) is the process of improving a site’s visibility on search engines. The better a site’s search visibility is, the more likely searchers are to click and discover it. This leads to an increase in site visitors which can turn into customers or an audience that keeps coming back for more.
How Does Search Engine Phishing Work?
Search engine phishing starts with a search. Whenever we want to look something up online, we go straight to our favorite search engine and type it into the search box. The results that appear are called the Search Engine Results Page (SERP) or simply “search results.” When it comes to search results, it’s important to note that only 0.63% of searchers click on the second page of Google when they’re searching for something. So, it’s imperative for companies to appear on the first page in order to get clicked on.
By using SEO, cybercriminals can rank higher on search engines and make their spoofed sites more noticeable to searchers. While we rely on search engines to give us the most accurate and helpful information, it’s inevitable that cybercriminals will try to trick us.
Through search engine phishing, we may not even realize that we’re on a spoofed site until it’s too late. However, there are a few signs to look out for that let you know the site you’re on is a spoofed one. Some signs include:
- Random pop-ups appearing
- Your device overheating
- Your device running slower than usual
- Misspellings and/or grammatical errors
- A weird-looking URL
Search Engine Phishing Example
Below is an example of search engine phishing.
How to Stay Protected From Search Engine Phishing
Here are a few of the ways you can protect yourself from falling victim to search engine phishing.
Double-check the URL before clicking on a search result
When searching for something online, the search results that appear always show the full URL of the site you’ll be taken to, otherwise known as the website address. It’s important to always check the URL of a site before clicking, even when it appears in search results, because you may notice that something is off. If there’s a site pretending to be a bank like Chase, the spoofed URL may look something like Chasee.com.
Another way you can double-check a site’s URL is by using the Google Transparency Report. All you need to do is right-click on a search result and select “copy link address” from the dropdown. Once you’ve copied it, you can paste it into the tool and it’ll let you know if the site is safe to go on. If it’s not safe, the tool will tell you and you should not click on the search result.
Get a password manager
A password manager is a tool that aids users in generating, managing and securely storing their passwords. With a password manager, the only password they have to remember is their master password. Many password manager applications have an autofilling feature to make logging into accounts seamless for users.
A little-known benefit to a password manager is that it won’t autofill your login credentials if the website address doesn’t match what’s saved in the record in your vault. This can prevent you from entering your credentials at all and protect your account from becoming compromised.
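The two checks described above, spotting a near-miss address such as Chasee.com and declining to autofill when the address does not match the saved record, are sketched below. This is an added example, not code from any particular password manager; the vault contents, function names and one-character typo threshold are assumptions, and real products compare registrable domains using the Public Suffix List rather than this simple suffix test.

```python
from urllib.parse import urlsplit

# Constructed vault: hostname saved with each login record (hypothetical data).
VAULT = {"chase.com": "alice"}


def host_of(url):
    """Hostname the browser would really connect to, lowercased."""
    # urlsplit treats text before '@' as userinfo, so
    # 'https://chase.com@evil.example/' resolves to 'evil.example'.
    return (urlsplit(url).hostname or "").rstrip(".")


def edit_distance(a, b):
    """Levenshtein distance, used to spot near-miss spellings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                # delete from a
                           cur[j - 1] + 1,             # insert into a
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def check(url, vault=VAULT, max_typos=1):
    """Classify a URL as 'autofill', 'lookalike' or 'unknown'."""
    host = host_of(url)
    for saved in vault:
        # Fill credentials only on the saved host or one of its subdomains.
        if host == saved or host.endswith("." + saved):
            return "autofill"
    bare = host[4:] if host.startswith("www.") else host
    for saved in vault:
        # Heuristic: saved name embedded in another domain, or a small typo.
        if saved in host or edit_distance(bare, saved) <= max_typos:
            return "lookalike"
    return "unknown"


if __name__ == "__main__":
    for u in ("https://www.chase.com/login", "https://Chasee.com/login",
              "https://chase.com.evil.example/", "https://chase.com@evil.example/"):
        print(f"{check(u):10} {u}")
```

The typo threshold is a heuristic and will occasionally flag unrelated sites with similar names; the exact-match branch is the part that actually protects the credentials.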
There are tools that will let you know if a search result is safe to click on based on the URL and content on the page. One such tool is McAfee WebAdvisor, which puts a green check mark next to a search result if it is safe to click on. When the tool detects that a site may be unsafe, a red flag warning appears to the right of the search result.
What To Do if You Fall For Search Engine Phishing
In some cases, someone may notice they’ve fallen victim to search engine phishing after going on the site and entering their credentials. If this happens to you, here are a few of the steps you can take to lessen the impact.
Run antivirus software and anti-malware software
It’s possible that you or someone you know may fall victim to this type of phishing scam because search engines are a tool that we all use on a daily basis. If you do, one of the most important steps you must take is to run antivirus and anti-malware software on your device. Spoofed sites may contain malware so it’s important you take steps to remove any that may have been unknowingly installed while you were on the site.
Change your password right away
If you realize you have inputted your credentials into a spoofed site, you need to change your password as soon as possible. If you don’t, cybercriminals can compromise your account. Depending on the account they compromise, they can do serious damage and even go as far as stealing your money.
Password managers simplify the process of managing and remembering your passwords and make changing your passwords to ones that are strong and unique a seamless experience.
Phishing scams continue to get more sophisticated, and search engine phishing is one example of the lengths cybercriminals will go to in order to trick people into falling for their scams. Learning about them is one step in the right direction, but being vigilant about phishing scams is just as important. Learn more about common types of phishing attacks and how you can stay protected from them.