Scammers Weaponize Google Ads to Inject Fake Support Numbers into Legitimate Brand Websites

Fraudsters are exploiting fake search engine advertisements to manipulate results for users seeking technical support from major companies including Apple, Bank of America, Facebook, HP, Microsoft, Netflix, and PayPal.

This deceptive scheme follows a familiar pattern of exploiting consumer trust in established brands through sponsored Google search results, but incorporates a sophisticated new twist in its execution.

Malwarebytes Labs researchers Pieter Arntz and Jérôme Segura discovered that cybercriminals begin by purchasing sponsored Google advertisements impersonating major corporations. These ads direct users to what appear to be legitimate company websites.

"However, in our recent discoveries, visitors are redirected to authentic sites with one crucial modification," the researchers explained in their weekly report. "Users arrive at the genuine help and support sections of brand websites, but the criminals replace the real phone numbers with their fraudulent contact information."

Despite the browser displaying legitimate website addresses that raise no immediate red flags, the attackers overlay authentic websites with false information, steering users toward fraudulent support channels.

When victims call these fake numbers, scammers impersonate official brand technical support representatives, attempting to harvest personal information, payment card details, or gain remote access to devices.

"A more technically accurate description of this attack would be a search parameter injection attack, since scammers construct malicious URLs that embed their fake phone numbers into legitimate site search functions," the researchers noted.

The security experts provided several protective measures users can implement against technical support scams, including monitoring for phone numbers embedded in website URLs, watching for suspicious or urgent language like "call immediately" or "emergency assistance" in browser address bars, paying attention to in-browser warnings about known scams, and remaining skeptical when websites display search results without user input.
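The first two URL checks above (phone numbers and urgent wording in the address) can be automated for proxy logs or link scanners. The following is an added example, not code from the researchers or the original report: the function names, the digit-count heuristic and the sample URLs are assumptions, and it also inspects the path and fragment, which goes slightly beyond the query-string case the researchers describe.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Phrases quoted in the article; extend the tuple for your own environment.
URGENT_PHRASES = ("call immediately", "emergency assistance")
# Heuristic (assumption): a digit, 8+ digits or separators, then a digit.
CANDIDATE_RE = re.compile(r"\+?\d[\d\s().\-]{8,}\d")


def fully_decode(value, rounds=3):
    """Undo nested percent-encoding (e.g. %2520) a bounded number of times."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def phone_like(text):
    """Return substrings holding 10-15 digits, the length of a dialable number."""
    return [m.group() for m in CANDIDATE_RE.finditer(text)
            if 10 <= len(re.sub(r"\D", "", m.group())) <= 15]


def inspect_url(url):
    """Return (location, reason, evidence) tuples for suspicious URL parts."""
    parts = urlsplit(url)
    fields = [("path", parts.path), ("fragment", parts.fragment)]
    fields += [(f"query:{k}", v)
               for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    findings = []
    for location, raw in fields:
        text = fully_decode(raw)
        findings += [(location, "phone-number", n) for n in phone_like(text)]
        findings += [(location, "urgent-language", p)
                     for p in URGENT_PHRASES if p in text.lower()]
    return findings


# Constructed sample URLs (example.com is reserved for documentation,
# and 555-01xx numbers are reserved for fictional use).
SAMPLES = [
    "https://support.example.com/search?q=Call%20immediately%20%2B1%20(800)%20555-0199",
    "https://support.example.com/search?q=reset+password",
]
if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, "->", inspect_url(sample) or "clean")
```

Long numeric identifiers such as order or ticket numbers can trip the digit-count check, so treat a lone phone-number hit as a lead and a hit combined with urgent wording as the stronger signal.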

"Before contacting any brand's support line, verify the official number through previous company communications such as emails or social media posts and compare it with search result findings," the researchers advised. "If discrepancies exist, investigate thoroughly until you confirm the legitimate contact information."