Last year, Interflora won a landmark court case against Marks & Spencer. M&S used Google AdWords to place adverts on search results for their competitor’s brand terms. The legal battle had much more at stake than lost e-commerce revenue and trademark infringement though. It highlighted an issue that has been prevalent since 23rd April 2013, when Google allowed anyone to place paid search listings on brand search results.
Security experts have recommended using Google to navigate to sensitive websites for years, helping to protect users from phishing sites hosted on typo domains and links from hacked third-party websites. Thanks to Google’s new revenue-boosting ad policy though, that top search result for your bank, online bookshop or government portal could be anyone.
Google’s advertising platform became a free-for-all, with only the biggest of vices off-limits to advertisers. Google would argue that they clearly identify advertisements on search results and give the user a choice of both paid and non-paid (“organic”) listings. But does the average internet user really know the difference? Many will click on the top result whether it’s organic or not, assuming that Google will take them to the official and trusted website.
Real Life Examples
I was waiting for a flight in Sydney airport with a friend last year, destined for Los Angeles, California. A middle-aged Australian lady was sitting at the table next to us, franticly trying to fill in her ESTA visa application online using a smartphone before boarding the flight. Noticing her struggling and panicking, I offered to help fill out the form for her. Just before hitting submit, I noticed that the lady was being charged $50 for the application, compared to the $14 that I had paid weeks earlier. It turned out that she’d Googled [ESTA], clicked on the top listing (a paid ad) and been sent to a scam website with “esta” in the domain and styled exactly the same as the official government site.
After getting back from my travels, I watched a BBC documentary covering online fraud and how banks are reluctant to help their customers get their money back. One of the fraud victims interviewed, labelled himself as a computer expert, denying claims by his bank that he must have given someone all of his online banking details. The programme then cut to a close-up of his computer screen, as he Googles his bank’s name, clicks on the top advertisement and enters his online banking details.
This wasn’t an elaborate Ocean’s Eleven plot by fraudsters, nor was Derren Brown employed to psychologically ween out the man’s banking log-in and PIN. I would put money on the mystery being solved by searching for the bank name in his browser history and finding the phishing website, that he inevitably visited after clicking on a Google AdWords listing at the top of the search result.
As most men clear their internet history regularly and religiously (to help speed up the browser, of course), it would be hard to prove my theory. My only choice was to pretend to be an online fraudster, naturally.
Testing My Theory
After researching UK trademark laws and searching the IPO trademark database, I found that Nationwide Building Society was my safest bet for the experiment. The domain nationwide-banking.co.uk was available, it contained 2 generic words and had a hyphen to make it look less official. There’s no trademark in the UK for [nationwide banking], with the nearest similar claim [nationwide online banking] being struck-off the register in 1997. At the time, Nationwide’s paid search coverage was very bad as well, with no typos, variations or terms such as [nationwide online banking] protected.
Rather than hurt or worry anyone, I wanted my experiment to help educate internet users, even if it was only a few people. The new “Nationwide Banking” website (which is still live) therefore featured a one-pager explaining why visitors weren’t seeing their online banking login screen and how to protect themselves in the future.
Setting up an ad campaign in Google AdWords, I started to doubt my own theory – surely it’s not this easy? Despite bidding on brand terms such as [nationwide] and obvious phishing flags such as [nationwide online banking], my campaign was approved and active within hours. No FSA verification, human vetting or hurdles, just a valid credit card needed.
Within minutes of going live, the traffic started trickling in (I only targeted 3 keywords). My frugal ad budget and some quality issues meant that I didn’t always win the top ad position, which brought down my overall click-through rate (2.4%, which isn’t as low as it sounds due to scrapers, automated tools and abandoned searches driving impressions up). Over the 24 hour period that the ad was live, 122 people clicked through to my “Online Banking” website. They could have chosen the official website in the organic results below my advert or spotted that my web address clearly wasn’t official, but instead clicked on the top result out of habit. Each potential phishing victim cost me just £0.76 (roughly $1) and nobody including Google ever did flag the ad campaign or report the website. In fact, Google sent me automated emails trying to tempt me into re-activating the ad campaign with free vouchers.
Where We Go From Here
Even though only 122 Nationwide customers clicked through in those 24 hours, I’d guess that a large percentage of them would happily hand over their banking details. All I would need to do is clone the Nationwide website using a free web scraper, buy an SSL Certificate (giving me a https:// URL) that requires nothing but an email verification and collect the form data. I’ll never know for sure though, as doing this would break several laws, even if I didn’t record the bank details. Not bad for $1 a pop though.
This experiment isn’t new, the difference is that other people are doing it to empty bank accounts, use your credit card or acquire personal details to be used on a loan application. The details given on a US ESTA visa application are enough to pass most banking security checks.
Google users searching for [credit cards] expect adverts and a variety of different websites. But they don’t expect the top result for brand and government searches to be the winner of a bidding war, or the benefactor of a badly setup/managed AdWords marketing campaign.
Come on Google, do you really need to make that few million dollars of extra revenue at the expense of your users? Implement manual-verification and strict controls on brand bidding, start protecting your users better.
Google AdWords Trademark Policy:
Fake Online Banking Website:
Some responses on Twitter
— Gerry White (@dergal) January 13, 2014
@robkerry nice read and obviously more interesting for me considering you used a bank as the example. Wonder if Nationwide picked up on it
— Tom Barker (@TomABarker) January 13, 2014
— Patrick Altoft (@patrickaltoft) January 13, 2014