A lady has been scammed out of $30,000 after clicking on a seemingly legitimate Google Ad.
The lady had Googled ‘Bendigo Bank’ and clicked on the first sponsored ad, which was for Bendigo Bank. The ad not only related to Bendigo Bank and their services, but also displayed the correct URL of their website. It took her to the bank’s website where she proceeded to login and start banking.
What she didn’t realise was even though the web address displayed in the Google Ad was correct, the link actually took her to bendigohank.com. The page was a replica of the bank’s site design but was a phishing website that captured her login credentials. The scammer then proceeded to login to the actual bank website and transferred out $30,000.
This is an incredibly intricate scam and one that even the most IT-savvy and scam-wary person could fall for. Googling a business and using a sponsored ad to reach their website is commonplace, and something we have done ourselves several times. Clicking an ad provides reassurance as to where you’re being sent, knowing that Google scrutinises these ads heavily. So, it’s very scary to see a situation where this has been manipulated to perform a serious data breach.
So who is to blame here?
The Customer?
We don’t think so.
Google doesn’t allow advertisers to put competitors names in their ads. Hence, it’s fair to assume that an ad saying Bendigo Bank is actually for that bank. Especially when the display URL is www.bendigobank.com.au
Sure, the lady could have been ultra careful by typing the website address of her bank directly into her browser. That would have prevented the breach. However, it’s a very legitimate argument that clicking on an ad that has that same web address is a perfectly safe way to access the site. I don’t believe this user was naive or careless in the slightest.
Google?
Google has strict policies and guidelines for their advertisers. The global giant will not approve ads that go to inappropriate sites such as firearms, drugs, links promoting war, racism and a range of other topics. They also won’t approve ads that go to phishing websites and/or attempt to deceive people.
So it boggles the mind how an ad like this got through their approval system.
An advertiser should not be able to create an ad that displays a URL that is for a different domain to the destination URL where the user is taken. When the scammer put in bendigohank.com.au this should have triggered a warning in Google that prevented the ad from being activated.
The ABC article appears to suggest the scammer used special software the manipulate the ad after it passed the vetting process. This is even more concerning! Google makes billions of dollars and has cutting edge technology and security. For someone to be able to find a way to secretly edit ads without Google’s knowledge with this is unacceptable.
Whatever the reason, Google is definitely the responsible party here. As a tech giant who has an overwhelming 92% share of internet searches made through their engine, they have a duty of care to ensure their ads are legitimate. While they do invest significantly in preventing inappropriate advertising, they need to perform a thorough audit to uncover how such an event happened. Google should also consider setting up a fund that can reimburse people scammed by illegitimate ads on their platform.
Bendigo Bank
I dislike the banks as much as the next person but in this case they are not the ones at fault. Since Google doesn’t allow advertisers to use competitors names in their ads, there is no reason why Bendigo Bank should have uncovered what was happening themselves. Once notified, they looked into the scam immediately and within a week, the lady thankfully had her money reimbursed.
Despite not being at fault, Bendigo Bank will likely have a strong Google Ads budget themselves. Even though competitors can’t mention someone else’s brand in their ad (which was violated in this case), they ARE allowed to advertise when people search for a competitors brand name.
If Bendigo Bank’s Google Ads management team were doing a thorough job, they should be keeping a close eye on ALL businesses who are advertising for ‘bendigo bank’ brand phrase. This allows them to get an idea of whether they need to increase their click spend to prevent competitors poaching their business. Had they done such an audit, they may have uncovered a site called bendigohank.com.au appearing in the ads for their brand name, and identified the scam sooner. Food for thought.
Are you a business who runs Google Ads?
If you run a Google Ads campaign, don’t panic. Your ads are NOT susceptible to being hacked or manipulated. The scam involved people creating their own totally independent Ads accounts and campaign and “posing” as the bank.
Your business is not going to get their ads hacked, your account is safe.
Furthermore, if your site doesn’t offer something that scammers could benefit from (such as financial gain from tricking your customers into handing over sensitive info) then they would not even waste their time setting up a clone site pretending to be yours. The sole purpose of the scam was to steal bank details (and thus money). We’d also like to think Google have worked tirelessly to close whatever loophole has allowed this to happen, and prevent it from happening again.
What can we learn from this?
This should be a huge wakeup call for all Australians. Most of us are already aware of how widespread and intricate online scams have become. But this experience shows that even seemingly legitimate activities can become vulnerable, leaving you susceptible to a scam.
Always use the safest and most trusted route to go about your day to day experiences online. If you’re a business owner and want to reduce the chance of hackers infiltrating your website, take a look at our website care plans and other digital marketing services, or contact us at hello@temeritydigital.com.au
