SEO Poisoning: Train Employees, Watch Your Search Results
Robert Siciliano
#1 Best Selling Author Cyber Security Speaker Architect of CSI Protection Cert Cyber Social Identity Personal Protection
SEO poisoning is a new tactic that scammers use to steal credentials. It can be difficult to detect, and it can harm the reputation of your business if scammers attempt to spoof your identity.
What Is SEO Poisoning?
SEO poisoning is a type of phishing attack. Cyber criminals create a fake version of a website or a landing page, then use search engine optimization (SEO) techniques to get it to rank highly in online searches.
This technique emerged for a simple reason: cyber security employee training teaches workers to never click on links in texts or emails. Because that training has had some success, cyber criminals have changed their tactics. They still send fake texts and emails that you have likely seen, claiming to be from Amazon, eBay, PayPal or some other major online company. The email includes a link to click to resolve some phony problem, such as a package that cannot be delivered, or loss of account access.
People with good online habits know to never click on these links. Instead, they go directly to the website, log in and see if there is a problem. This is where SEO poisoning may be effective: By setting up a fake site that looks legitimate and ranks highly in search results, scammers can capture login credentials just as if the target had clicked a link in an email.
The scam relies on the trust people have in search results, and their tendency to quickly click the first or second link that they see without investigating closely. Once thieves have an individual's login, they can take control of their accounts and potentially compromise business systems.
In some cases, criminals buy paid advertising that appears at the top of search results to trick people. Those ad campaigns get shut down quickly, sometimes in just a few hours, but they can snare unwary individuals while they are online. Criminals time their ad buys and SEO poisoning efforts to coincide with mass emails, hoping to steal credentials before their campaigns and sites get kicked out of search results.
Fake Sites Can Harm Your Reputation
There are two ways that SEO poisoning can damage your online reputation, and potentially damage your search rankings. The first and most obvious risk is someone spoofing your website and using it for criminal activity. Never assume that you will be immune to this. While top sites remain the biggest targets for spoofing, any site that requires users to log in can become a spoofing victim. Even nonprofits can be spoofed, if their sites collect donations or personal information.
The best defense against SEO poisoning and spoofing is to check your branded search results regularly. Search your company's name and your main website URL at least once a week. If you find sites ripping off your identity, report them to the search engines immediately.
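The weekly branded-search check can be partly automated. The script below is an added example, not part of the original article: it takes result URLs copied from a search for your brand and flags any that imitate the brand on a domain you do not own. The brand label, the owned-domain list, the 0.85 similarity threshold and all sample URLs are hypothetical.

```python
from difflib import SequenceMatcher
from urllib.parse import urlsplit

# Assumptions (hypothetical): your brand label and the domains you actually own.
BRAND = "examplebank"
OFFICIAL_DOMAINS = {"examplebank.com", "examplebank.co.uk"}

def hostname(url):
    """Lower-cased host from a result URL, without port or trailing dot."""
    return (urlsplit(url.strip()).hostname or "").rstrip(".")

def is_official(host):
    """True only for an owned domain or a true subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS)

def looks_like_brand(host):
    """Reason string if any label of the host imitates BRAND, else None."""
    for label in host.split("."):
        if label.startswith("xn--"):
            return "punycode label (possible homoglyph)"
        if BRAND in label:
            return "contains brand name"
        for part in label.split("-"):
            if SequenceMatcher(None, part, BRAND).ratio() >= 0.85:
                return "near-miss spelling of brand"
    return None

def triage(result_urls):
    """Return [(url, reason)] for results that imitate the brand off-domain."""
    flagged = []
    for url in result_urls:
        host = hostname(url)
        if not host or is_official(host):
            continue
        reason = looks_like_brand(host)
        if reason:
            flagged.append((url, reason))
    return flagged

# Constructed sample: URLs as they might be copied from a branded search.
SAMPLE_RESULTS = [
    "https://www.examplebank.com/login",                     # owned
    "https://examplebank.com.account-verify.example/login",  # brand as subdomain
    "https://examp1ebank-secure.example/signin",             # digit swapped in
    "https://xn--exmplebank-q5a.example/",                   # constructed punycode
    "https://news.example.org/review-of-examplebank",        # brand only in path
]

if __name__ == "__main__":
    for url, reason in triage(SAMPLE_RESULTS):
        print(f"REVIEW  {reason:38}  {url}")
```

Only the host is compared, so a news article that mentions the brand in its path is not flagged; anything the script does flag still needs a human look before it is reported to the search engine.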
The second danger lies in abandoned websites. Some businesses have old websites, promotional sites or microsites that have not been used, or in some cases, accessed, for several years. Sites like this are a prime target for takeover by cyber criminals, who rely on older domains and sites to legitimize SEO poisoning campaigns. Make a point to review all of your online properties and to shut down any that are no longer in use. URLs should be forwarded from out-of-date sites to your main site, which prevents scammers from hijacking old domains for criminal activity.
Easy Steps to Avoid SEO Poisoning
Employees should be taught to be skeptical about any link they come across, even at the top of search results. Follow these steps to avoid clicking on a fake site:
As a final way to protect yourself, consider refreshing or starting your cyber security training.