Commercial PPC.com
from Commercial Reality Ltd

 

AdWords™ Management Services

How to spot and react to AdWords phishing emails

An AdWords phishing email is one that is made to look as though it has been sent to you by Google. Typically it will invite you to log in to your AdWords account in order to update your credit card details by clicking a link that again looks as though it is genuine and will take you to Google's site.

However, these emails are usually HTML emails, which means that the visible text of a link can say one thing while the address underneath it (the href) points somewhere else entirely. For example, a link whose visible text reads http://www.commercialppc.com can be written so that clicking it takes you to a completely different web site.

So the appearance of the link can give you a false sense of security, which is compounded by the appearance of the landing page itself, which is designed to look exactly like Google's own AdWords log in page. This is not at all difficult to do: the attacker simply saves the HTML source of Google's own page, places it on their own server and copies across the images as appropriate.

So you click what looks like a genuine Google link and land on what looks like a genuine Google page where you can enter your log in details.

Do that and you have given a complete stranger total access to your account. Continue the process and provide updated credit card details and you have given those away too.

So how do you spot an AdWords phishing email?

At the moment one of the easy ways is to look at the source code of the email. Within Outlook you can do this by right-clicking the email and choosing to view its source. You can then use Ctrl-F to search that source for the characters "http". This will find every link in the email, including links whose visible text is not a web address at all.

Then you need to look at those links carefully because in many cases they are disguised to look genuine.

Here's an example:

http://adwords.google.com.session-6222514947603779047134.22642255061578455432104134.sys68.ru

Note how the first part looks genuine. But a host name is read from the right-hand end: the registered domain is the part immediately before the first single slash (or the end of the address), and here that is sys68.ru. Everything between adwords.google.com and sys68.ru is just further subdomain labels, designed to confuse and look official.

So the domain name is in fact sys68.ru, which in all probability has nothing to do with Google at all and looks highly suspicious.
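The "search the source for http" check above can be scripted. The following is an added example, not code from the original article: it pulls every link out of an HTML email, compares the visible link text with the real destination (the trick described earlier, where the text reads one address and the href points at another), and reads the registered domain from the right-hand end of the host name. The sample email body, the trusted-host list and the "last two labels" domain rule are assumptions made for the example; the constructed email reuses the sys68.ru address quoted above.

```python
"""Pull every link out of an HTML email and flag the ones whose real
destination does not match what the reader sees.  Added example, not code
from the original article; the email body below is constructed."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Hosts treated as genuine Google sign-in hosts for this check.
# This set is an assumption for the example, not an official list.
TRUSTED_HOSTS = {"adwords.google.com", "accounts.google.com", "www.google.com"}


def registrable_domain(host):
    """Return the last two labels of a host name, e.g. 'sys68.ru' for
    'adwords.google.com.session-6222.sys68.ru'.  Good enough for the
    pattern in the article; country-code domains such as 'example.co.uk'
    need a public-suffix list, which is out of scope here."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def host_of(url):
    """Host name part of a URL, lower-cased, or '' if there is none."""
    return (urlsplit(url).hostname or "").lower()


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in the HTML."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def check_links(html):
    """Return one dict per link: real host, registered domain and the
    reasons it looks suspicious (an empty list means nothing was flagged)."""
    parser = LinkExtractor()
    parser.feed(html)
    findings = []
    for href, text in parser.links:
        host = host_of(href)
        domain = registrable_domain(host)
        reasons = []
        # Visible text that is itself a URL but points at a different host.
        shown = host_of(text) if text.startswith(("http://", "https://")) else ""
        if shown and shown != host:
            reasons.append(f"text shows {shown} but link goes to {host}")
        # Google-looking labels used as a decoy in front of another domain.
        if "google" in host and domain != "google.com":
            reasons.append(f"'google' appears in the host but the domain is {domain}")
        # A login link that does not land on a host we trust.
        if host and host not in TRUSTED_HOSTS and "login" in href.lower():
            reasons.append("login link to an untrusted host")
        findings.append({"href": href, "host": host, "domain": domain,
                         "reasons": reasons})
    return findings


# Constructed sample of the kind of HTML email the article describes.
SAMPLE_EMAIL = """
<p>Dear advertiser, please update your billing details:</p>
<a href="http://adwords.google.com.session-6222514947603779047134.22642255061578455432104134.sys68.ru/login">
  https://adwords.google.com/select/Login</a>
<p>Regards, <a href="https://www.google.com/">The Google AdWords Team</a></p>
"""

if __name__ == "__main__":
    for f in check_links(SAMPLE_EMAIL):
        status = "SUSPICIOUS" if f["reasons"] else "ok"
        print(f"{status}: {f['href']} -> host {f['host']} (domain {f['domain']})")
        for reason in f["reasons"]:
            print("   -", reason)
```

Run against the constructed email, the first link is flagged three times (mismatched visible text, a decoy google label in front of sys68.ru, and a login link to an untrusted host) while the plain www.google.com link passes. The two-label domain rule is deliberately simple; for hosts under country-code second-level domains it will report, say, co.uk rather than the real registrant, so treat it as a prompt for a human look rather than a verdict.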

What happens if you provide your log in details?

There are several risks.

  1. It will allow the phishers to access your AdWords account and use it. They can then quietly implant parasite campaigns that spend your money slowly and which may not be spotted easily in a big account.
     
    Or they can suddenly spend a great deal of your money overnight. Note that this is much more likely in an account with a high credit limit and a history of spending a lot of money. I know of a case where several thousand pounds were spent overnight in one account that was subject to unauthorised access.
     
    Using a tool like AdWords Editor it is possible to create substantial campaigns, upload them quickly and delete them again later, so you could find that a complex campaign was installed overnight while you slept and removed again before you got into the office. If your summary page displays only active campaigns you might miss this activity for a while, and if you log in infrequently you could miss it for ages.
     
  2. You might be persuaded to enter your credit card details.
     
  3. Don't forget too that an AdWords log in is normally a Google account, so if you give it out you are in all likelihood giving out the password and log in details for a Gmail account, a Google Docs account and an Analytics account too.
     
    Something to think about!

There is a fourth risk too which is pretty significant and for security reasons I don't want to write about it here. However, if you have a concern about AdWords phishing and would like to know more, just get in touch.

How to avoid AdWords phishing scams.

Always log in to your account via Google's own log in page, reached by typing the address yourself or using a bookmark, and never from a link in an email. Always check the source code of emails that contain links.

Test: would you fall for this?

Consider this scenario:

You get an email that looks to be from Google about an upcoming AdWords training webinar. You click the link for more info and it all looks genuine when you get to the landing page, with Google branding everywhere.

You then get asked to register your interest by providing your email address and when you do that, you receive a confirmation email from Google (or so it appears) asking you to log in to your account to complete the registration process by clicking a link that takes you, apparently, to the Google log in page.

But it could all be bogus.

So you always need to be very alert to the risks and never provide your account details unless you are absolutely certain that you are on one of Google's own sites.

Clearly these risks also apply to other PPC advertising systems, but because of Google's strong market position there seem to be many more phishing attempts using AdWords than other systems. Google is actively working to reduce phishing fraud.


Further reading
Shocking Intellectual Property in your AdWords account
Click Fraud and IP Exclusion