
Guide to detecting and disrupting fake ads

Fake ads targeting your organization’s brand can damage your online reputation and financial bottom line by disrupting your online marketing campaigns and directing prospects away from your online stores and other digital channels. They also threaten the online safety of your customers—and prospects—who might click a fake ad that directs them to a malicious website under the control of cyber criminals.

The first online advertisement—a banner advertisement for tech site Wired—appeared back in 1994. Netcraft’s Web Server Survey began in 1995, tracking just 20,000 websites. In 1998, GoTo (later Yahoo!) first offered advertising on its search results pages that corresponded to the typed query. Google adopted a similar search ads auction model in 2002.

In the decades since, internet use has dramatically increased, ecommerce has transformed all aspects of business and online digital advertising has become an essential component. At the same time, there’s been a shift away from traditional advertising mediums (such as print or television) towards digital platforms.

Unsurprisingly, this has also led to a corresponding growth in fraudulent advertisements. A white paper from Juniper Research reported that the global cost of ad fraud in 2022 was $68 billion.

In this guide, we will focus on how to detect, disrupt, and ultimately take down fake search ads. We will also examine:

  • The techniques that cyber criminals use when creating fake search ads
  • How these techniques have evolved
  • The types of cyber attack that fake ads facilitate
  • How Netcraft’s digital risk protection platform detects, blocks, and takes down fake ads

What are fake ads, and how do they work?

Fake ads are digital advertisements created by cyber criminals that masquerade as legitimate online promotional material from established organizations. They appear on legitimate websites, social media platforms, and search engine results pages, also known as SERPs.

Fake ads are quick to create and will duplicate popular brands (including names, logos, fonts, taglines, and other brand assets) to create a convincing-looking copy. When clicked, the user will typically be directed to a malicious website, at which point the cyber criminal can carry out a number of different cyber attacks.

A fake advert might direct users to fake shops purporting to sell branded goods, driving traffic away from your legitimate site. Users might receive a low-cost copy of your product, or no product at all, damaging your brand’s reputation.

A fake ad could also link to a copy of your own website with a deceptive domain name that is so similar to yours that customers believe they are still interacting with your website, when it is in fact controlled by a criminal. These sites could then be used to steal payment and personal information from your existing (and potential) customers.

Criminals could even embed malicious code (or malware) within the ad itself, which can infect a user’s device if clicked on, a technique known as malvertising.

Just as online advertising has evolved since the era of the animated banner ad, fake ads have also become more sophisticated as web users become more mindful about what they click.

Fake social media ads

Cyber criminals will create ads to advertise fraudulent Facebook pages, as well as fake Twitter and Instagram accounts, created to mislead and confuse potential victims. They can include scam celebrity endorsements designed to trick victims into visiting fake shops and other malicious websites.

Fake adverts on the biggest online platforms have tricked almost one in ten people into paying out for scam purchases. Research conducted by UK consumer champion Which? suggests 3.8 million British citizens may have lost money to a scam advert that appeared in their social media feed, and only one in three (35%) of those surveyed said they trust adverts that appear on social platforms.

Legitimate marketing campaigns on social media use huge amounts of customers’ data to create precisely targeted adverts across these platforms. Unfortunately, this business model (where the user has consented to share their details) means that scammers can also create laser-targeted fake adverts, based on data such as likes, interests, age, location and browsing behavior. Furthermore, if users click on a fake ad, they’re likely to see more of them in their social feeds, as these sites use algorithms to recommend similar content.

A fake advert in a Twitter feed purporting to be from Ted Baker. Cyber criminals will often target luxury brands in their adverts

Fake search ads

Criminals exploit users’ reliance on search engines to insert fake ads into the pages of search results. This is an effective tactic for several reasons:

  1. Many users rely on search engines to access a website (rather than typing the URL into their browser’s address bar).
  2. Many users will inherently trust the results returned by established search engines, and may not realise that the results can be manipulated.
  3. There are few ways for a user to notice that an advert is fake before clicking, because the attacker can copy another advert in its entirety, including the displayed destination.

Fake search ads are often extremely convincing, especially when the domain they are impersonating is displayed as the destination, as the example below shows. In this recent cyber attack, a user entering the word ‘Amazon’ is presented with the following page of search results:

Search results for the term ‘Amazon’, apparently displaying links to the legitimate Amazon website.

This authentic-looking search result is in fact a fake ad. As we can see, it displays many of the elements that we associate with genuine results, such as the legitimate Amazon URL and convincing-looking details (Free shopping on millions of items). However, users who click on the link are directed to a ‘tech support scam’, pretending to be an alert from Microsoft Defender.

Tech support scam, purporting to be an alert from Microsoft Defender.

Since the ad displays the same domain name as the site it is targeting, and it is also the first link to appear in the results page, many users may believe that it is the most relevant result for their search. Furthermore, the ad publisher (in this case Google) will not necessarily know that the ultimate URL that the fake ad directs the user to is malicious.
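The case above comes down to a mismatch between the domain an ad displays and the domain the click lands on. The following is an added example, not Netcraft's code, of how a brand owner could flag that mismatch in ad records gathered by its own monitoring; the `display_url`/`final_url` record layout, the brand allow-list and the sample ads are constructed assumptions.

```python
import re
from difflib import SequenceMatcher
from urllib.parse import urlsplit

# Assumption: the domains the brand owner really advertises on.
BRAND_DOMAINS = {"amazon.com"}

def host_of(url):
    """Lower-cased hostname; accepts bare display strings such as 'www.amazon.com'."""
    if "://" not in url:
        url = "https://" + url
    return (urlsplit(url).hostname or "").rstrip(".").lower()

def on_brand(host):
    """True for a brand domain or a real subdomain of it (match on a label boundary)."""
    return any(host == d or host.endswith("." + d) for d in BRAND_DOMAINS)

def resembles_brand(host, threshold=0.8):
    """True if an off-brand host embeds the brand name or a near-miss spelling of it."""
    tokens = [t for t in re.split(r"[.-]", host) if t]
    for d in BRAND_DOMAINS:
        name = d.split(".")[0]
        for t in tokens:
            if name in t or SequenceMatcher(None, name, t).ratio() >= threshold:
                return True
    return False

def classify_ad(ad):
    """Compare the domain an ad displays with the domain the click actually lands on."""
    shown, landed = host_of(ad["display_url"]), host_of(ad["final_url"])
    if not on_brand(shown):
        return "lookalike-display" if resembles_brand(shown) else "unrelated"
    if on_brand(landed):
        return "consistent"
    return "lookalike-landing" if resembles_brand(landed) else "display-mismatch"

# Constructed sample records: what the ad shows vs. where a monitored click ended up.
SAMPLE_ADS = [
    {"display_url": "https://www.amazon.com/", "final_url": "https://www.amazon.com/deals"},
    {"display_url": "www.amazon.com", "final_url": "https://defender-alert.example/scan"},
    {"display_url": "www.amazon.com", "final_url": "https://amazon.com.account-verify.example/signin"},
    {"display_url": "amaz0n-deals.example", "final_url": "https://amaz0n-deals.example/shop"},
]

if __name__ == "__main__":
    for ad in SAMPLE_ADS:
        print(f'{classify_ad(ad):18} shown={ad["display_url"]} landed={host_of(ad["final_url"])}')
```

The third sample is why `on_brand` matches on a label boundary: a substring test for `amazon.com` would accept `amazon.com.account-verify.example` as the brand's own site.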

What is the potential impact of fake ads?

Regardless of the method chosen, cyber criminals behind fake ads are almost always motivated by financial gain. These attacks only require modest technical ability to exploit your organization’s digital channels. Here are the most common types of cyber attacks that are carried out as a result of clicking on fake ads.

Phishing attacks

Phishing is a type of online scam where criminals impersonate legitimate organizations in an attempt to trick victims into sharing personal information, such as passwords or credit card numbers. Phishing attacks can lead to real personal losses for each victim, as well as reputational and financial risk for the organizations that are targeted.

A phishing site tricking victims to enter their username and password for their WELLS FARGO account.

Phishing attacks have evolved over the years, going far beyond the stereotype of criminals in a far-off place sending badly punctuated emails in the hopes of tricking a naive user to submit their bank account details. Modern phishing attacks can be very difficult to spot, even by experienced users, and are expertly designed to mimic official communications.

Fake shops

Claiming to offer highly discounted goods, many fake ads will contain links to fraudulent online stores (or fake shops) that impersonate the websites of luxury brands and established retailers. These shops are often a front to capture payment details and other sensitive information that users submit at the checkout stage of the transaction. Money can then be stolen from the account and these details can also be used to create further cyber attacks or sold on to other cybercriminals. For most victims, goods are rarely delivered, and those that are will most likely be counterfeit.

A fake shop selling luxury sporting goods

How can Netcraft combat fake ads?

Netcraft’s automated brand protection platform operates around the clock to detect cyber threats including fake ads, phishing attacks, malicious search engine advertisements, executive impersonation, social media impersonation and 100+ more attack types. Detected threats are analyzed using our automated threat intelligence platform and those targeting customers begin the disruption & takedown process. Netcraft’s platform contains several components designed to combat the rise of fake ads.

Search engine monitoring

Netcraft’s Search Engine Advertising Service automatically detects fake adverts targeting your brands, including country specific adverts on sites such as Google, Bing, Yahoo and DuckDuckGo. Upon detecting a Google Adwords or Bing attack, the advert is submitted to our takedown system where countermeasures are started to get the ad taken offline.

Social media monitoring

To combat fake ads on social media, Netcraft’s social media monitoring and takedown platform enables you to track platform misuse and launch takedowns against criminal impersonation attempts across Facebook, Twitter, Instagram, TikTok, Telegram, and Pinterest. In addition, Netcraft can disrupt fake executive profiles that mimic your high profile employees. These can become highly convincing once criminals have built sufficient fake connections, and use direct messaging to conduct advance fee fraud, scams and extract sensitive information.

The Netcraft difference

We are the world’s largest takedown provider, and centrally positioned in the global fight against cybercrime. Our detection, disruption, and takedown solutions are highly automated, powered by the vast amounts of data we collect every day and backed by the expertise of our in-house team.

A unique combination of cutting-edge automation, unmatched scale, and a reputation for excellence and transparency built over decades of work—all powered by a passion to make the digital world a safer place—gives Netcraft’s solution an edge that simply cannot be replicated.

Rapid disruption and takedowns

Core to Netcraft’s digital risk protection platform are its automated takedown services, which lead the industry in terms of speed, effectiveness, and sheer volume—Netcraft has taken down over 20 million cyber attacks to date and is responsible for one-third of global phishing attack takedowns.

Using Netcraft’s extensive knowledge of internet infrastructure, and its position as a highly respected authority within the space, Netcraft knows precisely who to reach out to, which channels to use, and what to say.

Unmatched volume & scale

Netcraft’s cybercrime detection, disruption and takedown platform is powered by sophisticated automation operating at scale, built with unique insight from our people. Able to operate autonomously and around the clock, Netcraft identifies and validates cybercrime attacks quickly and accurately. Early detection leads to early disruption, which reduces the impact of cyber threats.

Trusted threat intelligence

Netcraft transforms millions of daily reports into actionable threat intelligence covering diverse threat types including fake ads, phishing, scams, fake social media profiles and malware. We use real-world web browsers, flexible automated interaction, machine learning, and AI to explore cyber attacks and their inner workings.

Our external threat intelligence data is used to protect billions of people through partnerships with browsers, antivirus companies and internet infrastructure providers. Netcraft’s feeds are global, and cover all impersonated institutions, not just our takedown customers.

At the heart of the internet ecosystem

We capitalize on our long-standing relationships within the infrastructure community to quickly mitigate the harmful impact of cyber attacks. Netcraft has spent decades at the heart of the internet ecosystem. High-quality data combined with a focus on demonstrating evidence and clear communication has earned Netcraft the respect and trust of key internet infrastructure providers, such as leading domain name registrars and hosting companies.

This commitment to transparency can be observed across the detection and disruption process—from providing comprehensive evidence of a validated cyber attack to infrastructure partners to sharing real-time status updates on an active takedown with our customers.

About Netcraft

Netcraft — the global leader in cybercrime detection and disruption — is a trusted partner for five of the top ten most valuable companies, twelve of the fifty largest banks, and seven of the top fifty governments of the largest economies in the world. Our comprehensive threat feeds, early fraud detection capabilities and swift automated countermeasures are unparalleled in the industry.

We perform takedowns for nearly one-third of the world’s phishing sites, blocking over 190 million malicious sites and counting. Many of the largest brands and organizations around the world trust Netcraft. Our customer base includes a diverse mix of industries, sizes, and organizational types, including leading companies within the financial, retail and technology sectors.

Find out more

Netcraft’s mission is to detect and disrupt cybercrime at scale through constant innovation, extensive automation, and unique insight, delivering a safer online experience for everyone.

To find out how Netcraft’s cybercrime detection, disruption and takedown platform can protect your organization and your customers, you can request a demo, or find out more about our online brand protection platform.