How fraudsters are taking advantage of your Google search results

Google search

Imagine you are having problems with your Spotify account and what to call support for help. If you are like me, you might search ‘Spotify phone number’ in Google and expect to see the phone number in the search results.

You would have seen this result below with a phone number displayed prominently. You may have quickly glanced at the URL to confirm that it is coming from Spotify’s website which this search result is.

Do you think this search result is genuine?

Would you have called the phone number?

If the answer is yes, then you would have called a fraudster! This phone number is not Spotify’s phone number. It’s a fraudster pretending to be Spotify, and they have achieved this by using SEO to get this search result displayed on search engines such as Google.

Look closer at the URL

Taking a closer look at the URL you might see the term ‘search’ in there. This is our first clue that foul play is at hand. As mentioned before, this is a URL from Spotify’s website, and the fraudster has used the search form to make the number look like it is from Spotify’s support page.

This is a screenshot of the page the result takes you too. Anyone can use the box to search Spotify’s support pages. The fraudster has utilised this vulnerability.

How can you stop this from happening on your website?

This has been allowed to happen as Spotify allow Google to see search pages on their site. Furthermore, they enable data entry into the search form which appears in the URL once the user hits search.

For example, if I search ‘how to cancel membership’ the URL is updated with that query in the URL.

By allowing Google to crawl these search pages, the fraudster can link to the page, allowing Google to index the page. This can be easily prevented by not indexing internal search results so it won’t show up in search engines. You should prevent Google and other search engines from crawling pages with search results, or any other page where text will be injected into the URL. This can easily be done using the robots.txt file.

Want to know more? You can contact us with any questions you may have.

Looking for more?