First impressions matter, especially online. And if you’re the kind of person who searches “Apple tech support” or “PayPal contact number” on Google when you run into a problem, you might want to pause before clicking the top result. Scammers are hijacking sponsored ads to push fake support listings—even on genuine-looking brand websites.
This isn’t your run-of-the-mill phishing scheme. The twist? Victims land on real pages—Apple, Netflix, Bank of America—you name it. But one key detail is forged: the contact number.
The scam starts with a search—and ends with stolen data
It’s a textbook setup with a deceptive twist. The moment you type in a support-related query, Google’s ad system might show a seemingly harmless sponsored result. That ad, paid for by a scammer, impersonates a trusted brand.
Once clicked, users aren’t redirected to a shady clone site. Instead, they’re taken to the actual support page of the real company. At first glance, everything checks out. The browser bar reads “microsoft.com” or “paypal.com.” The design is spot-on. Nothing screams scam.
But here’s the kicker: the phone number on the page isn’t from Microsoft or PayPal. It’s from the attacker.
How the number swaps happen without changing the website
According to Malwarebytes researchers Pieter Arntz and Jérôme Segura, this isn’t a simple redirect. It’s something a bit more elegant—and sneakier.
They call it a search parameter injection attack. Basically, the fraudster embeds a fake phone number directly into the site’s URL. Because many support pages use internal search features to return help articles or contact info, these attackers exploit that function.
-
For example, a URL like might trick the site into displaying whatever’s in the “search” field, letting the attacker inject their number into the visible content.
-
From there, a bit of JavaScript overlays or modifies the page’s phone number section with the fake info.
-
The victim never realizes the phone number is fake—because everything else looks real.
At that point, it’s game on for the scammers.
The fake tech support numbers open the door to high-stakes fraud
Let’s say you call the number. A polite, seemingly professional person picks up. They sound helpful—too helpful.
They might say there’s an urgent issue with your device or account. They could ask you to download remote access software like AnyDesk or TeamViewer. Or maybe they just want to “verify your identity” with your credit card.
In the worst cases, they gain full control of your computer. And from there, anything goes.
They could:
-
Empty bank accounts
-
Install ransomware
-
Harvest emails, passwords, photos—whatever they want
All from a fake phone number injected into a real website.
Big names are being impersonated—and no one’s off limits
This isn’t some fringe scam targeting niche services. Malwarebytes found that attackers were imitating:
-
Apple
-
HP
-
Microsoft
-
PayPal
-
Netflix
-
Bank of America
-
Facebook
These aren’t unknown companies with weak security protocols. They’re major players with global reputations. That’s what makes this trick work so well: users naturally trust that when they’re on a site like Apple.com, everything they see is legitimate.
But in this case, the trust becomes the trap.
Spotting a scam before it spots you
The bad news? These scams are sophisticated. The good news? They’re not invisible.
Pieter Arntz and Jérôme Segura offered several key signs that something might be fishy:
-
If the phone number appears in the URL itself, that’s a huge red flag.
-
Look out for terms like “call now,” “emergency help,” or anything that seems overly urgent or pushy.
-
Be wary if a page shows search results when you didn’t enter any search query.
-
And pay attention to browser warnings—Google and others do flag many of these fake ads.
One tip that stands out? Compare support numbers with ones you’ve seen before, like in previous emails or app messages from the company. If it doesn’t match, pause.
Why Google can’t stop this overnight
The irony here is hard to miss. Scammers are using Google’s own ad platform to distribute their schemes. It’s like paying a bouncer to let you sneak into the party.
Of course, Google has systems in place. Suspicious ads can be reported, flagged, removed. But these scams evolve fast. A takedown here leads to a new ad there. And since the underlying scam uses legitimate sites, there’s no obvious URL for Google to blacklist.
This isn’t a tech issue—it’s a whack-a-mole problem.
The scam’s sophistication means users must stay sharper
Unlike pop-ups from 2009 screaming “YOU HAVE A VIRUS!”, these scams rely on subtlety. No glaring misspellings. No shady URLs. No sketchy design.
It’s deception via familiarity.
And that’s why they work.
As the Malwarebytes team puts it: the most dangerous cyber tricks are the ones that almost look right. A fake site is easy to spot. A fake phone number on a real site? That’s another story.
