A sophisticated new scam is targeting users of popular services like Netflix, Apple, and Bank of America, manipulating search results to display fake support numbers directly on the companies’ legitimate websites.
This deceptive tactic, dubbed “search parameter injection” or “reflected input vulnerability,” tricks unsuspecting individuals into calling scammers who then attempt to steal personal and financial information.
Cybersecurity firm Malwarebytes recently highlighted this alarming trend, explaining how fraudsters are leveraging paid Google ads. When a user searches for customer support, for example, “24/7 Netflix support,” a sponsored ad appears among the top results.
Clicking this ad does lead to the actual company website, but with a crucial difference: a fake support number is pre-populated in the site’s search bar or prominently displayed on the help page.
The danger lies in the legitimacy of the URL. Because the browser’s address bar shows the authentic domain (e.g., netflix.com, apple.com), users are lulled into a false sense of security, believing they are on a genuine support page. However, the seemingly official phone number on display is controlled by the scammers.
Once a victim calls the fraudulent number, the scammers, posing as legitimate customer service representatives, employ various social engineering tactics. Their goal is to coax individuals into divulging sensitive data like login credentials, bank account details, or even to grant remote access to their computers. For financial institutions like Bank of America, the objective is often to drain the victim’s accounts.
Experts advise extreme caution. Red flags to watch out for include phone numbers embedded directly in the URL, suspicious search terms like “Call Now” or “Emergency Support” in the address bar, and an abundance of encoded characters (like %20 or %2B) in the link. Additionally, if a website displays search results before you’ve even typed a query, or uses urgent language to pressure you, it’s a strong indicator of a scam.
To protect yourself, always navigate directly to the official website of the company you wish to contact, rather than relying on search results or ads. Verify contact information through trusted sources, such as official company communications or their main website’s contact page.
Remember, legitimate support desks will rarely ask for your full login credentials or direct access to your computer for routine issues. Staying vigilant and informed is key to safeguarding your digital and financial security against these evolving threats.
