Google takes aim at cybercrime web. — © AFP THOMAS COEX
Fake websites and SMS spam equate to millions of dollars for scammers. These things have been around since the Old Testament was a rather precocious brochure. They all still work.
A recent banking scam in Australia highlights how easy this money is. All that was needed was a genuine-looking Google ad, a fake website, and someone lost $30,000 instantly.
Online banking scams are pretty common, and in the news all the time. The signs were there; a dodgy URL on the website, for one. Nice to know after the event, but expensive. This could and does happen to anyone, anytime. The tricky bit, however, was the Google ad. This used the right URL and was a fake ad.
Let’s get all folksy and internet-realities-ish:
- No vetting on the ad. A fake ad can sit there quite safely?
- Scammers are hardly likely to be paying-per-click. How are these ads set up?
- Consumers have no inbuilt way of checking the validity of links.
- Banks often refuse to compensate for scams. (Not too impressive; you’d think banks would watch for fake ads pretending to be them.)
- What legal recourse does someone who’s been scammed have? If you’re out of pocket, who do you sue?
I’ve seen it myself. I got a Yahoo notification which led straight to a fake link and an instant hack. I watched myself lose access to 2 of 3 email accounts instantly. It cost me $300 and some time running around on the ceiling to get it fixed. It’s staggeringly easy to do.
… This brings us to a basic issue – Verification of ads, in this case, but the wider issues of fake links, as well.
Who’s liable for fake ads? Google, or the advertiser, or nobody much?
There are a few major points to be made here, with a caveat: I don’t know to what extent Google can be held liable. I don’t know if this issue has been tested at law. What I do know is that sooner or later, it will have to be before a court.
Google Ads Terms of Service may cover liabilities to some extent, but they can’t cover fraud using Google’s ads. There are legal rights involved. A court would have to find Google wasn’t liable. (A word search of the TOS indicated no use of the word “fraud” in the TOS? Not being covered equates to possible legal issues.)
However – When it comes to actual transactions, the issue remains fraud. It’s a criminal offense. Do Google Ads enable fraud in cases like this by the omission of basic checks? Can anyone claim to be anyone else and make money out of it?
(Sorry, Google, but in self-defense, you DO need to look at this. As a hellish precedent for massive class actions, this one comes with way too many obvious risks. To say nothing of screwing up the world’s advertising as well.)
Google advertisers also have a few issues:
- Do fake ads devalue legitimate ads? Could be. It’s a definite bone of contention. In this case, (see link above) the fake ad was above the real bank ad.
- What protection do legitimate advertisers have against this sort of misrepresentation?
- How does a third party take out an ad purporting to be a bank or anyone else and get away with it?
- Does Google Ads verify with the existing client that an ad is legitimate?
It’s not that hard to do basic verification. A plaintiff may well ask why it wasn’t done before a fake ad was placed. These dots join all too easily for a civil suit. You see why this is such a minefield.
A fix of sorts
There’s a thing called “due diligence”. In this instance, the process verifies the fundamentals of a transaction. This is pretty basic; things like, “Does this client actually exist,” and “Is this the real bank placing this ad,” yes or no, etc.
For advertising like this, simple confirmation of ad placement by the bank would be the required process. Quick and efficient. Google would also have direct access to payments by the authentic client dating back a long time, but not the fake client.
Basic bookkeeping, really, and easy for a pretty simple custom blockchain. It adds a line to the book entries, but that’s about all. This would also generate an entry on the part of the customer, “Confirmed ad placement”.
Fake transactions can only go so far. The last thing a fraudster wants is an audit trail, and there usually isn’t one with scams, for obvious reasons. Verification short-circuits the fake ads before they can be placed.
Google is in a pretty thankless position in several ways. There’s plenty of case law holding service providers liable for anything and everything. It’s definitely a current thing for lawsuits.
The fact that these fake ads seem to sail through the placement process is hardly a great look for Google, either. It’s godawful PR at the heart of Google revenue.
So here’s the suggestion – Fix this. Shut down the scammers, and maybe create some proprietary or open-source anti-scam software. The online paradise will thank you.