As I reported back in late-March, there has been a new crop of phishing scams now targeting both Google and Yahoo advertisers.

Google finally officially responded this week by posting “How to avoid getting hooked” on their official Google Blog as well as emailing apparently all Adwords advertisers with an email which refers people to this article as well as notification that there have been reports of phishing attempts that falsely appear to be from the standard Adwords email address.  Google reminds advertisers that Google’s AdWords team would never send an unsolicited message asking for advertiser’s password or other sensitive information by email or through a link sent via email.   They also ask that advertiser’s report any phishing email to them completing their Report Phishing Form.

Google’s post goes on to include tips on how to avoid phishing- whether you are a Google advertiser or not, I highly recommend you follow these steps to protect yourself from any phishing attempts.

I frequently receive forwarded messages from clients and friends asking advice or clarification on messages they have received in email that promise them incredible traffic or fantastic results in Google search listing positioning.  Sometimes I’m advised “You should offer something like this” or sometimes I’m asked “Can you do this?” or even “Is this spam?”

Here’s one such email I had forwarded to me recently:

 Hi,

I would like to get your company on the 1^st page of Google anytime a potential client was searching for your product or services.

Within a week I can have your company listed in the top spots of Google for less than $5 a day. I do not bill my clients for our month to month services until they see their company listed on the top of Google and 100% satisfied.

To avoid any conflict of interest I only list one industry professional on the top spots of Google per city! Areas are filling up fast must inquire asap!

For more info Call 24/7 Pre-Recorder Message 888-xxx-xxxx or you can simply reply with the best way to contact you.

Thanks,  <name removed>

Here’s my response to this and many other messages I’m sent:

Yes, SPAM is extremely prevalent in the SEO fields.  Also, extremely misleading statements.  What many of these spammy companies are doing now  is setting up a PAID Google Adwords campaign for ONE specific keyword (think an exact match to “Spanish Translations in Sacramento” as opposed to “Sacramento Spanish translations” or “Spanish translations” etc).  Then they set a LARGE pay-per-click bid to try to get the top paid listing (up in “Sponsored Listings”) for that one and only one keyword.   I’ve been seeing a lot of solicitations to this affect and know a couple of people that bought in.

Problem is, if your ad is actually CLICKED and someone actually visits your website and the company has a maximum daily budget set(to keep their expenses down), your ad won’t display anymore that day.  But they are counting on people only checking for their listing that first time, get them sold on the sale, and just letting the pay-per-click ad coast- meanwhile being charged for doing no additional work.  Also, they have a built-in “excuse” to not accept industry professionals in fields that are far more costly than “less than $5 per day” allows — they will just tell them they already have “the” spot filled for that industry.

Setting up an Adwords campaign like this is simple enough for anyone to do on their own, so you’re better off setting your own budget. Or having a certified Google Adwords Professional (like me) set up a more effective campaign using a broad range of keywords to get the best traffic for your money.

I usually try to educate people and send them to Google itself for advice on how to tell if they are dealing with a legitimate SEO company:

http://www.google.com/support/webmasters/bin/answer.py?answer=35291&topic=8524

Most these spammers (including the one above) violate several bullet points that Google warns against.

Remember, SPAM is defined as unsolicited email messages of a promotional nature.  Many times we forget this when we get an offer that seems interesting to us.  Every once in a while, out of the thousands of emails the spammers have indiscriminately sent (to retired grandmas, 7-year olds, college students, and anyone else that has an email address) they manage to hit someone in the target market (you, as business owner).  It may even sound personal (they have mail merges insert your name if they have it) but if you didn’t request the information, its SPAM nonetheless.

Today a client forwarded an email message to me–worried it meant that her Yahoo Search Marketing account was going to be canceled.  The body of the message is at the bottom of this post.  This message is nothing but a scammers attempt to phish for Yahoo advertiser’s account names and passwords in order to hijack accounts and access personal or billing information that are on file in the account.  I would expect they have an equivalent phishing scheme set up for Google Adwords advertisers. 

I am glad my client forwarded me the message rather than responding.  The link included in the message (I’ve removed it below for safety reasons) takes the scam target to a website that looks like Yahoo but is NOT owned by Yahoo.  Be vary wary of links within emails particularly from large companies such as eBay, Paypal, Yahoo, and Google.  Always check that these direct to CompanyName.com, NOT something like company.anotherdomain.com. Your safest bet is to always use your EXISTING bookmarks or go to the company’s home page and find the login link from there. 

Here’s the scammer’s email.  Note the sense of urgency and the limited options given for response (”do not respond to this email”, no customer service phone number- just the phishing link)

Renew Your Account Now !

Dear Advertiser,   This is your official notification from Yahoo! Inc. that the service(s) listed below will be deactivated and deleted if not renewed immediately.    As the Primary Contact, you must renew the service(s) listed below or it will be deactivated and deleted.   Renew Now your Yahoo Sponsored Search services.

SERVICE: Yahoo Sponsored Search
EXPIRATION: April, 1 2008Thank you for using Yahoo Inc service.
We appreciate your business and the opportunity to serve you. Yahoo Inc. Sponsored Search Service*Note:Please do not reply this Customer Service e-mail.

ed. 4/14/08
As expected, I have seen my first example of the Google-version of this phishing technique. Here’s an example email below:

Dear Google AdWords Customer,

Your ads have stopped running because we were unable to process your billing information.

We will reactivate you account after you update your billing information.

In order to reactivate your account, please sign it to your account at
http://adwords.google.com/select/login  (<<< this URL did NOT link to page that is displayed, but a page meant to LOOK like Google’s login page), and update your billing information.
Once your account is reactivated and your billing information has been processed,
any your ads and campaigns can begin running immediately on Google.

Advertise your business on Google
No matter what your budget, you can display your ads on Google and our advertising network. Pay only if people click your ads.

———————————————————————————-
The Google AdWords Team

It makes me so angry and frustrated…  Another past client scammed by a company claiming their domain was up for renewal. 

Virtually no legitamite registrar sends renewal notices by fax or postal mail!  If you are or have ever been my client, please, please, please just CALL me if you receive any sort of bill, renewal, “urgent notice” that you receive by FAX or postal mail (or a PHONE call) regarding your domain name or website.  I have YET to see any that are legitamite or relevant.  They are scams.  I know it looks like a real bill.  I know they seem very convincing that you “must act now or risk losing your domain”!  They know you just want it out of your hair, you don’t want to worry about the details, you just want your website to be up and running, and that $30-$100 is under your threshhold for an expense that you’d think twice about (fyi, domains are under $10 per year).

Take some extra time to consider:

• Do you recognize the company?  If not, you can look up who the REAL domain registrar is by plugging your domain name into any WHOIS tool.  My favorite search tool is http://whois.domaintools.com.  Go ahead, go plug in your domain name and see what sort of information (your name, address, phone, fax number) are available for anyone else to see as well.
• Is it the same company that your previous bill came from? You should have your most recent bills on file to check and a record of how to contact Billing and Technical Support.  If you don’t know, can’t remember, or can’t find it, use WHOIS or other tools to find it.  If you are or have been my client in the past, feel free to call me for this information.  I won’t always have a current record (if you changed your website or transferred registrars since we originally worked together, for instance) but chances are good that I can still track it down for you. 
• When is your domain renewal date? Is it actually the date they are claiming? If you don’t know now, look it up.  Note it on your calendar.  Even if you have the domain on auto-renew, make someone check on this occasionally (yes, at least once a year!)
• Are you sure this is your domain name, letter for letter?  Most scammers get you by specifying a domain name that is so close, that its hard to notice.  That way they can say legally they were providing you with a service and that their letter PLAINLY (not!) stated that you were registering MYDOMAINNAME.CA or MYDOMAINNAM.COM not MYDOMAINNAME.COM.  Buyer Beware!!!

I do offer an annual Domain Monitoring service for $50 a year.  Its not something I push or plug often.  Frankly, I never thought it would be something that anyone would need.  I’m also sure that some people think this service is ridiculous.  But the more I see these types of mistakes, the more I understand that alot of people just don’t have the time or energy to deal with the realities of maintaining a domain without assistance.

You need to renew your domain regularly.  One-year, Two-year, Five-year, 10 years.  At some point its going to come up. 

You need to keep your contact information up-to-date.  This is a legal requirement by ICANN.  You will often see annual requests to confirm your information from many if not all registrars (by EMAIL, but again, you should recognize the company name as your true registrar).

Consider your domain name as important as your lease on an office space.  You certainly know who your business lease is held by and when you need to renew it, right?  

p.s.  Please read the rest of my “Warnings” category for other scams on the internet, particularly fake “listing services” bills which also target website owners.

As a followup to a post I made last year (Beware Fake Listing Services, March 18, 2006) , I wanted to remind people about fake bills that come via postal mail to domain name owners.  I received another one just today on a domain I purchased recently that is exactly the same as the ones they were sending before, but with a new company name.  This year it seems they are going by DLSCORP.NET/Domain Listing Service Corp. and the top says “Domain Listing Service” instead of “Website Listing Service”.  Same company address as last year’s batch of mailings.

This sort of thing is just one of the reason’s most my own domains are registered via proxy (sometimes called “private” or “unlisted” registration.)  For only a few bucks more a year, I can avoid more spam, confusing or deceptive phone calls, and these ridiculous ‘fake’ bills.  I recommend this service to anyone concerned about their privacy and especially anyone who runs their business from their home (otherwise anyone can find your address and phone number via the public whois service).  In fact, this was a reminder to me to add private registration to the domain that was targetted for this mailing!