Fake Customer Service Numbers on Real Websites
By Greg Collier
We usually tell readers to visit a company’s official website when they need a customer service number. It’s long been the safest way to avoid fake listings or shady third-party services. But a new tactic used by cybercriminals may force us to rethink that advice. A recent report from Malwarebytes reveals a troubling development in search engine abuse that puts even cautious internet users at risk.
The issue begins with a sponsored search result on Google. Cybercriminals are paying for ads that appear when users search for customer service support from trusted brands such as Apple, Bank of America, Facebook, HP, Microsoft, Netflix, or PayPal. At first glance, the ad appears legitimate. It often leads to the actual website of the company in question. But here’s the twist. The page you land on displays a fraudulent customer service phone number, not the official one.
What makes this tactic so effective is that the browser still shows the correct web address. From the user’s perspective, everything appears to be in order. The site design is correct, the branding is familiar, and the URL is clean. But the contact information has been manipulated using what’s known as a search parameter injection attack.
In simple terms, the attackers craft a URL that takes advantage of the company’s internal search function. That search query then gets reflected back onto the page. Because the site does not properly sanitize or validate the input, the attacker’s text, including a fake phone number, is displayed directly within the legitimate layout of the website. The result is a convincing, dangerous piece of misinformation hiding in plain sight.
For example, someone looking for support from Netflix might be directed to a Netflix help page, complete with a scam number prominently displayed. The same applies to PayPal or Bank of America. If a victim calls that number, they are greeted by someone pretending to represent the brand. The goal is to extract sensitive information such as login credentials, banking details, or to convince the caller to install remote access software that gives the scammer control of their device.
According to Malwarebytes, Apple was among the more deceptive examples. In that case, the page showed a message saying there were no results for the user’s search, followed by a prominently displayed number to call for help. It was all part of the same trap.
HP’s example was slightly more obvious, as it included some visible clues like odd phrasing before the attacker’s message. But the sense of security that comes from seeing a recognizable brand URL often overpowers a user’s instinct to double-check.
Fortunately, tools like Malwarebytes Browser Guard have started flagging these types of manipulations. When one of these scams is detected, the software displays a warning labeled “Search Hijacking Detected,” explaining that the content has been altered.
While this is an encouraging step, it’s not a perfect solution. Many users do not use browser protection tools, and many more still place complete trust in top search results. That trust is what scammers are exploiting. They are counting on people to assume that if a website is real, the phone number must be as well.
This trend raises important questions about the integrity of search platforms, the responsibility of large brands to safeguard their online presence, and the growing sophistication of scams. It also calls for a renewed focus on user awareness. Before calling any support number, it’s now more important than ever to verify it independently through past communication from the company or trusted contact methods.
The rise of search parameter injection scams highlights the evolving nature of online fraud. It’s not just about tricking people into visiting a fake site. It’s about planting bad information in the spaces people already trust. And that makes it harder to know what, or who, is real.
Leave a Reply