How to spot and avoid scams and malware in search results

This is called “malvertising,” and if you’re not vigilant in spotting it, you can get burned.
Washington Post reader Jack Wells wrote to me recently after a scare. “I’m afraid I may have been hacked this morning, and I was wondering if you could offer any advice on how to deal with this,” he wrote.
Here’s what happened: Wells went to DuckDuckGo, the privacy-focused search engine I also use, and typed in “Citibank login” in hopes of visiting the banking portal. The first item appeared to be an ad for the Citibank log-in page, so he clicked on it.
Strangely, Wells was brought to a blank screen. So he hit the back button and discovered he was on a page whose actual address ended in “.ru” (for Russia) and was definitely not Citibank.
Wells appears to have fallen for a search ad scam used to trick people into accidentally giving out their passwords or downloading malware. When I asked DuckDuckGo about his experience, spokeswoman Allison Goodman said the company wasn’t able to recreate it, but it suspects he may have clicked on a now-removed ad link.
“We have seen that this rarely happens; scammers change their tactics and regularly rotate and delete sites to avoid getting on blacklists,” she said. Ads on DuckDuckGo are run by Microsoft, which also places them on its own Bing search engine.
“We take deceptive or misleading ads very seriously,” emailed Microsoft spokeswoman Caitlin Roulston. “Microsoft prohibits such content, including what could reasonably be perceived as misleading, deceptive, or harmful to site visitors.”
Now the really bad news: Scam search ads aren’t just a problem with DuckDuckGo and Bing. They are also a problem for Google, the most used search engine in the world. There are ads for fake banks, fake sites for the IRS and other government agencies, as well as fake crypto wallets, just to name a few.
In August, Sen. Richard Blumenthal (D-Conn.) wrote in a letter to Google chief executive Sundar Pichai that the search giant has shown a “disturbing record of inadequate due diligence against fraud and abuse” in ads. His letter cited a 2021 investigation by my colleague Jeremy Merrill that found advertisers impersonating government websites. Google said it had removed these types of banned ads, but the senator’s office then checked and found similar ads were still appearing — suggesting Google’s measures weren’t very effective. (Merrill found similar problems with DuckDuckGo’s Microsoft ads.)
In July, Malwarebytes researchers reported how unsuspecting Google users searching for popular keywords — including “youtube” — could click an ad and have their browser hijacked with fake warnings urging them to call fake Microsoft agents for support. And in 2021, Check Point Research identified a Google-ad phishing campaign that resulted in at least half a million dollars’ worth of cryptocurrency being stolen.
How does this happen? The main issue is that many search ads are sold through self-service systems, where advertisers don’t have to authorize or have people review their links. Bad guys sometimes try to create thousands of accounts at once, hoping that a few will get through.
Companies say they are on top of the problem.
“When we become aware of these opportunities, we take action to remove them as soon as possible,” said Microsoft spokeswoman Roulston. “We then apply the feedback to our detection mechanisms to improve our ability to detect and remove similar ads in the future.”
“We’re always working to stay ahead of bad actors, some of whom use sophisticated measures to hide their identities and evade our policies,” Google spokesman Davis Thompson said in an email. “People deserve to feel safe on our platforms and we will continue to improve our enforcement practices to combat abuse and fraud.”
Like what? Thompson said in recent years Google has rolled out new certification policies, increased advertiser verification, and increased the company’s capacity to detect and prevent affiliate scams. But he would not say what percentage of the company’s advertisers are now verified.
We still don’t know how big the problem is. In 2021, Google said it blocked or removed 38.1 million ads for “misrepresentation” and 58.9 million ads for violating its financial services policies, before and after they ran. Microsoft won’t say how many scam ads it’s removing.
So what can you do about scam ads?
It starts with awareness. Many of these attacks try to take advantage of a very common online behavior: searching for a website by name instead of entering its full URL in the address bar. So get in the habit of typing it all into your browser — instead of typing “citibank login,” type citi.com in full.
Another suggestion: Save browser bookmarks for the sites you use most.
I personally make a habit of not clicking on search ads. If you look down the page below the ads, you’ll see real search results that have been selected and sorted for their popularity and actual usefulness. And if you install an ad blocker in your browser, you won’t see any ads — good or bad.
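The check Wells did by hand after hitting the back button (reading the real address and noticing it ended in “.ru”) can be automated. The following is an added example, not code from the column or from any search engine; the trusted domain list and the sample links are constructed for illustration, and it shows how to compare a landing page’s host against the site you meant to reach without being fooled by look-alike hostnames.

```python
from urllib.parse import urlsplit

# Sites the user actually intends to reach (constructed list for this example).
TRUSTED_DOMAINS = {"citi.com", "duckduckgo.com"}


def landing_host(url: str) -> str:
    """Return the lowercased hostname of an http(s) URL, or '' if there is none.

    urlsplit().hostname drops any 'user:pass@' prefix, so a link such as
    https://citi.com@evil.example/ resolves to 'evil.example', not 'citi.com'.
    """
    parts = urlsplit(url.strip())
    if parts.scheme not in ("http", "https"):
        return ""
    return (parts.hostname or "").lower().rstrip(".")


def landing_matches(url: str, expected: str) -> bool:
    """True only if the URL's host is `expected` or a subdomain of it.

    Comparing whole labels (the '.' + expected suffix) rejects look-alikes
    such as 'citi.com.secure-login.ru' or 'notciti.com' that a plain
    substring check would accept.
    """
    host = landing_host(url)
    expected = expected.lower()
    return host == expected or host.endswith("." + expected)


def classify_landing(url: str, expected: str) -> str:
    """Explain why a landing page should or should not be trusted."""
    host = landing_host(url)
    if not host:
        return "reject: not an http(s) URL"
    if host.startswith("xn--") or ".xn--" in host:
        # Punycode labels can render as look-alike characters in the address bar.
        return f"reject: punycode host {host} (possible look-alike)"
    if landing_matches(url, expected):
        return f"ok: {host} is {expected} or a subdomain of it"
    return f"reject: {host} is not {expected}"


if __name__ == "__main__":
    # Constructed sample links modelled on the column's scenario.
    samples = [
        "https://online.citi.com/login",
        "https://citi.com.secure-login.ru/",
        "https://citi.com@evil.example/",
        "https://xn--example-placeholder.com/",
    ]
    for link in samples:
        print(link, "->", classify_landing(link, "citi.com"))
```

The same check works for any site in the trusted list; the point is that only the host part of the address, read label by label, decides whether the page is the one you wanted.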
What should you do if you think you’ve clicked on one of these malicious ads? For Wells, I recommended a two-step plan similar to what I would advise anyone who thinks they may have been hacked.
First, I suggested that he scan his computer for viruses and malware. That’s important whether you’re using Windows or Mac. I use Malwarebytes, which is available as a free download (or, if you subscribe to it, as a permanent shield). This will find and quarantine any bad software you may have downloaded.
Second, I suggested he change his bank password. Bad guys phishing for log-in information are probably the No. 1 danger for most people online. A security mistake many people make is reusing passwords across different sites, apps, and services. That’s a problem because if the bad guys get hold of one of your passwords, they’ll try to use it to access your accounts, data and maybe even money elsewhere.
The only practical solution is to use different passwords everywhere and keep track of them with a program known as a password manager. The good ones are usually safe to use and not as annoying as you might think.
After we fixed him up, Wells told me that the experience would change his online behavior. “I never really expected scams to show up in online searches, but now that I know they do, I’ll be on the lookout for them,” he said.