
Scammers have developed an ingenious new method to insert fake tech support numbers onto legitimate websites like Apple and Netflix, potentially exposing millions of Americans to fraud through trusted platforms they use daily.
Key Takeaways
- Scammers are injecting fake support phone numbers directly onto legitimate websites like Apple, Netflix, and PayPal through search parameter manipulation
- The scam works by placing ads at the top of Google search results that lead to real websites but with fraudulent phone numbers embedded
- Even when the browser’s address bar shows the legitimate website URL, scammers can still display fake support numbers through the site’s search function
- Both the CIA and NSA recommend using ad blockers like uBlock Origin as protection against these sophisticated scams
- To protect yourself, avoid clicking on ads to visit websites, verify phone numbers through official channels, and be wary of urgent requests for personal information
A Sophisticated New Scam Targeting Major Platforms
A troubling new technique called “search parameter injection” is allowing scammers to place fake tech support numbers directly on legitimate websites including Netflix, PayPal, Apple, Microsoft, and Bank of America. Unlike traditional phishing scams that create fake websites, this method manipulates the real websites themselves, making detection extremely difficult for average users. The scam begins when victims click on sponsored ads at the top of search results, which then direct them to the actual company website but with malicious code that injects fraudulent phone numbers into the site’s search results or support pages.
“Malwarebytes Senior Director of Research, Jérôme Segura, has identified a widespread scam where fake phone numbers for customer support are being inserted directly onto the legitimate help pages of well-known brands,” says Jérôme Segura.
Malwarebytes Labs has identified a tech support scam that uses malicious URLs to embed fake phone numbers within legitimate site searches. Here's how to identify and avoid falling victim to this attack.
Link: https://t.co/ngFE9N3tkG — Lifehacker (@lifehacker), June 24, 2025
How the Scam Works
The scam exploits a vulnerability in how websites handle search parameters. When users click on sponsored Google ads, the scammers add hidden characters to the URL that don’t appear in the address bar but instruct the website to display fake support numbers. This technique bypasses the common security advice of checking a website’s URL for legitimacy, as the browser correctly shows you’re on the official website. The deception is particularly effective because it exploits the trust users have in legitimate company websites.
“For instance, on Netflix, the site’s search function ‘blindly reflects whatever users put in the search query parameter without proper sanitization or validation,’ creating a weakness the scammers exploit,” explains Pieter Arntz from Malwarebytes.
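As an added illustration (not code from Malwarebytes or from any of the sites named above), the Python sketch below contrasts a search page that echoes its query parameter verbatim with one that escapes, truncates and declines to echo lure-like terms, and runs the same check over constructed access-log lines so a site owner can look for the pattern in their own traffic. The regexes, the lure word list, the `q` parameter name and the log lines are all assumptions.

```python
import re
from html import escape
from urllib.parse import parse_qs, urlsplit

# Phone-number-like token such as 1-800-555-0100, (800) 555-0100 or +1 800 555 0100
# (assumed pattern; 555-01xx numbers are reserved for fiction and used here as constructed data).
PHONE_RE = re.compile(r"(?:\+?1[\s.\-]*)?\(?\d{3}\)?[\s.\-]*\d{3}[\s.\-]*\d{4}")
# Urgency/support vocabulary a lure pairs with the number (assumed word list).
LURE_RE = re.compile(r"\b(?:call|support|helpline|suspended|urgent|toll[\s-]?free)\b", re.I)
MAX_ECHO = 60  # assumption: longer than any realistic term a person types into a search box

def is_suspicious_query(q: str) -> bool:
    """A search term that carries both a phone number and lure vocabulary."""
    return bool(PHONE_RE.search(q)) and bool(LURE_RE.search(q))

def render_naive(q: str) -> str:
    """The pattern the article describes: the query parameter is echoed verbatim."""
    return f"<p>No results for {q}</p>"

def render_hardened(q: str) -> str:
    """Escape and truncate the term, and refuse to echo lure-like queries at all.
    Escaping alone does not stop this scam: the injected text is an ordinary
    phone number, so the page also has to decide whether to repeat it."""
    if is_suspicious_query(q):
        return "<p>No results found.</p>"
    return f"<p>No results for &quot;{escape(q[:MAX_ECHO])}&quot;</p>"

# Constructed access-log lines in combined log format (not real traffic).
SAMPLE_LOG = [
    '198.51.100.7 - - [24/Jun/2025:10:01:02 +0000] "GET /search?q=stranger+things HTTP/1.1" 200 5120',
    '203.0.113.9 - - [24/Jun/2025:10:01:09 +0000] "GET /search?q=Call+Support+Now+%2B1+800+555+0100+account+suspended HTTP/1.1" 200 612',
    '203.0.113.9 - - [24/Jun/2025:10:01:10 +0000] "GET /favicon.ico HTTP/1.1" 304 0',
]
REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')

def flag_log_lines(lines, param="q"):
    """Return (client_ip, decoded_query) for requests whose search term looks like a lure."""
    hits = []
    for line in lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        # parse_qs percent-decodes and turns '+' into spaces, as the web framework would
        query = parse_qs(urlsplit(m.group(1)).query).get(param, [""])[0]
        if is_suspicious_query(query):
            hits.append((line.split()[0], query))
    return hits
```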
Once victims call these fake numbers, scammers posing as legitimate technical support representatives attempt to extract personal information, credit card details, or gain remote access to victims’ computers. They often create a false sense of urgency, claiming accounts have been suspended or compromised to pressure victims into taking immediate action. This social engineering tactic is designed to bypass rational thinking and exploit fear.
Protecting Yourself From These Scams
There are several effective strategies to protect yourself from these sophisticated tech support scams. First and foremost, avoid clicking on ads to visit websites you’re looking for. Instead, type the company’s web address directly into your browser or use bookmarks for sites you frequently visit. This simple step eliminates the opportunity for scammers to inject malicious parameters through ad clicks. Consider using alternative search engines like DuckDuckGo that prioritize privacy and may have different ad policies than Google.
“The moral of the story is don’t click on ads if you want to go to a particular website,” said an unnamed source.
Installing a reputable ad blocker like uBlock Origin can significantly reduce your exposure to malicious ads and websites. Both the CIA and NSA recommend using ad blockers for safer web browsing – a powerful endorsement of their effectiveness against sophisticated online threats. When you need technical support, always obtain contact information directly from the company’s official website by typing in their address manually, or from official communications like account statements or emails you’ve previously verified as legitimate.
Red Flags to Watch For
Several warning signs can help you identify potential tech support scams. Be suspicious of phone numbers that appear directly in a website’s URL or address bar, as legitimate companies don’t typically embed contact information this way. Watch for strange characters or encoded text in URLs, which might indicate parameter injection. Be especially wary of urgent messages claiming your account has been suspended or compromised, as scammers rely on creating panic to override your rational thinking.
“Malwarebytes Labs has identified a tech support scam that uses malicious URLs to embed fake phone numbers within legitimate site searches,” reports Malwarebytes Labs.
If you do call a support number, be extremely cautious if the representative requests remote access to your device, asks for payment information, or pressures you to make immediate decisions. Legitimate support staff rarely request remote access without clear justification and will never ask for your full password or PIN. If something feels suspicious during a support call, hang up immediately and contact the company through their official channels to verify the legitimacy of your previous interaction.