Identifying malicious websites in Google Ads 'where ads showed'

ByMark Lincoln/April 13, 2024/inBusiness, Marketing

How to Stop Fake Website Enquiries from Google Ads

We all get spam emails. These are often pretending to represent particular people or businesses and include a link which will then ask you for login details or otherwise do dodgy things to ruin your day. Others ask you to reply and start a long conversation that will ultimately lead you to hand over your life’s savings.

But some emails appear to look legitimate, with fake names, phone numbers, email addresses and enquiry messages. Worse, they can sometimes use real email addresses and phone numbers along with local-sounding names, likely scraped from leaked data or other sources in order to appear more genuine and to get past more spam filters.

Messages are often along the lines of “contact me” or “contect me,” or even manage to roughly relate to the products and services on your website.

So what’s the point of these fake enquiry emails?

At first I thought that the phone numbers were designed to redirect to some kind of pay-per-minute phone number, but they all seemed to be disconnected, or were other businesses that were confused when we called them. The email addresses usually bounced immediately, showing they didn’t exist, and there were no links in the messages so nothing to click.

The first clue to understanding their purpose came when I realised where the enquiries were coming from. Many website form providers include the ability to show which page of your website the form was completed on, and even the referring website that sent the visitor to your website. These can show the parameters at the end of the website address, i.e. the various data that helps track the click in services like Google Analytics, Google Ads, Meta, etc.

In the enquiry email that was received following the completion of a form, the ‘page completed on’ URL included parameters for ‘gclid=’ followed by a unique number. This stands for ‘Google Click Identifier’ (definition from Google here), which shows that the visitor has likely clicked through to your website from a Google Ad.

As a one-off, this might not be too concerning, but a trend in fake website form submissions that were all from Google Ads should immediately throw up red flags. If you’re paying for Google Ads with the aim of getting conversions on your website (e.g. enquiries via forms), then you very much don’t want this budget to be used up by fake enquiries.

In itself, this still didn’t explain why the forms were being completed, but it gave me some good ammunition to be able to search Google for a solution more effectively.

I came across a Reddit thread by someone who had a very similar issue. People were completing forms on their website with no purpose, getting past reCAPTCHAs and spam filters with ease. A handful of well-intended responses didn’t solve the problem, until one user with the name polygraph-net replied and hit the nail right on the head.

A Reddit user's reply showing a solution to fake enquiries from Google Ads

The simple reason for fake enquiry from your Google Ads

People make money from displaying Google Ads on their content, and some people have found a trick to make more money from Google Ads with minimal effort and at your expense.

This website – the one you’re reading right now – is a good example of a humble content producer trying to share a little knowledge, help people, and earn a little (emphasis on little) money in return. I’ve created this website using the WordPress platform, signed up for a Google Adsense account, and I’ve allowed Google to display ads in optimised locations on the website. I don’t tell Google which ads to display, I allow Google to tailor those to the visitor (with a few caveats to ensure better quality ads appear… sorry if that’s not the case for you right now! It’s not always that easy to control).

As the website creator and content producer, I get a very small share of the revenue generated from a click on ads appearing on my website. A business sets up ads in their Google Ad account, Google places that ad on a website, a consumer of the website’s content clicks the ad, Google charges the business and gives a small portion of that charge to the website owner… unless the consumer has adblockers because they believe they’re special and deserve to read others’ content for free, but that’s another story.

This is the typical, honest format for revenue generation through Google Adsense and is one way as to how people like me can make a little money by writing articles for the web.

However.

For every method to make money, there’s someone trying to hack that method and make more money with less effort.

So let’s say I have some technical skills and I don’t care if I ruin honest business’ attempts to generate income so that they can pay their employees. Let’s call this character Bad Mark.

Bad Mark creates a basic website with very little effort (it’s very easy to register a website address – domain – and then use website building platforms to build the bones of a website in just minutes). He then sets up a method to publish regular articles to that website. This could be done by scraping content from other websites using their RSS feed, simply taking their content and republishing it to your own website. Of course, with advances in AI, this could also be done by arranging an AI service to regularly fire out content and images as new articles. It really doesn’t matter if the content is trash, he just needs to show Google that he has an active website, and occasionally show a curious business owner or marketer that his website is a real one in the event that they come looking.

Now that Bad Mark has a website with regularly updated content, he applies for a Google Adsense account. On approval (Google needs to tighten up this process it seems) he places Google Ads on his website in the same way that I’ve done. He wants to generate revenue from clicks on those ads, and if those clicks are identified by Google as resulting in successful website enquiries (conversions) for Google Ads’ customers, then he’s going to make more money for every click and Google is going to want to show even more of those ads on his website.

With trashy, regurgitated content, it’s not likely that they’re going to attract any real visitors to their website. They may not even want it to show up in Google search results and attract attention. Instead, they now do one of two things.

The first is that they may be setting up bots. These are automated processes that are designed to click ads on their website, visit the advertiser’s legitimate business, bypass spam filters, and complete an enquiry form. These bots would have to be very sophisticated. Google is actively trying to eliminate fake clicks from business’ ad accounts and they want to provide the best system for advertisers and publishers alike, so the bots would need to appear to very human-like in their methods. They also need to bypass the spam filters on the forms themselves. And they are doing – I’ve tried various honeypot options, Google reCAPTCHA, Cloudflare Turnstile, and more, and the forms kept getting filled in. I set up strict filters through Cloudflare to prevent negative bot traffic (there are positive bots out there that should be visiting your website) from visiting the website in the first place. I filtered out traffic from entire countries whose residents would have no real reason to visit our website and would offer us no value. I even replaced the whole enquiry form system (Gravity Forms) with a more professional and costly platform (Formidable Forms) and the fake enquiries kept coming through.

This has lead me to believe that either the bots in the first method are quite advanced and are bypassing these anti-spam systems, or the malicious website publishers are using a second method: humans. It’s possible that there are rooms of real people out there who simply visit the malicious website, click ads, and complete enquiry forms. They would need to constantly change their IP address to ensure Google doesn’t realise that a series of enquiries are all coming from one location, but there are VPN systems that could do this quite easily.

If it is humans that are filling in your forms, then there’s very little you can do to stop them from actually completing the form. After all, if you’re blocking a human from completing your form, you’re going to be blocking genuine customers as well.

So how do you stop fake form enquiries?

The key to stopping these fake form enquiries on your website is to halt them at the source.

By all means, your website and your forms should be robust and have good security and anti-spam measures in place anyway. Methods to do this include using reputable enquiry form services like Gravity Forms and Formidable Forms (having used both, I’d recommend the latter for a more professional and advanced form solution). On those forms, you then need a ‘I’m not a robot’ style captcha system, with Google reCAPTCHA and Cloudflare Turnstile being solid – and free – options. You can also add more security to your website and block malicious bots with the likes of Cloudflare’s Bot Fighter and Super Bot Fighter (no really) services.

BUT! While the above will help with most spam and malicious bots, it doesn’t solve this specific problem. And I know. I’ve tried all of the above.

The solution is to stop your Google Ads from appearing on the malicious websites.

This is a two-step process. The first step involves identifying the websites that are sending the traffic that is filling in the forms, and the second step involves telling Google Ads to not show your ads on those websites.

Step 1: Identify malicious websites that are sending Google Ad traffic that is completing forms

(Can you tell that I’m struggling to make my subheadings more concise?)

If you’re managing a website for a business and are running ads through Google Ads, or any platform that you’re paying to send quality customers to your website, then you need methods in place to show when a visitor has completed a form on your website. Typically, on completing a form, your website visitor sees a success/thank you message on the same page or they’re redirected to a ‘thank you’ page on your website. At this point, you should be marking that visitor’s action as a conversion. Someone visited your website and their visit converted into a lead for your business. This is important data.

If you haven’t set up conversions in your Google Ad account yet, you can view Google’s article on conversion tracking or simply search for this to find thousands of resources that can help.

Now that you have conversion tracking in place, you should be able to see conversions in your Google Ad account. You may need to adjust the columns showing in order to display conversions, and note that Google may be recording a range of other actions as conversions that are irrelevant here. You can create a custom column to show your specific enquiry form conversions.

Once you can see conversions are being recorded in your Google Ad account and you’ve confirmed which conversions are specifically those from completed enquiry forms, you need to find out specifically which individual websites sent the ad traffic that resulted in the completed enquiry form. Clear as mud? It’ll be pretty clear once you see it on your screen.

To do this, within your Google Ad account, head to Insights and reports, then When and where ads showed, then Where ads showed.

Don’t worry about heading to a particular campaign first, just do this at the parent level. Set a suitable date range, for example the last 30 days, ensuring that you’ve had fake enquiries within this range.

Once you’re viewing the screen showing websites on which your ads have appeared, rank the table by conversions with the highest at the top. If you have a lot of various types of conversions, you can add a column to this table to only show those conversions from the specific form that is sending you fake enquiries.

Your list should now show some websites that have sent you Google Ad traffic that has resulted in a conversion through a form on your website, with the biggest ‘performers’ at the top (you can apply other filters to only show these converting websites if you like). From this table, you can click each website in order to view it for yourself and determine whether this is a quality website that has legitimately sent genuine people to your website or if it’s likely a trashy website that’s been made for malicious purposes. It should be OK to view these websites, just don’t go clicking around on them and definitely don’t complete any forms on those sites.

How can you tell which websites are sending you spam?

Remember that the publishers of these websites have two goals in mind. The first is to ensure a stream of fresh content, regardless of its quality, with the least amount of effort possible, and the second is to get people or bots to click on Google Ads.

The websites will likely be in a blog or news site format with a list of articles. Signs that these are generated artificially include:

the ‘author’ is always either the same name, the name of the original website that the content was scraped from, or even just a default name of ‘Admin’
the articles are all very generic and seem to be very similar to each other
there are lots of articles posted on the same days
the thumbnail images for the articles are either missing, created using AI, or are generic stock images

I’ve taken screenshots of four of these websites so you can get a feel of what to look for. Note the generic images, poorly formed article titles, unusual author names, and repeated publishing dates. I won’t link to these websites so as not to help them in their cause!

Spam website example: mycanadianuniversity

Step 2: Stop your Google Ads from appearing on these website

Once you’ve identified the offending websites, in your current view – Where ads showed – you can select the checkbox next to each website, then select ‘Edit’ in the blue bar that appears, and then select ‘Exclude from ad group’ or ‘Exclude from ad campaign’. However, this will only stop the ads from within that specific ad group or campaign from appearing on the malicious website.

To properly solve the issue, you would need to do this for all your campaigns, present and future, even if the ads haven’t appeared on the website yet. To do this, you’ll need to head to the “Content suitability” area of your Google Ads account and tell Google more about where you’re happy for your ads to appear.

Along with general categories of content, you can give Google a list of websites to exclude.

This is under Tools > Content suitability > Advanced settings > Excluded placements

From here you can either browse to content like YouTube Channels and App Categories, or you can ‘Enter’ a list of website addresses. Paste in your list of website address that you don’t want your ads to appear on and you’re good to go! Google will now stop showing your ads on those websites.

(Note: I’d previously published this with the method being to use the Excluded placement lists under ‘Shared libraries’, but for that you need to apply the list to each new campaign you create. The ‘Content suitability’ area instead allows you to do this just one for the whole account. Hurray!)

Google Ads Content Suitability Website List

I’ve created a list of some of the websites worth excluding in this shared Google Doc, but note that there will be thousands out there and once they’ve stopped serving their purpose they’ll be deleted and then new ones created.

It’s best to learn the skills to identify these websites for yourself and get in the habit of updating and maintaining your excluded placements list, plus other content and topics that you’re best to avoid showing your ads on. As part of this, you should by now also have the skills to be able to quickly identify which enquiries your business is receiving which are part of this whole scheme.

Be sure to avoid excluding the legitimate websites of hard-working content producers that are kindly opting-in to display your ads on their website.

Where to from here?

Once you’ve followed the above process to:

Gain the skills to identify fake enquiries from your website
Use Google Ads’ tools to track down the source of that enquiry
Add malicious websites to your Google Ad account’s exclusion list

… you should start seeing a drop-off of fake enquiries, ensuring your Google Ad budget isn’t wasted on malicious enquiry and your business staff aren’t frustrated with repeated fake enquiries.

In addition to this, you should always be using best-practice advertising methods to ensure your ads are only showing to your target audience in relevant countries as best of possible, although acknowledging that despite myself doing this, the fake enquiry kept coming until I finally discovered the above process.

Best of luck.

For more like this, be sure to follow me, Mark Lincoln, on LinkedIn.

Photo credit: Man using a laptop by Burst on Pexels.