In August, Prerna (name changed), a program manager at a multinational company in Hyderabad, embarked on what seemed like a routine Google search for a rental car service. She had no idea that a simple click on a search result would lead to a loss of nearly Rs 2 lakhs, a financial blow she is still battling to recover from.
The trap was laid through a sophisticated technique called SEO poisoning, where cybercriminals manipulate search engine algorithms to push harmful websites to the top of search results.
"I was just looking for a car to rent in my city. I went on Google to compare the options available," she said, recalling how the ordeal began. After her search, several customer service representatives reached out. Among them was Rohit, who claimed to represent 'Ganesha Car Travels'.
Prerna had not left her contact information online, so she was suspicious when they called.
"I tried to verify their legitimacy and found their website. It seemed professional, so I decided to go ahead," Prerna explained.
But troubles emerged during the signup process. "The website kept redirecting me to the homepage," she said. "They told me they were fixing it and asked me to download their app instead."
When the app didn’t appear on the Play Store, Rohit had a solution: an APK file sent via WhatsApp, which he insisted was necessary for booking. "Everything looked fine—options, prices, payment details. It felt real," Prerna recalled.
The scam revealed itself during what should have been a simple Rs 150 booking confirmation. “I was redirected to Razorpay, and it seemed like a legitimate payment gateway,” Prerna said. “I entered my credit card details and waited for the OTP to confirm the transaction. But it never came.”
Those five minutes of waiting proved costly. When the OTP finally arrived, it wasn't for Rs 150—it was for Rs 60,000.
"I was shocked," Prerna said. "But before I could react, another OTP came for Rs 98,000."
The scammer had been calling continuously on WhatsApp all this while. “It felt like they were trying to leave behind a trail to create the illusion of my consent, as if I willingly shared the OTPs, even though I hadn't agreed to those amounts,” she said.
Using the APK file, the scammer managed to install an auto-forwarding bug on Prerna's phone, redirecting all her messages to himself. This allowed the scammer to intercept the OTP as soon as it was generated, ultimately draining nearly Rs 2 lakhs from her account.
Decode previously reported how these APK files often disguise themselves as legitimate apps, putting users at risk of data breaches, malware infections, and financial scams.
Frantically, Prerna contacted her bank, but after a 20-day investigation, the bank concluded that the transactions were “secure” because the OTPs were shared.
"But those OTPs were not shared by me," she said with frustration evident in her voice.
Despite filing an FIR immediately, the trail had gone cold. “The police couldn't trace anything. The website was down, and there was nothing left in the account to track,” she said.
Now, she's pursuing legal action against the bank. "They made me wait 20 days, and then sent me a template response," she said. "If I had known sooner, I would have gone straight to the cyber police."
Prerna has sent a legal notice questioning why no chargeback was issued after she reported the fraudulent transaction. Though the bank maintains these were "secure transactions," she's consulting with lawyers on next steps. "Banks have enough resources to prevent this," she insisted. "But the time wasted in the investigation cost me everything. If they had acted faster, we still had some chance."
How SEO Poisoning Works
Prerna's ordeal is a chilling example of SEO poisoning—a sophisticated scam where cybercriminals exploit Search Engine Optimization (SEO) to manipulate search rankings. They create fake, malicious websites that appear legitimate and show up prominently in search results for popular services or trending topics.
In Prerna's case, the fake ‘Ganesha Car Travels’ website appeared convincing and played a key role in gaining her trust. While she isn't certain how her phone number ended up in the scammers' hands, she suspects it could have been through social engineering or data scraping tactics, possibly triggered by a vulnerability in a link she clicked during her initial search.
With the help of SEO poisoning, fraudulent sites often trick users into clicking on harmful links, downloading malware, or providing personal information, turning search engines into tools for spreading cyber threats.
Speaking to Decode, cybersecurity expert Rupesh Mittal explained how malicious actors manipulate search engine rankings by exploiting indexing and advertising loopholes. "By submitting a domain to Google's Search Console and using meta tags strategically, cybercriminals can influence indexing," he noted. "However, this is just one layer of Google's complex ranking system."
Google indexing involves organising and storing web page information in a database, enabling it to deliver relevant results quickly. Cybercriminals exploit this process to gain visibility in search results.
“Running ads is another tactic scammers use to temporarily boost rankings,” Mittal added. “Google’s ad review process takes time, and attackers exploit this delay to spread malicious content,” he said.
SEO analyst Shivani Jadhav highlighted another dark technique known as cloaking.
“Cloaking involves showing one type of content to search engine bots to boost rankings while displaying entirely different, often harmful, content to users,” she explained.
For instance, a website might appear as a legitimate service page to search engines but redirect users to malware-filled or fraudulent pages. This deception fools both users and search engines, propelling harmful websites to the top of search results.
Jadhav also pointed out that some attackers hijack legitimate websites by injecting malicious scripts or creating spam pages, leveraging the site’s authority to increase their visibility.
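The cloaking behaviour described above can be checked defensively by comparing what one URL returns to a crawler with what it returns to a browser. The sketch below is an added example, not code from the experts quoted or from Google; the hostnames, the sample pages and the 0.6 similarity threshold are constructed assumptions.

```python
import re
from difflib import SequenceMatcher
from urllib.parse import urlparse

TAGS = re.compile(r"(?is)<(script|style)\b.*?</\1>|<[^>]+>")
META_REFRESH = re.compile(
    r"(?i)<meta[^>]+http-equiv=[\"']?refresh[\"']?[^>]*url=([^\"'>\s]+)")
JS_REDIRECT = re.compile(r"(?i)location(?:\.href)?\s*=\s*[\"']([^\"']+)[\"']")

# Constructed sample: the same URL as served to a search crawler User-Agent
# and to an ordinary browser User-Agent (reserved .example hostnames).
URL = "https://car-rentals.example/booking"
CRAWLER_VIEW = {"status": 200, "headers": {}, "body":
    "<html><title>Car rentals</title><h1>Affordable car rental in your city</h1>"
    "<p>Compare sedans, SUVs and hatchbacks with transparent daily rates.</p></html>"}
BROWSER_VIEW = {"status": 200, "headers": {}, "body":
    "<html><script>window.location.href='https://get-app.example/install'</script>"
    "<p>Loading...</p></html>"}

def visible_text(html):
    """Strip scripts, styles and tags, then collapse whitespace."""
    return " ".join(TAGS.sub(" ", html).split()).lower()

def redirect_target(resp):
    """Return where the response sends the client, or None."""
    if 300 <= resp["status"] < 400:
        return resp["headers"].get("Location")
    for pattern in (META_REFRESH, JS_REDIRECT):
        m = pattern.search(resp["body"])
        if m:
            return m.group(1)
    return None

def cloaking_signals(url, as_crawler, as_browser, min_similarity=0.6):
    """List the differences between the crawler view and the browser view."""
    signals = []
    site = urlparse(url).hostname
    bot_to, user_to = redirect_target(as_crawler), redirect_target(as_browser)
    if user_to and user_to != bot_to:
        dest = urlparse(user_to).hostname or site  # relative URL stays on-site
        kind = "off-site" if dest != site else "same-site"
        signals.append(f"browser-only {kind} redirect to {dest}")
    ratio = SequenceMatcher(None, visible_text(as_crawler["body"]),
                            visible_text(as_browser["body"])).ratio()
    if ratio < min_similarity:
        signals.append(f"content similarity {ratio:.2f}")
    return signals

if __name__ == "__main__":
    print(cloaking_signals(URL, CRAWLER_VIEW, BROWSER_VIEW))
```

An empty list means both views agree. A site that cloaks by IP address rather than by User-Agent would serve the same page to both fetches, so an empty result from this comparison does not prove a site is clean.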
How SEO Poisoning Exploits Trending Topics
Cybercriminals often target high-demand or emotionally charged topics to amplify their reach. “Attackers capitalise on health-related searches, like rare medical conditions or medications, as well as financial topics such as cryptocurrency, tax filings, or loan applications,” Jadhav said.
Trending topics, including breaking news, celebrity events, and technological developments, are prime opportunities for scammers to capture high-volume traffic. “Scammers thrive in situations where users are emotional, rushed, or are seeking urgent answers,” she added.
For example, a recent SEO poisoning scam in Australia targeted niche audiences searching for “Are Bengal cats legal in Australia?” on Google. The malicious site exploited this obscure query to steal personal information.
“Even obscure searches can be weaponised,” Mittal emphasised. He warned that attackers monitor analytics to identify trending queries and tailor scams accordingly. "After events like the Maharashtra elections, scammers could easily fabricate a fake portal offering prizes or registrations for fictional initiatives related to elections,” Mittal said.
According to the experts, AI has further enabled attackers to scale these operations. Generative AI creates realistic, keyword-optimised fake content, while machine learning predicts trends, helping scammers time their attacks effectively.
Can Simply Clicking on an SEO-Poisoned Link Cause Harm?
No, simply clicking on an SEO-poisoned link does not immediately compromise the system. As Mittal explained, for an attack to occur, there needs to be a vulnerability. "If the browser is outdated, attacks can happen, but simply clicking on a link alone won't cause harm. The real risk comes when you are lured into downloading malware through a clickbait," he said.
However, clicking on a link can still provide server operators with data about the system, and this is true for all websites, not just those involved in SEO poisoning. To understand what information our browser might reveal about our device, the cybersecurity expert pointed to a website called webkay.robinlinus.com.
This site lists the data browsers can collect, such as our location, device charge percentage, software details, hardware information, and more.
How Can We Stay Safe?
Even for digitally literate individuals like Prerna, spotting such sophisticated scams can be challenging. Cybersecurity expert Mittal acknowledged this, saying, “While it’s difficult to catch these anomalies, they are there if you look closely. For instance, no legitimate website will share an APK file through WhatsApp—it will always be available on an official platform like the Play Store, which ensures security checks.”
He also highlighted the importance of monitoring small transactions. “Scammers often rely on our casual attitude towards small payments to capture financial details,” he said.
Mittal advised adopting safer practices, such as setting transaction limits on cards. “It’s a good habit to keep low limits on cards for daily use. For larger payments, temporarily increase the limit through your bank’s app. It might feel cumbersome, but it’s an effective way to keep your money safe,” he said.
Jadhav recommended verifying website URLs, ensuring they use “https” instead of “http,” and using Google’s Safe Browsing tools. These tools are integrated into browsers like Chrome, Firefox, and Safari to provide real-time warnings about harmful websites.
Essential steps to stay safe from SEO poisoning
1) Enable Safe Browsing in Your Browser
In Google Chrome: Open Chrome > Go to Settings > Navigate to Privacy and Security > Select Security > Enable the appropriate Safe Browsing option.
2) Check the Safety of a Specific Website
Use Google's Safe Browsing Transparency Report: Visit the Safe Browsing Transparency Report page > Enter the website URL you want to check > Review the safety status provided.
3) Verify Website URLs
Ensure they use “https” and not “http”.