Malwarebytes Labs, suppliers of antivirus software, have warned of a simple way that scammers try to trick unwary visitors of genuine websites into calling fake support lines for those businesses. The method works as follows:
- The scammer places a sponsored advert with a search engine like Google. One reason the advert is not identified as deceptive is that it points to the actual website of the business that the scammers want to impersonate.
- The URL of the website is correct, although a bogus phone number has been appended to the URL.
- The URL, including the bogus number, is visible in the browser of anyone who clicked through from the advert. Having searched for a contact number for a genuine business, there is a risk that the visitor will read and dial the number from the URL without properly reading the contents of the actual webpage.
Malwarebytes Labs claims to have seen this deception used to promulgate scam helpline numbers for a series of well-known businesses. They listed the following examples:
- Apple
- Bank of America
- HP
- Microsoft
- Netflix
- PayPal
The deception is called a search parameter injection. It is pretty common for websites to provide search functions that generate webpages whose URLs end with a series of characters like:
- “/search?keyword=search-term-here”, or
- “/search?q=search-term-here”.
The search term can hence be abused by including a series of digits, such as a phone number. So instead of only seeing the URL for a business like Netflix, the visitor to Netflix’s website from the fraudulent web advert sees Netflix’s URL followed by a series of characters like “Call-205-123-456”.
To make matters worse, the same series of characters may also be reproduced inside the search field of the business’ actual search page. So a visitor to the website could see “For-support-call-205-123-456” in the space where they would normally type their own search query. That trick will not fool everybody but it is easy to see how an unwary or naive visitor might simply dial the number without thinking about how it has been presented on the webpage.
The trick works because the search functionality of websites will typically not be designed to weed out suspicious queries. The search query passed from the bogus advert is reproduced in full. Whether this will fool a visitor partly depends on the design of the business’ search page. It is the opinion of Malwarebytes Labs that Apple’s website is especially unsuited to identifying this deception.
Interestingly, Apple is the one where we found the scammer’s number was the hardest to identify as false.
[It] looks as if the web page tells the visitor they have no matches for their search, so they’d better call the number on display. That would drive them straight in the arms of scammers.
Malwarebytes Lab’s warning about this trick can be found here.



