And they’re not alone in pointing out the problems. Two years ago, the FBI warned about this type of scam that’s being carried out through purchased ads, but nothing has happened since then. Security vendor Netskope recently reported that, according to its telemetry, phishing click rates tripled in 2024, with SEO poisoning and malvertising part of the reason for the alarming rise, as cybercriminals move their operations outside the inbox.
For Strawberry, this has now led to the default search engine in Chrome being changed to DuckDuckGo before Christmas, with the ad function also turned off as extra protection.
“It’s a bit ironic because we ourselves are dependent on Google ads, so it may seem like we’re shooting ourselves in the foot. But there has to be a balance where they make sure to validate the ads as well and don’t allow ads to be designed so that you enter a URL that isn’t the one you end up on. It’s incredibly strange,” says Belak.