Press "Enter" to skip to content
Views: 17
Heads Up! Attackers are at it again – purchasing Google Ads targeting keywords related to SEMrush (they also did this back in march). When users search for “SEMrush” or similar terms, a malicious ad appears at the top of the results, leading to a fake SEMrush login page.
These pages are well-crafted, closely mimicking the actual SEMrush interface. Unsuspecting users who enter their credentials are handing them directly to the attackers.
Why It Matters to SEOs and Advertisers
- This scam abuses Google’s AdWords system to target search terms for trusted SAS tools. If they can do this to SEMrush, they can do it to any brand!
- Very Real Looking Ads: These ads appear above the organic results, making them more likely to be clicked. Especially since SemRush is known to purchase ads for their own brands.
- SEOs rely on SEMrush for keyword research, competitor insights, and reporting. An account breach could expose campaign data, billing info, and client-sensitive content.
What You Should Do
For Search Users:
- Obviously, never click the first ad blindly – especially when visiting known tools. Lets go a step further and say to never use Google for navigation of your sites that should be bookmarked in the first place. Google ads are so tricky and gimmicky today, that you really have to move past them.
- Bookmark login pages for all services you frequently use.
- And of course take a look in the address bar from time-to-time: SEMrush’s official site is
https://www.semrush.com. Fake sites may use variations or non-standard domains (like.info,.top, or typos).
For Advertisers:
- Monitor your brand keywords: Run branded keyword ads to block competitors or scammers.
- Educate your team – for sure: Ensure your staff and clients are trained to recognize phishing and spoofed URLs.
Bigger Concerns
This is not an isolated case. It reflects a systemic flaw in Google Ads approval and oversight. Remember, it was just a couple months ago, that Google deleted something like 40 Million fake ad accounts. So um ya, Google has some problems here.
If attackers can:
- create Google Ads accounts,
- get past ad review,
- spoof a trusted tool’s login page…
Then no brand is really safe, and no ad click should be trusted blindly.
SEO Takeaway
The tools you rely on daily could become phishing traps overnight – delivered by the very ad platform you trust for business. This incident is a reminder that Google’s top results are not automatically trustworthy, and SEOs/advertisers must remain vigilant.
For continued updates, consider monitoring:
- Kaspersky blog
- Phishing Protection Status from Google
- Community alerts in forums like WebmasterWorld or r/SEO on Reddit
Let your team and clients know. Awareness is protection.
Let your team and clients know. Awareness is protection.
As the CEO and founder of Pubcon Inc., Brett Tabke has been instrumental in shaping the landscape of online marketing and search engine optimization. His journey in the computer industry has spanned over three decades and has made him a pioneering force behind digital evolution. Full Bio
Visit Pubcon.com