
Sophisticated tech support scammers are now embedding fake phone numbers directly into legitimate websites like Apple, PayPal, and Netflix, tricking users who diligently check for authentic URLs before seeking help.
Key Takeaways
- Scammers are injecting fraudulent support numbers into legitimate company websites through sponsored ads and search parameter manipulation
- This technique bypasses common security advice to check browser address bars, as victims are actually on the authentic company website
- When calling these fake numbers, scammers attempt to extract personal information, credit card details, or gain remote access to victims’ computers
- To protect yourself, verify support numbers directly through official company websites (not search results) and consider using ad blockers
A New Generation of Tech Support Scams
Cybercriminals have developed an alarming new method to trick even cautious internet users. By buying sponsored search results whose destination is the genuine website of a major company such as Apple, Microsoft, Netflix, PayPal, or Bank of America, and attaching a crafted search query to that destination URL, scammers are managing to make a fake support phone number appear on the company's own help page. The technique works in every mainstream browser and defeats the traditional advice to check the URL for authenticity, because victims really are on the company website they intended to reach.
“Malwarebytes Senior Director of Research, Jérôme Segura, has identified a widespread scam where fake phone numbers for customer support are being inserted directly onto the legitimate help pages of well-known brands,” said Jérôme Segura, Senior Director of Research at Malwarebytes.
Malwarebytes Labs has identified a tech support scam that uses malicious URLs to embed fake phone numbers within legitimate site searches. Here's how to identify and avoid falling victim to this attack. Link: https://t.co/ngFE9N3tkG
— Lifehacker (@lifehacker), June 24, 2025
How the Scam Works
The technique, known as “search parameter injection,” abuses help-center search pages that echo the visitor's query back into the page. The sponsored ad points at the legitimate site, but its destination URL carries a long, URL-encoded search parameter containing text such as “Account suspended, call support at …” followed by the scammers' phone number. The site's search page then displays that text, often as a prominent heading, so it reads as official company information; the parameter is present in the address bar but is easy to overlook in a long encoded URL. Netflix’s site is particularly vulnerable because its search function “blindly reflects whatever users put in the search query parameter without proper sanitization or validation,” creating a weakness that scammers exploit.
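To make the reflection concrete, here is an added example (not code from Malwarebytes or from any of the affected companies) of a help-center search handler that renders the query the vulnerable way, beside a hardened version. The hostname, the query text and the phone number are constructed for illustration. Note that HTML-escaping alone does not stop this scam, because the injected text is plain text; the hardened version therefore also truncates the echo, labels it as the visitor's own input rather than as a headline, and declines to echo anything that looks like a phone number.

```javascript
// Constructed scam URL: a sponsored ad would send the victim here. The domain
// and number are fictitious.
const SCAM_URL =
  "https://help.example.com/search?q=" +
  encodeURIComponent("Account suspended. Call Support +1 (800) 555-0199 immediately");

// Vulnerable: the raw query is dropped into the page as if it were site content,
// so the visitor sees "Account suspended. Call Support ..." as a headline.
function renderVulnerable(url) {
  const q = new URL(url).searchParams.get("q") || "";
  return `<h1>${q}</h1><p>No results found.</p>`;
}

// Minimal HTML escaping so the echo cannot inject markup.
function escapeHtml(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

// Crude phone-number pattern: ten or more digits separated by spaces, dots,
// dashes or parentheses (chosen for this example; tune for your locale).
const PHONE_RE = /(?:\+?\d[\s().-]*){10,}/;
const MAX_QUERY_LEN = 60;

// Hardened: escape, truncate, refuse phone-number-looking queries, and present
// the echo as a quoted search term instead of a heading.
function renderHardened(url) {
  let q = (new URL(url).searchParams.get("q") || "").trim().slice(0, MAX_QUERY_LEN);
  if (PHONE_RE.test(q)) {
    // Do not echo the number at all; point to the site's own contact page.
    return '<p>No results found. Official contact details are on our <a href="/contact">Contact page</a>.</p>';
  }
  return `<p>No results for your search <q>${escapeHtml(q)}</q>.</p>`;
}

console.log(renderVulnerable(SCAM_URL));
console.log(renderHardened(SCAM_URL));
```

Refusing to echo phone-number-shaped queries is a design choice: a visitor searching for a genuine number loses a little convenience, but the page can no longer be turned into a billboard for a scammer's number.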
“If you click on a real website link in an ad, say ‘Netflix’ or ‘Microsoft’, the process of sending you to the real site allows people who bought the ad to add invisible characters that then add a fake phone number when you finally get to the real website. And you ‘see’ the real website link all the time this is going on,” said an unidentified source.
Once victims call these fraudulent numbers, scammers posing as legitimate support staff attempt to extract personal information, credit card details, or gain remote access to computers. They often create false emergencies about account suspensions or security breaches to pressure victims into taking immediate action without careful consideration of the consequences. The scammers’ ultimate goal is either financial theft or gaining persistent access to victims’ devices for more extensive fraud.
Protecting Yourself from These Scams
Several effective strategies can help protect you from these tech support scams. First, avoid clicking on ads to reach websites; instead, type the company’s URL directly into your browser or use bookmarks for sites you frequently visit. Privacy-focused search engines such as Startpage or DuckDuckGo are an option, but they still display sponsored results, so the advice not to click ads applies there too. The FBI has recommended ad-blocking extensions for exactly this kind of search-ad impersonation; uBlock Origin is a widely used one.
“The moral of the story is don’t click on ads if you want to go to a particular website,” said an unidentified source.
When seeking technical support, be alert for red flags: a phone number or message text visible in the page's URL (everything after the “?” in the address bar), long runs of percent-encoded characters such as “%20” in the URL, and urgent language like “Account suspended.” Always verify support numbers through trusted sources and be extremely cautious of any requests for personal or banking information during support calls. Legitimate companies rarely request sensitive information over the phone or ask for remote access to your devices without clear justification and proper security protocols.
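The red flags above can be checked mechanically. The following added example (not Malwarebytes Browser Guard or any vendor's code) is a heuristic a browser extension or link scanner could run on a URL before the page loads: it decodes each query parameter and the fragment, and reports any that carry a phone-number-shaped string or urgent wording. The patterns and the sample URLs are constructed for illustration.

```javascript
// Urgency phrases commonly seen in tech support scams (list chosen for this
// example, not exhaustive).
const URGENCY_RE =
  /\b(account\s+(suspended|locked|blocked)|call\s+(now|immediately)|urgent|unauthori[sz]ed)\b/i;
// Ten or more digits separated by spaces, dots, dashes or parentheses.
const PHONE_RE = /(?:\+?\d[\s().-]*){10,}/;

// decodeURIComponent throws on malformed escapes; fall back to the raw text.
function safeDecode(s) {
  try {
    return decodeURIComponent(s);
  } catch {
    return s;
  }
}

// Return human-readable reasons the URL looks like a search-parameter-injection
// lure, or an empty array when nothing stands out.
function flagSuspiciousUrl(url) {
  const u = new URL(url);
  const reasons = [];
  // Every attacker-controllable text field: each query value plus the fragment.
  const fields = [...u.searchParams.values()];
  if (u.hash) fields.push(safeDecode(u.hash.slice(1)));
  for (const text of fields) {
    const phone = text.match(PHONE_RE);
    if (phone) reasons.push(`phone number in URL parameter: ${phone[0].trim()}`);
    const urgent = text.match(URGENCY_RE);
    if (urgent) reasons.push(`urgent wording in URL parameter: "${urgent[0]}"`);
  }
  return reasons;
}

// Constructed examples: a lure and a normal help-center search.
const LURE_URL =
  "https://www.example.com/search?q=Account%20suspended%20call%20now%20%2B1%20(800)%20555-0199";
const BENIGN_URL = "https://www.example.com/search?q=reset%20password";

console.log(flagSuspiciousUrl(LURE_URL));   // two reasons
console.log(flagSuspiciousUrl(BENIGN_URL)); // []
```

A checker like this cannot tell a genuine site from a fake one; its value is that it inspects the part of the URL a victim is least likely to read, the query string, and does so on the real site where the usual "check the domain" advice gives a false sense of safety.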
What Companies Are Doing to Fight Back
Some companies are taking active measures against these attacks. Malwarebytes, for example, has filtered the malicious parameters out of its own website and offers the Browser Guard browser extension, which detects these injected pages and warns the user. Its research team continues to monitor and report on these evolving threats, having identified similar attacks targeting Netflix, PayPal, Apple, Microsoft, Facebook, Bank of America, and HP, among others.
However, the burden of protection still largely falls on users. The most effective defense is to find company contact information directly from official websites by typing the URL manually, or from past legitimate communications, rather than through search results. Remember that reputable companies will never pressure you to provide sensitive information without proper verification, and they typically offer multiple secure support channels beyond just phone numbers, including authenticated chat services and support tickets that don’t require giving out personal information.