Scammers are increasingly leveraging search engine optimization (SEO) poisoning, a method that uses traditional SEO techniques to push fraudulent content, such as phony customer support numbers, to the top of search results, making them appear as legitimate resources. This tactic even manipulates AI-generated search summaries, causing them to suggest these fraudulent contact methods above genuine results. We identified one such instance where an AI-generated summary incorrectly promoted an inauthentic support number (1-855-518-8609) that solicited sensitive account information from Apple Pay users. This activity is a core component of a broader campaign we’re tracking that targets this and other peer-to-peer (P2P) payment services, such as Venmo and Cash App.

Key Takeaways

  • SEO Manipulation: Fraudsters are using SEO tactics to promote inauthentic support numbers for Apple Pay, Venmo, and Cash App.
  • AI Overview Risks: We identified instances in which search engine AI features incorrectly listed scam numbers as legitimate contact methods for reporting fraud.
  • Compromised Infrastructure: Scammers are planting malicious PDF documents on compromised WordPress subdomains, including government and educational sites, to gain search authority.
  • Customer Redirection: This activity targets users at their most vulnerable moment: when they are already seeking help to report an existing fraud incident.

Financial institutions and P2P payment providers face an evolving threat where fraudsters hijack the customer support journey itself. By influencing search engine results to favor inauthentic PDF "support guides," scammers are successfully redirecting customers toward fraudulent call centers. We monitored this activity to understand how these actors manipulate search rankings and what it means for financial risk teams.

 

How Scammers Poison the Search Environment

We observed fraudsters planting PDF documents on the subdomains of 14 likely compromised websites. These sites, often built on WordPress, include domains that are incongruous with payment support content, such as local government portals and university pages. By hosting content on these high-authority "trusted" domains, scammers increase the likelihood that their fraudulent PDFs will rank prominently in search results.

These documents often repeat inauthentic phone numbers and common search terms, such as "how to add money to Apple Pay without a debit card." The use of identical favicons that do not match their domains suggests a coordinated attempt at SEO injection. We've tracked the phone number 1-855-518-8609 in near-identical scams since at least November 2016, indicating a persistent tactical playbook.

 

Does AI Amplification Increase Fraud Risk?

The integration of generative AI into search engines has introduced a new friction point for fraud prevention. In the case we analyzed, the search engine's AI Overview synthesized information from these malicious PDFs and presented a scammer's phone number alongside legitimate guidance. By featuring the inauthentic number as a primary contact method, the AI Overview bypasses traditional user skepticism by blending scam content with legitimate advice. When an AI summary presents a scam number as a "key contact," users may be less likely to notice they have left an official brand environment.

 

Targeting the "Fraud-Within-Fraud" Loop

A more concerning aspect of this campaign is its timing within the victim’s lifecycle. The scammers are specifically targeting individuals who seek contact details to report fraud. This "recovery scam" model relies on the user’s urgency, making them more likely to provide credentials to a fraudulent support agent.

We found these phone numbers appearing in searches for Apple Pay, Venmo, and Cash App support. The actors frequently use keywords related to "bypassing" security measures or "adding money without a card" to attract users. For banks, this means customers may inadvertently compromise their accounts while attempting to secure them.

 

Strategies for Financial Risk Teams

Financial institutions can mitigate the impact of SEO poisoning by focusing on customer education and proactive monitoring of search results.

Understanding the infrastructure behind these lures is also critical. We've observed that these campaigns often use identical favicons across different compromised subdomains, suggesting a coordinated operation. By tracking signals such as the phone numbers 1-855-518-8609, 1-866-707-0587, and 1-844-924-1477, banks can better flag suspicious activity.
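One way a risk team could turn these signals into a monitoring check, shown as an added example rather than code from our platform: it normalizes phone numbers found in collected search results, matches them against the three numbers above, and groups flagged hosts that share a favicon. The result-record fields, the favicon labels, the OFFICIAL allowlist and the sample hosts are assumptions constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import urlparse

# Phone numbers this page reports as scam indicators, stored as 10 digits.
WATCHLIST = {"8555188609", "8667070587", "8449241477"}
BRANDS = ("apple pay", "venmo", "cash app")
# Assumption: hosts the institution treats as official support origins.
OFFICIAL = ("apple.com", "venmo.com", "cash.app")
# North American number, optional +1/1 prefix, mixed separators.
PHONE_RE = re.compile(
    r"(?<!\d)(?:\+?1[\s.\-]*)?\(?(\d{3})\)?[\s.\-]*(\d{3})[\s.\-]*(\d{4})(?!\d)"
)

def phones(text):
    """Return every phone number in text as a bare 10-digit string."""
    return {"".join(m.groups()) for m in PHONE_RE.finditer(text)}

def is_official(host):
    return any(host == d or host.endswith("." + d) for d in OFFICIAL)

def triage(results):
    """Flag brand-support results on non-official hosts that list a phone number."""
    alerts, by_favicon = [], defaultdict(set)
    for r in results:
        host = (urlparse(r["url"]).hostname or "").lower()
        text = f'{r["title"]} {r["snippet"]}'.lower()
        brand = next((b for b in BRANDS if b in text), None)
        found = phones(text)
        if not brand or not found or is_official(host):
            continue
        alerts.append({"host": host, "brand": brand,
                       "known": sorted(found & WATCHLIST),
                       "new": sorted(found - WATCHLIST)})
        by_favicon[r["favicon"]].add(host)
    # The same favicon on unrelated flagged hosts suggests one coordinated operation.
    clusters = {f: sorted(h) for f, h in by_favicon.items() if len(h) > 1}
    return alerts, clusters

# Constructed sample records; hosts and favicon labels are placeholders.
SAMPLE = [
    {"url": "https://docs.parks.city.example/wp-content/uploads/guide.pdf", "favicon": "fav-01",
     "title": "Apple Pay support number", "snippet": "Report fraud: call 1 (855) 518-8609 now"},
    {"url": "https://alumni.university.example/wp-content/uploads/help.pdf", "favicon": "fav-01",
     "title": "Venmo customer service", "snippet": "Dial +1.866.707.0587 or 1-800-555-0100"},
    {"url": "https://support.apple.com/apple-pay", "favicon": "fav-02",
     "title": "Apple Pay - Official Apple Support", "snippet": "Contact Apple Support"},
]

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Numbers returned under "new" are not on the watchlist but appear in the same lure context, so they are candidates for analyst review rather than confirmed indicators.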


Protect Your Brand from Search-Based Fraud

As search engine AI increasingly synthesizes fraudulent “support” numbers, the window to protect your customers is shrinking. If you'd like to see how our platform identifies these coordinated SEO poisoning attempts before they reach your users, book a demo.