Week 3: When hackers use search engine optimisation

20.01.2026 - Many people think of search engines as reliable guides to the internet. The displayed results give the impression that the content has been verified and is relevant. Scammers exploit this trust. They deliberately manipulate search results to redirect users to fraudulent websites, often without the operators of the affected legitimate websites or their visitors noticing straight away.

Over the past few weeks, the NCSC has received multiple reports of manipulated Google search results. In each case, the starting point was suspicious search results linked to legitimate, fairly well-known websites. While the correct website titles were displayed in the search results, the descriptions shown underneath contained cryptic text, incoherent character strings or misleading statements. These descriptions bore no obvious relation to the actual content of the websites. Clicking on the search result led to a scam website. However, when the same web address was entered directly into the browser rather than accessed via a Google search result, the expected legitimate content was displayed.

Fake Google search results where the title is correct but the descriptions don't match.

The content delivered by a website therefore depends on how, and from where, the site is accessed. Each time a page is loaded, the browser sends technical information to the web server. This includes the 'user agent', which contains details about the browser, operating system and device type being used. The HTTP referrer (the 'Referer' header) is also transmitted, indicating which website the visitor came from.

Under normal circumstances, this information is used to optimise websites from a technical perspective, for example, to adapt content to different screen sizes. However, in the cases reported to us, it is used for fraudulent purposes. The affected websites deliver manipulated content, or trigger redirects when accessed via Google, while regular visitors opening the website directly are shown the legitimate, unmanipulated content.

As the website appears to work correctly when accessed directly, the manipulation often goes undetected for a long time. The scammers count on website operators initially dismissing reports from concerned visitors: operators usually open their own site directly rather than via Google, see the legitimate content, and so have no reason to suspect that it has been compromised.

The same technique is also used to manipulate how Google's search engine perceives a website. Google continuously scans the web for new or updated websites. To do this, the search engine uses its own crawler, which identifies itself as 'Googlebot' in its user agent. Malicious code injected into a website analyses the user agent for the term 'Googlebot' and, if detected, deliberately delivers manipulated content. This content is then adopted in the preview shown in the search results. The website's relevance, and therefore its ranking, initially remains unchanged. For a period of time, therefore, the scammers are able to benefit from the legitimate website's reputation and visibility. For this reason, hackers primarily target websites with the highest possible ranking.
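Website operators can check for exactly this behaviour by requesting their own pages the way the article describes the crawler and a Google visitor would. The script below is an added example and not part of the NCSC article: it fetches one URL as a plain browser, with a 'Googlebot' user agent, and with a Google referrer, and reports any variant that ends up at a different URL or serves different visible content. The user-agent strings, the `fetch` parameter and the `check_cloaking` helper are assumptions of this example.

```python
import hashlib
import re
import urllib.request
from typing import Callable, Dict, Tuple

# Request variants to compare. The browser user agent is constructed for this
# example; 'Googlebot' is the token the article says injected code looks for.
VARIANTS: Dict[str, Dict[str, str]] = {
    "direct": {"User-Agent": "Mozilla/5.0 (example-browser)"},
    "googlebot": {"User-Agent": "Mozilla/5.0 (compatible; Googlebot/2.1)"},
    "from_google": {
        "User-Agent": "Mozilla/5.0 (example-browser)",
        "Referer": "https://www.google.com/",
    },
}
# A fetcher maps (url, headers) to (final URL after redirects, body text).
Fetcher = Callable[[str, Dict[str, str]], Tuple[str, str]]

def http_fetch(url: str, headers: Dict[str, str]) -> Tuple[str, str]:
    # Default fetcher: follow redirects, return (final URL, body text).
    req = urllib.request.Request(url, headers=headers)
    with urllib.request.urlopen(req, timeout=15) as resp:
        return resp.geturl(), resp.read().decode("utf-8", errors="replace")

def fingerprint(body: str) -> Tuple[str, str]:
    # Reduce a page to (title, hash of visible text) so that whitespace or
    # script/style differences alone do not raise a false alarm.
    m = re.search(r"<title[^>]*>(.*?)</title>", body, re.I | re.S)
    title = " ".join(m.group(1).split()) if m else ""
    text = re.sub(r"<(script|style)[^>]*>.*?</\1>", " ", body, flags=re.I | re.S)
    text = re.sub(r"<[^>]+>", " ", text)
    text = " ".join(text.split()).lower()
    return title, hashlib.sha256(text.encode()).hexdigest()

def check_cloaking(url: str, fetch: Fetcher = http_fetch) -> Dict[str, str]:
    # Fetch the URL once per variant; report each variant whose final URL or
    # content fingerprint differs from the plain 'direct' request.
    results = {name: fetch(url, hdrs) for name, hdrs in VARIANTS.items()}
    base_url, base_body = results["direct"]
    base_fp = fingerprint(base_body)
    findings: Dict[str, str] = {}
    for name, (final_url, body) in results.items():
        if name == "direct":
            continue
        if final_url != base_url:
            findings[name] = f"redirected to {final_url}"
        elif fingerprint(body) != base_fp:
            findings[name] = "different content for the same URL"
    return findings
```

Run `check_cloaking("https://your-site.example/")` against each important landing page; an empty result means all three variants agree, while any entry is worth investigating in the CMS files and server configuration.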

Psychological aspects of the manipulation

The success of this approach depends not only on technical methods, but also on human factors. People place a high level of trust in search engines and generally assume that the displayed results are relevant and reliable. This trust can lead to a kind of 'cognitive shortcut', where you click on search results without closely examining each one in detail. Scammers exploit this automatic behaviour by making their websites appear legitimate, displaying correct titles and only redirecting you to fraudulent content once you have clicked on the link.

The authority effect also plays an important role: when a website appears high up in search results, it tends to be perceived as more credible and trustworthy. This increases the likelihood that you will click on a fraudulent link. By combining technical manipulation with these psychological tricks, scammers can significantly increase their chances of success without you – or even the operators of the compromised websites – noticing.

Recommendations

  • Attacks on content management systems (CMS) can be significantly reduced by promptly installing all available updates.
  • In addition to standard username and password authentication for access to the administration area, we recommend using two-factor authentication (2FA).
  • Access to the administration area should also be restricted to the IP addresses used by administrators.

Last modification 20.01.2026

https://www.ncsc.admin.ch/content/ncsc/en/home/aktuell/im-fokus/2026/wochenrueckblick_3.html