Hotel Scams via Google Ads: The Anatomy of Malvertising

For the vacation sector in Turkey, Google is the first point of reference. Even when you type the name of a resort that has proven its authority over the years in organic results, the first 2 to 4 links you see will likely carry the "Sponsored" label.

The problem is, the ad listed at the very top isn't always from the "real" hotel.

Google Ads allows brand names to be used as targeting keywords. For example, let's say your hotel's name is "Mavi Koy Resort." A fraudster can bid much higher than you on the keyword "Mavi Koy Resort Prices" by spending a nightly ad budget.

You spend years on SEO for your own site; the fraudster, however, launches an ad for a fake site for a few hundred liras and lures all clicks into their trap in the first hour. This type of attack is called malvertising (malicious advertising), and the hotel sector is among the most targeted industries.

From a user perspective, the situation is even more concerning: even a security-conscious consumer who has been shopping online for years acts with the prerequisite that "Google ads are reliable." This psychological blindness is the fraudsters' greatest weapon.

The fraudster first selects the target hotel. While large, well-known properties with high search volume are primary targets, medium-sized boutique hotels are also frequently targeted. This is because boutique hotels generally have weaker brand protection mechanisms.

Once the target is identified, these steps are followed:

• A typosquatting domain close to the hotel's real domain is purchased (e.g., "mavikoyresort-prices.com" or "mavi-koy-resort.net"). Read our hotel domain security guide for a detailed analysis of typosquatting attacks.
• A fake website is created that copies images, text content, and even customer reviews from the real hotel.
• Contact information, a fake reservation form, and payment infrastructure are set up for the fake site.

When the fake site is ready, the Google Ads campaign is established. The fraudster uses several techniques:

Brand name keyword targeting: The real hotel's name is added to the keyword list with variations like "Mavi Koy Resort reservation," "Mavi Koy Resort early booking," and "Mavi Koy Resort price." Bidding on competitor brand names is not strictly prohibited in Google policy; only direct use in the ad copy is restricted.

Display URL manipulation: Ad systems allow the display URL to be different from the actual redirect URL. The fraudster writes "mavikoyresort.com/special-offer" as the display URL; the real landing page is on a completely different domain.

High quality score optimization: A metric called "quality score" is used to rank higher at a lower cost in Google Ads. Fraudsters prepare the ad copy and landing page to optimize this metric; thus, they can rank higher than the real hotel owner for less money.

This technique is the most sophisticated method for bypassing Google's ad approval process. When creating the ad, the fraudster shows Google's automated approval bots a completely legal, harmless site. Once the ad is approved, a script is activated in the background.

This script analyzes the visitor's IP address, browser fingerprint (user agent), and behavior patterns. Visits from Google's bot IP ranges are redirected to the legal site; a visit from a real user lands on the fake hotel page.

Cloaking violates both Google Ads policy and consumer protection laws in many countries. In Turkey, it constitutes a crime under the relevant articles of the Electronic Commerce Law.

Specific phrases are used in sponsored ad copies: "Last 3 Rooms," "Ends Today: 60% Discount," "Summer Season Almost Full," "Price for This Week Only."

This technique is known as scarcity marketing and is also used by legitimate businesses. The difference for fraudsters is that they create artificial pressure without actual scarcity. The user's rational thinking time is shortened; "fear of missing out" (FOMO) is triggered, leading to an instantaneous decision on the payment page.

A price thirty or forty percent lower than the price on the real hotel's official site is shown. When the user who fills out the reservation form reaches the payment stage, various "additional fees" come into play: "Hotel delivery fee," "Environmental tax," "Early check-in completion fee." These additions bring the price closer to the real price; however, by the time the user reaches this point, they have already entered their credit card information.

To understand whether a Google Ads advertisement is fake, the following checks can be performed:

• Check if the ad URL and the display URL match perfectly. Any difference is a warning sign that needs investigation.
• Examine the actual domain in the browser address bar after clicking. Domains with hyphens, dots, or numbers added to the well-known hotel name should be considered suspicious.
• The presence of the SSL lock icon on the payment page is not enough on its own; fake sites also use HTTPS. Check out our guide explaining how to verify the reliability of SSL certificates.
• Why is the price so different from the price on the hotel's own website? Even in a real campaign, there should be a reasonable explanation for this difference.

Google Ads has a trademark protection policy. You can fill out Google's trademark complaint form with your registration documents for your brand.

If this application is accepted, the following results are obtained:

• Third parties are prevented from using your brand name in ad copies.
• Suspicious campaigns launched with your brand name are taken under manual review by the Google team.
• Thanks to automatic violation detection, newly launched fake campaigns are disabled faster.

However, there is a limitation: Google generally does not prevent third parties from targeting your brand name as a keyword. Only direct use in the ad copy is restricted.

Launching a defensive (protective) ad campaign to rank first in searches for your own brand is an effective measure. The advantages of this approach are:

• When you bid on your own brand name, your quality score will be very high; therefore, your cost per click will be lower.
• To surpass you, the fraudster needs to spend a much higher budget; this makes the fraud unprofitable.
• When you guarantee the first spot, the probability of the user clicking on another ad significantly decreases.

Fake Google Ads campaigns are usually short-lived: they stay active for a few days to a few weeks, then the account is closed and the process repeats with a new account. They can leave serious damage within this cycle.

Therefore, early detection of new campaigns targeting your brand is critical. It is necessary to regularly search for your own name on search engines, check the URLs of "Sponsored" results, and utilize tools that automate these processes. See this guide for all steps to detect fake hotel sites and initiate takedown processes.

When you encounter a fake Google Ads advertisement, follow these steps:

1. Take a screenshot of the advertisement; record the full URL, ad title, and date.
2. Use the in-ad complaint mechanism by clicking the Google Ads "Is this ad wrong?" link.
3. Report the phishing URL to Google Safe Browsing.
4. Communicate with the Google Ads support team as the authorized brand owner and document the trademark violation.
5. If you are in Turkey, make an additional report to BTK.

The process usually results within 24 to 72 hours; however, the process starts over if the fraudster opens a new account.

Is it safe to click on a Google ad? Google ads are not automatically harmful; however, one should be careful. After clicking, check the URL in the address bar. If it doesn't match the original hotel domain exactly, do not enter personal or payment information. When in doubt, close the ad and enter the hotel's official site by typing the URL directly into the bar.

I have been subjected to fraud, what can I do? First, call your bank and request a chargeback. This process for credit card payments usually results within 120 days. Then file a criminal complaint with the prosecutor's office and report the URL to Google Safe Browsing. Read this guide for all the steps you should follow when you fall victim to fake vacation sites.

Why does Google allow these ads? Google Ads policies are designed to prevent overt abuse; however, cloaking techniques make detection difficult during the ad approval stage. Google is constantly working on algorithm development in this regard. Reports directly contribute to the improvement of the system; therefore, it is important to report every fake advertisement.

Can I track fake ads for my hotel myself? Yes, you can manually check "Sponsored" results by searching for your own brand name every few days in private/incognito mode of the browser. Using incognito mode prevents personalized results from being hidden and allows you to see the same page the fraudster shows the real consumer. For more comprehensive and automated monitoring, professional brand protection tools should be consulted.