How AI is increasing the threat from ad hijacking & impersonation fraud – And how to fight back

AI makes it increasingly easy to fool people. It can manipulate truth, create convincing fakes, and erode trust. And nowhere is this more dangerous than in digital marketing, where ads, brands, and budgets are on the line.

In this article, I’ll explore three major ways fraudsters exploit paid advertising – impersonation fraud, brand bidding, and phishing ads – and how marketers can fight back.

The Rise of Impersonation Fraud

Recently, my 16-year-old son texted me about a suspicious message he’d received.

It claimed to be from Royal Mail, saying his parcel couldn’t be delivered because of “missing or damaged address information.” It even included a link to “fix the problem.”

Even my 16-year-old knew not to click it. It was obviously a scam.

But fraud has evolved far beyond suspicious text messages. Scammers are now using Google Ads to impersonate legitimate brands, creating ads that look completely authentic — but are actually malicious.

Take this example:
A Google ad appeared to promote a Chase credit card, with perfect branding and copy. Everything looked legitimate. But when we dug deeper, we discovered it wasn’t Chase at all. The advertiser behind the ad was Yangun Digital Technology, a company based in Hong Kong.

This is impersonation fraud: a fraudulent advertiser creates an ad that mimics a real brand to deceive users.

Why Fraudsters Do It

The motive is simple: money.

Many of these scammers are affiliate marketers who insert their affiliate links into the ads. When a customer clicks and converts, they get a payout. Some fraudsters are making $20,000 a month or more targeting a single brand — and many target multiple brands simultaneously.It’s lucrative, but it’s also illegal. Affiliate programs explicitly prohibit this behavior.

How to Detect Fake Ads

So how can brands spot impersonation fraud? Like a poker player spotting a bluff, there are “tells” you can watch for:

1. Grammar and spelling errors
   Fraudsters often slip up with copywriting.
   Example: In one fraudulent ad for “Get Your Guide,” the brand name appeared in lowercase letters — a detail inconsistent with the official brand.
   
2. Google Ads Transparency Center
   By clicking the three dots on an ad, you can see details about the advertiser.
   
   • If the advertiser’s legal name and location don’t match the brand’s, it’s a red flag.
     
   • Example: A fake “Get Your Guide” ad traced back to Hong Kong Lucky Star, not the official company.
     
3. Suspicious user journeys
   Scammers often hide behind multiple redirect domains.
   
   • You might briefly see URLs flicker as you click through.

These redirects mask the fraudster’s true destination, making it harder to trace.

How to Respond to Impersonation Fraud

Once you identify impersonation fraud, there are three ways to take action:

1. Stop or suspend the affiliate
   Remove them from your program. This is the most effective step — when they stop getting paid, they stop bidding.
   
2. Report the ads to Google
   This is worth doing, but in my experience, it’s far less effective.
   
3. File a report with the affiliate network
   Networks like Awin or CJ Affiliate have systems for flagging abuse.
   
4. The bottom line? Cut off the money supply first. That’s how you disrupt the fraud.

Brand Bidding and Trademark Infringement

The second major problem is brand bidding — when competitors bid on your brand’s keywords to capture your traffic.

We’ve all done it. It’s perfectly legal and part of a free market. But when it’s combined with trademark infringement, it becomes a serious issue.

For instance, imagine you work for Emirates and manage their PPC campaigns. You search for “Emirates Flights,” expecting to see your ads on top. Instead, you see this:

“Emirates Promo Code 2025 – Flat 10% Off!”

Sounds great, right? The problem? The discount doesn’t exist.

When a user clicks, they land on a fake coupon page — complete with an affiliate link. The fraudster gets paid, Emirates’ brand reputation suffers, and their ad budget takes a hit.

Why Brand CPCs Are Rising

Over the past year, many advertisers have noticed skyrocketing brand CPCs.

One UK advertiser I spoke with saw an 89% increase in just nine months.

There are a few reasons for this:

• More competitors in the auction
  Analysis of one US client showed that the number of advertisers bidding on their top brand terms more than doubled leading up to Christmas.
  
• Less organic real estate
  Google keeps adding more ad placements while reducing organic results.

Broad match and Performance Max campaigns
Brands are accidentally bidding on competitor terms they never targeted before.

How to Fight Back

There are three main tactics for combating trademark infringement:

1. Legal action
   Send cease-and-desist letters or pursue other legal avenues.
   
2. Mutual agreements
   Some brands form agreements not to bid on each other’s terms.
   
3. Report to Google
   Since June 2024, Google no longer proactively monitors trademarks. Brands must now do this themselves.

One of our clients reduced their brand CPC by 20% in three months by aggressively monitoring and reporting trademark violations.

Phishing Ads: The Most Dangerous Threat

The third and most damaging form of ad fraud is phishing ads — where fraudsters use ads to steal data or money.

A recent case involved Shopify.
We discovered a Google ad for “Shopify Phone Support.”
Here’s the thing: Shopify doesn’t have phone support.

When we clicked, the ad took us to what looked like Shopify’s legitimate domain. But a query injection had inserted a fake support phone number.

When we called, a scammer posing as “Eric from Shopify” answered.
He asked for an email address, then sent a real Shopify password reset email — but instructed us to reset our password using one they provided: secure@1234.

If we had complied, they would have hijacked the account and stolen sensitive business and customer data.

This scam was terrifying because it exploited two trusted systems:

1. Google Ads
2. Shopify’s own domain

And it’s not limited to retail. In December, scammers ran phishing ads targeting marketing agencies, tricking PPC managers into entering their Google Ads login details on fake Google domains. Some agencies lost control of their accounts and saw massive amounts of money spent by hackers.

How to Protect Your Brand

Digital ad fraud is a growing threat, but brands can fight back. Here’s a three-step plan:

1. Audit regularly
   
   • Search for your brand keywords manually.
   • Use Google’s Ad Transparency Center to verify advertisers.
     
2. Automate monitoring
   
   • Manual checks are fine for small brands, but at scale, you need an ad fraud monitoring tool.
   • Specialized tools can detect fraud in real time.
     
3. Enforce rigorously
   
   • Report violations.
   • Remove bad affiliates.
   • Protect your trademarks.

The Future of Digital Marketing

In the future, the brands that win won’t just have the best ads — they’ll be the ones who protect their ad budgets.

Fraudsters are smart, persistent, and well-funded. But with vigilance, technology, and a proactive approach, marketers can take back control.

Ad fraud sucks. Phishing sucks. Trademark infringement sucks.
Don’t let fraudsters steal your budget — or your brand.

Jonny Giddens is a fraud expert at Impersonally.io.

This article is based on a talk given by Jonny at Hero Conf UK in April 2025. You can watch a recording of the talk below.