
Malvertising: The Fake Ads Hiding in Plain Sight on Google

Your practice manager searches Google for a software tool the team uses. She clicks the top result - it looks exactly right, same logo, same layout - and enters her work login. Two days later, someone is inside your systems using those credentials. This is not a hypothetical. It is how malvertising works, and it is becoming more common.

Malvertising is the use of paid online ads to deceive people into handing over login credentials, downloading malware, or revealing personal information. These ads appear in Google search results, on social media feeds, and across well-known websites. They look identical to legitimate advertising. The URL might be one letter off. The landing page might be a perfect copy of the real thing. Hackers can have these ads running for hours or days before Google catches them - plenty of time to do real damage.

The risk for a professional services business is not just a compromised personal account. A stolen login can give an attacker access to client records, financial data, and internal systems. Under the NZ Privacy Act 2020, a breach involving client information carries real legal and reputational consequences. If you are not sure what that looks like for your practice, the Office of the Privacy Commissioner at privacy.org.nz is the right starting point. For reporting a cyber incident, CERT NZ at cert.govt.nz is where to go.

The practical answer is not to train your whole team to scrutinise every URL - though that helps. It is to have the right technical layers in place so that even an accidental click does not become a disaster. DNS filtering is one of the most effective tools here. It sits between your team and the internet, and redirects any browser that tries to reach a known malicious site to a warning page instead. The person may have clicked the ad, but the filter catches it before any harm is done. Pair that with up-to-date security patching and a good anti-malware solution, and your risk drops substantially.
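To make the filtering decision concrete, here is an added Python sketch (not ITstuffed's or any vendor's code) of what a DNS filter does with each lookup. The domains, the warning-page address and the function names are constructed for illustration, and the "one letter off" check goes a step beyond the plain blocklist described above.

```python
# Added illustration. All domains and the address below are constructed.
BLOCKLIST = {"login-payroll-example.test"}              # "known malicious" zones
TRUSTED = {"payroll-example.test", "docs-example.test"}  # sites the team really uses
WARNING_PAGE_IP = "192.0.2.1"                            # where blocked lookups are sent


def normalise(host):
    """Lower-case and drop the trailing dot allowed on a fully qualified name."""
    return host.strip().lower().rstrip(".")


def in_zone(host, zone):
    """True if host is the zone itself or any subdomain of it."""
    return host == zone or host.endswith("." + zone)


def edit_distance(a, b):
    """Levenshtein distance, computed one row at a time."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(host):
    """Return the trusted domain this host is exactly one character away from."""
    labels = host.split(".")
    for trusted in sorted(TRUSTED):
        # Compare only the rightmost labels, so "app.<lookalike>" is caught too.
        candidate = ".".join(labels[-len(trusted.split(".")):])
        if edit_distance(candidate, trusted) == 1:
            return trusted
    return None


def filter_query(host):
    """Return (action, detail) for one DNS lookup."""
    host = normalise(host)
    if any(in_zone(host, zone) for zone in BLOCKLIST):
        return ("warning_page", WARNING_PAGE_IP)   # known bad: answer with the warning page
    if any(in_zone(host, zone) for zone in TRUSTED):
        return ("allow", None)
    match = lookalike_of(host)
    if match:
        return ("review", match)                   # one letter off a site the team uses
    return ("allow", None)
```

A "review" result is a prompt for whoever manages the filter to look at the domain, since a one-character difference can also be an unrelated legitimate site.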

Good habits still matter. The simplest rule: do not click ads to reach a website you already know. Type the address directly, or use a bookmark. If an ad promises a download - a free tool, a PC cleaner, a popular application - ignore it entirely. Legitimate software is not distributed through Google ads. And if anyone in your team spots a suspicious ad, tell them to flag it to whoever manages your IT support rather than investigate it themselves. Understanding the unexpected ways hackers get into business accounts can help your team stay alert to threats beyond malvertising.

Handling this well means having someone who keeps the protective layers up to date, monitors for threats, and can respond quickly when something does slip through. That is exactly what managed IT support for professional services businesses is designed to do - not just fix things when they break, but stop the easy wins that attackers rely on. See how this approach has worked in practice through our professional services IT support case study.

If you are not sure whether your current setup would catch something like this, ITstuffed offers a 15-minute IT Fit Check at itstuffed.co.nz/booking - a quick, honest conversation about where your gaps are.
