Cloud Services, 1st June 2026
What is Malvertising?
When most people think about malware, they think about a piece of malicious software that is installed on their computer, ransomware attacks, or even suspicious emails, dodgy attachments, or fake text messages from “PayPal”, “Amazon”, or even their mobile network.
Malvertising is different. It uses online advertising across a wide range of platforms as the delivery method.
This means a user can be exposed to a cyber threat through an advert on a website or social media platform, a sponsored search result, or a malicious redirect to something that appears to come from a legitimate platform or trusted brand.
The UK’s National Cyber Security Centre defines malvertising as the use of online advertising as a delivery method for malware or other malicious activity (such as fake item/service sales).
For businesses, malvertising matters for two reasons:
First, the people within your business can become victims by clicking a malicious advert, downloading fake software, entering credentials or uploading data into an impersonated website.
Second, your own brand can be copied by cyber criminals and used in fake adverts to trick customers, suppliers, job applicants, or staff. This creates financial risk, operational disruption, and reputational damage.
At TwentyFour IT Services, we see malvertising as part of the wider cyber security challenges that businesses are now facing. It sits at the intersection of phishing, brand impersonation, malicious software, compromised websites, and weak identity security, and as such it is essential that businesses have the tools, processes and security in place to protect themselves and their clients from these new methods of attack.
Malvertising isn’t just a consumer problem. It is a business risk.
What does malvertising mean?
Malvertising is short for malicious advertising.
In short, it is when criminals use fake online adverts, ad networks (such as Google Ads or Facebook/Meta Ads), sponsored search listings, or malicious redirects within the advertising ecosystem to impersonate a real business, deliver a scam, steal data and other credentials, distribute malware, or launch larger attacks.
Sometimes the advert itself is the trap. It may pretend to be a software download, a login page, a browser update, a helpdesk tool, a job opportunity, or a sale on a “must have” item. In many cases the advert leads to a legitimate-looking website that hosts the real attack. The user thinks they are clicking a normal sponsored result or banner. However, in reality, they are being redirected into a fraud or malware chain.
How does a malvertising attack work?
A typical malvertising attack usually follows a familiar pattern.
A cyber criminal creates a fake advert, or a malicious redirect from a real advert, which is designed to look trustworthy. That advert may impersonate a well-known brand, a software company, a cloud platform, or even an internal business function such as IT support or HR.
The victim then sees the advert in search results, on a website, social media, or through an ad placement on a platform they already trust.
Once clicked, they are sent to a fake landing page, where they could be:
- Prompted to sign in
- Asked to download software
- Tricked into running a command (see ClickFix)
- Persuaded to purchase an item
- Asked to upload some data
- And much more besides.
The impact depends on the attacker’s goal. It could lead to stolen usernames and passwords, browser cookies, money or financial data, remote access to a device, ransomware, or follow-on attacks which could target your wider business and/or clients.
In December 2024, Microsoft reported a large-scale malvertising campaign that impacted nearly one million devices globally, with users redirected from illegal streaming sites through a series of legitimate-looking pages to malware-hosting infrastructure on platforms including GitHub.
Why is malvertising effective?
Malvertising works because it abuses user trust.
People trust search engines, mainstream websites, social media, familiar logos, and sponsored listings that appear at the top of search results.
Criminals know that many users do not look closely at the destination URL before clicking. They also know that fake adverts, login portals, and business-branded campaigns can look convincing enough to bypass even a common-sense cursory glance, especially when the message feels routine or urgent.
It also works because attackers no longer need to rely only on phishing emails, which people and businesses are already putting tools, processes and training in place to protect themselves from. Search ads, fake landing pages, browser prompts, compromised advertiser accounts, and AI-generated content have made online deception faster and easier to scale, whilst using platforms that have traditionally hosted trusted content.
Would you expect that a Google Search result or an advert on Facebook could instead be sending you to a malicious website?
Microsoft has warned that AI-powered deception is making fraud campaigns far more convincing, while Google says it continues to update its misrepresentation policies and suspend accounts that break those rules. However, more fraudulent advertiser accounts are being created for every one that is suspended.
Malvertising Examples in the News
Recent reporting shows that malvertising is not just a theoretical issue, but one that people and businesses are facing every day.
In March 2025, Microsoft disclosed a large malvertising campaign from December 2024 that led to information- and data-stealing repositories being hosted on GitHub and other platforms. Microsoft said the attack chain affected nearly one million devices worldwide and began with malicious redirect activity linked to illegal streaming sites.
In January 2025, Malwarebytes reported a campaign in which criminals used fake Google Ads to compromise advertiser accounts. The attackers impersonated Google Ads itself, creating convincing landing pages, and aimed to steal Google Account credentials that could then be used to fuel further malvertising activity through legitimate business accounts.
Malvertising is also a growing issue on social media. In June 2025, Malwarebytes highlighted fake bank adverts on Instagram that impersonated trusted financial services and, in some cases, used deepfake videos or domain impersonation to trick victims into handing over personal and financial information.
Similarly, Facebook has been used as a delivery route for malvertising campaigns. In February 2026, it was reported that cyber criminals were running paid Facebook adverts made to look like official Microsoft ads. These then redirected users to near-perfect fake Windows 11 download pages that delivered password and session cookie-stealing malware instead of legitimate software.
In 2025 our very own Marketing Manager A.J. Redfern uncovered a sophisticated malvertising campaign impersonating the Smyths Toys brand, in which attackers were trying to trick users into handing over personal information and money.
In March of 2026, Meta stated that it removed more than 159 million scam ads in 2025 and took down 10.9 million accounts on Facebook and Instagram associated with criminal scam centres. However, this has left many online questioning how this many adverts made it past Meta’s advert verification process, especially when Meta had already acknowledged in late 2024 that so-called “celeb-bait” scam adverts and broader impersonation-based scams were serious enough to justify testing new protective measures.
On X, the risk often appears as user or brand impersonation, using deceptive profiles and malicious links in comments and direct messages that exploit the trust placed in public brands or individuals to drive users into scams. X’s own authenticity rules prohibit impersonation intended to deceive, which underlines how real the threat has become across social platforms, even where specific campaigns vary in form.
These examples all point to the same result. The route into a business is no longer limited to just phishing emails. A sponsored search result, a fake advert, or a social media ad impersonating a trusted brand can all be enough to start an attack.
How can people and businesses protect themselves from malvertising?
Protecting against malvertising takes more than user awareness alone. People should be cautious about any links they click on, including sponsored search results, social media adverts, and promoted posts, especially when downloading software, logging in, or entering payment details. Visiting the official website directly, rather than clicking an advert, is often the safer option. If you do click, always double check the URL you are being sent to and make sure it is genuine.
For businesses, one of the most effective controls for protecting users is Web Gateway Security. This helps block users from reaching known malicious or fake websites, even if they click a harmful advert. If a user is redirected to a spoofed login page, fake software download, or malware-hosting site, a secure web gateway can stop that connection before any damage is done. Beyond this, it is possible to host the browsing session inside a secure environment known as Remote Browser Isolation (RBI), insulating users (and the networks they connect to) from malicious sites that aim to distribute malware, and even monitoring for websites that ask you to enter or upload data that could put you or your business at risk.
This should be supported by DNS filtering, Advanced Endpoint Detection and Response (EDR), and Multi-Factor Authentication (MFA) & Single Sign-On (SSO) across all sites and accounts that support this. Together, these tools help block dangerous websites, detect malicious activity on devices, and reduce the risk of stolen credentials being used to access business systems.
Businesses can strengthen this further with a Zero Trust approach to application and network access. Rather than giving users broad access to internal systems, this limits access only to the specific applications and services they need. That means even if credentials are compromised through a fake advert or malicious website, an attacker has far less opportunity to move through the network or reach critical systems. With the addition of Zero Trust Network Access (ZTNA) you can ensure that critical cloud services can only be accessed via authorised IP addresses.
However, even with tools like these in place, businesses should also train staff to recognise suspicious adverts and fake websites, not just phishing emails. At the same time, they should monitor for fake domains, spoofed adverts, and misuse of their brand online, so impersonation attempts can be identified, reported and removed quickly.
At TwentyFour IT Services, we help businesses take a layered approach to protection, combining user awareness, web gateway security, endpoint protection, identity security, Zero Trust access controls, and proactive monitoring through our Cyber Security Operations Centre (CSOC) to reduce the risk of malvertising turning into a wider cyber security incident.
How can businesses stop their brand being used in a malvertising campaign?
This is where cyber security and brand protection need to work together.
The NCSC recommends that brands work with advertising partners that take security seriously and have clear controls for preventing malicious advertising. It also advises organisations to have a takedown process for malicious content that abuses their brand, including phishing sites and fraudulent domains.
In practice, that means monitoring for the use of fake domains, suspicious ad placements, impersonation attempts, fraudulent landing pages, and unauthorised use of your brand in search and social campaigns, and reporting these as soon as they are noticed. It also means securing your own advertising accounts by verifying official domains, locking down access to ad platforms through the use of MFA on marketing and admin accounts, reviewing change logs, restricting privileged access, and keeping a clear incident response path for takedowns and customer communications.
It is also recommended that businesses register common domain variations (such as 24it.co.uk for ourselves), secure their brand presence through regular communications which include official contact and URL details, and monitor for fake social media profiles or fraudulent ads to reduce impersonation risk.
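As an added illustration of the fake-domain monitoring described above (not code from TwentyFour IT Services), the Python sketch below triages advert destination URLs against a brand's official domains. The brand name, official domains, suffix list, look-alike map and distance threshold are all assumed placeholders.

```python
import unicodedata
from urllib.parse import urlsplit

# Assumptions, not from the article: every constant below is an illustrative placeholder.
BRAND = "examplebrand"
OFFICIAL = {"examplebrand.co.uk", "examplebrand.com"}
MULTI_SUFFIXES = {"co.uk", "org.uk"}  # stand-in for the full Public Suffix List
CONFUSABLE = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "-": None})

def registrable(host):
    """Split a hostname into (brand label, registrable domain)."""
    parts = host.rstrip(".").split(".")
    parts = parts[-3:] if ".".join(parts[-2:]) in MULTI_SUFFIXES else parts[-2:]
    return parts[0], ".".join(parts)

def skeleton(text):
    """Fold accents, digit look-alikes and hyphens: 'examp1e-brand' -> 'examplebrand'."""
    ascii_only = unicodedata.normalize("NFKD", text).encode("ascii", "ignore").decode()
    return ascii_only.translate(CONFUSABLE)

def edit_distance(a, b):  # Levenshtein distance, computed row by row
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(url):
    """Label an advert's destination URL as official, a look-alike, or unrelated."""
    host = urlsplit(url).hostname or ""
    label, domain = registrable(host)
    if domain in OFFICIAL:
        return "official"
    skel = skeleton(label)
    if skel == BRAND:
        return "lookalike: same name, different spelling or TLD"
    if edit_distance(skel, BRAND) <= 2:  # too loose for very short brand names
        return "lookalike: typo"
    if BRAND in skeleton(host.replace(".", "")):
        return "lookalike: brand embedded in another domain"
    return "unrelated"

# Constructed sample destinations, as might be collected from ad reports.
SAMPLES = ["https://www.examplebrand.co.uk/offers", "https://examp1ebrand.co.uk/login",
           "https://exampelbrand.com/", "https://examplebrand-support.help-desk.net/"]
if __name__ == "__main__":
    for url in SAMPLES:
        print(f"{classify(url):45} {url}")
```

Anything flagged as a look-alike is a candidate for the takedown and reporting process, after a person has confirmed it is not a legitimate partner or reseller domain.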
What should you do if you think you have clicked a malicious advert?
Act quickly.
Report the incident to your IT & cyber team. For our clients, active monitoring through our Cyber Security Operations Centre will identify and block any malicious activity. We work with clients to reset any account passwords that may have been compromised, monitor and block any unusual activity, and revoke active sessions where possible. Behind the scenes we also run real-time endpoint scans and monitor for suspicious browser extensions, remote access tools, or any software install requests, checking each for legitimacy, what the software does, and what access it requires. If business systems are involved, we investigate for any signs of lateral movement across your system and network infrastructure, and monitor in real time for inbox rule changes (such as forwarding automations) and unusual sign-in activity such as impossible location access.
If you find that your brand is being impersonated, it is essential that you begin takedown action immediately, preserve evidence, notify relevant advertising platforms, and consider warning customers and staff through your official channels.
Why does this matter for businesses?
Malvertising is not just an advertising problem. It is a cyber security, trust, and reputation problem.
Cyber criminals exploit the fact that people live online, in browsers, search engines, social platforms, and cloud applications. They know that a fake advert, served through a trusted platform (like Google or Facebook), can feel more believable than a suspicious email, particularly when it copies a recognisable brand or appears at the top of a search page. That makes malvertising especially dangerous for businesses that rely on digital channels, remote working, cloud software, or their own paid campaigns to reach customers.
How can TwentyFour IT Services help to protect your business?
At TwentyFour IT Services, we help businesses defend against cyber threats from every angle. This includes strengthening identity security with Multi-Factor Authentication (MFA) and Single Sign-On (SSO), conditional and privileged access controls and more. It also includes protecting devices and users with a modern layered approach to zero trust endpoint and network security, with monitoring and threat detection. It includes improving resilience with immutable backups and disaster recovery strategies. But beyond cyber security tools and controls, it includes practical guidance for businesses and their team members, so they know how to spot malicious ads, fake software downloads, impersonation attempts, and suspicious activity before they become incidents.
If your company’s name, website, software, or leadership team could be copied in a fake advert, brand protection needs to become part of your cyber security strategy too.
Contact a member of our team to find out how we can protect your business from the increasing threat of Malvertising.


