Scammers are hiding behind Google's ‘click-to-call’ ads

How scammers passed advertiser identity checks to impersonate mobile network Three UK on Google
Chiara CavaglieriSenior researcher & writer

Chiara is an award-winning investigative reporter who specialises in banking and fraud, joining Which? in 2015 following six years as a personal finance journalist at a national newspaper.  

High street sign for Three UK, the mobile network

Scammers are abusing Google's advertising platform to target customers of telecoms and utility brands and trick them into giving away sensitive information. 

The click-to-call feature instantly starts a phone call with a business when you click an advert on your mobile device. It's theoretically a convenient way to get hold of a company, but scammers continue to create fake adverts that appear at the top of search results. Our advice is to steer clear. 

We've previously warned about a similar scam targeting British Airways customers using the Bing search engine to search for contact details. 

Read on to find out how these scams work and what you can do to avoid them.

Outsmart the fraudsters

free newsletter

Sign up for our free Scam Alerts service.

Our Scam Alerts newsletter delivers scams-related content, along with other information about Which? Group products and services. We won't keep sending you the newsletter if you don't want it – unsubscribe whenever you want. Your data will be processed in accordance with our privacy notice.

Scammers impersonating Three Mobile 

A series of bogus adverts targeting Three UK customers appeared in Google searches such as 'call Three' or 'Three mobile help' in late September 2025. 

Despite these advertisers being verified by Google – meaning they passed at least basic identity checks – they promoted websites that were clearly intended to deceive, as they claimed to offer '24/7 support from Three' and had domain names that referred to 'threemobilephones' and 'threemobiledeals', but had nothing to do with the real company. 

When we tested the phone numbers listed, some were disconnected, but others were answered by call handlers who pretended we had reached the Three customer services call centre. During one phone call, I was asked to share an email address and my Three password, potentially enough information for fraudsters to take over my mobile phone number, known as Sim-swap fraud

Online security firm Marcode spotted many of these fakes as part of its work monitoring adverts for impersonation scams across various search engines and social networks. 

Marcode co-founder Andy Cooney explained: ‘We’ve detected a large number of advertising accounts running fake click-to-call ads, specifically to target customers looking for support from telecoms and utility brands. They use domain names that look like the brand they are targeting, use the trademark of the brand and are free to pay to appear next to brand keywords. 

'Google’s verification only proves the account buying the ads is a real company. It doesn’t prove they are associated with the brand they are pretending to be. We track them operating across multiple brands, often for weeks.’

Three UK Google ad scams

1 / 3

  • Fake Three UK adverts on Google
  • caption
  • caption

A large collection of images displayed on this page are available at https://www.which.co.uk/news/article/scammers-are-hiding-behind-googles-click-to-call-ads-aTnZB9C2aMjh?mi_ecmp=S_SA_EM__20251218&mi_u=224979062

What is Google doing to stop this scam?

Which? reported nine advertisers to Google and we expressed our concerns that it had sold ad space to obvious impersonation scammers. 

Google told us: ‘We have removed the ads shared with us and suspended the associated accounts for violating our policies. We expressly prohibit ads that scam people by misrepresenting information about products or services.’

Improving the vetting processes of advertising giants like Google is only part of the story – scammers are also finding it far too easy to register clearly malicious domain names. 

Brands such as Three UK also rely on registrars (the businesses hosting the domain names) to shut down copycat websites quickly. Most of the dodgy websites we reported were removed, but one is still live months later, despite Three UK reporting it to the registrar for malicious activity.

Three UK told us that it blocks confirmed fraudulent URLs at a network level. It also said it actively monitors for suspicious domains and works with registrars and industry bodies to remove them quickly.

key information

How to avoid click-to-call scams

  1. Caution is your strongest defence We think it's best to simply ignore adverts you spot online, as scammers pay to appear in search engine results and your social media feeds. It may not always be immediately clear that it's an advert, so look for any reference to it being 'sponsored' or an 'ad'. 
  2. Don't use search engines to contact a business Use their official website or app to find their contact details, or check documents such as your bank statements and phone bills.
  3. Check the web address Scammers hope you don’t look too closely at the real web address or email address they are using (which can also be tricky to see on some devices), so always check carefully what you are being directed to. If it doesn't look right, avoid it.
  4. Use a free domain checker ICANN Lookup tells you when any given website was first created – if a website has been created recently, it could be a sign of a scam.

Seen or been affected by a scam? Help us protect others

Sharing details of the scam helps us to protect others as well as inform our scams content, research and policy work. We will collect information relating to your experience of a scam, but we won't be able to identify your responses unless you choose to provide your contact details.

Share scam details

More on this