Google Maps Can Be Deceived: What You Need to Know

This past week, Gawker Media properties Gizmodo and Valleywag reported a number of exploits in Google Maps that scammers and spammers could use to ruin Google Local search results for small-to-medium businesses. As this is very relevant to your interests, this article will serve as a quick write-up of the issue. For more detailed information, I encourage you to click through to the articles themselves and read more.

(Note: Gawker Media properties are irreverent by design. As such, please be aware that there may be objectionable language in the reporting as well as the comments. Despite this, the actual coverage is often top-notch.)

[image removed due to copyright]

Gizmodo reports how one intrepid hacker — Brian Seely, who has been linked by Mike Blumenthal in the past — managed to not only falsify a number of businesses, but also change locations’ phone numbers, pictures, names, and other NAP information through loopholes in Google Maps’s verification process.

So say I’m a locksmith and I want a little more business. My ranking is too low when you search “locksmith near [my neighborhood]” on Google Maps; no one ever clicks on me. If I find the right scammer, I can boost my presence with a couple more (non-existent) locations. Or even better, I can have a scammer change my competitors’ numbers so that the calls forward to me instead. All I have to do is pay a scammer $50 or so per call. But hey, that’s just the cost of doing (shady) business.

Gizmodo also notes that a significant incentive for these spam listings is that they’re lucrative — and ridiculously easy:

Seely wouldn’t explain exactly how he manipulates Google’s maps with fake listings, but he assured us the process is very simple and hinges on Google’s shoddy verification process. He says he can create hundreds of these things without breaking a sweat, and while Google’s slowly coming up to speed on closing the holes that let sneaky, fake stuff like this through, it’s not doing it quite fast enough.

An example of one of Seely’s fake listings is pictured below:

If a multi-billion, well-documented, storied company like Apple — whose business address is listed in nearly every source of repute (and some less-than-trusted sites) consistently, structured and unstructured — what hope does a rule-abiding mom-and-pop shop have against a legion of spammers determined to mine every loophole open to exploitation?

While Gizmodo sources at Google have confirmed that a number of the exploits have been patched, there’s evidence that Google has known about many of these security flaws for years. While some experts note that these are common issues in any crowdsourced project such as Google Maps (which is largely volunteer and only partially automated) that’s cold comfort for a legitimate business suffering in search rankings because of these spammy listings.

[image removed due to copyright]

Valleywag published a piece about a potentially damaging security flaw in Google Maps, whereby Bryan Seely intercepted phone calls meant for government agencies and recorded them via a call relay.

The portion that is relevant to YCPs is later in the article:

Seely says the fake federal listings, which were both ranked second every time I checked Google Maps, were up for four days. He took them down himself when the Secret Service asked. (I took the screenshots above early Wednesday morning.) He picked that particular FBI office because, he says, he had recently watched The Rock, in which Nicolas Cage’s character worked for the FBI in San Francisco.

The piece speaks at length about how Seely managed the interception using minimally invasive technologies. If government agencies are susceptible to such social engineering exploits, given that the underlying Google Maps verification process features flawed logic.

To build his sham government locations, Seely started with Google’s Map Maker tool (for roads and such) and then switched to Google Places, which is purely for businesses and just updated its “quality guidelines,” to tweak the listings in the final stage. He began with a brand new IP addresses and new Gmail accounts. Then, Google gives you two options, Seely explained:

…type in this code and you can get verified to prove you’re human so that it doesn’t look like an automated machine. I just opt out of that and go directly to phone verification because the way that these people build these computer systems is assuming that no one wants to do more work—assuming everyone wants the easy way out. So if you choose the easy way then we don’t trust you, if you choose the harder way and verify by phone immediately, ‘Oh you must be a person and you must be legit.’

While locksmiths are notoriously known for these kinds of spammy listings, they aren’t the only ones. Blumenthal has reported on this phenomenon in legal services last month, and a number of other SEO experts in the space have discussed this issue at length — even Valleywag reported on this as recently as three weeks ago.

This paragraph is perhaps the most concerning for a geomarketing services provider:

Why not fix the problem? Austin says there’s a cottage industry around flooding Google Maps with fake listings for businesses like locksmiths, the most notoriously abused sector, and then forwarding the calls from unsuspecting Google users to call centers. The centers either dispatch workers who only accept cash and charge more or, in some cases, they sell the leads back to the actual local businesses being squeezed out. “[Spammers] make way too much money on AdWords to [care at all] about small businesses,” said Seely, noting one spammer who made $10 million a year.

The Takeaway

Ultimately, there’s two major takeaways from this situation.

1. Local Data is an Uphill Battle

A multi-billion dollar company like Google, with all of its near-infinite resources and massive staff both in the US as well as abroad, is still vulnerable to deliberate misuse of its citations services. That’s the primary message here, and it’s absolutely worth noting. Even with as much manpower and computing power as it has, it’s massively difficult to compile and aggregate thousands (if not millions) of data sources in a meaningful and consistent way.

It’s the same challenge that a small business faces regularly when they submit their business information manually — they’re fighting the rising compilation tide, and that’s exhausting and can cause problems for them. That’s where you, the SEO come in; your service offering is to improve your clients’ discoverability, and thus improve their search relevance. This means cleaning up their citations, creating single-location landing pages, and offering a variety of other solutions to your clients.

2. Citations Have Friction

This situation has also pulled back the curtain on how easy it is to deceive even the most trusted data providers with false information. Moreover, this situation demonstrates how easily that information perpetuates regardless of efforts to suppress and overwrite.

To that end, citations have friction: there are barriers to entry (pricing, lost passwords, or a lack of a claims system, and so on) as well as an opacity to the process (how many sources, which sources are weighted highest, does recency carry weight, etc.) that makes strategizing difficult. Your role as an SEO is to reduce that friction for your client. Yext helps with that. Yext makes the process simpler, overrides the March Madness-style tournament that powers local data for most publishers, and gives you total control.

The safety and security that comes with feeling in control cannot be overvalued. While Yext is not a solution for hijacked and corrupted data, it is a solution that offers control. With better control, you and your clients have more freedom to work towards locally-relevant web solutions that boost their business without putting their enterprise at risk. With Yext, it is less likely that bad or corrupt data about your clients’ business will persist. When you control the conversation, you have one less thing to worry about.

In my opinion, this situation has shown what problems continue to exist in the local data space. While Yext is not a perfect solution, it is certainly less susceptible to this kind of social engineering than no solution at all. Your clients deserve to feel empowered — Yext can provide that.