This Is How Scammers Were Able to Game Google Maps
It’s now easier than ever to find a plumber to fix your leaky toilet by simply searching Google Maps for nearby journeymen. However, there’s a chance that the plumbers you may contact could be scammers who got their bogus listings displayed on Google’s online map service.
The search giant and the University of California, San Diego released a research paper based on an analysis of over 100,000 scam listings to discover some of the most common ways fraudsters trick people on Google Maps. Additionally, the research paper said that some of the scamming methods it discovered could also “apply to other map services, such as Yelp and Bing Maps.”
Get Data Sheet, Fortune’s technology newsletter.
The majority of Google Maps scams come from criminals pretending to be locksmiths, plumbers, electricians, and other professionals who people typically contact when they immediately need their services.
These bogus contractors fooled Google Maps by saying their business is located at a specific address, but containing a fake suite number that the U.S. Postal Service verified, the paper explained. The criminals could then register hundreds of fraud listings using fake suite numbers attached to an actual address.
Bogus locksmiths can then set up fake phone numbers on their Google Maps business listings using online calling services like Ring Central or Twilio, the paper showed. When people call the number, a fraud representative gives them a cheap price quote and sends a trickster locksmith to fix their problems.
However, these fake locksmiths then manipulate the customer to pay more money upon arrival. If a person needs to get into their house because they’ve been locked out, it’s likely they’ll just pay up.
As for scams involving businesses with physical locations, like hotels or restaurants, criminals spoof both real companies and consumers. In these cases, fraudsters may pretend to be a real restaurant or hotel and sign up to be listed on Google Maps.
When these troublemakers claim a real business listing, Google (GOOG) automatically sends a physical postcard with a verification PIN number to the address for the real owner to maintain. However, the criminals then call the business and trick the owners to reveal to them the PIN number, which the scammers then use to control their Google business account.
Once the tricksters have access to the real Google account, they then swap the real business listing with their own dummy version that can send people to a fake reservation or booking service. Although the fake booking service could let people make real reservations at a restaurant, the scoundrels “charge a commission per transaction,” the paper explained.
Since studying the scam listings, Google said it’s debuted several ways to reduce them. For example, Google said that it no longer sends numerous verification postcards to the same address based on many different suite numbers.
For more about finance and technology, watch:
Although the research paper primarily focused on how criminals were able to game Google Maps and not remedies, the company said in a separate blog post that it’s applying some of its anti-spam technology to “detect data discrepancies common to fake or deceptive listings.” Presumably, this means that Google has discovered common words used in fake business listings and is weeding them out based on their prevalence.
Overall, while the idea of scam business listing may seem frightening, Google said that less than a half percent of all local business searches spool fake listings. Since Google has addressed the problem, it said it has “reduced the number of fake listings by 70% from its all-time peak back in June 2015.”