ROCHESTER, N.Y. – If you want to avoid being hacked, who better to help protect you than a professional hacker? That’s who I consulted to help you avoid scams when you search the internet. Luke Secrist, CEO of BuddoBot, is a professional hacker who now runs a cybersecurity firm. Secrist read my four-month investigation in which I exposed how scammers were able to manipulate Google search results for keto gummies, leading consumers to believe they were clicking on a legitimate site when it was actually a scam.

Secrist warns that the first results are usually ads. “Get away from sponsored ads,” he warned. Try not to click any sponsored ad whatsoever.”

That’s because scammers often buy ads meant to fool consumers. For example, try googling keto gummies. When I did, the first results were sponsored, paid ads. And most of those ads were questionable. For example, when I clicked on one of them, I was directed to this fake article about the efficacy of the gummies written by someone identified as Adam Gold, a Florida-based certified health coach. But an image search of the doctor’s picture reveals that on another site, his name is name Miguel Acebedo, a Chilean cardiologist. And on another site, he’s identified as Jan Drahokoupil, a Czech cardiologist. But he’s actually not a doctor. He just plays one on camera.  He’s a stock photo model known as “Handsome old doctor”, photo number 79702797.

So the first rule when using any search engine is to always skip the ads.

But surprisingly, I found scams among the organic, so-called real results as well. One result appears to be the University of Pittsburgh Department of Psychiatry, but it’s not. One click reveals it’s a bogus ad claiming Shark Tank endorsed keto gummies. That is not true. Keto gummies were never featured on Shark Tank. So how did scammers hijack the university’s website?

“There’s different terms for it”, said Secrist. “Some call it domain squatting. Some call it domain cloning. So, what they’re doing, they’re buying up domains that are very close or very similar to the actual domain.”

And that’s exactly what the keto gummies scammers have done. While the google results say the University of Pittsburgh, the URL tells a different story. The scam addresses start with the university’s real web address, psychiatry.pitt.edu. But the scammer’s address continues with a slash and a jumble of letters following the slash. That’s the new domain the scammers bought.

“They have free will to purchase domains of different varieties,” said Secrist. The scammer then named its new domain, “University of Pittsburgh Department of Psychiatry,” but of course the scammer’s newly created web address has no connection to the University of Pittsburgh.

So, rule number two is the following: Always check the URL before you click. And the third rule is to invest in antivirus software.

 “It doesn’t catch everything, but it’s certainly better than having nothing,” said Secrist.

I reached out to Google about these fake results and spokesman wrote, “Bad actors are constantly evolving their methods to try to evade our protections, requiring close attention from our teams. We’ve reviewed the additional screenshots you shared with us and taken appropriate action.”

Now that we know how easy it is for a scammer to manipulate search results, the onus is on us as consumers to outsmart the crooks.