In order to have their websites appear at the top of relevant searches, Google allows businesses to pay for verified advertisements. However, to do this, the businesses must first complete an advertiser identity verification process designed to filter out dodgy pages.
However, according to the consumer champion, a scammer mimicking Lyca Mobile has been able to get past the authentication process, which gives them the ability to place a "persuasive" advertisement at the top of search results in an effort to trick users into visiting a fake website and taking credit card information.
The rogue advertiser got itself verified by Google as "Vodafone Finance Management", says Which?, claiming to be a subsidiary of Vodafone on Companies House, despite having nothing to do with it.
"Over the course of three days in late January, this verified advertiser was paying Google to appear at the top of results when the public searched for phone network Lyca Mobile," Which? said.
"You would have had little reason to suspect these adverts at first glance.
"They appeared to link to the genuine web address for Lyca Mobile (lycamobile.co.uk), although the keenest-eyed may have questioned the use of 'Lyc Mob' in the blurb.
"Although Vodafone and Lyca Mobile are two separate companies, if you had checked the details of this advertiser, you may have been reassured that it was created by what appeared to be a genuine mobile network."
This isn't the first time Which? has highlighted scams taking advantage of Google's advertiser options.
At the end of 2023, it warned of phoney search engine ads impersonating legitimate parking apps like JustPark and PayByPhone, which it said remained live even after they were reported.
Fake sites are nothing new, but scammers having the ability to bypass Google's vetting process makes them look more trustworthy, as they come up as being "sponsored" at the top of search pages and users have to click the ellipses next to the link to learn more about the company behind it.
In response to the latest scam report, Google said: "Protecting users is our top priority and we have strict ads policies that govern the types of ads and advertisers we allow on our platforms.
"We enforce our policies vigorously, and if we find ads that are in violation we remove them. We continue to invest significant resources to stop bad actors and we are constantly evaluating and updating our policies and improving our technology to keep our users safe."
A spokesperson for Vodafone told Which?: "Criminals are always looking for new ways to trick companies and consumers, and our ecommerce security teams work hard to stay ahead of them.
"We take fraud extremely seriously and have reported the issue to Google for immediate resolution and to stop this happening again. We also want to clarify that Vodafone UK has no affiliation with Lyca Mobile."
A spokesperson for Lyca Mobile said: "Unfortunately, this type of scam is all too common. We regularly get website impersonations of our brand closed down, and in this case the scam site in question was taken offline almost as quickly as it appeared.
"But we also have to rely on the platforms we operate on to prevent them occurring in the first place. We welcome moves by Google and others to crack down on this type of activity to protect both consumers and brands from malicious actors."