Hacking a Business Phone Number on a Google Listing Is (Still) Easy

When confronted by the media about fraud and local listings scams, Google's PR machine trots out a familiar playbook and canned messaging.

Last year airline phone numbers were hijacked and redirected to scammers. At the time, a "Google spokesperson said in an emailed statement [to NBC] that the company does ‘not tolerate this misleading activity’ and that it had fixed the issue." Google also told the Washington Post that "it’s 'extremely rare' for airline customer service searches to show you scam phone numbers."

Recently we discovered just how surprisingly easy it still is to change a Google listing's business phone number. How do I know? I tried it.

The Experiment

I was curious what it would take to change a listing's phone number. I purchased a virtual forwarding number for the experiment last year and I enlisted Local SEOs Amy Toman, Kevin Pauls & Kurt Impens, Local Guides of varying rankings, to change the phone number of my infamous Illusory Laptop listing in Bradford, Pa., asking each to "suggest an edit" to the new phone number.

The third attempt at suggesting an edit was successful and the number on the listing was changed almost instantly.

While the number changed on the public profile within a few minutes, there was no obvious notification in the GBP dashboard. While Google did send an email to a listing manager within a few minutes, the primary owner of the listing (me) received no email or alert of the changed phone number.

No obvious notice at the highest level of the GBP dashboard

Buried in the "Edit profile" area there was a small notice of the change.

Two clicks away for a business to learn of the edit

How Hard Was It?

While I purchased the number a year ago, the actual "work" took 22 minutes from start to finish.

Timeline

2:32 PM Posted to Local Slack Group

I asked my friends there to change the number

Suggest an edit - not accepted

2:35 Amy Toman suggests an edit

The new number is instantly rejected

2:43 Kevin Pauls suggests the same edit

It immediately goes to a pending status

2:54 Kurt suggests the same edit

It is immediately published and shows publicly on search

That's it. Three suggested edits and the dirty work was done. I had anticipated a much rockier road and if I knew I was on the clock I probably could have accomplished the task in less time. Who knew it would be so easy?

Given the lightweight communication from Google about the number change, it's very likely most businesses would not have noticed the email, and the hijacked number would have persisted for some time.
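Because the change notice is this easy to miss, an owner can watch the listing instead of waiting for the email. The following is an added example, not part of the original post: it assumes the owner already records the publicly displayed phone number on a schedule (how is left open), and the numbers, date and names such as `APPROVED` and `audit` are constructed for illustration.

```python
import re
from datetime import datetime

# Owner-approved numbers in E.164 form (constructed; 555-01xx is reserved for fiction).
APPROVED = {"+18145550100"}

def to_e164(raw, default_cc="1"):
    """Normalize a displayed phone string to E.164; None if it cannot be parsed."""
    digits = re.sub(r"\D", "", raw)
    if raw.strip().startswith("+"):
        return "+" + digits if 8 <= len(digits) <= 15 else None
    if len(digits) == 10:                      # national format, no country code
        return "+" + default_cc + digits
    if len(digits) == 11 and digits.startswith(default_cc):
        return "+" + digits
    return None

def audit(snapshots, approved=APPROVED):
    """Walk time-ordered (timestamp, displayed_phone) pairs and return alerts.

    A formatting change of an approved number is ignored. Each run of
    snapshots showing the same unapproved (or unparseable) value yields one
    alert carrying first_seen and last_seen, i.e. the observed exposure.
    """
    alerts, current = [], None
    for ts, raw in snapshots:
        number = to_e164(raw)
        if number in approved:
            current = None                     # listing is back to a good value
            continue
        shown = number or raw                  # keep raw text if unparseable
        if current and current["shown"] == shown:
            current["last_seen"] = ts
        else:
            current = {"shown": shown, "first_seen": ts, "last_seen": ts}
            alerts.append(current)
    return alerts

def at(hhmm):
    """Timestamp on a constructed sample day."""
    return datetime.strptime("2024-01-01 " + hhmm, "%Y-%m-%d %H:%M")

# Constructed observations: a reformat, then a swapped number, then a restore.
SAMPLE = [(at("14:30"), "(814) 555-0100"), (at("14:45"), "+1 814-555-0100"),
          (at("15:00"), "(814) 555-0199"), (at("15:15"), "814.555.0199"),
          (at("15:30"), "(814) 555-0100")]

if __name__ == "__main__":
    for a in audit(SAMPLE):
        print(a["shown"], a["first_seen"], a["last_seen"])
```

The exposure window is only as precise as the polling interval, so the interval should be short compared with how long a swapped number could do harm.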

What Actually Triggered the Change?

Each of the three "editors" is a Local Guide. Amy is a Level 5, Kevin a Level 2 and Kurt is a Level 10. While it seems likely that it was the three edits that did the trick, it is conceivable that there was some extra value to Kurt's Level 10 status, which requires a crazy amount of Google contributions. I suppose that the "aged" phone number with a local area code might have contributed, as might the size and visibility of the business.

I will leave it to others to determine the nuance of this hack and whether Local Guide Level (etc.) played a role.

It Shouldn't Be This Easy

Google and the public at large both want accurate and reliable business data. It's understandable that Google wants to gather information from multiple sources. Some potential changes, like a minor business hours alteration, could be harmful to the business but would not lead to criminality and probably would have a limited or minimal impact on consumers.

However, a change to a phone number allows bad actors to step between a business and its customers to the detriment of both, potentially causing significant harm. In the case of the airline phone number hijacking, the bad actors attempted to charge consumers' credit cards for flight changes.

On critical data like a phone number it shouldn't be so easy to make a change. More verification should be required and a business should be alerted that a change is pending. There should also not be so little communication or notification after the change is made.

While we don’t know for sure whether this can still happen in the airline industry, we do know that it could happen in any number of other industries.

How Google Handles the Media

If you look at major reports of consumer harm from bad actors on Google Maps over the years, you'll see the same Google PR playbook every time. Whether it's fake drug rehab listings or bait and switch locksmith tactics from fake listings or bogus appliance repair listings, Google temporarily tightens things up and says the same thing they said about the airline scam in 2023:

"Google spokesperson said in an emailed statement that the company does ‘not tolerate this misleading activity’ and that it had fixed the issue"

Sometimes for good measure they will remind us of the many bad actors out there and how Google is equally a victim, having to play whack-a-mole with spammers. To Google claiming victim status I say bollocks.

As mentioned, during the airline number hijackings, Google told the Washington Post it's “extremely rare” for this to happen. By Google's calculation, rare means the number of hacked airlines that show in search divided by the number of locations in Google. By Google's math that is something less than 5000/2,300,000 or .2%, the total number of worldwide airlines divided by the total number of businesses in Google’s local database. It is rare – for them.

If it happens to you or your airline, it is painful, deeply disturbing and potentially costly.

But I also call bollocks on their oft-repeated playbook for these situations. Unfortunately, in every case, it would seem their fix is temporary and six months later the exact same thing happens again. This playbook has been around since the first reports of widespread locksmith spam in 2009 and similar reports ten years later, where Google said (are you ready?):

"More than 99 per cent of the businesses people find on Google Maps are legitimate and we're working hard to detect and remove the small number of fraudulent listings that have been posted by bad actors."

and

"Local business scammers have been a thorn in the internet's side for over a decade. We're continually working on new and better ways to fight these scams using a variety of ever-evolving manual and automated systems."

In late 2020, I worked with the CBC in Canada on fake appliance repair listings in the Toronto area where Google's response was similar:

For the past several months I have been tracking the exact same problem, fake appliance repair listings in the exact same Toronto market.

The bigger crime here is not the scammers and spammers who deceived the public but that a large, public corporation glad-hands the press and allows these scams and harmful deceptions to continue year after year.