Search-engine cloaking, explained
Cloaking is the technique that lets a brand-impersonation or phishing site rank in search while looking harmless to anyone who checks it. It serves two different pages for the same URL: a decoy to ordinary browsers, and the real abusive page to search-engine crawlers.
What cloaking is
Cloaking is the practice of showing search engines different content from what a human visitor sees, in order to manipulate rankings. In the brand-abuse world it is the engine behind a familiar pattern: a search for a brand returns a result that looks like the brand, but the page a reviewer opens in a browser shows something else — an empty page, a generic notice, or a redirect — so the abuse survives manual review while continuing to rank.
The tell: the same URL returns two very different pages depending on who asks. That divergence — not the content of either page alone — is the abuse.
How it works, technically
The server decides which page to return by inspecting the incoming request and classifying the visitor as "crawler" or "human". Common signals:
- User-Agent string — the crudest method: if the header contains Googlebot, serve the abusive page; otherwise serve the decoy.
- Reverse-DNS / IP verification — more robust: the server confirms the request actually originates from a search engine's published IP ranges before revealing the real page, defeating a simple User-Agent spoof.
- Referrer and behaviour — some kits only reveal the page to visitors arriving from a search result, or gate it behind a cookie or challenge.
The two responses are otherwise served from the same URL on the same host, frequently behind a CDN that hides the origin. A related tactic uses the rel="canonical" tag to point at an unrelated, reputable third-party site, laundering that site's authority onto the impersonation.
Why it harms brands
Cloaking turns search itself into the distribution channel. A user searching for a brand is shown — and trusts — a result that impersonates it, then lands on a gambling, phishing or fraud page. Because reviewers and automated checks see only the decoy, the impersonation can rank under the brand for weeks. The damage is threefold:
- Users are defrauded while believing they are dealing with the brand.
- The brand's search real-estate is captured by an impostor.
- Standard "open it and look" abuse checks return clean, so reports get rejected.
How to detect it
Detection means requesting the same URL the way a crawler would and comparing it to a normal browser fetch. At minimum, vary the User-Agent:
# What a normal visitor sees (the decoy)
curl -A "Mozilla/5.0" https://example/
# What a crawler is served (often the abusive page)
curl -A "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)" https://example/
If the two responses differ in size and content — a short "nothing here" page for the browser, a full branded page for the crawler — you are almost certainly looking at cloaking.
Caveat: sophisticated kits verify the crawler by IP, not just User-Agent. A spoofed User-Agent may still receive the decoy. When that happens, check what the search engine actually indexed — e.g. the cached or "crawled page" view in Search Console — rather than trusting your own request.
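The curl comparison above carried one step further, as an added example that is not part of this page or of any tool it describes: fetch the URL under both User-Agent strings, reduce each response to its visible text, and score the divergence so that the findings list is the evidence to attach to a report. Fetching with urllib and the 0.6 similarity threshold are assumptions; the comparison is shown on a constructed sample pair so it runs offline, and identical responses are reported as inconclusive rather than clean, for the IP-verification reason given above.

```python
import difflib
import re
import urllib.error
import urllib.request
from dataclasses import dataclass
# Same two User-Agent strings as the curl commands above
BROWSER_UA = "Mozilla/5.0"
CRAWLER_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"

@dataclass
class Response:
    status: int
    final_url: str  # URL after redirects, so a redirect-only decoy is visible
    body: str

def fetch(url: str, user_agent: str, timeout: int = 15) -> Response:
    """Fetch url once with the given User-Agent, following redirects."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as r:
            return Response(r.status, r.geturl(), r.read().decode("utf-8", "replace"))
    except urllib.error.HTTPError as e:  # 4xx/5xx bodies are still evidence
        return Response(e.code, url, e.read().decode("utf-8", "replace"))

def visible_text(html: str) -> str:
    """Drop script/style blocks and tags, collapse whitespace."""
    html = re.sub(r"(?is)<(script|style)[^>]*>.*?</\1>", " ", html)
    return re.sub(r"\s+", " ", re.sub(r"<[^>]+>", " ", html)).strip()

def title(html: str) -> str:
    m = re.search(r"(?is)<title[^>]*>(.*?)</title>", html)
    return m.group(1).strip() if m else ""

def compare(browser: Response, crawler: Response, threshold: float = 0.6) -> dict:
    sim = difflib.SequenceMatcher(None, visible_text(browser.body), visible_text(crawler.body)).ratio()
    checks = [  # each (divergence seen, evidence line)
        (browser.status != crawler.status, f"status {browser.status} vs {crawler.status}"),
        (browser.final_url != crawler.final_url, f"final URL {browser.final_url} vs {crawler.final_url}"),
        (title(browser.body) != title(crawler.body), f"title {title(browser.body)!r} vs {title(crawler.body)!r}"),
        (sim < threshold, f"visible-text similarity {sim:.2f} below {threshold}"),
    ]
    findings = [msg for hit, msg in checks if hit]
    # Identical responses are not proof of innocence: the kit may verify the crawler's IP
    verdict = "cloaking-likely" if findings else "inconclusive: check what the engine indexed"
    return {"verdict": verdict, "similarity": round(sim, 2), "findings": findings}

def check_url(url: str) -> dict:
    return compare(fetch(url, BROWSER_UA), fetch(url, CRAWLER_UA))
# Constructed sample pair (not captured from any real site) so the check runs offline
SAMPLE_DECOY = Response(200, "https://example/", "<html><head><title>Nothing here</title></head><body><p>Nothing here.</p></body></html>")
SAMPLE_CRAWLER = Response(200, "https://example/", "<html><head><title>Acme Bank - Online Banking</title></head><body><h1>Acme Bank</h1>"
    "<p>Sign in to Acme Bank online banking to manage your accounts, cards and loans.</p><a href='/login'>Log in</a></body></html>")
```

`compare(SAMPLE_DECOY, SAMPLE_CRAWLER)` yields the two findings (title and visible-text divergence) a reviewer would quote; `check_url("https://example/")` runs the same comparison live.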
How to prove it
A provider can only act on evidence they can reproduce. We capture both responses for the same URL — the decoy and the crawler variant — with their request metadata, and include a single command the reviewer can run. Showing the divergence side by side converts "this looks suspicious" into "this URL provably cloaks", which is what moves a case.
How to get it removed
Cloaking is a direct violation of every search engine's webmaster policies and of most registrars' and hosts' acceptable-use terms, so it gives you multiple levers at once:
- Search engines — report the cloaking / spam so the impersonation loses the ranking it was built to steal.
- Registrar — request suspension for the impersonation and AUP breach.
- Host / CDN — request removal at the origin and a phishing interstitial.
- Browser blocklists — submit the URL so users get a warning quickly.
Filing all of these in parallel — each with the reproducible both-variants evidence — is how a cloaked site comes down fast instead of lingering.
See how this fits our wider workflow in How a takedown works and Evidence & methodology.