Few things annoy SEO marketers like an unexpected drop in organic rankings.
Usually when this happens, it’s due to a Google search algorithm update. For example, some businesses noticed fluctuations after the Helpful Content Update in August 2022.
But there is another, albeit much less common, explanation for a sudden drop in rankings. Namely, your domain may have been the victim of a negative SEO attack.
Negative SEO attacks were far more prevalent and successful in the early 2000s, when the Google search algorithm was more rudimentary. In the intervening years, advances in technology and machine learning have largely eliminated the threat posed by deliberate negative SEO attacks (more on that shortly).
But there are still some persistent black hats out there trying to cause damage to the organic rankings of their competitors. Whether they’re successful or not depends on how sophisticated their tactics are. So while a few might succeed, most won’t.
For the most part, it’s not something to be overly concerned about. But it’s still worth understanding what negative SEO is, what an attack looks like, and how to defend your site and organic rankings from 6 of the most common black hat strategies.
What is negative SEO?
Negative SEO is when a company uses black hat tactics to intentionally damage the organic rankings of a competitor’s website. These tactics may include:
- Building unnatural backlinks
- Duplicating site content
- Hacking a site and modifying content
- Adding links to a competitor site pointing back to their domain
It’s unethical. But not illegal. And although it sounds threatening, Google has a zero-tolerance policy towards it, meaning there are robust safeguards in place to protect businesses.
Who’s most at risk from negative SEO?
Negative SEO attacks are more common in very competitive niches with a relatively high degree of black hat activity, such as gambling and crypto. Theoretically speaking, anyway. The reality is that successful negative SEO attacks, even in those industries, are still relatively uncommon.
In the video below, Matt Cutts, ex-Google employee and former Administrator of the United States Digital Service, explains why you shouldn’t worry too much about them.
TL;DR
If you’re short on time, here’s a written summary of key points from the video:
- Google fully understands the possibility that competitors might use underhand tactics, such as negative SEO, to hurt each other. So the search algorithm has been deliberately engineered to protect against black hat activity. (Note: this video was originally released 9 years ago, so the current level of protection is even more robust than that described by Matt.)
- Most black hat activity takes place within very competitive niches such as gambling or crypto, and shady legal grey areas such as the “designer drug” market.
- Google released ‘Disavow Links’, a tool that allows users to take care of unnatural link building if they’re worried about it. It might be a little annoying to have to report bad links to Google, but it’s a small inconvenience compared with the potential consequences of negative SEO.
Link spam has the biggest potential impact when it comes to damaging organic rankings. But it isn't the only kind of negative SEO.
6 types of negative SEO attacks and how to defend against them
Let’s have a look at the most common forms of negative SEO attacks in more detail and the steps you can take to protect yourself against them.
1. Spammy link building
This is the most common type of negative SEO because of how easy it is to do. There are plenty of shady grey hat SEO services out there offering to point thousands, if not millions, of dubious backlinks to a given website, with the promise of boosting organic rankings and domain authority.
In almost all cases, businesses who purchase such links end up being heavily penalised by Google's search algorithm. A sudden massive influx of backlinks from low-quality websites raises a red flag and triggers further investigation of the domain in question. If the algorithm detects foul play, organic rankings will drop and won't recover until the spam has been removed from the domain's link profile.
Black hat actors can use this system, which was designed to prevent companies from buying backlinks, to try and carry out a negative SEO attack. Rather than pointing the links to their own site to game the system, they simply point them towards a competitor in the hope it'll cause them to be penalised by Google.
What you can do
There are a few tools you can use to keep an eye on your backlink profile. Ahrefs and Monitor Backlinks are two that are particularly useful. If you spot a bad link, you can simply use Google’s “Disavow Links” tool to prevent that link from influencing your rankings.
By submitting a disavow list, you’re effectively telling Google to exclude the bad links when indexing your site. You can do this through Search Console Tools.
One telltale sign your site is getting a sudden influx of backlinks is a noticeable dropoff in how long it takes to load. If that’s the case, it’s worth using the tools above to check that spammy links aren’t the cause.
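The monitoring and disavow steps above can be scripted. The following is an added example, not code from the original article: it flags days with an unusual number of new referring domains and writes them in the disavow file syntax (one entry per line, `domain:` prefix for a whole domain, `#` for comments). The sample rows, the `reviewed_ok` allowlist and the spike factor are constructed assumptions; review the output by hand before uploading it.

```python
from collections import defaultdict
from statistics import median
from urllib.parse import urlsplit

# Constructed sample of a backlink export: (date first seen, linking URL).
# A real export from a backlink tool will have different columns.
SAMPLE = [
    ("2022-09-01", "https://industry-news.example/roundup"),
    ("2022-09-02", "https://partner-blog.example/tools"),
    ("2022-09-03", "https://forum.example/thread/42"),
    ("2022-09-04", "http://cheap-links-1.example/p?id=1"),
    ("2022-09-04", "http://cheap-links-1.example/p?id=2"),
    ("2022-09-04", "http://cheap-links-2.example/x"),
    ("2022-09-04", "http://casino-dir.example/list"),
    ("2022-09-04", "https://trade-press.example/review"),
]

def new_domains_by_day(rows):
    """Map each day to the referring domains first seen on that day."""
    seen, by_day = set(), defaultdict(set)
    for day, url in sorted(rows):
        host = urlsplit(url).hostname
        if host and host not in seen:
            seen.add(host)
            by_day[day].add(host)
    return dict(by_day)

def spike_days(by_day, factor=3):
    """Days whose new-domain count is at least `factor` times the median."""
    base = median(len(d) for d in by_day.values())
    return sorted(day for day, d in by_day.items() if len(d) >= factor * base)

def build_disavow(rows, reviewed_ok=frozenset(), factor=3):
    """Disavow-file text for domains first seen on spike days.

    `reviewed_ok` holds domains a human has checked and wants to keep.
    """
    by_day = new_domains_by_day(rows)
    lines = []
    for day in spike_days(by_day, factor):
        lines.append(f"# new referring domains first seen {day}")
        lines += [f"domain:{h}" for h in sorted(by_day[day] - set(reviewed_ok))]
    return "\n".join(lines) + "\n" if lines else ""

if __name__ == "__main__":
    print(build_disavow(SAMPLE, reviewed_ok={"trade-press.example"}))
```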
2. Fake link removal requests
Another tactic competitors may use is masquerading as you and sending emails to sites where your best backlinks live asking for them to be removed.
These emails are often fairly simple and direct, such as the example below:
Dear Webmaster,
We have received a request from our client to remove the links between their site and yours. Recent changes to Google’s algorithm mean they’re no longer needed.
Please remove the link to [YOUR DOMAIN], from this page: [LINK TO RELEVANT PAGE]
Thank you,
John Smith
(random SEO business name)
What you can do
You can’t stop these fake removal requests at source. It’s more a case of looking out for the signs that it’s happening, then fixing it. Keep an eye on your backlink profile using Ahrefs or another similar tool. Pay special attention to your most valuable backlinks from high authority domains. These are the links attackers will try to target for removal.
If you notice you've lost one of your top links, get in touch with the sites that have removed your link and ask why it was removed. If it was removed in response to a request you knew nothing about, ask them to reinstate it.
3. Duplicate content / content scraping
This is the bane of content writers everywhere. Content scraping is where someone copies your well-crafted words and posts them on another site.
Usually, the content thief just wants free stuff. They’re not interested in hurting your site. At least not deliberately, anyway, but that’s not to say it can’t happen.
If Google notices your content is duplicated in various locations around the web, it forces the search engine to choose which of the identical pages it should rank in the top results. Regardless of who produced the content, there is a high possibility that the original page will not be the one chosen for the top search results. That means someone else can steal traffic away from your site, and reap the rewards of your hard work.
What you can do
Google a chunk of the article you’ve written and see if it appears in any results. There’s also Copyscape, a free plagiarism detector, which can tell you if your content has been lifted and placed somewhere else.
If you find that it has, get in touch with the site owner. Depending on the response you get, you might need to take it further and seek legal advice. Before it gets to that point, though, make sure your business terms reflect your position on republishing content.
Also, adding canonical tags to your content tells Google that your URL was the original one the content was attached to. It essentially tells the algorithm that yours is the master version, so to speak, and everyone else’s is a copy. This should help you control duplicated content.
4. Fake reviews
This is where competitors attack a site with dozens or even hundreds of fake reviews on Google.
In today’s ‘TripAdvisor’ age, where reviews can make or break a business overnight, fake negative reviews can be similarly detrimental to your business. So if you’re the victim of an attack, what are your options?
What you can do
Sounds obvious, but you should already be actively monitoring your reviews. Not all negative reviews will be fabricated and you can use them to see what you’re doing well and what you could do better.
But if you think one is fake, Google has a simple reporting process which you can access through your Business Profile. Here are a few criteria to consider when you're trying to weigh up whether a review is fake:
- Watch out for generic user names and photo-less profiles
- What other reviews has the profile left? Are they all negative?
- Was there a spike in your number of negative reviews all of a sudden?
- Check for poor grammar, spelling and odd language phrasing
- Look for the expression of extreme negative emotion, with no mention of anything positive
- Does the reviewer mention a competing product or service?
- Did the reviewer make a verified purchase?
If the review in question meets several of these criteria, it's worth reaching out directly to them before you report the review to Google. Most fake reviewers will not respond, but real reviewers often look forward to opportunities to be more helpful.
5. Hacking your website
Hacking your website as a negative SEO tactic involves altering code in the backend of webpages on your site (so you don’t know about it) or editing your robots.txt file - the file responsible for telling web robots (like search engines) how to crawl your site. Hackers can alter this to instruct the search engine to ignore your best-performing pages or even the whole site.
What you can do
There are a few things. Firstly, set up two-factor authentication, so that every time you log in to your site, you need to input a code that you get from Google Authenticator.
Make sure you’re set up with alert messages from Search Console Tools which will let you know when something bad is happening. Also ensure you regularly create backup files and keep your antivirus up to date.
Finally, it should go without saying, but using something like PASSWORD123 is asking for trouble. Try to make life a bit more difficult for prospective hackers by making your passwords as strong as possible. If you're worried you won't remember the various passwords you're using for different platforms, just use a password manager like Dashlane.
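Because a tampered robots.txt is silent until rankings fall, it is worth checking it automatically. The following is an added example, not code from the original article: it compares the live file against a known-good hash and uses Python's standard `urllib.robotparser` to report which must-rank pages have become blocked. The two robots.txt bodies, the `shop.example` domain and the `KEY_PAGES` list are constructed assumptions; in practice `live_text` would be the file fetched from your own site on a schedule.

```python
import hashlib
from urllib.robotparser import RobotFileParser

# Constructed examples: the robots.txt you deployed, and a tampered copy.
KNOWN_GOOD = """User-agent: *
Disallow: /admin/
"""
TAMPERED = """User-agent: *
Disallow: /admin/
Disallow: /products/

User-agent: Googlebot
Disallow: /
"""
# Hypothetical list of pages that must always stay crawlable.
KEY_PAGES = [
    "https://shop.example/",
    "https://shop.example/products/best-seller",
]

def digest(text):
    """SHA-256 of the file body, stored as the baseline after each deploy."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()

def blocked_pages(robots_text, pages, agents=("Googlebot", "*")):
    """Return sorted (agent, url) pairs that the rules forbid crawling."""
    parser = RobotFileParser()
    parser.parse(robots_text.splitlines())
    return sorted(
        (agent, url)
        for agent in agents
        for url in pages
        if not parser.can_fetch(agent, url)
    )

def audit(live_text, baseline_digest, pages):
    """Report whether the file changed and which key pages are now blocked."""
    return {
        "changed": digest(live_text) != baseline_digest,
        "blocked": blocked_pages(live_text, pages),
    }

if __name__ == "__main__":
    print(audit(TAMPERED, digest(KNOWN_GOOD), KEY_PAGES))
```

A change with an empty `blocked` list may be a legitimate edit; a change that blocks a key page should raise an alert.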
6. Creating fake social profiles
What’s that old saying? Imitation is the greatest form of flattery. Well, not in this instance anyway.
Some competitors resort to creating fake social media profiles in your name and then post all sorts of stuff to undermine your reputation and spread disinformation. Usually this is done via bot activity, as it would be far too tedious and time-consuming for the black hat actor to manually create and manage multiple fake accounts.
What you can do
Google yourself and your business to check for social media profiles pretending to be you (don't worry, it's not vanity when done for pragmatic purposes). Keeping an eye on where your own name and brand crop up on socials is becoming increasingly important.
Rather than doing this manually (which would take forever), just use a social listening tool such as Hootsuite or Brandwatch to alert you of any relevant brand mentions. If you do come across fake profiles, report them as spam to whichever platform you see them on. Again, here are some telltale signs to help you spot bot-driven fake social profiles:
- Account description – No photo, bio, or description. Or a username with lots of numbers.
- Rapid activity frequency – Posting faster than any human possibly could.
- Automation – When an account posts generic replies that appear automated.
- Account creation – Bots tend to have fairly recent account creation dates.
- Follower to Following Ratio – Bots usually follow lots, but have very few followers.
Also - track your ‘mentions’ on all platforms. Sometimes, loyal followers will tag you in suspicious posts to let you know about it or to check if it’s you or not.
Protect your paid search traffic too
Fake users aren't just a problem on socials. They can harm your paid search results too.
Click fraud is an exponentially bigger problem for most businesses than negative SEO.
In the context of PPC campaigns, click fraud involves humans or bots posing as real users and clicking on ads with zero intent to buy. And frustratingly, Google doesn’t take as much action in combatting click fraud as they do with negative SEO. Fake clicks still generate revenue for Google, so there’s no pressing incentive for them to completely eliminate them.
$771bn is spent on online traffic acquisition each year. And the size of the market is growing by more than 10% YoY. But current estimates show that 11% of this total spend is wasted on fake users and invalid traffic.
As long as ad campaigns deliver an ROI, most businesses chalk this recurring loss up to “the cost of doing business”. But that shouldn't be the case. And this is exactly where Lunio can help. Our software eliminates click fraud across all of your paid channels.
Our proactive exclusion functionality allows you to analyse traffic on the channel you’re spending the most on, and apply the insights gained to all other channels.
For example, if you’re using Lunio to protect your Google Search Ads from invalid clicks and traffic (i.e. bots, spammers, and fraudsters), we’ll generate extensive data and lists of bad IP addresses detailing exactly who you don’t want to see your ads.
We then use that data to build custom invalid audiences and apply them to any other paid marketing channel. This not only guarantees that all your clicks are genuine, but it also helps ensure your new campaigns are targeted correctly from the get go.
If you'd like to see it in action, you can get started today with a free trial. You’ll receive a comprehensive traffic audit showing you exactly how much of your ad spend is currently being wasted - with no obligation to purchase.