GSC: Social engineering critical
Search Console Security Issues - "Social engineering content detected"
Google flagged deceptive or phishing content on your site, triggering the red "Deceptive site" warning in browsers.
What you see
Security issues: Social engineering content detected - "This site may trick visitors into doing something dangerous such as installing software or revealing personal information."
What’s actually happening
Search Console's Security Issues report shows "Social engineering content detected" with a list of sample URLs. Chrome, Safari, and Firefox throw the full-page red "Deceptive site ahead" interstitial because they share Google's Safe Browsing data. Organic traffic falls off a cliff. The flagged pages may be ones you never created - injected by an attacker into a hacked subdirectory.
Common causes
- The site was hacked and an attacker dropped phishing pages (fake login/bank/parcel-delivery forms) in a hidden directory
- Injected scripts or deceptive overlays - fake "your computer is infected" prompts, fake software/update download buttons, misleading ads
- Third-party content you embed (ad network, widget) serving deceptive material to visitors
- Your own UI uses deceptive patterns: download/play buttons that aren't, forms impersonating another brand, or asking for credentials under a misleading pretext
- An abused open redirect or user-generated-content page being used to host phishing landing pages
How to fix it
- Read the report and pull the sample URLs: In Search Console, open Security Issues and expand the panel. Google lists example flagged URLs - this is the site-owner source of truth behind the browser warning. Visit each (carefully, in an isolated browser) to see exactly what content tripped it.
- Find and remove the deceptive content: For hacked sites, search the document root for unexpected directories and recently modified files, and grep for phishing markup or injected <script>. Scan the database for injected posts/comments. If it's your own content, remove the deceptive button/overlay/form or the misleading brand impersonation.
- Close the hole and rotate credentials: Patch the CMS/plugins, delete unknown admin accounts, fix any open redirect or UGC injection point, and rotate CMS/FTP/DB passwords. A re-review that finds the site reinfected resets you to square one and the next review is slower.
- Request a review and wait for propagation: Back in Security Issues, confirm you've fixed every listed sample, then click Request review and describe what you changed. Clearance commonly takes a few days; when Google clears it, the change propagates to Safe Browsing and the Chrome/Firefox/Safari warnings drop.
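A triage sketch for the "Find and remove the deceptive content" step, as an added example that is not part of the original page: it walks the document root and reports web files that were modified recently, contain a password field, or post forms to or load scripts from hosts you don't own. The function names, the extension list, the 30-day window and the path in the usage comment are assumptions for illustration.

```python
import os
import re
import sys
import time
from urllib.parse import urlparse

WEB_EXTS = {".html", ".htm", ".php", ".js"}  # assumed set; extend for your stack
PASSWORD_INPUT = re.compile(r'<input[^>]+type\s*=\s*["\']?password', re.I)
FORM_ACTION = re.compile(r'<form[^>]+action\s*=\s*["\']([^"\']+)', re.I)
SCRIPT_SRC = re.compile(r'<script[^>]+src\s*=\s*["\']([^"\']+)', re.I)


def external_host(url, own_hosts):
    """Return the host of an absolute or protocol-relative URL that is not ours, else None."""
    host = (urlparse(url).hostname or "").lower()
    return host if host and host not in own_hosts else None


def triage(docroot, own_hosts, days=30, now=None):
    """Walk docroot (hidden directories included) and return {relative_path: [reasons]}."""
    cutoff = (now or time.time()) - days * 86400
    findings = {}
    for dirpath, _dirs, files in os.walk(docroot):
        for name in files:
            if os.path.splitext(name)[1].lower() not in WEB_EXTS:
                continue
            path = os.path.join(dirpath, name)
            with open(path, "r", encoding="utf-8", errors="replace") as fh:
                text = fh.read()
            reasons = []
            if os.path.getmtime(path) >= cutoff:
                reasons.append("recently modified")
            if PASSWORD_INPUT.search(text):
                reasons.append("password field")
            for label, pattern in (("form posts to", FORM_ACTION), ("script loaded from", SCRIPT_SRC)):
                for url in pattern.findall(text):
                    host = external_host(url, own_hosts)
                    if host:
                        reasons.append(f"{label} {host}")
            if reasons:
                findings[os.path.relpath(path, docroot)] = reasons
    return findings


if __name__ == "__main__":
    # Example usage (path and hosts are placeholders): python triage.py /var/www/html example.com
    for path, reasons in sorted(triage(sys.argv[1], set(sys.argv[2:])).items()):
        print(path, "; ".join(reasons))
```

Hits are leads for manual review, not verdicts: a legitimate login page will also show up with "password field".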
Stop it recurring
Keep the CMS patched, enforce 2FA on admin logins, sanitize any user-generated content, and check the Security Issues report after every traffic anomaly.