How to Defend Against Black Hat SEO (James Dooley Interviews Brian Kato)

James Dooley (0:00): How to defend against black art SEO. There’s a lot of people in the SEO community talking about black art strategies and a lot of sites being hit hard. Today I’ve got none other than Brian Kato, who’s speaking over in SEO Mastery Summit. He’s got a full talk on this at Mads Singers’ event and I’m looking forward to listening to that. But I want to dig a little bit deeper prior to your talk. First and foremost, for anyone that doesn’t know who Brian Kato is, can you give a quick background on your cybersecurity background and why you know about defending against black art SEO? Brian Kato (0:42): Yeah—so initially when I got into marketing, I was a full stack developer. I was doing a lot of online reputation management—understanding you can move things up, you can also move things down in the SERPs—without realizing that in and of itself is kind of SERP manipulation. But we just called it reputation. Over the years in SEO, I started to get more involved in the intersection between marketing and cyber. Because what I was finding is that you could rank people, but they didn’t have the foundation—so someone could come along and trash their brand or trash their site. It’s great if you’re ranking number one today, but if you’re completely de-indexed and off the grid the next day… how well did that marketing channel really work? That’s kind of how I got into it. James Dooley (1:44): That’s cool. So with defending against blackout strategies—are there any specific blackout strategy you’re seeing at the moment that’s rife, that people might not know about? What do people need to look out for initially—what are the different strategies being used and what to identify before trying to defend? Brian Kato (2:07): The first thing I want to make very clear is this: A lot of negative SEO—most of the attacks I get called in to look at—are self-inflicted. They hired a less-than-desirable link builder. They had a crappy link strategy. Their site isn’t optimized. A lot of it is self-sabotage. The instances where I see true attacks happen tend to come through an entity poisoning vector. Someone undermines who you are and your entire brand. They say it’s something else. It’s that decoupling of your brand. And the big thing a lot of people don’t understand is: anything you can do to move a business up in rankings can also be done to move a business down in rankings. It’s all about the implementation. James Dooley (3:09): Yeah, for sure. Entity recognition is so important nowadays—brand is key. And if someone’s disambiguating against the brand and trying to make out you’re somebody else… I can see why that would bring them down. Because everyone is trying to do the opposite now: repeat who you are, repeat what you do, repeat why you’re great. So if someone’s doing the opposite, your clarity and confidence score drops. But what can people do about it? Let’s say I’ve built a strong brand for 10 years: positive brand SERP, positive reviews, testimonials, case studies—then someone comes after me trying to take me down. How can I defend against that? Brian Kato (4:14): First thing we recommend is: understand what your baseline looks like—what “normal” looks like. A true attack is usually coordinated and calculated. It’s not just throwing a bunch of crappy links at something—Google largely disregards that. But if you’re attacking the entity, the knowledge panel, if you’re disambiguating / ambiguating the entity—those can be attack vectors. Another thing I see: review bombing. People leave false reviews. And then there’s another one that crosses into self-sabotage—canonicals. A lot of sites don’t have proper canonical setup, and that can open you up for attacks. James Dooley (5:21): Yeah—review bombing is nasty. We’ve seen horrible cases where people leave one-star reviews, then contact via the contact form saying: “I’ve left you these reviews. If you want me to change them to five-star, it’s £50 each.” And you’re just like—how are these sticking? A lot of real reviews get taken down, but these fake one-stars stick. What can someone do? Is it just reaching out to Google and hoping they remove it? Should you respond saying “we don’t have your records” and call it a fake review? Brian Kato (6:23): That “we have no record of working with you” response is the most common response I see. But it doesn’t work well because maybe that’s exactly why they’re leaving a one-star. If I went into a coffee shop and an employee in a branded shirt cut me off in line and gave me the finger… that’s a legitimate one-star review. The terms around reviews are loose. A genuine engagement can qualify. The reviews I see stick most often are just a star rating with no text—because Google has nothing to evaluate. So what we recommend is: Respond in a positive frame—something like: “We’d love feedback on what happened or what we could have done better. We take this seriously.” Then report it. James Dooley (7:56): That makes sense. So outside of entity poisoning and reviews—what about links? Google is pretty good at ignoring spam blasts like blog comments, GSA, Money Robot, etc. But what about when attackers use PBNs and exact match anchors to a money page—something that looks “SEO-normal” but is toxic? Does disavow help? Or does it still affect ranking? Brian Kato (8:44): Honestly, I very rarely disavow anything. In my tenure, I’ve disavowed maybe three or four times. Usually, we just build better links. We look at topical relevance, the semantics around the anchor, and we dilute it with higher-quality signals. Sometimes even if a link is de-indexed or ignored, it can still pass a little juice. But there’s one exception: anything related to CSAM / child exploitation notifications—those get disavowed immediately. James Dooley (9:30): Yeah—so anything extreme like that gets handled instantly. What else can we touch on without giving away your full Vietnam talk? Brian Kato (9:55): One thing I’ll mention is: The worst negative SEO I’ve seen comes from within—and comes from within Google. We’ll leave it at that. Some of the worst cases happen when someone weaponizes the system that’s supposed to help you. James Dooley (10:22): Got it. We’ll leave it there. Brian, it’s been an absolute pleasure. Anyone watching—if you want to understand how you might be self-sabotaging without realizing it, or how certain things inside Google could be harming your site—make sure you get over to SEO Mastery Summit. If you’ve got questions about blackout strategies, virality, CTR manipulation, short clicks, Navboost issues—leave a comment. Me and Brian will respond. There are a lot of blackout strategies at the moment, which annoys me because I think people should win on merit—but it’s part of the game nowadays. Brian, from your cybersecurity background, knows how to defend against a lot of this. It’s been a pleasure and I’ll see you again soon. Brian Kato (11:20): Sounds great. Thanks, James.