Millions of fake Googlebots are being used around the world in distributed denial of service (DDoS) attacks, hacking and spam, according to security firm Incapsula.
Imposters are said to disguise themselves as the search engine's indexing spiders to gain privileged access to websites, accounting for 4% of those who appear to belong to Google.
Igal Zeifman, product evangelist at Incapsula, said: "Most website operators know that to block Googlebot is to disappear from Google."
"Consequently, to preserve their SEO rankings, these website owners will go out of their way to ensure unhindered Googlebot access to their site, at all times."
A third of more than 50 million fake Googlebot sessions monitored by the company were identified as malicious, and almost a quarter were involved in DDoS attacks.
Imposters can be identified by checking IP addresses or the autonomous system numbers that ISPs use.
"The actual type of these impostors may vary, but all of them should be deemed suspicious by default, due to their attempt to assume a false identity," Zeifman added.
Incapsula reported that a quarter of botnets that supply fake Googlebots come from the US, with China, Turkey and Brazil accounting for around 15% each.
Google has been contacted for comment.