Cybercriminals are increasingly hijacking Google Ads accounts, using sophisticated phishing tactics to steal login credentials and run fraudulent, high-budget campaigns. This surge in account takeovers has left businesses and advertising agencies facing significant financial losses, with some reporting tens of thousands of dollars drained in just hours. These attacks often bypass standard security measures, including two-factor authentication, posing a serious threat to advertisers globally.
Phishing Tactics Evolve
Attackers employ highly convincing phishing emails that mimic official Google Ads account invitations. These emails direct unsuspecting users to fake login pages, often hosted on Google Sites, which appear almost identical to legitimate Google login screens. Once a user enters their credentials, the scammers capture their login information, including usernames, passwords, and even two-factor authentication codes. This allows them to gain full administrative access to the Google Ads account.
After gaining access, hackers quickly add new administrator users, frequently using generic Gmail addresses, and then revoke the original owner's access. This locks out the legitimate account holder, giving the criminals free rein to launch their own ad campaigns using the victim's linked billing information. One agency reported a client losing access in under seven minutes after an email invitation was sent. Another incident saw a performance advertising agency with $50 million in annual spend discover an overnight spike, leading to $180,000 in overspend due to compromised automated scripts.
Financial and Operational Impact
The financial repercussions for businesses are immediate and severe. Fraudulent ads run by hijackers can quickly deplete advertising budgets, leading to substantial, unauthorized charges. An agency noted "tens of thousands" in ad spend racked up within 24 hours during an MCC takeover. Beyond direct monetary losses, compromised accounts can lead to malware exposure through malicious ads, invalid activity flags, ad disapprovals, and long-term damage to a brand's reputation. For agencies managing multiple client accounts under a single Google Ads Manager Account (MCC), a single breach can result in widespread operational chaos, affecting hundreds of client accounts simultaneously.
Google acknowledges the rising threat of credential theft, especially during busy periods like the holiday season. It advises users to be extremely cautious and to follow established security practices.
Protecting Your Google Ads Account
Experts and Google recommend several critical steps to protect Google Ads accounts from hijacking. Enabling two-factor authentication (2FA) is paramount, adding an essential layer of security beyond just a password. While sophisticated phishing can sometimes bypass SMS-based 2FA, using a trusted authenticator app offers stronger protection.
Advertisers should also use strong, unique passwords and update them regularly. It is crucial to restrict Google Ads account access to email addresses associated with your company's domain, rather than personal Gmail accounts. After configuring this, remove gmail.com from the list of allowed domains in your account settings to prevent unauthorized Gmail addresses from being invited as administrators.
Regularly reviewing user access levels is another vital security measure. Grant "Admin" access only to key personnel and assign "Standard" or "Read-only" access as needed for other team members. Promptly remove any inactive users or those who no longer require access.
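The domain restriction and access review above are easy to express as a repeatable check. The following is an added example, not Google's code or API: it audits a constructed user list for administrators outside the company domain, for any non-company address, and for stale users, and it reports which entries in the allowed-domain list should be removed. The company domain, the 90-day inactivity threshold and the user records are assumptions.

```python
"""Audit a Google Ads user list for the access rules described above.

Added example, not Google's code or API. The user list, the company
domain and the inactivity threshold are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import date

COMPANY_DOMAIN = "example.com"     # assumption: the advertiser's own domain
INACTIVE_AFTER_DAYS = 90           # assumption: review threshold
AS_OF = date(2025, 1, 31)          # constructed "today" so the run is reproducible

# Constructed allowed-domain list; gmail.com should not be on it (see text)
ALLOWED_DOMAINS = ["example.com", "gmail.com"]


@dataclass(frozen=True)
class AdsUser:
    email: str
    role: str          # "Admin", "Standard" or "Read-only"
    last_active: date  # last sign-in or change recorded for the user


# Constructed sample of one account's user list
USERS = [
    AdsUser("cfo@example.com", "Admin", date(2025, 1, 30)),
    AdsUser("media.buyer@example.com", "Standard", date(2025, 1, 29)),
    AdsUser("contractor2023@example.com", "Standard", date(2024, 6, 2)),
    AdsUser("ppc.manager.4481@gmail.com", "Admin", date(2025, 1, 31)),
    AdsUser("analyst@example.com", "Read-only", date(2025, 1, 28)),
]


def audit_users(users, company_domain=COMPANY_DOMAIN, as_of=AS_OF,
                inactive_after_days=INACTIVE_AFTER_DAYS):
    """Return (severity, email, reason) findings for the user list.

    An Admin outside the company domain is the pattern the article
    describes for takeovers, so it is rated high; other outside
    addresses are medium; stale users are medium.
    """
    findings = []
    for u in users:
        domain = u.email.rsplit("@", 1)[-1].lower()
        if domain != company_domain:
            sev = "high" if u.role == "Admin" else "medium"
            findings.append((sev, u.email,
                             f"{u.role} access from outside {company_domain}"))
        idle_days = (as_of - u.last_active).days
        if idle_days > inactive_after_days:
            findings.append(("medium", u.email,
                             f"inactive for {idle_days} days; remove or downgrade"))
    return findings


def stale_allowed_domains(allowed, company_domain=COMPANY_DOMAIN):
    """Domains that should be removed from the allowed-domain list."""
    return [d for d in allowed if d.lower() != company_domain]


if __name__ == "__main__":
    for sev, email, reason in audit_users(USERS):
        print(f"[{sev}] {email}: {reason}")
    for d in stale_allowed_domains(ALLOWED_DOMAINS):
        print(f"[config] remove {d} from allowed domains")
```

Run it on an export of the account's user list; the high-severity findings are the ones to act on first, since an unexpected outside administrator combined with a stale owner entry matches the lockout sequence the article describes.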
Vigilance and Proactive Monitoring
Staying vigilant against phishing attempts is crucial. Google will never send unsolicited messages asking for your password or other sensitive information via email or through a link. Always verify the URL before logging in; legitimate Google login pages will not be hosted on sites.google.com. Confirm any account invitations directly within your Google Ads Manager Account rather than relying solely on email notifications.
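The URL check above can be automated, for instance in a mail gateway or a browser policy that inspects links before a sign-in page is shown. The following is an added example, not Google's code: it classifies a sign-in URL, rejects pages hosted on sites.google.com as the article advises, and also handles look-alike hosts and a user-info prefix that make a foreign host read like accounts.google.com. The trusted-host set is an assumption.

```python
"""Classify a sign-in URL before credentials are entered.

Added example, not Google's code. TRUSTED_LOGIN_HOSTS is an assumption;
a deployment would keep its own allow-list. The sites.google.com rule
comes from the article's advice.
"""
from urllib.parse import urlsplit

TRUSTED_LOGIN_HOSTS = {"accounts.google.com"}      # assumption
USER_HOSTED_HOSTS = {"sites.google.com"}            # anyone can publish here


def classify_login_url(url: str) -> str:
    """Return "trusted" or a "reject: <reason>" string."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()   # hostname is already lower-cased
    if parts.scheme != "https":
        return "reject: not https"
    if "@" in parts.netloc:
        # "https://accounts.google.com@other.example/" sends you to other.example
        return "reject: user-info prefix hides the real host"
    if host in USER_HOSTED_HOSTS:
        return "reject: user-hosted page, not a Google sign-in host"
    if host in TRUSTED_LOGIN_HOSTS:
        return "trusted"
    # Covers look-alikes such as accounts.google.com.other.example and
    # homograph hosts, which never match the exact allow-list entry.
    return f"reject: unknown host {host!r}"


# Constructed inputs for a quick self-check
SAMPLE_URLS = [
    "https://accounts.google.com/signin/v2/identifier",
    "https://sites.google.com/view/ads-account-invite",
    "https://accounts.google.com.other.example/signin",
    "https://accounts.google.com@other.example/signin",
    "http://accounts.google.com/signin",
]

if __name__ == "__main__":
    for u in SAMPLE_URLS:
        print(f"{classify_login_url(u):55s} <- {u}")
```

Exact host matching is deliberate: a suffix or substring test would accept `accounts.google.com.other.example`, and parsing with `urlsplit` rather than string search is what makes the user-info and port cases come out right.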
Monitoring account activity for unusual changes in budget, bids, ad groups, or
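Spend and budget monitoring of the kind the article calls for can run on the daily figures an account already produces. The following is an added example, not a Google Ads feature: it flags a day whose spend exceeds a multiple of the previous week's median, and flags change-history entries that raise a daily budget by more than that multiple. The spend series, the change records, the seven-day window and the 3x factor are constructed assumptions.

```python
"""Flag abnormal spend and budget changes against a rolling baseline.

Added example, not a Google Ads feature. The spend series, change
records, window length and multiplier are constructed assumptions.
"""
from statistics import median

BASELINE_DAYS = 7      # assumption: compare against the previous week
SPIKE_FACTOR = 3.0     # assumption: alert above 3x the baseline
MIN_BASELINE = 50.0    # assumption: ignore accounts spending next to nothing

# Constructed daily spend in USD; the last value imitates an overnight takeover
DAILY_SPEND = [1200.0, 1150.0, 1300.0, 1250.0, 1180.0,
               1220.0, 1260.0, 1210.0, 1190.0, 9800.0]

# Constructed change-history entries: (campaign, old daily budget, new daily budget)
BUDGET_CHANGES = [("Brand-Search", 150.0, 175.0),
                  ("Shopping-EU", 400.0, 5000.0)]


def spend_alerts(series, baseline_days=BASELINE_DAYS, factor=SPIKE_FACTOR,
                 min_baseline=MIN_BASELINE):
    """Return (day_index, spend, ratio_to_baseline) for each spike.

    The baseline is the median of the preceding window, so one earlier
    spike does not raise the bar for the next one.
    """
    alerts = []
    for i in range(baseline_days, len(series)):
        base = median(series[i - baseline_days:i])
        if base >= min_baseline and series[i] > factor * base:
            alerts.append((i, series[i], round(series[i] / base, 1)))
    return alerts


def budget_change_alerts(changes, factor=SPIKE_FACTOR):
    """Return change records whose new budget exceeds factor x the old one."""
    return [(c, old, new) for c, old, new in changes if new > factor * old]


if __name__ == "__main__":
    for day, spend, ratio in spend_alerts(DAILY_SPEND):
        print(f"day {day}: spend {spend:.0f} is {ratio}x the 7-day median")
    for campaign, old, new in budget_change_alerts(BUDGET_CHANGES):
        print(f"{campaign}: daily budget raised from {old:.0f} to {new:.0f}")
```

Running this hourly rather than daily shortens the window in which a takeover can spend, which matters given the overnight losses the article reports; the same logic applies unchanged to per-hour figures with a longer baseline window.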
In a related incident, a Google corporate Salesforce instance experienced a data breach in June 2025. This breach exposed approximately 2.5 million records of Google Ads customer data, including business names, contact details, and related notes. Attackers gained access through sophisticated voice phishing and social engineering, not a vulnerability in Salesforce's platform. This highlights the broader landscape of threats targeting sensitive business information.
Google continues to invest in advanced threat detection and prevention technologies. However, the evolving nature of these attacks requires advertisers to maintain strong security practices and educate their teams about potential threats. Proactive security measures, combined with quick response to suspicious activity, are essential to safeguard valuable advertising investments and maintain brand integrity in the digital landscape.