Secure Your Google Ads Account Against The Rise In Hijackings

Jan 23, 2026 - 7:11 am
Filed Under Google Ads


For the past year or so, I've seen a growing number of complaints about Google Ads accounts being hijacked. It seems to be getting worse, even after we covered the Google Ads account hijacks last November. So how do you reduce the chances of your Google Ads account being hijacked?

To start, having your Google Ads account hijacked can be devastating, and it is just that much worse on the agency level. Your budgets can be spent, your bank accounts can be depleted, and your account history and reputation can be ruined. All of this can also lead to losing advertising clients and maybe worse. We covered some of this in our November story.

So what can you do to protect your account? I should be clear: even if you do all of this right, it is not a guarantee that your account won't be hijacked one day. It just helps reduce the chances of this happening.

Google Ads has a help document on how to secure your Google Ads account and it covers:

  • HTTPS: Use the HTTPS protocol when using the web
  • @google.com emails: Google will only email you from a @google.com address
  • Links: Be suspicious of links; right-click the link and check in a notepad where that link goes
  • Phone calls: Treat phone calls from Google as suspicious
  • Set up 2-Step Verification
  • Enable the "Confirm it's you" feature
  • Set up security policies at the MCC level

You can read more details over here.
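The sender and link checks from the list above can be run over a saved message, shown here as an added example that is not from Google's help document or from this article. It assumes your own mail provider stamps an `Authentication-Results` header on inbound mail; the sample message and the `.example` hosts are constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

TRUSTED = "google.com"  # the sender domain the help document names

# Constructed sample: forged From header, look-alike link target.
SAMPLE = """\
From: "Google Ads Support" <ads-noreply@google.com>
Authentication-Results: mx.example.net; spf=fail smtp.mailfrom=bulk.example;
 dmarc=fail header.from=google.com
Content-Type: text/html

<p>Review it at <a href="https://ads.google.com.account-review.example/login">
https://ads.google.com/aw/overview</a></p>
"""

def in_domain(host, domain=TRUSTED):
    host = (host or "").lower().rstrip(".")
    return host == domain or host.endswith("." + domain)

class LinkHosts(HTMLParser):
    """Collect the destination host of every <a href>, ignoring the visible text."""
    def __init__(self):
        super().__init__()
        self.hosts = []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self.hosts.append(urlparse(dict(attrs).get("href") or "").hostname)

def triage(raw):
    msg, findings = message_from_string(raw), []
    domain = parseaddr(msg.get("From", ""))[1].lower().rpartition("@")[2]
    if not in_domain(domain):
        findings.append(f"sender domain {domain or '(none)'} is not {TRUSTED}")
    # Only trust this header when your own mail provider added it (assumption).
    auth = msg.get("Authentication-Results", "")
    ok = rf"dmarc=pass\b[^;]*header\.from={re.escape(domain)}(?![\w.-])"
    if not domain or not re.search(ok, auth, re.I):
        findings.append(f"no DMARC pass for {domain}: From header may be forged")
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            parser = LinkHosts()
            parser.feed(part.get_payload(decode=True).decode("utf-8", "replace"))
            findings += [f"link goes to {h}, not {TRUSTED}"
                         for h in parser.hosts if h and not in_domain(h)]
    return findings
```

`triage(SAMPLE)` returns two findings even though the displayed sender is @google.com and the link text shows a real Google Ads URL.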

Scott Clark posted more tips on LinkedIn, which he said should be shared:

  • Harden logins: Use unique passwords + 2FA (authenticator app preferred). Text-based 2FA is getting easier to defeat by the day. This includes manager accounts (often used for monthly billing) and regular account access.
  • Minimize access - Set the users and their access levels thoughtfully. Use extreme care with "allowed domain" lists. Never, ever add a @gmail.com user or allow @gmail.com as an allowed domain in Google Ads (MCC or acct) - please do not "assume admin credentials" - even if the person is high on the org chart.
  • Get an Access invite? Be extremely wary of new or unknown MCC requests. We're hearing some are using very real-looking emails—some people have even confused these with Google Doc access requests. We recommend you forward those to us to review.
  • Be cautious with “audits,” dashboards, and "tool demos": Some start as a “quick review” then push for extended access; others originate from third parties with poor security hygiene. If these are required, set a reminder to remove access the second the demo is over.
  • Assume unsolicited “Google support” is untrusted: A @google.com email alone isn’t proof enough - sadly. We will verify these users with our Google contacts if needed for our clients, usually in a few hours.
  • Layered Security (MCC and Account): If you're using monthly billing, you must maintain hygiene practices on both layers. Attacks are coming in on both simultaneously.
  • Google Analytics is a "Reconnaissance" backdoor: This is a social engineering goldmine. Hackers use GA4 access to harvest the exact email addresses of your Admins and Executives. They then use your real campaign names and spend data to craft highly convincing spear-phishing emails.
  • Tag Manager (GTM) is the ultimate 2FA bypass: GTM allows users to run code that "clones" your active login session (Cookie Hijacking). Once they have your session "wristband," they can enter the account from their own computer without ever needing your password or 2FA code. They aren't logging in; they are simply impersonating your already-verified browser.

Here is another scam I saw posted recently and Ginny Marvin from Google replied, "Good work checking the email & domain, Jonathan. Thanks for flagging. Unfortunately these types of tactics are not uncommon. While our teams take action to prevent account takeovers, we urge our agency partners and advertisers to implement security best practices. Please see this Help Center article that covers how to check if it's actually Google trying to reach you, protect your account, and report suspicious activity."

This stuff is scary but do what you can to protect your accounts.

Forum discussion at LinkedIn.

 
