Recently, I’ve noticed a sharp rise in phishing attacks targeting Google Ads Manager accounts (MCCs). These sophisticated scams allow attackers to seize control over numerous client accounts, quickly spending massive amounts of money without detection.
Driving the news. Agencies on platforms like LinkedIn, Reddit, and Google’s forums keep reporting an increase in MCC takeovers, even among teams that use two-factor authentication. The attackers rely on nearly flawless phishing emails that impersonate Google’s account-access invitations.
Victims explain how hijackers insert fake admin users, connect their own MCCs, and start fraudulent high-budget campaigns that can go unnoticed for far too long.
In some cases, support requests take too long to process, leading to severe financial loss, with some agencies reporting upwards of tens of thousands of dollars in expenses within just 24 hours.
How it works. These scams expertly mimic standard client-access invites, using similar branding and format. However, the provided link redirects to a fake Google login page on Google Sites, allowing attackers to capture full MCC access once credentials are entered.
Why it’s getting worse. Many advertisers highlight how the phishing emails closely resemble authentic Google messages. Some agencies admitted they nearly clicked through but noticed small discrepancies in the sender domain or login URL just in time.
The impact:

Fraudulent ads run immediately, depleting budgets.
Malware exposure becomes a real risk, as these ads often direct to harmful sites.
Account damage results from invalid activity flags and disapprovals, with trust issues potentially lingering for months.
Operational chaos erupts as agencies lose access to every client account within the MCC.
What Google says. The Google Ads Community team issued a help document instructing advertisers on the steps to take if accounts are compromised, especially highlighting risks during the holiday season. However, Google has not acknowledged the widespread nature of MCC takeovers.
Why we care. These MCC hijacks are a serious financial and operational threat: they swiftly wipe out budgets, compromise client accounts, and take Google’s support days to contain. With attackers now bypassing two-factor authentication through nearly perfect phishing techniques, even the best-secured teams face risk. Just one mistake by a team member can put an entire portfolio at risk, impacting spend, performance, and client trust.

What experts recommend. Marc Walker, the founder and managing director of Low Digital Ltd, offers several strategies to safeguard your accounts from being hijacked:
Always verify the URL since Google doesn’t use Google Sites for login purposes.
Confirm invites within the MCC itself and avoid relying solely on email.
Remove dormant users and inactive accounts to reduce potential vulnerabilities.
Educate teams to recognize phishing red flags, especially during peak seasons like holidays.
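The URL and sender checks recommended above can be automated as a first-pass triage of a forwarded invitation email. This is an added example, not code from the original post or from Google; the function name triage_invite, the two allowlists, and the sample message are assumptions constructed for illustration.

```python
import re
from email import message_from_string, policy
from urllib.parse import urlsplit

# Assumptions for this example: adjust both sets to what your team expects.
TRUSTED_LINK_HOSTS = {"accounts.google.com", "ads.google.com"}
TRUSTED_SENDER_DOMAINS = {"google.com"}
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)

def triage_invite(raw_message):
    """Return a list of red flags found in a raw RFC 5322 invitation email."""
    msg = message_from_string(raw_message, policy=policy.default)
    flags = []

    # Sender domain check. A matching From header proves nothing (it can be
    # spoofed), but a mismatching one is a cheap red flag.
    sender = msg["From"]
    domains = {a.domain.lower() for a in sender.addresses} if sender else set()
    if not domains or not domains <= TRUSTED_SENDER_DOMAINS:
        flags.append(f"sender domain not trusted: {sorted(domains) or 'missing'}")

    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    for url in sorted(set(URL_RE.findall(text))):
        # Compare the parsed hostname, never a substring of the URL:
        # urlsplit ignores userinfo ("google.com@host") and the path.
        host = (urlsplit(url).hostname or "").lower()
        if host == "sites.google.com":
            flags.append(f"Google Sites page posing as a login link: {url}")
        elif host not in TRUSTED_LINK_HOSTS:
            flags.append(f"link host not trusted ({host}): {url}")
    return flags

# Constructed sample message, not a real phishing email.
SAMPLE = """\
From: Google Ads <ads-noreply@google-ads-invites.example>
To: analyst@agency.example
Subject: You have been invited to access a Google Ads account
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<p>Accept the invitation:
<a href="https://sites.google.com/view/placeholder-page">Sign in</a></p>
"""

if __name__ == "__main__":
    for flag in triage_invite(SAMPLE):
        print("RED FLAG:", flag)
```

An empty result only means none of these checks fired; the invite should still be confirmed inside the MCC itself.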
Between the lines. In a large MCC, if even one user falls for the scam, the attacker gains full access to the entire portfolio and can deplete budgets much faster than Google can respond.
Bottom line. Google Ads hijacks pose a substantial operational threat for both agencies and in-house teams. Until stronger protections are implemented, vigilance remains our strongest defense.
Inspired by this post on Search Engine Land.

