Managing hundreds of clients within your Google Ads Manager Accounts (MCC) can become a nightmare when accounts get hijacked. Imagine your entire MCC or individual Google Accounts being taken over—it’s a scenario that can cause significant disruption and stress.
Craig Skalko shared on LinkedIn that his company’s entire Google Ads MCC was compromised at 12:30 a.m. despite having two-factor authentication enabled. He expressed confusion about how such an incident could occur, stating that neither he nor his team could access their accounts. They received emails notifying them of an unknown administrative user being added, who then linked their MCC to many of their accounts—an alarming development.
This type of breach has been observed repeatedly over the past year, often on accounts with two-factor authentication enabled, which suggests that scammers may be relying on phishing emails. These malicious emails appear to originate from Google but are fake, crafted to deceive account owners into granting access.
One warning sign is an email that looks like a legitimate Google communication but whose links point to different URLs. When users click accept, they are directed to a fake login page mimicking Google’s, where they are prompted to enter their credentials. Industry experts who have shared examples of such phishing attempts highlight how convincing these fake emails have become, making it easy for scammers to harvest login details even from users with two-factor authentication.
The consequences of a successful hijack can be severe. Hackers often run malicious ads leading to malware or phishing sites, draining your ad budgets and putting your entire account at risk. Recent discussions across various online forums reveal numerous cases of MCC breaches, with some scammers racking up extensive ad spend in just a few hours, often without the account owner realizing it.
Support resources from Google suggest reporting compromised accounts and following steps to recover access. However, in cases of MCC account hijacking, these measures might not fully prevent ongoing ad spend or malicious activity. For example, some businesses have had their credit cards deactivated and bank accounts delinked, yet charges continue to accrue due to the hackers’ persistent access.
Google has provided guidelines emphasizing best practices to safeguard accounts. These include recognizing phishing attempts, deleting inactive or dormant accounts, and routinely auditing user access. Specifically, they advise being cautious about unfamiliar login activity, the addition of new users or accounts to MCCs, and recognizing common phishing tactics.
To bolster security, enabling Two-Factor Authentication (2FA) is strongly recommended. This adds an extra layer of verification to prevent unauthorized access, though it can still be bypassed if account credentials are compromised through phishing.
While the exact methods scammers use to gain entry remain unclear, the consensus is that falling for phishing schemes grants hackers access to all linked accounts under a manager MCC. Vigilance, regular audits, and strong security protocols are essential to protect your advertising investments and your client accounts from these increasingly sophisticated threats.




