Threat Intelligence

Google Ads Scam: Attackers are Stealing Accounts

Key Insights

Cyber criminals are running a scam targeting Google Ads users. They create fake Google Ads login pages. When businesses click on these fake login pages and enter their credentials, attackers take over their accounts. These stolen accounts are then sold to criminals or used for more scams.

Who should read this?

  • Businesses and advertisers with Google Ads account – If you run ads on Google, you could be a target.
  • Anyone using Google Search Engine – If you use Google’s search engine for work or personal use, you need to stay alert.

How does this scam work?

For businesses and advertisers

Attackers create fake Google Ads with URLs that look legitimate. When you click on the link, you are taken to a fake login page and asked to enter your Google Ads account credentials. Once attackers gain access to your account, they can misuse it to spread fake ads, malware, or scams.

For individual users

While browsing on Google, you might come across a fake Google ad that appears to be from a legitimate business. Clicking on the ad redirects you to a phishing page that looks real but is actually designed to steal your information instead of taking you to the actual website.

What’s the risk?

For businesses and advertisers

  • Loss of account control – Hackers can take over your Google Ads account, change ad settings, and run scams using your budget.
  • Financial loss – Attackers might drain your ad budget by running fake ads or redirecting traffic to their own sites.
  • Reputation damage – If scammers use your account for fraud, your business could lose customer trust.
  • Data exposure – If your Google Ads account is linked to other business accounts, sensitive data may also be at risk.

For individual users

  • Stolen login information – If you enter your details on a fake website, hackers can take over your user account.
  • Identity theft – Stolen credentials can be used for fraud, including accessing your emails, bank accounts, or social media.
  • More cyber attacks – Once hackers have your data, they might try to break into other accounts or sell your information to other criminals.

How to stay safe?

For businesses and advertisers

  • Bookmark the official Google Ads login page so you don’t have to search for it whenever you need to log in.
  • Enable Multi-Factor Authentication (MFA) so that even if attackers steal your credentials, they can’t access your account without verification.
  • Monitor your Google Ads account activity for unusual logins or unauthorized ad changes.
  • Enable login alerts and set up recovery options to receive notifications about suspicious activity.

For individual users

  • When viewing sponsored ads on Google, click on the three-dot menu to see more information about the advertiser and verify its authenticity.
  • Use Multi-Factor Authentication (MFA) so that even if attackers steal your credentials, they can’t access your account without verification.
  • If an ad looks suspicious or offers unrealistic deals, go directly to the official website instead of clicking on the ad.

References

  1. The great Google Ads heist: criminals ransack advertiser accounts via fake Google ads
  2. Attackers Hijack Google Advertiser Accounts to Spread Malware

Resources

Google Ads scam_Tips for end users

Free infographic

Google Ads scam: Tips for end users

Download this infographic for practical tips to protect yourself from fake Google ads that mimic real businesses.

Google Ads scam_Tips for Google Ads account users

Free infographic

Google Ads scam: Tips for Google Ads account users

Download this infographic for practical tips to protect your Google Ads account.

Related Videos

How to stay safe from web-based phishing?