Inside Google Ads podcast: Episode 108 - Hacked
Imagine waking up at 3:00 a.m. to one of the worst phone calls you'll ever receive.
Your Google Ads MCC has been hacked.
That's exactly what happened to Adina Z at Napkin Marketing, whose agency had been a Google Partner for over a decade. She had two factor authentication. She had allowed domains enabled. She was doing all the right things. And yet the hackers got in.
Alex Melen, Co-founder at SmartSites, said it only took three minutes for hackers to remove all of his employees and all of his clients from thousands of Google Ads accounts.
So if you think your Google Ads manager account is hack proof because of a password, think again.
Today, we are breaking down the sophisticated tactics that hackers are using right now to seize Google Ads accounts and Google manager accounts, so that together we can build the playbook Google hasn't provided yet: how to prevent these hacks and what to do if they happen.
I'm your host, Jyll Saskin Gales. I spent six years working for big brands at Google, and now I work for you.
This is Inside Google Ads: Episode 108, Hacked.
Now, before we get into how these hacks are happening, how to prevent them, and what to do if you get hacked, I have a very important disclaimer. Please do not reach out to me personally if you have been hacked.
Even if I wanted to, there is nothing I could do to help. Like if my own manager account were hacked, for example, and I reached out to my friends at Google, for security reasons, they couldn't even help me because they are not assigned to my account.
I have no way to personally escalate anything for you. There is nothing I can do to help you beyond what's in this episode, which is exactly why I'm creating this episode.
If you have additional information or perspective to add, please drop a comment if you're watching or listening on YouTube or Spotify.
I'm also creating a blog post on my website with this information, and I will keep updating that blog post as I learn more from folks in the industry who are willing to share. You can find that link in the episode description.
Alright, so let's start with what is actually going on here because Google Ads account hacking has been around a long time, unfortunately, but there's a new kind of sophisticated hack that is taking down agencies and sophisticated Google Ads experts.
I’m not trying to knock the small business owners out there, but in the past it was pretty easy to convince someone who doesn't log into Google Ads every day to grant account access or click a link in an email. While those are still dangers, what's happening now is so much worse.
The most common story I'm hearing is the phishing attempt through an audit or a demo.
For example, Marc Walker, Founder at Low Digital, shared how it started with a genuine looking email conversation, someone reaching out saying they want to hire your agency, you agree to do an audit, and then they send what looks like a standard Google Ads access invitation with perfect branding.
But here's what happens. When you click accept, it redirects to another page that looks exactly like the Google Ads login, but isn't.
And this is where the hackers are really smart: as you type your password into the fake page, the hackers (or, more often, an automated relay kit of the kind security people call adversary-in-the-middle phishing) type that exact same password into the real page.
Then, when the real Google login asks you to tap a number on your phone or verify via two-factor authentication, they mirror that prompt on the fake site. You receive the genuine prompt from Google, because the attacker's login attempt is what triggered it; you tap the number or type the code into the fake site; they pass it straight through to the real site, and boom. They're in.
What this means is that two-factor authentication based on codes or tap-a-number prompts, and only allowing certain domains, does not protect you anymore. The one kind of second factor this relay cannot forward is a hardware security key or passkey, because the key signs for the exact website in your address bar, and an answer produced for the fake page is useless to the attacker on the real one.
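To make the relay concrete, here is a toy model written for this page; it is not code from the episode or from Google. It plays out the exchange above with both sides' messages: a fake page that forwards whatever the victim submits to the real site, and a second factor that is either a relayable code (or tapped number) or a key-bound assertion. The origins, the `RealSite`/`Victim` classes and the use of an HMAC as a stand-in for the security key's signature are all my assumptions for illustration.

```python
"""Toy model of the real-time relay described above, and of why an
origin-bound second factor does not relay. Added example; not the
episode's code. The HMAC stands in for an authenticator's signature."""
import hashlib
import hmac
import secrets

REAL_ORIGIN = "https://ads.google.com"
PHISH_ORIGIN = "https://ads.googie.com"   # constructed look-alike


def sign(key_secret: bytes, origin: str, challenge: str) -> str:
    """Stand-in for the security key signing (origin, challenge)."""
    return hmac.new(key_secret, f"{origin}|{challenge}".encode(), hashlib.sha256).hexdigest()


class RealSite:
    """The genuine login service: password first, then a second factor."""

    def __init__(self, password: str, otp: str, key_secret: bytes):
        self._password, self._otp, self._key_secret = password, otp, key_secret
        self.challenge = None

    def login(self, password: str) -> str:
        if password != self._password:
            return "bad-password"
        self.challenge = secrets.token_hex(16)
        return "need-second-factor"

    def verify_otp(self, code: str) -> str:
        # A code or tapped number is just a value; whoever holds it can submit it.
        return "session-granted" if code == self._otp else "denied"

    def verify_assertion(self, origin: str, challenge: str, signature: str) -> str:
        # The site only accepts a signature computed over ITS origin. A signature
        # the key produced for the phishing page's origin can never match this.
        expected = sign(self._key_secret, REAL_ORIGIN, challenge)
        ok = (origin == REAL_ORIGIN and challenge == self.challenge
              and hmac.compare_digest(signature, expected))
        return "session-granted" if ok else "denied"


class Victim:
    def __init__(self, password: str, otp: str, key_secret: bytes):
        self.password, self.otp, self.key_secret = password, otp, key_secret

    def authenticator_sign(self, page_origin: str, challenge: str) -> str:
        # The browser tells the key which page is asking; the user cannot
        # override it, so a phishing page only ever gets a PHISH_ORIGIN signature.
        return sign(self.key_secret, page_origin, challenge)


def relay_otp_login(victim: Victim, real: RealSite) -> str:
    """Attacker's fake page forwards the password, then the code, to the real site."""
    real.login(victim.password)          # 1. password typed into fake page, replayed
    return real.verify_otp(victim.otp)   # 2. code/number typed into fake page, replayed


def relay_key_login(victim: Victim, real: RealSite) -> str:
    """Same relay, but the second factor is a security key / passkey."""
    real.login(victim.password)
    challenge = real.challenge                                      # forwarded to fake page
    signature = victim.authenticator_sign(PHISH_ORIGIN, challenge)  # bound to fake origin
    # The attacker forwards the signature and even claims the real origin; it still fails.
    return real.verify_assertion(REAL_ORIGIN, challenge, signature)


def direct_key_login(victim: Victim, real: RealSite) -> str:
    """The victim signing in on the genuine page, for comparison."""
    real.login(victim.password)
    signature = victim.authenticator_sign(REAL_ORIGIN, real.challenge)
    return real.verify_assertion(REAL_ORIGIN, real.challenge, signature)


if __name__ == "__main__":
    secret = secrets.token_bytes(32)
    real = RealSite("hunter2", "123456", secret)
    victim = Victim("hunter2", "123456", secret)
    print("relay, OTP/tap-a-number:", relay_otp_login(victim, real))
    print("relay, security key:    ", relay_key_login(victim, real))
    print("direct, security key:   ", direct_key_login(victim, real))
```

The point of the model is the last argument to `verify_assertion`: the attacker can forward bytes and can lie about the origin field, but cannot make the key sign for an origin its browser did not show, so the real site's recomputation never matches.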
Terrifying, I know.
And of course, because a lot of agencies pay their Google Ads bills on invoicing rather than credit cards, you can't just call up your bank and cancel your credit cards. You are on monthly invoicing with Google. You cannot stop the charges. You will just have to get them refunded later. We'll get to that.
Now, there are a few other kinds of hacks going around that I want to mention as well. One we see a lot is malicious Search ads: you search for “Google Ads” or “Google Ads login,” and you see an ad that says sign into Google Ads or log into Google Ads, except it's not from Google.
Sometimes it's really obvious, but sometimes the hackers build the fake page on Google Sites, so it lives under sites.google.com and the address still contains google.com. I don't know why Google allows anyone to run Search ads with this kind of stuff, but this is a really common attempt as well, and it catches small business owners, agencies and freelancers alike.
Finally, something Scott Clark highlighted on LinkedIn is a really great tip. Your forgotten Google Analytics access is a social engineering goldmine because hackers can use that to harvest admin email addresses and your exact campaign names and spend data to craft highly convincing phishing emails that look like they're from Google and they're not.
These are just some of the ways that hackers are gaining access to Google Ads accounts right now, racking up hundreds of thousands of dollars and wreaking havoc across the industry.
So let's focus now on what you can do to protect yourself, because I've actually figured out a way (feel free to correct me if I'm wrong): if you do what I'm going to tell you right now, the scams we just discussed should not be able to trick you.
After I share my tips, I'm going to share a lot of other tips from other folks in the industry who've been through this recently so that you know everything you can possibly know to protect yourself.
So first things first, when you want to log into Google Ads, do not go to Google and search for it. Do not start typing ads.google.com into your search bar. Do not click a link in an email, even if it's from a Google rep or Google recommendations or whatever.
Here is the only way to access Google Ads:
When you are already logged into Gmail or Google Calendar, click the nine-dot icon in the top right that brings up all the Google apps, scroll down and choose Google Ads. That is the only way to be absolutely sure: once you are already logged in somewhere you know is the real Google login, like your Gmail, your Google Workspace email or your calendar, go straight from there to Google Ads.
Then, if you are granting someone access to your account, the only way you're going to do so is by logging into Google Ads that same safe way. On the left-hand side, go to Admin, then Access and Security, and grant the access from inside your own Google Ads account.
If you want to grant access to a user, do it from that page. Only grant admin access if absolutely necessary. If someone's just auditing your account, for example, they only need view access. They don't need anything more than that.
If it's a manager account requesting access to your account, then from Access and Security, you just tap over to Managers, and you will see a pending manager request right there. So don't click a link in an email just in case. Go into Google Ads the safe way. Go over to Access and Security and approve the manager linking request from within Google Ads.
And if from a manager account you need to link a new client or prospective client's account to yours, ask them for their 10-digit account number, then safely go into your manager account, request access, and then they can grant you access from within their Google Ads account. So everyone stays safe.
If you do these things, then you should be able to avoid all of the hacking scams we discussed, but vigilance is key. So here are a lot of other tips that folks in the industry have been sharing that I think are great advice as well.
Reva Minkoff, Founder at Digital4Startups Inc., suggests that clients should always have admin access to their own accounts. And I agree. This is what gave her team a way to kick a hacked manager account out of many client accounts before they were compromised.
And this is just good business. Your clients, if you're a freelancer or agency, should always own their own Google Ads accounts and should always have admin access as well. Great tip there. But then no one else should be an admin.
Reva also recommends logging everyone at your company out of everything and forcing password resets periodically. That way, if hackers do gain access and are just lurking in open sessions, which they can do for months, you'll be kicking them out. So perhaps you want to set a monthly or even quarterly “annoying, but must do it for security reasons” at your company where everyone gets logged out, everyone gets the password reset, no ifs, ands or buts.
Scott Clark says you should never add gmail.com to your allowed domains, and I think this is a good tip too. Basically, if you want to grant someone access to your Google Ads account but their email is on a different domain than yours, say your company is at companyabc.com and they are at gmail.com, you have to add gmail.com as an allowed domain before you can grant them access. The catch is that allowed domains work per domain, not per address: once gmail.com is on the list, any Gmail address can be invited.
So in general, if you're working with a professional, they should have an email address that's not a Gmail address, and only add an allowed domain for someone you are directly giving access to.
Next, remember that the official address you're looking for in the address bar or in the URL preview is ads.google.com or accounts.google.com, not sites.google.com or anything else that merely contains google.com. However, these hackers can be really tricky. I've had instances where instead of the lowercase “l” in Google it's a capital “I”, or instead of the “m” in .com it's an “r” followed by an “n”, which looks like an “m”. So this one's not foolproof, but it's always good to take a look.
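As an added example that is not part of the episode, here is a small Python check that applies the rules above to a link before you sign in. It assumes (my assumption, not anything from Google's documentation) that the only legitimate sign-in hosts are ads.google.com and accounts.google.com, and its look-alike table is a constructed subset for illustration, not the full Unicode confusables list.

```python
"""Classify a login link as the real Google Ads sign-in, a look-alike, or
something else. Added example; not the episode's or Google's code."""
from urllib.parse import urlsplit
import unicodedata

# Assumption: these exact hosts are the only legitimate sign-in surfaces.
OFFICIAL_HOSTS = frozenset({"ads.google.com", "accounts.google.com"})

# Constructed, illustrative subset of look-alike sequences and what they imitate.
# Multi-character entries first so "rn" is folded before single letters.
CONFUSABLES = [
    ("rn", "m"),   # "google.corn" reads as "google.com"
    ("vv", "w"),
    ("0", "o"),    # "g00gle"
    ("1", "l"),
    ("i", "l"),    # a capital "I" lower-cases to "i", which mimics "l"
]


def canonical_host(url: str) -> str:
    """Pull the host out of a URL (scheme optional), fold case and Unicode
    compatibility forms such as fullwidth letters, and drop a trailing dot."""
    if "://" not in url:
        url = "https://" + url
    host = urlsplit(url).hostname or ""
    return unicodedata.normalize("NFKC", host).lower().rstrip(".")


def skeleton(host: str) -> str:
    """Collapse look-alike sequences so visual twins compare equal."""
    for seq, replacement in CONFUSABLES:
        host = host.replace(seq, replacement)
    return host


OFFICIAL_SKELETONS = frozenset(skeleton(h) for h in OFFICIAL_HOSTS)


def classify(url: str) -> str:
    """Return one of: official, lookalike, google_hosted_not_signin, unrelated."""
    host = canonical_host(url)
    if host in OFFICIAL_HOSTS:
        return "official"
    # An official name used as a leading label (ads.google.com.evil.example),
    # or a host that only matches after folding look-alikes, is a phishing host.
    sk = skeleton(host)
    if (any(host.startswith(h + ".") for h in OFFICIAL_HOSTS)
            or sk in OFFICIAL_SKELETONS
            or any(sk.startswith(s + ".") for s in OFFICIAL_SKELETONS)):
        return "lookalike"
    # Genuine Google property that is not a sign-in page, e.g. a Google Sites page:
    # the address contains google.com, but you should never enter credentials here.
    if host == "google.com" or host.endswith(".google.com"):
        return "google_hosted_not_signin"
    return "unrelated"


if __name__ == "__main__":
    # Constructed sample links, including the capital-I and "rn" tricks above.
    for link in ["https://ads.google.com/aw/overview",
                 "https://ads.googIe.com/signin",
                 "https://accounts.google.corn/login",
                 "https://ads.google.com.verify-access.example/",
                 "https://sites.google.com/view/ads-login",
                 "https://example.com/google-ads"]:
        print(f"{classify(link):25} {link}")
```

The check is deliberately exact-match on the host: anything that is not literally one of the two official hosts is rejected, and the confusable folding only decides whether a rejected host is a deliberate imitation worth reporting.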
While these are all great tips, I will still say that the absolute best prevention is to only access Google Ads from your email or calendar that you're already logged into, and only grant access when you are already safely logged into your own Google Ads account.
Now, finally, this is the part of the episode that I hope you never need: what to do if you get hacked. Again, please do not reach out to me directly. There is nothing I can personally do to help you. Consider this a starting point.
The first thing you should do is fill out the Google Ads compromised account form.
A lot of folks have said that when you do this, you might get initial replies saying there's no abnormal activity. Don't stop there.
Josh Day, Head of PPC, says persistence is 100% necessary, and that's absolutely true. You want to be loud. You want to be persistent. That is the way to get attention and get your account back.
You should be contacting support daily, multiple threads, multiple contacts. Never let a day go by without reaching out and pushing Google support. They have thousands and thousands of things to deal with and you want to be so annoying that they just want to deal with you so you'll stop bothering them. This is a good thing. It is their job. Be loud.
Next, if you do pay via credit card or your clients pay via credit card, cancel credit cards immediately.
However, this isn't foolproof. As Craig Skalko, Founder at Lost & Found Marketing, discovered, if you use monthly invoicing you can't just disconnect an invoice. You'll be responsible for hundreds of thousands of dollars in fraudulent spend that you're going to have to fight Google directly to get refunded.
I'll repeat what Reva noted earlier: notify your clients immediately. I know that this is absolutely terrifying, but there are so many people I've quoted in this episode who have publicly shared their experiences. I know at least half of the people I'm quoting personally. I can tell you they are excellent Google Ads practitioners, excellent agency owners, highly responsible. This could happen to anyone.
So tell your clients immediately because they may be able to go in, remove access from that manager account right away and avoid a whole lot of pain for them and for you. Do not try to keep this a secret; it could take weeks or even months to fully resolve and your clients need to know.
If you do have some kind of dedicated rep at Google, that will be very helpful. Again, keep reaching out and keep bugging them; be polite, but firm. You need help, and this won't get escalated as quickly through generic support. If you're a Google Partner, reach out to any assigned reps you might have immediately.
Next, document everything as much as you can if you still have visibility into the accounts while this is happening. Every charge, every email, every timestamp, because you're going to need that later to clean up all the billing mess, even when the hackers have been kicked out of your account.
And then finally, Adina Z says that even when Google says everything is in perfect order at the end, your original MCC owner might still be missing, your partner benefits might be inaccessible, things may not be completely fine. So focus on the immediate, the fraudulent charges, the fraudulent access first. Once you regain access and kick the hackers out, go through everything with a fine-tooth comb. Change history can be your friend here.
And lastly, as my friend Craig Skalko says, it is happening to good, competent teams all the time. So don't second guess yourself. Don't blame yourself. Just keep pushing forward. Get it solved.
And if you're willing, share your story publicly so that others can benefit just like you've benefited from what folks have shared in this episode.
Again, you can follow the link in the episode description to an article that I will continue to update as I learn more tips of more scams going on, things you need to know to keep your Google Ads account safe.
I'm sorry that this was a more serious and not as fun episode as we usually have here.
But when I saw what was happening in the industry, I knew I needed to use this platform to reach as many Google Ads practitioners as possible to let you know what's happening and how to prevent it.
Stay safe out there. Keep your Google Ads account locked down.
And next week, we'll return to our regularly scheduled program around here.
I'm Jyll Saskin Gales, and I'll see you next time Inside Google Ads.