Serious warning: I see a lot of messages about Google Ads manager accounts being hacked/hijacked lately.
The hackers get into the manager account, remove you from it, and then remove/change permissions on all users from all client accounts.
Here’s one example from LinkedIn today:
And here’s another:
Source: https://support.google.com/google-ads/thread/388653509
This is extremely scary sh!t if you ask me; I wouldn’t sleep at all if this happened to my manager account (with multi-millions ad spend in it).
It looks like phishing scams are getting more intense. Here’s an example:
Notice the sender email address (yellow highlight).
When you click “accept,” you get forwarded to the “continue page” that looks exactly like Google’s, but has a different URL.
If you enter your credentials there… you are F@#Ked!
Here’s the thing: You have to be very, very, VERY protective of who gets access to your Google Ads manager account.
Here’s how to fix:
1. Enforce 2FA, see https://support.google.com/google-ads/answer/12865295?hl=en
2. Set up Passkey for your Google account, see https://www.google.com/account/about/passkeys/
3. Restrict manager account access to your own domain so that other domains (including Gmail) can’t get access. See https://support.google.com/google-ads/answer/12865295?hl=en
4. Never accept invites to access a Google Ads account. Always send the invite yourself to the client to accept. (I always send link requests from my manager account.)
5. Be SUPER vigilant when asked to provide credentials/log in to Google Ads.
Forward this message to your colleagues if you share my concerns. This is a real issue.
Be safe!
– Nils