Google Ads accounts have been hijacked for as long as I’ve been managing them (23+ years!), and cybercriminals use many different methods to do it. Lately, though, we’ve been hearing about hijackings that are easily preventable: they exploit the way Google Ads admin users are granted access to their accounts. It’s an easy fix, and we want to help more of you prevent it from happening!
Here is how it works. The attacker first compromises an admin’s Gmail account. If two-factor authentication isn’t enabled, that alone lets them log in to the Google Ads account. Once in the account, they invite and approve a new Gmail address as an administrator. This works only because gmail.com is on the Allowed Domains list in the account settings; an email address cannot be invited at all unless its domain is on that list. Then the hacker revokes the original admin’s user access, locking them out of the account.
They do all of this in a matter of minutes, almost too fast for you to receive the email notifications and react before it is done. A recent hijacking that happened to one of our clients took less than seven minutes from the first notification that an email invitation had been sent to the moment the client was kicked out of their account!
What the cybercriminals gain from hijacking your account is the ability to run their own ad campaigns on your billing information, meaning you’ll be paying for their ad activity.
To protect your Google Ads account, follow these four critical steps:
- Enable Two-Factor Authentication (2FA):
Activating 2FA on your Google Ads account adds an extra layer of security. While it may slightly slow down your login process, it significantly reduces the chances of unauthorized access if your email account is compromised.
- Avoid Using Gmail Addresses for Access:
Restrict access to your Google Ads account to email addresses associated with your domain. This applies to both you and your team members. Google requires accounts to be Google-enabled, but it’s easy to convert your domain email to a Google-enabled account (see below).
- Remove Gmail from the Allowed Domains:
Once completed, remove gmail.com from the list of Allowed Domains in the “Access and Security” settings. That means no Gmail addresses can be invited to the account in the future.
- Regularly Review and Audit User Access:
Periodically review the list of users with access to your Google and Google Ads accounts. Remove any accounts that no longer need access, particularly Gmail addresses or accounts you don’t recognize.
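Steps 2 through 4 above, and the invite-then-revoke timeline described earlier, are easy to check mechanically. The script below is an added example, not code from the original post or from Google: it audits a user-access list against a domain allowlist and a list of known users, confirms gmail.com is off the Allowed Domains list, and flags an admin removal that follows a new invitation within a short window. The CSV export, the allowlist, the known-user set and the event log are all constructed sample data (hypothetical accounts); in practice you would paste in the user list and change history from your own “Access and Security” settings.

```python
import csv
import io
from collections import namedtuple
from datetime import datetime, timedelta

Finding = namedtuple("Finding", ["email", "reason"])

# Constructed sample of a user-access export (hypothetical accounts)
USERS_CSV = """email,access_level,added
alice@example.com,Admin,2023-01-10
bob@example.com,Standard,2023-03-02
growthhacker88@gmail.com,Admin,2024-05-14
carol@partner-agency.com,Read only,2022-11-30
"""

# Constructed: what the Allowed Domains list should contain after step 3
ALLOWED_DOMAINS = {"example.com"}

# Constructed: the users you know should have access
KNOWN_USERS = {"alice@example.com", "bob@example.com"}

# Constructed notification/change-history events: (timestamp, action, email)
EVENTS = [
    ("2024-05-14 09:02", "invited", "growthhacker88@gmail.com"),
    ("2024-05-14 09:04", "accepted", "growthhacker88@gmail.com"),
    ("2024-05-14 09:08", "removed", "alice@example.com"),
]


def domain_of(email):
    """Return the lower-cased domain part of an email address."""
    return email.rsplit("@", 1)[-1].lower()


def parse_users(text):
    """Parse the exported user list into a list of dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def audit_users(users, allowed_domains, known_users):
    """Flag Gmail users (steps 2/3), users outside the allowlist, and
    users nobody recognizes (step 4)."""
    findings = []
    for user in users:
        email = user["email"].lower()
        domain = domain_of(email)
        if domain == "gmail.com":
            findings.append(Finding(email, "gmail address"))
        elif domain not in allowed_domains:
            findings.append(Finding(email, "domain not in Allowed Domains"))
        if email not in known_users:
            findings.append(Finding(email, "unrecognized user"))
    return findings


def audit_allowed_domains(allowed_domains):
    """Step 3: return any entry that would still let Gmail users be invited."""
    return [d for d in allowed_domains if d.lower() == "gmail.com"]


def detect_takeover(events, window_minutes=15):
    """Return (new_user, removed_user, minutes) for every removal that
    follows a different user's invitation or acceptance within the window.
    This is the invite-then-revoke pattern from the post."""
    parsed = [(datetime.strptime(ts, "%Y-%m-%d %H:%M"), action, email)
              for ts, action, email in events]
    window = timedelta(minutes=window_minutes)
    alerts = []
    for t_rm, action, removed in parsed:
        if action != "removed":
            continue
        for t_add, add_action, added in parsed:
            if (add_action in ("invited", "accepted") and added != removed
                    and t_add <= t_rm <= t_add + window):
                minutes = int((t_rm - t_add).total_seconds() // 60)
                alerts.append((added, removed, minutes))
                break
    return alerts


if __name__ == "__main__":
    for f in audit_users(parse_users(USERS_CSV), ALLOWED_DOMAINS, KNOWN_USERS):
        print(f"REVIEW  {f.email}: {f.reason}")
    for d in audit_allowed_domains(ALLOWED_DOMAINS):
        print(f"REMOVE  {d} from Allowed Domains")
    for added, removed, minutes in detect_takeover(EVENTS):
        print(f"ALERT   {added} added, then {removed} removed {minutes} min later")
```

Run it on a schedule against a fresh export and treat any `ALERT` line as an incident: the removed admin should be restored and the newly added user removed while you still hold another admin login.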
Follow these instructions to make your company domain email Google-enabled:
- Go to the Google Account sign-in page.
- Click Create account, to the left of the blue Next button.
- Enter your name.
- Click Use my current email address instead.
- Enter your current email address.
- Click Next.
- Verify your email address with the code sent to your existing email.
- Click Verify in that email.
Taking these precautions will greatly reduce the risk of your account being hijacked and your bank account or credit card being used to fund someone else’s ads!
For even more ways to protect your ad accounts from being hijacked, read our previous blog 4 Security Tips to Keep Your Accounts from Going Jurassic.