Google Ad Buyers Are (Still) Being Duped By Sophisticated Account Takeover Scams

Recorded: Dec. 3, 2025, 2:02 p.m.

Google Ad Buyers Are (Still) Being Duped By Sophisticated Account Takeover Scams | AdExchanger

By James Hercher

Wednesday, December 3rd, 2025 – 7:25 am

Agency buyers who manage portfolios of Google Ads and Merchant Center accounts are being targeted by sophisticated scam artists who hijack those accounts, drain client funds and sometimes lock out admins for weeks or even months.
That’s according to three ad buyers who spoke with AdExchanger anonymously for fear of potential reprisals by Google.

This problem isn’t exactly new, though.
The three agency execs who spoke with AdExchanger each had their accounts taken over between August and October. But similar fraudsters have been active since at least late last year, when cybersecurity business Malwarebytes first documented the issue and when an entirely different set of advertisers told AdExchanger they had suffered from account lockout attacks.
Last year, the attack vector came via fraudulent Google Search links. It’s a common practice – albeit a bad one – that people will type snippets like “Google Merchant Center” or “google account login” into a search bar and then click the first result on the page.
Usually, that’s a sponsored or organic link that leads to the real login page. But scammers would create convincing fake Google sign-in pages and make the sponsored link text appear as “ads.google.com” to capture traffic. When buyers inputted their username and password, they’d encounter what looked like the usual two-factor authentication request, but it would actually be coming from out of the US, most often Brazil. Buyers often didn’t notice and approved the two-factor login.
Oops.
Once the scammers get access, they lock everyone else out of the account and funnel the money back to themselves as well as spend it on phishing ads, while covering their tracks by erasing all campaign and reporting data.
Phase two
But the newer takeover scams reported to AdExchanger didn’t come via Google Search.
Two of the agency buyers said they’re confident that Gmail is the root of the problem in this case. One buyer said they believe their account was likely hacked using a Gmail ad, while the other said the attack stemmed from a phishing attempt disguised as a Google Merchant Center customer service request.

Another theory is that the attacker seized accounts via a Salesforce integration.
Google itself warned advertisers about another attack vehicle for a similar fraud strategy. An October blog post documents a cluster of “threat actors” in Vietnam that were taking over Google advertiser and merchant accounts through fake job listings and ads. Those fraudsters targeted part-time, freelance or contract ad buying pros who had access to account systems on their laptop or phone.
Once the malware was delivered, those accounts would be hijacked in much the same way.
But, according to Google, these things happen and when they do, it deals with them.
“Just like consumers, our Ads customers can face threats from bad actors looking to gain access to their accounts, which is why we use advanced techniques to stay ahead of these evolving tactics,” a Google spokesperson told AdExchanger. “If an account is compromised, our dedicated teams work to secure it, restore advertiser access and issue credits as necessary.”
What exactly is going on now?
The newest iteration of Google account takeover fraud via Gmail and/or other integrations is more difficult to pin down compared to the attacks from late last year and early this year. Those were immediately and accurately diagnosed by agencies.
The advertisers involved in these recent attacks were uncertain about the origin of the malware they were attacked with.
As one advertiser put it to AdExchanger, the tactics used by the scammers are “black-boxed,” because there is very little support or documentation forthcoming from Google about how the attackers got in or what they did in the accounts afterwards.
All three execs who spoke with AdExchanger said they were the ones who first alerted Google to the problem and not the other way around. Each still has client accounts their agency can’t access, so they can’t set up or run any new campaigns, even though the fraudsters have already been banished from those accounts.
In terms of where the money went, none have been updated by Google or found evidence in their accounts.
“They must know on the back end exactly where that fraudulent money was spent,” one agency exec told AdExchanger. But there’s no doubt that some portion of the spend goes toward perpetuating the fraud. The next victim’s malware is delivered via Google Search ads or Gmail ads, and these ads are paid for by the current victims.
But all three execs have their own different theories about what else the money might have been spent on. For example, one agency buyer said an affected account had spent at least part of the client’s budget on click-based ads leading to other sites, which he suspects are scammy sites where the fraudster is collecting ad spend as a publisher.
None of the others have seen campaign reports or anything that documents the illicit spend.
The losses
It also remains unclear how many legit advertisers remain locked out of accounts.
One exec whose agency was affected said they’ve kept the matter hush-hush so as not to cause a stir and because “we spend a considerable amount of money with Google, so we need to walk a fine line in terms of how we deal with them.”
Given how much these agencies spend with Google each year – and how much they’ve lost to fraudsters – you’d think they’d be entitled to at least basic customer service as a matter of course. But actually, they have to work for it.
The main priority for agency buyers is to protect and maintain the human customer support contacts they’ve managed to make at Google through blood, sweat and tears. They’re concerned that publicly complaining about the issues they’re experiencing on Google’s platform could leave them stuck with a cold shoulder or a chatbot that’s incapable of completing a ticket.
For a sense of scale, two of the agency execs claim they lost millions to fraud within their Merchant Center accounts, none of which has been refunded. Another said that because their daily budgets were relatively low, in the tens of thousands of dollars, total losses were below $1 million.
However, recouping ad credits is “actually secondary to getting account access back,” said one exec. He added that he’s confident his agency will someday recoup at least part of those fraudulently misappropriated millions in the form of ad credits once the primary issue is dealt with.
Another agency leader who saw takeover scammers spend millions of dollars in client budgets said his agency spends a nine-figure sum on Google media per year. Being such a big spender has helped the agency get some human support, they said, but “there really is no way to escalate above a low-level human.”
Some advertisers, meanwhile, have no hope of recouping ad credits.
After all, one acknowledged, these unfortunate situations do come down to user error. Someone trusted a Google Search ad or a Gmail ad and actively approved of a two-factor authentication request coming from a different country or continent.
“Google didn’t let them in,” one agency buyer said of the scammers. “Someone over here effed up.”
On the other hand, Google profits handsomely from the situation. Not only are scammers using Google’s platform tools to buy Google media, but brands also refill their accounts with more ad budget. In fact, all three agency execs said that they’ve mostly already covered their clients’ losses. If Google does refund an agency or advertiser, it does so only in part and only in the form of Google ad credits.
Which is related to what one agency exec said is the most frustrating aspect of account takeover fraud.
Months after the account takeovers were first reported to Google and the fraudsters were booted out with all new passwords, logins and two-factor credentials, one of the agency execs that AdExchanger spoke to said their business remains “frozen” with some of its most important clients.
“The lack of urgency on [Google’s] part has been pretty crazy,” they added.
Google Ad Buyers Are (Still) Being Duped By Sophisticated Account Takeover Scams

Agency buyers who manage portfolios of Google Ads and Merchant Center accounts are facing a persistent and evolving threat: sophisticated account takeover scams. Three anonymous agency execs, speaking to AdExchanger, have detailed a series of attacks that have spanned from August to October 2025, mirroring earlier incidents documented by Malwarebytes and other advertisers. The core issue revolves around fraudsters gaining unauthorized access to accounts, draining client funds, erasing campaign data, and using the compromised accounts for phishing ads and fraudulent spend.

Initially, the attacks leveraged fraudulent Google Search links – a common, albeit unwise, practice where users search for terms like “Google Merchant Center” to reach the legitimate login page. However, the latest scams have shifted focus, with two of the agency buyers identifying Gmail as the primary vector for the attacks. One executive believes their account was hacked through a Gmail ad, while another suggests a phishing attempt disguised as a Google Merchant Center customer service request. The attackers may also be utilizing Salesforce integrations, as suggested by another report.

The tactics employed by the scammers are “black-boxed,” meaning there is a limited amount of documentation or support available from Google. This makes it difficult for agencies to understand the precise mechanism of the attacks and implement effective preventative measures. Once they gain access to an account, the scammers swiftly lock out the original admins and funnel the stolen funds – commonly spent on click-based ads leading to questionable sites – while covering their tracks.

While the exact scale of the losses hasn’t been fully determined, agencies estimate that significant amounts – potentially millions of dollars – have been compromised. One agency reported losses totaling over $1 million, though recouping ad credits is secondary to regaining access to their compromised accounts. Multiple agencies are struggling to access their accounts, hindering their ability to run campaigns or provide crucial reporting to clients.

The lack of urgency from Google has exacerbated the situation, with executives describing their experiences as “frozen” due to the limited support they’ve received. Agencies are prioritizing maintaining contact with human Google support staff, wary of being hampered by chatbots. Furthermore, Google’s profits are bolstered by the situation, as scammers continue to purchase Google media and brands refill accounts with increased spend, creating a damaging feedback loop. The ongoing nature of this threat underscores the need for heightened vigilance and proactive security measures within the digital advertising ecosystem, but as of yet, these measures are falling short.