Fake Google Ads Are Stealing Login Credentials

Quick Summary – While this isn’t a new scam (it was particularly prevalent early in 2025), it keeps rearing its ugly head, with recent reports showing Google hasn’t quite figured out how to stop it. Cybercriminals are hijacking Google Ads accounts through fake Google ads that lead to counterfeit login and support pages, as well as through phishing schemes, to gain full access and take over advertiser accounts. Once inside, attackers run fraudulent campaigns, drain budgets overnight, and lock out the real account owners.

How Are Attackers Hijacking Ads Accounts?

Hackers are using a few key tactics to gain account access, including:

  • Impersonating Google Ads and redirecting people who click on the ads to fake login pages where their login credentials are stolen
  • Phishing emails mimicking Google support emails (they’re getting scarily realistic)
  • Trick redirects that harvest MFA (multi-factor authentication) tokens

What Happens After Hackers Get Into Your Google Ads Account?

After gaining account access, cybercriminals quickly set up high-budget scam campaigns, spending as much as possible as quickly as possible to target new victims. They also lock account owners out by changing recovery emails. Once they have your username, passwords, and potentially your billing information, they can sell them to other criminals for further misuse.

Why You Should Care

This malvertising operation can affect every business running Google Ads – including tree care companies and agencies managing client accounts.

Here’s what makes this threat serious:

  • Attackers target advertisers of all sizes – from small local businesses to large brands.
  • Budgets (and your credit card) can be drained in hours if attackers gain access.
  • Company reputation can be damaged, especially if malicious ads run under your brand.
  • Your Google Ads account will eventually be suspended, so you will not be able to run future ad campaigns.
  • Google’s recovery teams are overwhelmed – we’re finding it can easily take a month or more to restore your account.

If your tree care company relies on Google Ads to generate leads, this is a serious financial and security risk.

What You Should Do

You don’t need to panic, but you do need to harden your defenses. Take these steps immediately:

1. Secure Your Google Ads Login

  • Ensure anyone with access to your account uses a strong, unique password (consider using a password manager to help). Even better, change all passwords immediately.
  • Audit who has access to your account. Remove old employees, inactive email logins, and any emails you don’t recognize, especially those with Admin access.
  • Use 2-Step Verification (2FA) on Google accounts to add an extra layer of security. Yes, it can be a pain in the neck sometimes, but that’s better than having your Google Ads account run up tens of thousands of dollars in fraudulent ads.

2. Bookmark the REAL Google Ads URL

Never click Google Ads claiming to be for Google Ads (yeah, kind of ironic, isn’t it?). Avoid inadvertently ending up on a fake Google Ads login page by only accessing your Ads account through the direct link: https://ads.google.com.
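For teams that want to automate this check (in a link-checking script or a mail filter, for example), here is an added example that is not part of the original article. It accepts a link only when its host is exactly the URL given above; the function name, reason strings, and sample URLs are constructed for illustration.

```python
from urllib.parse import urlsplit

# Hosts treated as genuine. ads.google.com is the URL given in this article;
# extend the set only with hosts you have verified yourself (assumption).
TRUSTED_HOSTS = {"ads.google.com"}


def check_ads_url(url):
    """Return (ok, reason) for a link that claims to lead to Google Ads."""
    try:
        parts = urlsplit(url.strip())
        host = (parts.hostname or "").rstrip(".").lower()
        port = parts.port  # raises ValueError on a non-numeric port
    except ValueError:
        return False, "malformed URL"
    if parts.scheme != "https":
        return False, "not https"
    if parts.username is not None or parts.password is not None:
        return False, "userinfo before '@' hides the real host"
    if port not in (None, 443):
        return False, "unexpected port"
    labels = host.split(".")
    if not host.isascii() or any(l.startswith("xn--") for l in labels):
        return False, "internationalized (possible look-alike) host"
    if host in TRUSTED_HOSTS:
        return True, "exact match for trusted host"
    if any(t in host for t in TRUSTED_HOSTS):
        return False, "trusted name embedded in a different host"
    return False, "host not on allowlist"


# Constructed sample links; the .example domains are reserved for documentation.
SAMPLES = [
    "https://ads.google.com/home/",
    "http://ads.google.com/",
    "https://ads.google.com@login.example/",
    "https://ads.google.com.login.example/signin",
    "https://ads-google.example/",
]

if __name__ == "__main__":
    for link in SAMPLES:
        ok, reason = check_ads_url(link)
        print(("OK     " if ok else "REJECT ") + link + "  (" + reason + ")")
```

The comparison is on the parsed host, not on whether the text "ads.google.com" appears somewhere in the link, which is the detail look-alike pages rely on.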

3. Ignore “Google Support” That Reaches Out to You First

Google will never call or email you randomly asking for:

  • Your password
  • Verification codes
  • Billing access
  • Screen-sharing to see into your account

Don’t reply. Don’t click anything in those emails. If in doubt, contact Google through your Ads interface only.

4. Monitor Your Account Daily

Be especially vigilant about budget changes and new campaigns, as these could be signs of a hacked account. Here’s what to do:

  • Look for unknown campaigns, ad groups, ads, or keywords
  • Inspect your billing setup for any changes
  • Enable spend alerts so you’ll know if the budget is being used at a faster pace than normal
  • Check for unauthorized changes to your recovery email

5. Train Your Team

90% of account takeovers start with an innocent click on something that looks legitimate. Make sure your team knows to:

  • Never click Google Ads login links from sponsored results (ads)
  • Never approve unknown MFA (2FA) requests
  • Report suspicious emails or login prompts immediately
  • Never accept requests for Admin access without directly confirming with that person first

6. Have a Recovery Plan

If you think your Google Ads account has been compromised – and if you still have access to it – take these steps immediately:

  • Check for and remove access for all unknown users (you may want to remove everyone except yourself, at least temporarily)
  • Stop all campaigns (also consider setting the budget to $0)
  • Contact Google Ads support only from inside your Ads account
  • Pause billing until you’ve confirmed that your account is safe to use
  • Document the incident and submit it to Google for a reimbursement review (Google sometimes refunds fraud)