Google Ads Agencies Are Getting Phished Through Their Own Contact Forms
The best phishing attack is the one you're trained to respond to immediately. For Google Ads agencies, that's a new client lead.
Multiple agencies reported this week that scammers are submitting polished inquiry forms, setting up discovery calls, and then requesting Manager Account (MCC) access during onboarding. The pitch looks real. Company names check out. The domains redirect to legitimate corporate websites. And if you're running an agency, your entire qualification process is probably designed to say yes to exactly this kind of lead.
Pauline Jakober, founder of the B2B agency Group Twenty Seven, caught one of these attempts on April 10 after noticing the sending domain was registered three days earlier. She verified through Whois records and LinkedIn searches. The contact had no LinkedIn profile. The domain, a near-perfect lookalike of a legitimate corporation, had been set up to redirect to the real company's website.
Ginny Marvin, Google's Ads Product Liaison, confirmed the pattern publicly, noting that "phishing schemes are a common method" for account infiltration. Which, to be fair, is a politely corporate way of saying the problem is widespread enough that Google felt the need to acknowledge it directly.
The attack works because agencies are built to respond to it
This is the part that actually bothers me about the whole thing. Every agency I know has some version of a sales process that starts with "inbound lead comes in, we respond quickly." Speed is a competitive advantage. You don't want prospects sitting in your inbox for 48 hours.
Scammers know this. The fake inquiries arrive through the agency's own contact form, use professional language, reference real companies, and in some cases include enough insider detail to pass a casual sniff test. One agency owner reported receiving three of these in a single week. The pitch quality was, by several accounts, better than what most real prospects send.
The scam pitch was more polished than most genuine RFPs. Let that sit for a second.
The endgame is MCC access. If an agency grants account access during onboarding (which is standard operating procedure for most shops), the attacker gains operational control across the entire portfolio of client accounts connected to that MCC. Billing information, campaign data, audience lists, conversion tracking setups. Everything underneath the manager account is exposed. Sophisticated account takeover scams have been escalating for over a year, and this fake-client vector is probably the most effective variant so far.
Three checks that take less time than reading this section
I don't think this requires overhauling your entire sales process. It just requires adding a few steps before you grant any account access.
Check the domain registration date. Jakober caught hers because the sending domain was registered April 7, three days before the inquiry arrived. Any domain registered in the past 30 days should trigger a pause. Run it through a Whois lookup. Takes about 90 seconds.
Verify the person on LinkedIn. Not whether a profile exists generally, but whether they're connected to the company they claim to represent. Scammers build professional-sounding personas, but they rarely build out a full LinkedIn history with connections at the target company. If a "VP of Marketing at [Fortune 500]" has 12 connections and no work history, that's not your next client.
Cross-reference with the company directly. If someone claims to represent a brand with a marketing team, that company has a switchboard or a general marketing inbox listed on their website. Send a separate email. Call the number on their About page. This feels paranoid until you remember what's at stake: your entire MCC and every client account inside it.
39.2 million suspended accounts and the pattern underneath
This isn't an isolated tactic. Google suspended 39.2 million advertiser accounts in 2024, more than triple the 12.7 million from the previous year. A lot of that enforcement is catching the aftermath: compromised accounts being used to run fraudulent ads, stolen billing information, identity fraud. The fake-client-lead approach is just a newer entry point into the same ecosystem.
Based on that trajectory, the 2025 ads safety report will probably land somewhere north of 50 million suspended accounts. The attack surface is growing faster than enforcement can keep up.
And it's part of a broader trend where the tools agencies rely on are becoming attack surfaces themselves. We've seen Google Ads Editor bugs silently rewriting extensions across accounts. We've seen credential theft through fake Google Ads login pages, documented by Malwarebytes, where criminals impersonate Google itself to harvest agency credentials. The progression makes sense if you think about it from the attacker's side: why try to crack the lock when you can walk through the front door with a handshake?
The MCC is the single point of failure most agencies ignore
If you manage 20 or more client accounts under one MCC (and most agencies managing Google Ads at any scale do), your exposure from a single compromised access point is significant. The attacker doesn't need to hack 20 accounts individually. They need one onboarding slip.
From what I've seen, the agencies handling this well aren't the ones with the most sophisticated security infrastructure. They're the ones who added a verification step between "qualified lead" and "granted MCC access." That gap, even if it's just 24 hours and a domain check, is enough to catch most of these.
A few things I'd do this week if I ran an agency:
Add a Whois check to your onboarding checklist. Before any account access is granted. Non-negotiable. Google's own help documentation recommends verifying identity through official channels before granting any account permissions. It's good advice. It's also buried deep enough in their support pages that almost nobody actually reads it.
Review who currently has access to your MCC. Right now. Open it up and look at the list. If there's anyone you don't recognize, or any pending invitation you didn't send, revoke it today.
Turn on two-factor authentication on your MCC if you somehow haven't already. I know this sounds basic, and honestly it is. But based on the volume of account takeovers Google is reporting, a lot of agencies still haven't done it.
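The domain-age check described in the three-checks section and again in the onboarding checklist above, as an added example that is not part of this article: a small triage helper that reads raw WHOIS text, pulls the registration date, and flags any domain younger than 30 days. The WHOIS records, the registrar name and the inquiry date with its year are constructed for the example; real WHOIS output varies by registrar, so the field labels accepted here are an assumption, not an exhaustive list.

```python
import re
from datetime import date

# Threshold from the article: a domain registered in the past 30 days should trigger a pause.
MAX_DOMAIN_AGE_DAYS = 30

# Constructed sample WHOIS records (not real registrations), shaped like typical registrar output.
SAMPLE_WHOIS_LOOKALIKE = """\
Domain Name: EXAMPLE-CORP-MARKETING.COM
Creation Date: 2025-04-07T14:12:05Z
Updated Date: 2025-04-07T14:12:05Z
Registrar: Placeholder Registrar, Inc.
"""
SAMPLE_WHOIS_ESTABLISHED = """\
Domain Name: EXAMPLE.COM
Creation Date: 1995-08-14T04:00:00Z
Registrar: Placeholder Registrar, Inc.
"""

# Registrars label the field differently; these are common spellings (assumption, not exhaustive).
_CREATION_KEYS = ("creation date", "created", "registered on", "registration date")


def parse_creation_date(whois_text):
    """Return the registration date found in raw WHOIS text, or None if no recognised field is present."""
    for line in whois_text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip().lower() in _CREATION_KEYS:
            m = re.match(r"\s*(\d{4}-\d{2}-\d{2})", value)  # ISO timestamp or bare date
            if m:
                return date.fromisoformat(m.group(1))
    return None


def triage_lead_domain(whois_text, as_of, max_age_days=MAX_DOMAIN_AGE_DAYS):
    """Return (verdict, age_days): 'pause' for young domains, 'ok' otherwise, 'unknown' if unparseable."""
    if isinstance(as_of, str):
        as_of = date.fromisoformat(as_of)
    created = parse_creation_date(whois_text)
    if created is None:
        return ("unknown", None)  # no creation date: send to manual review rather than waving it through
    age = (as_of - created).days
    return ("pause", age) if age < max_age_days else ("ok", age)


if __name__ == "__main__":
    inquiry_date = "2025-04-10"  # constructed: the article gives April 7 / April 10 without a year
    print("lookalike  ", triage_lead_domain(SAMPLE_WHOIS_LOOKALIKE, inquiry_date))
    print("established", triage_lead_domain(SAMPLE_WHOIS_ESTABLISHED, inquiry_date))
```

Feed it the text returned by your WHOIS tool of choice; a record with no recognisable creation field comes back as "unknown" so it still lands in front of a human instead of being auto-approved.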
When the scam is better than your real pipeline
Here's what sticks with me about this particular attack vector. The reason it works isn't because the technology is clever or the phishing page is convincing. It works because the scammer's fake RFP is, in many cases, more professional and better structured than the real inquiries agencies receive. They've studied what a legitimate sales inquiry looks like and reverse-engineered it.
That's not a security problem you solve with better firewalls. It's a process problem you solve by being slightly more suspicious of the leads that seem too polished. Which is, admittedly, an uncomfortable thing to tell your business development team.
Nobody wants to be the person who slowed down the pipeline. But a Whois lookup takes less time than making a second cup of coffee, and the alternative is explaining to 20 clients why someone else has access to their ad accounts.
Notice Me Senpai Editorial