Alarming: How Easy It Is to Hack a Google Ads Account


or many years, the focus of technology companies was to keep pushing to improve products and services. We were wringing the technology sponge as much as we could, and this has meant great improvements for individuals, families, and businesses. We have mobile devices in our pockets that can do more than early laptops, and we have voice assistant devices that can search the web and answer our questions within seconds. For businesses, there are opportunities to advertise and reach out to niche audiences on the internet. 

The problem? You guessed it, security. Now, the security side of the industry is fighting to catch up with all the amazing technological advancements. Unfortunately, this has led to gaps, and many hackers and scammers are taking advantage of this. In particular, much of the attention in recent times has been on Google Ads. 

$5,000 Hack - A Worsening Reality

Sadly, it only takes one search on Google to find stories of small businesses that have had their Ads account hacked. In one case, a small business owner logged into their account to find a charge of over $5,000. Previously, spending wouldn’t exceed a few hundred across a month. How could this have happened? 

Within 24 hours, hackers had gained access to the account and duplicated a campaign. In a short period, the campaign had received a healthy chunk of clicks and the owner was left with a hefty charge. After doing some research online (and contacting Google, of course), they learned that they weren’t the first to get hacked - or even the first that day. 

Eventually, they reached out to the Google live help desk and were assured that the company wouldn’t have to pay for the charges generated without their permission. Although this came as a great relief, the damage had already been caused. Google performed a full investigation and the company couldn’t advertise while this took place. As a result, exposure decreased, and revenue followed. Ultimately, they lost money from the hacking and this affected their bottom line for the month and year. 

The alarming reality of this story is that thousands of people have and still will experience the exact same thing in 2020. In what has already been an incredibly difficult year, a Google Ads hacking has the potential to drown a small business. 

Interestingly enough, this isn’t a new problem. A little over five years ago, an article was uploaded to the internet called ‘Hackers hit Google AdWords and AdSense Networks’. Earlier this year, Google revealed that potentially billions of passwords and usernames had been hacked. Soon after, they released a guide on how to protect a Google account. 

We said that there were gaps in security in the technology world, but there is also a knowledge gap for internet users. It’s alarming how easy it is to hack a Google Ads account, but we can make it harder for hackers. 

Has My Account Been Hacked? 

This is a great question, and there are some things you can do to check. 

Look for Unexpected Activity 

A hacker will normally gain access to an account with a specific goal in mind. Rather than checking analytics or reviewing the performance of your ads to offer advice, this goal is to create ad campaigns without your knowledge. With this in mind, it’s important to keep an eye on all account activity. 

After logging into your Google account, head over to the Security section, and click on ‘Recent Security Events’. From here, you should see an option to review security events. As you assess activity, you’ll have an option to make Google aware of any activity not sanctioned by yourself or the advertising team. 

Check All Device Access 

Go back to the Security section of your account and choose ‘Manage Devices’ inside the Your Devices panel. Although we appreciate the difficulties that large businesses will encounter, we recommend checking all the devices listed on this page. If necessary, get the marketing manager together with other managers to review the different devices currently accessing the account. At this point, many people sadly notice a device that isn’t recognized by the company. Once again, it’s up to you to report this unauthorized device for Google to take action. 

As you can imagine, both of these steps are more difficult for businesses that allow access to dozens of employees. You won’t believe the mess that some businesses get their Ads accounts into with regards to permissions and access. Not understanding the consequences, they allow 50 people access to the Ads account and this includes people who haven’t worked at the company for many months (or years!). 

If you want to limit hacking and secure your account, controlling access is a tip that all experts recommend. 

How to Deal with a Hacking 

If you follow the advice stated above, you’re much more likely to spot the activity of a hacker and shut them down before they have a chance to do serious damage. As the statistics suggest, not everybody takes a proactive approach and not everybody catches a hacker early. Regardless of when you notice a possible attack, the good thing is that Google takes hacking seriously and therefore has measures in place to help business accounts. 

Before anything else, go onto Google and use the account recovery process. Essentially, this will aim to secure your account and prevent access to all those with no permission. At this point, know that there is a special form for users to complete in the Help Center.

If Google has suspected a compromise, the account has likely already been suspended. If this isn’t the case, Google will ask the status of the account and take the appropriate measures from here. When an account is temporarily suspended, all campaigns will pause and nobody in the business will have access to Gmail, Ads, or any other Google product. 

After filling the compromised account form, those with a dedicated account manager should reach out to them. Either way, the investigation begins, and Google will keep you updated on the progress. 

Protecting a Google Ads Account Against Hackers 

In the previous section, you learned how to deal with hacking, and this is important. However, the damage we saw in the example story earlier is something we want to prevent altogether. Therefore, it’s critical to protect your Google Ads account and suffocate the hackers away from the market. With limited access to accounts, they have no job and we can breathe easily again. Here are some tips that will protect your account: 

Take a Proactive Approach

After reading this guide, you know how to check your device history and activity history. If ever you spot unauthorized activity, communicate with others in the business, and report whenever necessary. The more you understand about your account and how it works, the easier it becomes to spot the activity of a hacker. 

Keep Control of Permissions

We know, this is getting harder and harder with employees working from home in 2020. However, keeping a tight ship with the Google Ads access and permissions will help. For starters, remove access for individuals who no longer need it. Whether this is ex-employees or employees in a different department, take access away. When looking through a list of people who have access, you should be able to justify each name. 

While doing this, make a list of the devices that access the account. This list will continuously evolve and change, but it makes the task of checking device activity much easier. 

Talk with Your Bank

Why? Because, often, hackers will send instructions to the bank while acting as somebody from the business. With an open line of communication, it’s possible to prevent hackers from setting up alternative instructions, transferring money, etc. 

Get into Positive Security Habits

Finally, get your security hat on and think about your account from this perspective. For example, this includes setting up two-factor authentication. According to the Verizon 2017 Data Breach Investigations Report, around four in five data breaches on the internet are caused by either stolen or weak passwords. With two-step verification, the idea is to use something you know and something you have. For instance, this could be a password and a mobile phone. After typing the password, Google will also ask you to enter a code sent to the mobile device. 

As well as this verification, it’s also wise to use Chrome since this is a Google product. Google Chrome has advanced security features like Password Alert, where users are notified when on an imitation website. 

Over the years, it seems that anti-virus software has fallen by the wayside. In reality, they’re more important than ever because of the security concerns mentioned in this guide. With the right tool, it will help to keep you safer online. 

Hacking a Google Ads account is scarily easy, but you now know how to react and then protect your account should the worst happen!