Two months ago, I had an alarming experience that highlights just how easy it is to fall victim to cybercriminals. I logged into my American Express account and noticed a $500 charge for Google Ads. My first thought? “I must have forgotten to turn my ads off.”
But then, confusion set in. I don’t even use my American Express card for Google Ads. To double-check, I logged into my Google Ads account—only to find no active campaigns.
I called American Express to contest the charge, and their response shocked me. Before I could even explain, they said, “We know these are fraudulent charges.” Clearly, this wasn’t the first time they’d seen this scam.
So, what happened? I recently found an article from Malwarebytes that shed light on the situation. Their blog post, “The Great Google Ads Heist”, explains how cybercriminals are targeting Google Ads users through phishing schemes. Here’s what I learned:
How the Scam Works
Hackers impersonate Google Ads through fake login pages hosted on Google Sites. These phishing pages trick users into entering their credentials, which the criminals then use to hijack accounts. Once inside, the scammers:
Add themselves as administrators to lock out the real account owner.
Use stolen ad budgets to run their own campaigns.
Resell compromised accounts on blackhat forums.
Key Findings from Malwarebytes’ Investigation
Deceptive Tactics: Fake Google Ads redirect victims to phishing pages that look legitimate, leveraging Google Sites to bypass detection.
Global Reach: Scams were traced to groups in Brazil, Asia, and possibly Eastern Europe.
Victim Impact: Notifications of suspicious logins often arrive too late, leaving victims locked out of their accounts.
Scope of Damage: Thousands of accounts globally have been compromised, costing businesses significant losses.
How to Protect Yourself
The Malwarebytes article provides actionable advice for staying safe:
Use Ad Blockers: Reduce your exposure to malicious ads.
Verify URLs: Always double-check the website’s URL before entering your credentials.
Enable Two-Factor Authentication (2FA): Add an extra layer of security to your accounts.
Monitor Your Accounts: Regularly check for unauthorized activity.
Why This Matters
Google Ads is a critical tool for many businesses, and these scams exploit that trust. Unfortunately, even though Google has policies in place, scammers continue to find ways to bypass them. As users, it’s up to us to stay vigilant and take steps to secure our accounts.
If you’re running Google Ads or any other online advertising campaigns, make sure you’re aware of these threats. Being proactive can save you time, money, and a lot of frustration.
Have you experienced something similar? Share your story in the comments and let’s raise awareness about these scams!
Credit: This post is inspired by the article “The Great Google Ads Heist” from Malwarebytes.
