Google Ads MCC takeover attacks are rising – here’s how the phishing scams work

A surge of sophisticated phishing attacks is letting scammers take over full Google Ads Manager accounts (MCCs), giving them instant access to hundreds of client accounts and the power to burn through tens of thousands of dollars in hours without being noticed.
Driving the news. Agencies across LinkedIn, Reddit, and Google’s own forums are reporting a rise in MCC takeovers, even among teams using two-factor authentication. The attackers’ preferred weapon is a near-perfect phishing email that mimics Google’s account-access invitations.
- Victims say hijackers add fake admin users, link their own MCCs, and begin launching fraudulent, high-budget campaigns.
- In some cases, support tickets take days to escalate while money continues to drain.
- One agency reported “tens of thousands” in ad spend racked up within 24 hours.
How it works. The scams look like standard client-access invites – same branding, format, and copy – but the link sends users to a Google Sites page posing as a Google login screen. Once credentials are entered, the attackers get full MCC access.

Why it’s getting worse. Advertisers say the phishing attempts are now almost indistinguishable from real Google messages. Several agencies admitted they would have clicked if not for small discrepancies in the sender domain or login URL.

The impact:
- Budgets drained: fraudulent ads run immediately.
- Malware exposure: ads often lead to harmful sites.
- Account damage: invalid activity flags, disapprovals, and trust issues ripple for months.
- Operational chaos: agencies lose access to every client account under the MCC.
What Google says. The Google Ads Community team posted a “What to do if your account is compromised” help doc, warning advertisers about rising credential theft during the holiday season, but hasn’t acknowledged the scale of the MCC takeover surge.
Why we care. These MCC hijacks aren’t just isolated security issues – they’re direct financial and operational threats that can wipe out budgets, compromise every client account, and take days for Google to contain. With attackers now bypassing 2FA through near-perfect phishing, even well-secured teams are suddenly vulnerable. If just one team member slips, an entire portfolio of accounts – spend, performance, and client trust – is instantly at risk.
What experts recommend. Marc Walker, founder and managing director of Low Digital Ltd, shared these recommendations to keep your accounts from being hijacked:
- Always verify the URL: Google never uses Google Sites for login.
- Confirm invites inside the MCC, not just via email.
- Purge dormant users and inactive accounts to reduce attack surfaces.
- Educate teams on phishing red flags, especially during high-volume holiday outreach.
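The URL check in the first recommendation can be automated for invite emails that land in a shared mailbox. The following Python script is an added example, not code from Google or from anyone quoted in this article. Its allowlist of hosts, the verdict labels, and the sample message are assumptions constructed for illustration.

```python
from email import message_from_string, policy
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: the only hosts this team accepts for Google sign-in / Ads links.
TRUSTED_HOSTS = {"accounts.google.com", "ads.google.com"}

class LinkCollector(HTMLParser):
    """Collect the href of every <a> tag (the real target, not the visible text)."""
    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if tag == "a" and href:
            self.links.append(href.strip())

def classify(url):
    try:
        parts = urlsplit(url)
    except ValueError:          # malformed URL: never treat as trusted
        return "untrusted"
    # .hostname drops any "user@" prefix and the port, so a link such as
    # accounts.google.com@other.example is judged by its real host.
    host = (parts.hostname or "").lower().rstrip(".")
    if host == "sites.google.com":
        return "google-sites-login"  # the pattern described in this article
    if parts.scheme == "https" and host in TRUSTED_HOSTS:
        return "ok"
    return "untrusted"

def review_invite(raw_email):
    """Return (url, verdict) for every link that is not on the allowlist."""
    msg = message_from_string(raw_email, policy=policy.default)
    collector = LinkCollector()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            collector.feed(part.get_content())
    verdicts = [(u, classify(u)) for u in collector.links]
    return [(u, v) for u, v in verdicts if v != "ok"]

# Constructed sample message (not a real phishing email).
SAMPLE = """\
From: Google Ads <ads-noreply@mail.example>
Subject: You have been invited to access a Google Ads account
Content-Type: text/html; charset="utf-8"

<p><a href="https://sites.google.com/view/constructed-example/signin">Accept invitation</a></p>
<p><a href="https://accounts.google.com.signin.example/">Sign in</a></p>
<p><a href="https://ads.google.com/">Google Ads</a></p>
"""
```

Exact host matching is deliberate: a substring or suffix test would accept look-alike hosts that merely contain `accounts.google.com`.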
Between the lines. If even one user in a large MCC falls for the scam, the attacker effectively acquires keys to an entire portfolio – and can drain budgets faster than Google’s support system can respond.
Bottom line. Google Ads hijacks are a serious operational threat for agencies and in-house teams. Until Google ships stronger MCC-level protections, vigilance remains the only real defense.


