Google Ads Unleashed | Winning Strategies for E-Commerce Marketers

Google Ads Account Hacked: What Happens Next & Exactly How to Recover

Jeremy Young Season 3 Episode 146

Your Google Ads account just got hacked, thousands spent in minutes on fraudulent campaigns. Here's exactly what happens next and how to recover. 

In this episode of the Google Ads Unleashed Podcast, host Jeremy walks through a real account hack he helped a friend navigate, covering the full Google rollback process step by step, from fraudulent campaign detection and limited account access to campaign restoration, user reinstatement, and how to chase a refund. 

Learn why you need to take screenshots immediately, why you shouldn't delete fraudulent campaigns prematurely, and what preventative measures, from multi-factor authentication and password managers to cyber crime insurance, should be in place before this ever happens to you. 

Get your free 30 minute strategy session with Jeremy here: https://www.younganddigital.marketing/

Scale your store with 1:1 coaching: https://www.younganddigital.marketing/1-2-1-coaching

It is almost every advertiser's and agency's worst nightmare. You got hacked and you can't really do anything with your ad account anymore. This happened to a friend of mine and we went through the entire procedure with him together. It seems like I've seen everything in Google Ads over the last 15 years, but this is one I hadn't seen yet. Hence why I wanted to share with you if it happens to you so that you know what to do and you know what needs to be done in order to rectify the situation.

Hello and welcome back to Google Ads Unleashed. Hope everyone is doing fabulously this Monday. Um I'm currently actually on holiday which is why this is pre-recorded and this is actually about quite a serious topic because um I think as the world gets more and more complicated, more internet focused, everything's based on the internet nowadays, um and the more AI is advancing, the more the dangers of AI are becoming obvious as well. And I've warned about this on my LinkedIn a few times and now it actually happened to a friend of mine. The ad account got hacked by hackers and they spent a significant sum on his ad account and it got shut down, everything that was linked with his ad account and all of the sub accounts. So, what do you do in this situation? And today I wanted to run through kind of a couple of things: what to expect when this happens, why do people do it, why do hackers do that, and then also the remedies in the situation.

Okay, so let's start with what actually happens. So um what usually happens is that people try and gain access to your login uh into your Google Ads account. Um they usually try to do this via some sort of phishing method, right? So, they send a phishing email of which they uh coax a password out of you or even a 2FA out of you or they sort of just try it and potentially don't even have 2FA enabled.
They usually then go into your ad account and then launch fraudulent search campaigns which they direct to other websites which usually have some sort of phishing uh landing page, right? So, they try to capture someone's details and to scam that person there or they're trying to send it to a website where they're trying to generate sales and just generate a huge amount of traffic. And they do this usually by um two things. So they set the search campaign with a super high budget and (b) super high CPCs on really bizarre broad match keywords to get the campaigns to spend sometimes thousands within the hour. Okay, so this is something now that I've unfortunately come across twice, which is why I found it necessary to record this podcast.

What usually happens uh as a result, there are usually two things that happen. Either Google um shuts your ad account down, you get an email and uh it says that there's been fraudulent activity detected in the ad account or um if you happen to catch it, you will have to of course try and pause that campaign and of course contact Google support to let them know. In the first case when your uh account gets shut down or fraudulent activity gets spotted, it does happen sometimes that only one or two sub accounts for instance from your MCC would have been detected. So always make sure that you go through the change history of the entire MCC or sub account or however your structure is and then make sure that um there hasn't been a fraudulent campaign created somewhere else in an account which you are not aware of. So you will want to pause everything. And then the fun happens. Of course, at this stage, you will usually be extremely panicky. My mate was as well. In fact, um I remembered quite well. He rang me when I was in Tenerife a few months ago in February and said, "You will not believe that this has happened." And I was on the golf course at the time. Um and we went through the process together.
And basically um what then happens is you of course launch an investigation with Google. They usually send you a link where you have to fill out a form where you have to very exactly describe what happened, which ad accounts are affected, which email addresses and telephone number to contact, etc., etc. You then start uh what Google calls a rollback process. So once they've actually found the ad account or the um sort of activity to be fraudulent, they actually first of all pause um uh your access to your own MCC. So it gets uh limited access. Usually you only have sort of a read only access. What you can do in the meantime though is still make certain changes like pause campaigns or pause or change budgets when you go onto the settings. You can also still use Editor which is interesting but you can't actually use any features of the interface. Okay.

If you are an operator, this is the time where you have to come clean with clients and let them know. In my experience it is always best to communicate as transparently as possible in those cases. Um and clients are very often understanding. If it's yourself, then forgive yourself. It's one of them things that happens to anyone and everyone even with all the precautions that you can take.

What Google then does is once they've actually determined what has happened and when the breach had happened is they roll back all of the affected uh accounts and all of the affected sub accounts to the date on which the breach was detected. So let's say this happened last Monday. Uh it'll be the 8th of uh June when this comes out and they detected a breach on the 1st of uh June which is also Monday. Then they will reset all ad accounts to how they were then. So all campaigns and all the changes made afterwards will be deleted. All of the users invited after that date to the ad account will be deleted. Any new ad accounts linked to your MCC will actually be disconnected.
What they also do is they choose one champion account, usually one email address that is usually you um as kind of the master email address which within a very short time period after this rollback has started will be able to restore two things. So first of all the accesses from all of the sub accounts and the accounts that you're in. So what will happen is that they will um uh actually set every single account on that rollback date to read only. So um uh it'll be then in the state as it was on the day the breach was detected. All uh users will be read only first. The second thing that will happen is that they will pause all campaigns. So what I would urge you to do when this has affected you is to take screenshots of all of the users and all of the campaigns or where this has happened uh as soon as you know that this has happened and just keep that in a folder somewhere because you will have then a couple of hours once the rollback has started to restore all of the admin accesses and to restore all of the uh campaigns. Usually APIs will start failing then as well. For instance, Klaviyo connections or other connections because of course all the users connected to those ad accounts don't actually have admin access anymore. So you'll be able to restore all of the accesses and the campaign settings.

Then what Google will usually do then is to remove all the fraudulent campaigns manually too, right? So, you don't actually have to do this. I would even recommend keeping them on pause and to not delete them prematurely because you will want to have that data and will want to have Google do this. What happens then, which can sometimes take days, maybe weeks, is that they will start a refund process. So, usually one of three things happens. Either if the uh transaction hasn't actually been billed yet, they will cancel the transaction. That's the best case scenario. The second thing that they may do is to refund it at some point.
So to give you a refund onto your credit card, onto your bank, whatever um however much the accumulated money was. Or the third thing that may happen is that they give you a credit onto the ad account it happened. Okay? It's then up to you to choose which one you want. And it's then also up to you to take consequences from such a data breach.

So typically what I recommend uh to anyone is to of course have a strong password uh tool such as 1Password, not uh advertising anything here, but that's what we use and it's worked really well for us, to have multi-factor authentication with um the Google Authenticator so you actually need the device and um you need the log to authenticator and you need of course the password so that is usually extremely strong. Um I would also recommend to regularly change passwords, right? So at least once a quarter or maybe even once a month change passwords across your entire organization. I would also highly recommend that you um put in some form of uh notifier in your account when, you know, it is creating weird activity, right? So for instance, if um campaigns are created um with ridiculous budgets, then send uh notifications straight in email so that you catch these sort of uh people early and can actually log them out by changing the password quite fast.

Um, I would also recommend that you get insurance for this kind of stuff, right? So, professional indemnity insurance or some form of business insurance or uh some sort of cyber crime insurance is usually something that would be really helpful. Typically, they'll help you in starting a forensic investigation of how the breach happened. They will also potentially uh assist you with any PR because what will happen with the fraudulent campaigns, they will of course carry your advertiser's name. So if you're an e-commerce business and advertising a fraudulent link and people fall for it, then you're obviously in deep trouble. Um although it's not your fault.
So this is something that you will want to consider. Um I think what's also a strong takeaway is um to just uh ensure that you just sensitize your entire staff to any kind of fraud, any kind of situation that may happen and this helps you prevent this in future. What also helps is to unlink all accounts which you generally have nothing to do with so that they are not affected by any fallout. When you have an MCC that is linked to several accounts just get rid of them, um then they are obviously protected from that in future as well. And um I think what really helps as well is to just try and keep a cool head. I know it's easier said than done in those situations. I've had um a credit card fraud happen to me before where people somehow obtained my information and booked holidays in uh Brazil. Um uh but all you can do is try and keep a cool head and uh resolve the situation and also um do some due diligence to prep for this.

So this is how the Google rollback process works when you actually have been hacked. If this has been interesting or if you've been affected and just need help or someone to talk to and to calm you down, uh just obviously um get in touch with me, Jeremy on Google Ads. Um, also Jeremy at younganddigital.marketing uh via email or younganddigital.marketing on the website. You can always book a meeting with me. And usually what happens then is that things will go back to normal. Don't forget to also always put in a data exclusion if there's been an outage because otherwise that'll distort your performance and your data.

On that note, stay safe guys. Um, my mate is fine now again. Um, I mean this is now 3-4 months ago. Um, but I'm hearing more and more of these cases online and I want you to be safe. So, which is why I've recorded this one and I hope you stay safe out there and I'll see you in the next episode.
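
The notifier recommended in the episode, sketched as an added example that is not part of the podcast and not Google's own code: it flags recently created campaigns whose daily budget is far above the account's established campaigns or whose broad match keywords carry very high max CPCs. The record fields, thresholds and sample rows are assumptions; loading real campaign data and sending the email are left to whatever reporting access you already use.

```javascript
// Added example: field names, thresholds and sample rows are assumptions,
// not a Google Ads API schema. Feed it rows from your own reporting export.
const THRESHOLDS = { budgetMultiple: 5, maxCpc: 20, newWithinHours: 24 };

function median(values) {
  const s = [...values].sort((a, b) => a - b);
  const mid = Math.floor(s.length / 2);
  return s.length % 2 ? s[mid] : (s[mid - 1] + s[mid]) / 2;
}

// Returns one alert per recently created campaign that matches the pattern.
function findSuspiciousCampaigns(campaigns, now, t = THRESHOLDS) {
  const isNew = (c) => (now - Date.parse(c.createdAt)) / 3.6e6 <= t.newWithinHours;
  const alerts = [];
  for (const c of campaigns.filter(isNew)) {
    // Baseline: median daily budget of this account's established campaigns.
    const older = campaigns.filter((o) => o.account === c.account && !isNew(o));
    const reasons = [];
    if (older.length === 0) {
      reasons.push("new campaign in an account with no established campaigns");
    } else {
      const base = median(older.map((o) => o.dailyBudget));
      if (c.dailyBudget > base * t.budgetMultiple) {
        reasons.push(`daily budget ${c.dailyBudget} exceeds ${t.budgetMultiple}x median ${base}`);
      }
    }
    const hot = c.keywords.filter((k) => k.matchType === "BROAD" && k.maxCpc > t.maxCpc);
    if (hot.length > 0) reasons.push(`${hot.length} broad match keyword(s) with max CPC above ${t.maxCpc}`);
    if (reasons.length > 0) alerts.push({ account: c.account, campaign: c.name, reasons });
  }
  return alerts;
}

// Constructed sample: two sub-accounts under one manager account.
const NOW = Date.parse("2026-06-01T12:00:00Z");
const SAMPLE = [
  { account: "shop-a", name: "Brand", createdAt: "2026-01-10T09:00:00Z", dailyBudget: 50,
    keywords: [{ text: "acme shoes", matchType: "EXACT", maxCpc: 1.2 }] },
  { account: "shop-a", name: "Summer sale", createdAt: "2026-06-01T08:00:00Z", dailyBudget: 90,
    keywords: [{ text: "summer shoes", matchType: "BROAD", maxCpc: 1.8 }] },
  { account: "shop-b", name: "Shopping", createdAt: "2025-11-05T09:00:00Z", dailyBudget: 120, keywords: [] },
  { account: "shop-b", name: "Search 1", createdAt: "2026-06-01T11:20:00Z", dailyBudget: 5000,
    keywords: [{ text: "free stuff", matchType: "BROAD", maxCpc: 75 }] },
];

for (const a of findSuspiciousCampaigns(SAMPLE, NOW)) {
  console.log(`[ALERT] ${a.account} / ${a.campaign}: ${a.reasons.join("; ")}`);
}
```

Run it on a schedule across every sub-account of the manager account, since a fraudulent campaign can sit in an account you are not watching.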