We live in a digital world where Pay-per-click (PPC) advertising has become an integral part of our everyday lives. However, with the convenience of using PPC platforms such as Google Ads comes the risk of having your account compromised by hackers or fraudsters. 

In 2021, the average number of cyberattacks and data breaches increased by 15.1% from the previous year, according to a Forbes study. The study also found that the main causes of these attacks are misconfigurations, human error, poor maintenance, and unknown assets.

While there’s not much we can do about stopping these attacks and breaches, we can change our own behavior and maintenance strategies. To help you with that, we will dive deep into the warning signs that your Google Ads account may be compromised and showcase various measures you can take to protect your business from potential security threats. 


#1 Suspicious Login Attempt

You’re watching television, minding your own business when suddenly, your phone buzzes with a notification. It’s a security alert from Google, informing you of a suspicious login attempt to your account – this is probably a scenario most of us have experienced.


In some cases, the suspicious login attempt may turn out to be a false alarm, such as a forgotten device or a curious child. However, it’s always a good idea to stay vigilant and take action to protect your account and your personal information from potential threats. 

After revoking access for the unauthorized login, change your password immediately so that the person cannot get into your account even if they managed to guess or steal your password.

Pro tip: Create a Strong Password

Password-cracking technology has come a long way and hackers nowadays don’t need much to gain access to your system. Passwords used for online accounts must be strong and unique. 

What this means in practice is that: 

  • all passwords should contain at least 8 characters;
  • they should include a mixture of different character types (e.g. symbols such as @?!%#);
  • they shouldn’t contain any personal information (e.g. your nickname, your date of birth, your pet’s name or any information that is widespread and available);
  • they shouldn’t be used on other online services (e.g. don’t use the same password for your work email and your Instagram account).

In addition to these steps, you should also get a password manager. Password managers can generate strong passwords for you while also storing them in a secure, encrypted environment. You only have to remember one single master password, and the password manager will take care of the rest.


#2 Unusual Activity

Missing data, deleted files, edited information – these can be a sign that you have granted access to your account to an unreliable source.

When you connect a device or application to your Google account, you’re giving it access to your personal information and data. This can include your emails, contacts, calendar, and documents. 

While many of these connections may be legitimate and necessary, others may be outdated or even malicious. When installing a third-party application, we strongly recommend that you provide it full access only if you trust it. 

Pro tip: Enable Two-Factor Authentication (2FA) 

Perhaps the most effective way to protect your online accounts is to enable two-factor authentication on as many accounts as possible. This method uses secondary information along with the password which adds another layer of security to your account to help keep intruders out.

The additional verification typically consists of a code sent as an SMS message to a trusted device or a prompt sent to a smartphone. For low-risk online activity this method can be adequate, but for websites that store your personal information you should upgrade your security – this is where authenticator apps come into play.

This form of 2FA uses a software-generated, time-based one-time passcode, which removes the chance of hacker interception and makes this method the most popular form of two-factor authentication. Once the authenticator app is up and running, it’s time to remove the weakest link in the chain – getting codes via SMS messages. Before making this change, make sure that you have at least one other form of verification – for example, a secure recovery email address – and that you’ve saved backup codes for the account.

Now, even with an easy-to-guess password, unless an attacker has your mobile phone, they’re unlikely to gain access to an account with this method enabled.

Pro tip: Update Your Antivirus

Antivirus software can detect threats and eliminate dangerous processes on your device by scanning files, web pages, networks and more. When you have an antivirus installed, most viruses are countered way before they harm your system and frequently even without your knowledge. 

Keep in mind that if you forget to update your antivirus regularly, it will not be effective. Most of them have automatic updates enabled by default, but it’s good practice to double-check that they’re happening.


#3 Unfamiliar Emails

Suspicious activity on your Google account can include a sudden increase in spam messages or emails being sent from your account without your knowledge. According to Google, 50% of users who fall victim to hacking report that they noticed suspicious activity on their account before realizing that it had been hacked.

Phishing has been the most common attack technique for cybercriminals for a number of years, but due to the increasing sophistication of phishing scams, learning how to spot a phishing attack is becoming more important than ever.

According to the APWG’s Phishing Activity Trends Report, in the second quarter of 2022, phishing attacks hit an all-time high with a total of 1,097,811 recorded attacks. This new record makes this quarter the worst one that APWG has ever observed when it comes to phishing.

Most phishing attacks are sent via email and due to their sophistication, they often evade detection by email filters. However, learning about some common features of phishing emails can help prevent attacks and network infiltration by the attacker.

Pro tip: Ways to Recognize a Phishing Email

  1. Demanding urgent action – A commonly used tactic amongst cybercriminals is to ask you to act fast and provide personal details. Often, they’ll urge you to act now to claim a reward or to avoid getting your account suspended. Keep in mind that most organizations and financial institutions will not ask for personal information via email or suspend your account if you do not update your personal details within a certain period of time.
  2. Poorly written emails – Another way to spot phishing is bad spelling and incorrect grammar. Most companies have the spell check feature on their email client turned on for outbound emails, so emails originating from a professional source are expected to be free of grammatical and spelling errors.
  3. Inconsistencies in email addresses, links and domain names – Always look for discrepancies in these. If the email contains embedded links, hover the pointer over the link to check if the domain names match. It could be completely different or it could be a popular website with a misspelling, so look carefully.
  4. Suspicious attachments – If you didn’t request or expect to receive a file from the email sender, the attachment should always be approached with a healthy dose of suspicion, especially if it has an unfamiliar extension or one commonly associated with malware (.zip, .exe, .scr, etc.).

If you spot any of these common signs of phishing emails, don’t interact with any links or attachments. You can forward the email to the government’s Anti-Phishing Working Group and delete the email immediately after.
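Signs 3 and 4 can be checked mechanically. The sketch below is an added example, not part of the original article: it does the "hover over the link" comparison in code, flags near-misspellings of a trusted domain, and flags the attachment extensions listed above. The `TRUSTED` set, the 0.8 similarity threshold and the sample email (which uses reserved `.example` names) are assumptions constructed for illustration.

```python
import re
from difflib import SequenceMatcher
from html.parser import HTMLParser
from urllib.parse import urlsplit

TRUSTED = {"google.com"}               # assumption: domains you expect links to point to
RISKY_EXT = (".zip", ".exe", ".scr")   # extensions named in the list above
DOMAIN_RE = re.compile(r"[a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,}")

class LinkCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def base(host):
    # Naive registrable domain (last two labels); production tooling should use the Public Suffix List.
    return ".".join(host.lower().split(".")[-2:])

def review(html_body, attachments=()):
    collector = LinkCollector()
    collector.feed(html_body)
    findings = []
    for text, href in collector.links:
        actual = urlsplit(href).hostname or ""
        shown = DOMAIN_RE.search(text.lower())
        # Sign 3a: the visible text names one domain, the link goes to another.
        if actual and shown and base(shown.group(0)) != base(actual):
            findings.append(("text/link mismatch", actual))
        # Sign 3b: the link's domain is a near-misspelling of a trusted one.
        for good in TRUSTED:
            name, good_name = base(actual).split(".")[0], good.split(".")[0]
            if base(actual) != good and SequenceMatcher(None, name, good_name).ratio() >= 0.8:
                findings.append(("lookalike of " + good, actual))
    # Sign 4: attachment extensions commonly associated with malware.
    findings += [("risky attachment", f) for f in attachments if f.lower().endswith(RISKY_EXT)]
    return findings

# Constructed sample email body; the last link is legitimate and produces no finding.
SAMPLE = """<p>Your Google Ads account will be suspended in 24 hours.</p>
<a href="https://ads-google.example.net/login">ads.google.com</a>
<a href="https://accounts.gooogle.example/signin">Verify now</a>
<a href="https://ads.google.com/aw/overview">ads.google.com</a>"""
```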


#4 Unexpected Changes to Your Account Settings

When it comes to managing your Google Ads account, granting the right access level to the right people is essential. But you have to be careful – by granting the wrong access level, you open yourself up to potential disasters such as unexpected spending, unauthorized changes to your account, or even account suspension.

Google Ads offers three main access levels, each with its own set of roles and responsibilities. It’s important to understand them so that you grant the right level of access to the right person and know how each level can affect the management of your account.

  • Admin level – gives the user full control over your account, including the ability to add or remove other users, view performance data, and make changes to your billing information. It is typically reserved for account managers and other high-level employees who need to make important decisions about the account.
  • Standard level – gives the user the ability to create and manage campaigns, view performance data, and receive alerts. This level of access is typically granted to employees such as marketing managers and agency members who need to create and optimize campaigns.
  • Read-only level – gives the user the ability to view performance data and receive alerts, but they don’t have the ability to make changes to the account. In most cases, this level is reserved for employees who need to view performance data but don’t need to make changes to the account.

You can easily review and remove access from the top navigation menu of your Google Ads account: click the Tools and settings icon, then select Access and security under the Setup section.

Give Access Only to Trustworthy Agencies and Professionals

At Will Marlow Agency, we understand that PPC management itself can be a complex and time-consuming task. That’s why we make it our mission to take the burden off your shoulders while providing maximum security and following industry best practices to keep your account and data safe.


To Sum It Up

There is no silver bullet that will solve or defend against cyberattacks. Nevertheless, a lot of the potential issues can be managed with a multilayered approach and early risk detection. Knowing what data you have, how it’s managed, and how to protect it is the key to this proactive approach.

With the right systems and strategies in place, you will never be taken by surprise when a breach occurs. And remember – the cost of investing in a proper cybersecurity infrastructure is always lower than covering the costs of the damage later. 


Ana Spasić is an Office manager at Will Marlow. She has a proven track record of effectively managing and organizing office operations. She is committed to staying up to date with the latest cybersecurity trends and implementing cybersecurity protocols to ensure the company’s sensitive information is safe and secure.
