Agencies targeted by fake client leads

Scammers are impersonating plausible clients to trick Google Ads agencies into handing over manager‑account access, turning a customer‑onboarding workflow into an attack vector. The warning highlights that the risk often lives in admin flows and approvals, not the ad platform itself. (ppc.land)

A fake sales lead is now one of the easiest ways to get inside a Google Ads agency. On April 10, 2026, paid media consultant Pauline Jakober said a supposed enterprise prospect nearly used her own onboarding process to get access to her agency’s Google Ads manager account. (ppc.land)

The trick was simple enough to look normal. The sender used a look-alike domain in the format `marketing@companyname-group.com`, and that domain redirected visitors to the real company website, which made a quick browser check look clean. (ppc.land)

Jakober found the first crack when she searched for the supposed contact on LinkedIn and found no profile. She found the second crack in public domain records, which showed the impersonating domain had been registered on April 7, 2026, just three days before the inquiry arrived. (ppc.land)

She then contacted the real marketing director of the company being copied, and he told her the inquiry was “100% spam.” That one direct message turned a promising new-business lead into a confirmed account-takeover attempt. (ppc.land)

The target was not one ad account. A Google Ads manager account is an umbrella account that lets an agency manage multiple client accounts from one dashboard, so one bad approval can expose an entire client roster at once. (support.google.com)

Google’s own help pages spell out why that matters. Administrative access on a manager account can manage any part of the account, including hierarchy management, which is the control layer for linked accounts and users. (support.google.com)

That is why this scam starts before anyone talks about ads, budgets, or creative. The weak point is the agency’s intake flow, where a stranger can still look like a future client and ask for the kind of permissions a real client would eventually need to grant. (ppc.land)

This did not appear out of nowhere in April 2026. By January 2025, Malwarebytes had already documented criminals impersonating Google Ads itself with fake sponsored results and fake login pages to steal advertiser credentials at scale. (malwarebytes.com)

By November 2025, Search Engine Land reported that stolen manager-account access was being used to add fake administrators, link attacker-controlled manager accounts, and run fraudulent high-budget campaigns, with one agency reporting “tens of thousands” of dollars in spend within 24 hours. (searchengineland.com)

Google’s standing advice is blunt: the company says it will never send an unsolicited message asking for your password or other sensitive information by email or through a link, and it tells users to inspect sender addresses, return paths, and copied URLs before clicking. (support.google.com)

The uncomfortable part is that none of this requires breaking Google Ads itself. It only requires one agency employee to treat a polished stranger like a real client a few steps too early. (ppc.land)
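The checks Jakober ran by hand (sender domain versus the real company domain, registration date in public domain records, and a redirect that made the browser check look clean) can be written into an intake step. The sketch below is an added example, not code from the article or from Google; the function names, the filler-word list, the 30-day threshold, and `companyname.com` as the real domain are assumptions, and the registration date and redirect result are passed in rather than looked up.

```python
import re
from datetime import date

# Words commonly bolted onto a brand name (constructed list, an assumption).
FILLER = {"group", "global", "inc", "corp", "team", "marketing", "hq"}

def label(domain):
    """Label left of the TLD; naive, assumes a single-label TLD such as .com."""
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def is_lookalike(sender_domain, real_domain):
    """True when sender_domain is the brand plus filler words, or the brand on another TLD."""
    s, r = sender_domain.lower(), real_domain.lower()
    if s == r or s.endswith("." + r):
        return False  # the real domain or one of its subdomains
    tokens = [t for t in re.split(r"[-_]", label(s)) if t]
    extras = [t for t in tokens if t != label(r)]
    return label(r) in tokens and all(t in FILLER for t in extras)

def vet_lead(sender_email, real_domain, registered_on, inquiry_date,
             redirects_to_real, min_age_days=30):
    """Return the list of red flags for an inbound lead.

    registered_on comes from public domain records (WHOIS/RDAP) and
    redirects_to_real from a manual check; both are inputs so this runs offline.
    """
    sender_domain = sender_email.rsplit("@", 1)[-1].lower()
    real = real_domain.lower()
    same_org = sender_domain == real or sender_domain.endswith("." + real)
    flags = []
    if is_lookalike(sender_domain, real_domain):
        flags.append("lookalike_domain")
    if (inquiry_date - registered_on).days < min_age_days:
        flags.append("recently_registered")
    if redirects_to_real and not same_org:
        # A redirect to the real site says nothing about who owns the sending domain.
        flags.append("redirect_masks_separate_domain")
    return flags

# Constructed sample using the address format and dates reported in the article;
# companyname.com stands in for the impersonated company's real domain.
SAMPLE = vet_lead("marketing@companyname-group.com", "companyname.com",
                  date(2026, 4, 7), date(2026, 4, 10), redirects_to_real=True)

if __name__ == "__main__":
    print(SAMPLE)
```

Any flag is a reason to confirm the request through a contact found independently at the real company before granting manager-account access.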
