Agencies Targeted by Scammers

Scammers are impersonating corporate clients to gain MCC access to Google Ads accounts, creating a new fraud vector for agencies. The tactic aims to convince agencies to hand over account control under false pretenses. Agencies will need stronger client validation and access controls to block these attacks. (ppc.land)

A fake lead offering a big Google Ads budget can now be more dangerous to an agency than a fake invoice. On April 10, 2026, paid media consultant Pauline Jakober said a scammer posed as a prospective client and tried to use the sales process to get access to her agency’s Google Ads manager account. (ppc.land)

The target was not one ad account. It was the agency’s Google Ads manager account, which Google describes as a single control panel that can view and manage multiple client accounts at once. (support.google.com) Google used to call that control panel My Client Center, which is why agency staff still call it an “MCC.” If someone gets the wrong kind of access there, they are standing in the lobby of every linked client account instead of outside one office door. (support.google.com)

The scam worked by imitating a normal new-business conversation. Jakober said the supposed client looked credible at first, but a Whois check showed the company domain had been created just three days earlier. (mediapost.com) That detail matters because agencies are trained to move fast on large leads. A fake prospect does not need to steal a password if they can talk an employee into sending an account invitation or approving a link request. (ppc.land)

Google’s own help pages show how powerful those permissions can be. In Google Ads, admins can manage users, and when a manager account has ownership of a client account, admin users on the manager side can also edit user access, managers, and product links inside that client account. (support.google.com) Google also says a manager account can link to existing Google Ads accounts or create new ones that are automatically linked. That makes the manager account useful for agencies, and it also makes it a high-value target for anyone trying to move across many accounts from one foothold. (support.google.com)

The access problem is not just “did someone get in.” Google lists multiple user levels inside manager accounts, including admin, standard, and read only, and the damage changes sharply depending on which level an employee grants or accepts. (support.google.com)

Google Ads Product Liaison Ginny Marvin responded publicly after the case surfaced, which helped push the incident beyond one agency’s near miss and into a platform-wide warning for agencies that sell media buying services. (ppc.land)

The practical fix starts before any proposal call. Agencies now need the same checks on inbound leads that finance teams use on wire requests: verify the company domain age, confirm the person works there on an independent channel, and keep manager-account permissions limited to the fewest possible admins. (mediapost.com)
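The domain-age check described above can be automated at lead intake. This is an added example, not from the original article: it reads the registration date from an RDAP record (the structured JSON successor to Whois, RFC 9083) and holds leads whose domain is too new or has no date. The sample record, the 90-day threshold and the function names are assumptions.

```python
import json
from datetime import datetime, timezone, timedelta

# Constructed RDAP domain response (RFC 9083 shape), not real registry data.
SAMPLE_RDAP = json.dumps({
    "objectClassName": "domain",
    "ldhName": "bigbudget-client.example",
    "events": [
        {"eventAction": "registration", "eventDate": "2026-04-07T09:15:00Z"},
        {"eventAction": "expiration", "eventDate": "2027-04-07T09:15:00Z"},
    ],
})

MIN_AGE = timedelta(days=90)  # assumed policy threshold, tune per agency


def registration_date(rdap_json):
    """Return the domain's registration time in UTC, or None if absent."""
    record = json.loads(rdap_json)
    for event in record.get("events", []):
        if event.get("eventAction") == "registration":
            # Normalise the RFC 3339 "Z" suffix for older Python versions.
            stamp = event["eventDate"].replace("Z", "+00:00")
            return datetime.fromisoformat(stamp).astimezone(timezone.utc)
    return None


def vet_lead_domain(rdap_json, now):
    """Return ('ok' | 'hold', reason) for a prospect's company domain."""
    created = registration_date(rdap_json)
    if created is None:
        # Fail closed: a missing or redacted date is not evidence of age.
        return ("hold", "no registration date in RDAP record")
    age = now - created
    if age < MIN_AGE:
        return ("hold", f"domain registered {age.days} days ago")
    return ("ok", f"domain registered {age.days} days ago")


if __name__ == "__main__":
    today = datetime(2026, 4, 10, 12, 0, tzinfo=timezone.utc)
    print(vet_lead_domain(SAMPLE_RDAP, today))
```

A "hold" result is a cue to complete the independent-channel verification before any account invitation or link request is sent or approved, not a verdict on the lead.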
