How to Protect Your Google Ads Account from Hackers. The New Security Feature You Need to Enable NOW

If you’re running Google Ads, especially if you’re managing a multi-client account (MCC), listen up. What I’m about to share could save you from losing hundreds of thousands, or even millions of dollars.

Over the past year, I’ve witnessed something deeply concerning in our industry. Merchants and agencies are getting hacked left and right, and the consequences are devastating. I’m talking about cases where hackers have spent $1.2 million, $2 million, even $3-4 million on compromised agency accounts. And here’s the kicker: getting that money back is extremely difficult, if not impossible.

But there’s good news. Google has finally listened to the community and introduced a security feature that I’ve been advocating for. This is a big win for all of us, and I want to make sure you know how to implement it immediately.

The New Dual-Admin Approval System

Google has rolled out a feature that requires a second admin to approve any new user additions to your Google Ads account. This was first highlighted by Hana Kopzova, and it’s exactly what many of us have been requesting in the Google Ads community for months.

Here’s how it works:

When someone attempts to add a new admin user (or makes other high-risk changes) to your Google Ads account, a second admin must approve that action before it goes through. If the second admin doesn’t approve the change within 20 days, the request is automatically rejected.

This simple but powerful feature adds a critical layer of security that can prevent unauthorized access to your account.

Reference: https://support.google.com/google-ads/answer/16891189

How to Secure Your Google Ads Account Properly

Let me walk you through the exact steps you need to take to protect yourself:

Step 1: Ensure You Have Two Admins

Go to Admin > Access and Security in your Google Ads account. Check that you have at least two users with admin access. If you don’t, you need to add one immediately.

Step 2: Use the Right Email Addresses (This is Critical!)

Here’s where most people make a huge mistake. Never, ever use a @gmail.com, @yahoo.com, @hotmail.com, or any other generic email address for admin access.

Why? Because anyone can create these email addresses. If your domain is bluewidget.com, then only @bluewidget.com email addresses should have admin access to your account.

Step 3: Add a Second Admin from a DIFFERENT Domain

This is the part that really adds security. Don’t just add two admins from the same domain (like two @bluewidget.com addresses). If hackers compromise your primary domain’s email system, they could potentially access both admin accounts.

Instead, purchase a second domain name specifically for this purpose. Domain names are cheap, typically just $8-60 per year. You can use Cloudflare to buy a domain and set up an email address for it. Then add that as your second admin.

So your setup should look like this:

And absolutely nothing else. If you currently have any @gmail.com addresses listed as admins, remove them immediately, but make sure you’ve added yourself through your proper domain email first and verified you have access before removing the old one.
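To check an account against Steps 1 to 3, here is a small audit script. It is an added example, not code from Google or from the original post. It assumes you have typed the user list from Admin > Access and Security into (email, access level) rows; the rows below are constructed sample data, `bluewidget-admin.example` is a hypothetical second domain, and no Google Ads API is called.

```python
# Added example: audit an admin list against the rules in Steps 1-3.
# Generic providers named in the post, plus two more added here as an assumption.
FREE_MAIL = {"gmail.com", "yahoo.com", "hotmail.com", "outlook.com", "icloud.com"}

def domain_of(email):
    """Return the lower-cased domain of an address, or '' if it is malformed."""
    local, sep, domain = email.strip().lower().rpartition("@")
    return domain if sep and local and "." in domain else ""

def audit_admins(users, owned_domains):
    """users: (email, access_level) rows; owned_domains: domains you control.
    Returns a list of findings; an empty list means the setup matches the steps."""
    owned = {d.lower() for d in owned_domains}
    admins = [e for e, level in users if level.strip().lower() == "admin"]
    findings, admin_domains = [], set()
    for email in admins:
        dom = domain_of(email)
        if not dom:
            findings.append(f"malformed admin address: {email!r}")
        elif dom in FREE_MAIL:
            findings.append(f"generic mailbox has admin access: {email}")
        elif dom not in owned:
            findings.append(f"admin on a domain you do not own: {email}")
        else:
            admin_domains.add(dom)
    if len(admins) < 2:
        findings.append("fewer than two admins: nobody can approve changes")
    if len(admin_domains) < 2:
        findings.append("admins do not span two different owned domains")
    return findings

# Constructed sample data (not from a real account).
OWNED = ["bluewidget.com", "bluewidget-admin.example"]
SAMPLE_BEFORE = [
    ("owner@bluewidget.com", "Admin"),
    ("bluewidget.ads@gmail.com", "Admin"),
    ("analyst@bluewidget.com", "Standard"),
]
SAMPLE_AFTER = [
    ("owner@bluewidget.com", "Admin"),
    ("approver@bluewidget-admin.example", "Admin"),
    ("analyst@bluewidget.com", "Standard"),
]

if __name__ == "__main__":
    for name, rows in (("before", SAMPLE_BEFORE), ("after", SAMPLE_AFTER)):
        issues = audit_admins(rows, OWNED)
        print(name, "->", issues or "OK")
```
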

The LinkedIn Phishing Scam You Need to Know About

While we’re talking about security, I need to warn you about a phishing campaign that’s been rampant on LinkedIn. I used to get two of these messages every single week.

Here’s how it works: Someone sends you a message saying they want to hire you for a lucrative position managing millions in ad spend. They ask you to fill out a form via a link. Do not click that link.

These are social engineering attacks designed to steal your credentials. Even if you just click the link without filling anything out, they can potentially copy your browser session and use it to access your accounts.

What should you do instead?

  1. Don’t click on any suspicious links, period
  2. Report the user to LinkedIn immediately
  3. Block them from your account
  4. LinkedIn will ban the account after investigation

I’ve also seen similar attempts on Facebook, though LinkedIn seems to be the hotspot for these scams. If you absolutely must investigate a link, type it out manually in a web search first to see who’s behind it. But if it just looks like a form, don’t even bother searching for it. Just report and move on.

Why This Matters More Than You Think

The reason hackers target Google Ads accounts is simple: money. They can rack up enormous charges very quickly, and by the time you notice, the damage is done. Even with protections in place, recovering those funds is a nightmare that involves lengthy disputes with Google and potentially your payment processors.

We’ve been talking about this issue in the community for quite a long time, and frankly, we’ve been very frustrated and concerned. I’m relieved that Google was already working on a solution and has now implemented this dual-admin approval system.

Take Action Today

Don’t wait until you’re the next victim. Here’s your action plan:

  1. Go to your Google Ads account right now
  2. Navigate to Admin > Access and Security
  3. Verify you have two admins from different domain names
  4. Remove any generic email addresses (@gmail.com, etc.)
  5. If needed, purchase a second domain and set up that second admin
  6. Be vigilant about phishing attempts on LinkedIn and other platforms

This is one of those situations where an ounce of prevention is worth a pound of cure. The small investment in a second domain and the few minutes it takes to configure proper admin access could save you from financial catastrophe.

Questions?

If you have any questions about implementing these security measures or need clarification on any of these steps, feel free to reach out or leave a comment. Account security is something I take very seriously, and I’m happy to help you protect your business.

Stay safe out there, and remember: when it comes to your Google Ads account security, there’s no such thing as being too careful.
