Warning: Sophisticated Google Ads Phishing Campaign Targeting Business Profiles
A dangerous new phishing campaign has been identified, targeting unsuspecting business owners who rely on Google Search to manage their online presence. Cybersecurity experts and search community members have flagged a malicious Google Ad that appears when users perform a search for ‘my business’—the most common way to access the Google Business Profile dashboard.
How the Attack Unfolds
Security researcher Dan Foland brought the issue to light, detailing a deceptive process in which a fraudulent advertisement is positioned to look like a legitimate entry from Google. Users searching for their business profile are often conditioned to click the first result, which in this case leads to a highly convincing fake login portal.
Once the user clicks the ad, they are redirected to a spoofed page that mimics the standard Google account login interface. The malicious site is designed to harvest credentials by collecting the user’s email and password. In some instances, the fake form is so sophisticated that it displays errors or follows a sequence meant to mimic the real Google login flow, tricking users into believing they are interacting with the official platform.
The Dangers of Credential Theft
According to the reports, entering your credentials on these malicious sites grants attackers full access to your sensitive information. Once they capture your login details, they can take unauthorized control of your Google Business Profile, access your private files, and potentially compromise your entire Google account. This could lead to a loss of control over your business reputation, personal data theft, and further unauthorized actions performed in your name.
How to Protect Your Business
To stay safe from this and similar phishing attempts, consider the following best practices:
- Avoid Clicking Ads for Logins: Never click on search engine advertisements when you are trying to access your account dashboards.
- Bookmark Official URLs: Instead of searching every time, bookmark the official URL (business.google.com) directly in your browser.
- Check the URL: Always double-check the URL in your browser’s address bar before typing any password. Make sure the hostname really is ‘google.com’ or one of its subdomains (such as business.google.com) and not a look-alike variation.
- Enable Multi-Factor Authentication (MFA): Always have 2FA/MFA enabled on your business accounts. This provides a secondary layer of security that can prevent access even if your password is stolen.
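As an added illustration (not part of the original advisory), the following Python check applies the "strictly matches google.com" rule to the parsed hostname rather than to the raw address string, so look-alike domains, `user@host` tricks and `google.com` appearing in the path are all rejected. The trusted suffix and the sample URLs are constructed for this example.

```python
from urllib.parse import urlsplit

# Hostname the advisory names as legitimate (business.google.com lives under it).
# Constructed for this example.
TRUSTED_SUFFIX = "google.com"


def is_trusted_google_host(url: str) -> bool:
    """Return True only if the URL is HTTPS and its host is google.com or a subdomain.

    The decision is made on the parsed hostname, never on the raw string, because
    'google.com' can appear in a path, in the userinfo part (user@host), or as the
    prefix of a longer registrable domain (google.com.example) without being the host.
    """
    try:
        parts = urlsplit(url)
    except ValueError:            # e.g. malformed IPv6 brackets
        return False
    if parts.scheme != "https":   # never send a password over plain HTTP
        return False
    host = parts.hostname         # lower-cased, with userinfo and port stripped
    if not host or not host.isascii():   # reject Unicode look-alike characters
        return False
    # Exact match, or a dot-separated subdomain; 'mygoogle.com' does not qualify.
    return host == TRUSTED_SUFFIX or host.endswith("." + TRUSTED_SUFFIX)


def check_urls(urls):
    """Map each URL to its verdict, for reviewing a batch of candidate links."""
    return {u: is_trusted_google_host(u) for u in urls}


if __name__ == "__main__":
    # Constructed samples: two legitimate forms and several look-alike tricks.
    samples = [
        "https://business.google.com/",
        "https://www.google.com/search?q=my+business",
        "http://business.google.com/",                     # wrong scheme
        "https://google.com.example/login",                # suffix trick
        "https://accounts.google.com@evil.example/login",  # userinfo trick
        "https://mygoogle.com/",                           # prefix trick
        "https://evil.example/google.com/",                # host in the path
        "https://g\u043e\u043egle.com/",                   # Cyrillic look-alike
    ]
    for url, ok in check_urls(samples).items():
        print(("TRUSTED  " if ok else "REJECT   ") + url)
```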
If you believe you have interacted with a suspicious link, change your password immediately and review the security settings on your account for any unauthorized logins or changes.