6 min.
Ad accounts: beware of phishing!
1L’art de la gestion de projet2Un projet à succès commence par une bonne gouvernance3Cascade, agilité, demandes de changement?

Ad accounts: beware of phishing!

Paid Media & SEM

Phishing attempts are part of our everyday lives. We’re mainly familiar with them in the form of suspicious text messages or emails telling us we’ve inherited a pile of cash and only need to follow their instructions to claim it.

Phishing isn’t limited to emails and texts, but also includes attempts to hack your ad accounts. How do they do it? Data pirates use multiple methods to access your Gmail or Facebook accounts and other identifiers that give them access to your ad accounts. Once a connection is made, an automated script changes all the destination pages for your ads and redirects traffic to their own digital property. Once accomplished, they can benefit from your media investments to generate maximum traffic to their own websites.

We’ve seen a significant increase in this type of fraud in recent years. Here’s how to protect your accounts so you can limit direct financial losses as far as possible.

Why is it important to ensure the security of your ad accounts on a regular basis?

The answer to this question might seem obvious, but since we’re still noticing a few blind spots far too often, now would be a good time to review what’s at stake. An unsecure email address may represent a potential hacking risk that affects all your media activities, in addition to reducing the possibility of receiving a reimbursement from the platform if a hack occurs. Furthermore, we regularly see increases in phishing emails. So this means you need to be even more vigilant.

Never send connection information by email. In the case of Facebook, for example, fraudulent emails may look like:

  • simple notifications, or false alerts stating that you have not respected community standards;
  • false alerts stating your account will be suspended if you do not act quickly; or
  • anything that looks too good to be true (for example, Facebook offers you a huge credit).

If you can’t be sure of the provenance or validity of an email, we highly recommend you immediately get it verified by a member of your media team, a Facebook representative or even take a look at help pages like this one. This also applies to Google, TikTok and any other media platform.

What do you need to check to ensure your accounts are secure?

You could start by asking for help from your media team, or follow the steps below.

1) Contact person

Determine one or several contacts tasked with managing access and security for your ad accounts. Their role will be to ensure your passwords are secure and accessible only to select people internally, and they will be able to grant access as needed to specific people (administrators, employees, an agency, etc.). Furthermore, we also highly recommend managing employee access on your own side, to avoid having an agency or third party grant individual access to your employees.

2) Levels of access

Verify the access levels currently in place for your ad accounts. Depending on the platform, go to the settings section and find the access and security section. It’s also highly recommended to have at least two administrators per ad account and at least two payment methods. This way, if something happens, you’ll always have a second chance.


Go to Business Settings > Users > People



  • Should these people still have access to your account?
  • Does each person have the appropriate access level and access to the right resources?
  • In the Partners section, are your partners still relevant (for example, after changing agencies)?

Google Ads

Go to Tools and Parameters > Access and Security > Users

wewq-2048x669 (1)

  • Should these people still have access to your account?
  • Does each person have the appropriate access level?
  • Is two-factor authentication activated for users with a Standard or Admin access level?
  • In the Partners section, are your partners still relevant (for example, after changing agencies)?
  • In the Security section, are the domain names relevant (for example, @gmail.com, @adviso.ca)?

Picture5-2048x1051 (1)

3) Activation of two-factor authentication (the most important step)

Other than giving you an opportunity to stretch your legs a bit when you get up to get your phone so you can enter the code texted to you when connecting to the Business Center on Facebook, two-factor authentication allows you to pretty much guarantee the security of your accounts. That’s why this step is, in our opinion, the most important one of all.


To verify whether two-factor authentication is activated by default on your account, visit Company Information > Company Options. Activate two-factor authentication for everyone.


Google Ads

Visit Tools and Parameters > Access and Security > Security. Activate two-factor authentication by default.

image-1 (1)

4) Company verification

Ad platforms are now asking companies to confirm their identities. If you haven’t already, we recommend doing so.


Visit Business Info > Business Information > Business Verification. If your company’s information hasn’t been verified, follow the instructions for doing so. If the button “Start verification” doesn’t display, it’s because your business does not need to perform the verification. To see what types of businesses require verification, click here.


Google Ads

Usually Google sends an email to ask advertisers to verify their identities. You can ensure this step has been performed in the section Payment > Advertiser Verification. If the advertiser identity hasn’t yet been verified, you’ll see a window like the one below. Click on Verify an Advertiser and follow the instructions.

verify-advertise (1)

Recap of steps to follow:

  • Establish a person responsible for managing access to ad accounts
  • Verify users and their access levels
  • Verify partners and their access levels
  • Have at least two administrators per ad account
  • Have at least two modes of payment per ad account
  • Verify the list of authorized domains (Google Ads)
  • Verify that two-factor authentication is activated for everyone and on all email addresses used 

We hope this article has helped you protect your ad accounts with a little effort. While it might seem like a chore, verifying the security of your accounts is essential. If necessary, our team is available to help. Don’t hesitate to get in touch with an Adviso expert.