
They Thought a Client Email Was Legit. Three Hours Later, Hackers Were Running Their Google Ads.

Conrad Southworth

A friend of mine — let's call them a mid-sized Utah service company — runs Google Ads. Not a huge budget, but enough that it matters: a few thousand a month, driving real leads. They'd been careful. They knew phishing was a thing.

Then someone on their team got an email that looked like it came from a company they'd worked with before. Same formatting, same tone, the whole thing looked right. The email said they'd need to 'reconnect their Google account' to access some shared file or platform — something routine, something the recipient didn't think twice about.

They clicked. They connected their Google account. And three hours later, they were locked out of their own Google Ads, the attackers had added themselves as admin, and charges were already stacking up.

This wasn't a password phishing attack in the traditional sense. They didn't type their password into a fake page. The attack worked through OAuth — the same system Google, Microsoft, and dozens of other platforms use to let you connect apps safely. And it bypassed every security tool they had in place.

This is becoming a primary attack vector against SMBs. Here's what you need to know.

What OAuth Phishing Actually Is (and Why MFA Won't Save You)

You've seen OAuth before. When you sign into a third-party app with your Google account and a screen pops up saying 'This app will have access to your email and contacts' — that's OAuth. The idea is good: you never give the app your password, you just grant it limited permissions.

OAuth phishing inverts this trust. Instead of a sketchy app, it's a convincing email pointing you to the real OAuth consent screen — hosted by Google itself. Nothing looks fake. The URL is real. The login is real. You're typing your credentials into Google directly.

And this is the part that breaks people's mental models: MFA doesn't protect you here.

The victim logs in correctly. They pass MFA correctly. They land on the real Google consent screen and click 'Allow.' At that point, the attacker receives an OAuth token — a digital key that works independently of the password and survives password changes. The token stays valid until it's manually revoked.

Traditional phishing training focuses on 'don't type your password into weird sites.' OAuth phishing trains your people to approve access requests — and most teams have no training for that at all.

How the Attack Worked in This Case

The email looked like a routine business request. Click a link, connect your Google account to access a shared portal. The link went to the real Google OAuth consent flow — not a clone, not a spoof. The victim authenticated, saw a Google-hosted permissions screen, and clicked 'Allow.'

What they granted, exactly, depends on what the malicious app requested. In this style of attack, attackers typically request access to Gmail, Google Drive, and account management permissions — enough to read emails, impersonate the user, and pivot into connected services like Google Ads or Google Merchant Center.

Once the attacker had an active token, they moved fast:

  1. Added themselves as an admin on the Google Ads account
  2. Changed the recovery contact so the real owner couldn't use account recovery
  3. Started running charges — the victim's card was on file, and the attackers spent aggressively before anyone noticed

By the time the company realized what happened, they'd been locked out of their own account, their card had been charged several thousand dollars in unauthorized spend, and they were on the phone with their bank canceling everything.

No ransomware. No malware. Just a consent click.

Why SMBs Are Especially Exposed

Large enterprises have security teams that monitor OAuth app installs, enforce policies about which apps employees can connect, and run tooling that flags unusual permission grants. Most SMBs have none of that.

Google Workspace and Microsoft 365 both support admin controls for OAuth — but they don't come turned on by default, and they require someone to know to look for them. Most small businesses running Google Workspace are using the out-of-the-box configuration, which means any employee can authorize any third-party app with just a Google login.

The other problem: attackers know this. SMBs are targeted precisely because they lack those controls. A 10-person company is a softer target than an enterprise with a SOC team, and the paydays are still real enough to be worth the effort.

What the Attackers Did With the Access

Stolen Google Ads accounts are valuable. Attackers use them to:

  • Run malvertising campaigns on the victim's own budget, funding further attacks
  • Drain Google Play credits if they're linked
  • Use the account as a pivot point to attack the company's other Google integrations
  • Sell access on dark web marketplaces — compromised ad accounts go for real money

In our friend's case, the attackers used the connected billing to rack up charges quickly, presumably to exploit a window before the fraud was detected. Getting the account back required working with Google support directly — a process that took days and wasn't guaranteed.

How to Know If You've Already Been Hit

OAuth tokens don't send you a notification when they're used. The only notification you typically get is the initial 'someone connected to your account' email — which many people miss or dismiss.

Check right now: go to your Google account > Security > 'Third-party apps with account access.' Review every app. Revoke anything you don't recognize or no longer use.

For Google Workspace admins: Google Admin Console has an audit log for OAuth grants. If you see app installs you didn't authorize, treat that as a potential compromise and rotate your admin passwords immediately.
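As an added example (not the article's own code), here is a small triage pass over a constructed Workspace token audit export: it flags grants to apps outside an allowlist or requesting mail, Drive or Ads scopes. The record layout follows the Admin SDK Reports API token-activity shape and is an assumption; adjust the field names to your export.

```python
# Added example, not code from the article: triage 'authorize' events from a
# Google Workspace token audit export. Record layout mirrors the Admin SDK
# Reports API 'token' activity shape (assumed); all records here are constructed.
RISKY_PREFIXES = ("https://mail.google.com/", "https://www.googleapis.com/auth/gmail",
                  "https://www.googleapis.com/auth/drive", "https://www.googleapis.com/auth/adwords")
KNOWN_CLIENT_IDS = {"1111-crm.apps.googleusercontent.com"}  # constructed allowlist of approved apps

def authorize_event(time, user, client_id, app, scopes):
    """Build one constructed activity record in the Reports API layout."""
    return {"id": {"time": time}, "actor": {"email": user},
            "events": [{"name": "authorize", "parameters": [
                {"name": "client_id", "value": client_id},
                {"name": "app_name", "value": app},
                {"name": "scope", "multiValue": scopes}]}]}

# One approved grant with a narrow scope, one that looks like consent phishing.
SAMPLE_EVENTS = [
    authorize_event("2024-05-01T09:12:00Z", "alice@example.com",
                    "1111-crm.apps.googleusercontent.com", "Approved CRM",
                    ["https://www.googleapis.com/auth/calendar.readonly"]),
    authorize_event("2024-05-01T13:41:00Z", "bob@example.com",
                    "9999-x.apps.googleusercontent.com", "Shared Portal",
                    ["https://mail.google.com/", "https://www.googleapis.com/auth/drive",
                     "https://www.googleapis.com/auth/adwords"]),
]

def _param(params, name):
    """Return the single or multi value of a named event parameter, or None."""
    for p in params:
        if p.get("name") == name:
            return p.get("multiValue", p.get("value"))
    return None

def triage_grants(activities, known_clients=KNOWN_CLIENT_IDS):
    """Flag grants whose client is not approved or whose scopes can read mail,
    pull files or drive the ad account. Returns one finding per suspicious grant."""
    findings = []
    for act in activities:
        for ev in act.get("events", []):
            if ev.get("name") != "authorize":
                continue
            params = ev.get("parameters", [])
            client = _param(params, "client_id")
            risky = [s for s in (_param(params, "scope") or []) if s.startswith(RISKY_PREFIXES)]
            reasons = (["client not on allowlist"] if client not in known_clients else []) + \
                      (["risky scopes: " + ", ".join(risky)] if risky else [])
            if reasons:
                findings.append({"time": act["id"]["time"], "user": act["actor"]["email"],
                                 "app": _param(params, "app_name"), "client_id": client,
                                 "reasons": reasons})
    return findings
```

Run `triage_grants(SAMPLE_EVENTS)` and only the second grant comes back, with both the unknown client and the mail/Drive/Ads scopes named as reasons.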

Red flags indicating an active compromise:

  • Unexpected charges on your Google Ads or cloud billing
  • Being locked out of an account you should have access to
  • New admin users or recovery contacts you didn't add
  • Emails being forwarded to addresses you don't recognize

What SMBs Should Actually Do About This

1. Audit OAuth Permissions Now

Don't wait for an incident. Go to myaccount.google.com/permissions and review every third-party app. Revoke anything questionable. For businesses, the Google Admin Console gives you central visibility — use it.

2. Restrict Who Can Authorize OAuth Apps

In Google Workspace admin, you can require admin approval for new app installs. The setting exists, but it is off by default. Turn it on. It won't stop all attacks, but it adds a friction layer that matters.

3. Train Your Team on the OAuth Click

Most security awareness training never mentions OAuth. Your people know not to type passwords into weird forms. They don't know that clicking 'Allow' on a Google consent screen can be just as damaging. Add this to your training.

4. Monitor Billing in Real Time

Set up alerts on your Google Ads and cloud billing for any charges over a threshold you define. The faster you catch unauthorized spend, the faster you can act. In this case, three hours of undetected spending was the problem.
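An added example, not from the article, of what such an alert can look like beyond a flat threshold: a sliding three-hour window over a constructed spend ledger, checked against both a hard limit and the previous day's baseline. The window, limit and multiplier are assumed values to tune to your own normal spend.

```python
# Added example, not code from the article: a sliding-window spend monitor for a
# Google Ads billing feed. The ledger is constructed; window, limit and multiplier
# are assumed values, tune them to your own normal spend.
from datetime import datetime, timedelta

WINDOW = timedelta(hours=3)   # the window that went unnoticed in the incident above
WINDOW_LIMIT = 400.0          # hard cap on spend in any single window (assumed)
RATE_MULTIPLIER = 4.0         # alert when a window spends 4x the trailing-day baseline
DAY = timedelta(hours=24)

# Constructed ledger of (timestamp, charge): a day of steady $20/hour, then a burst.
LEDGER = [(datetime(2024, 5, 1, h), 20.0) for h in range(24)] + [
    (datetime(2024, 5, 2, 0, 0), 20.0), (datetime(2024, 5, 2, 1, 0), 20.0),
    (datetime(2024, 5, 2, 1, 20), 310.0), (datetime(2024, 5, 2, 1, 50), 260.0),
    (datetime(2024, 5, 2, 2, 30), 475.0),
]

def window_alerts(ledger, window=WINDOW, limit=WINDOW_LIMIT, multiplier=RATE_MULTIPLIER):
    """After every charge, sum spend in the trailing window and compare it with the
    static limit and with a baseline: average spend per window over the preceding
    day, excluding the window itself. The baseline is only used once a full day of
    history exists (and is non-zero), so a short ledger cannot produce a false spike."""
    ledger = sorted(ledger)
    first = ledger[0][0]
    alerts = []
    for i, (ts, _) in enumerate(ledger):
        seen = ledger[:i + 1]
        window_spend = sum(a for t, a in seen if t > ts - window)
        reasons = []
        if window_spend > limit:
            reasons.append(f"{window_spend:.2f} in {window} exceeds limit {limit:.2f}")
        if ts - DAY >= first:
            prior = sum(a for t, a in seen if ts - DAY < t <= ts - window)
            baseline = prior * (window / (DAY - window))  # scale 21h of history to one window
            if baseline > 0 and window_spend > multiplier * baseline:
                reasons.append(f"{window_spend:.2f} is {window_spend / baseline:.1f}x "
                               f"the {baseline:.2f} baseline")
        if reasons:
            alerts.append({"at": ts, "window_spend": window_spend, "reasons": reasons})
    return alerts
```

On the constructed ledger the rate check fires at 01:20, about an hour and a half before the window total crosses the flat $400 limit, which is the gap a threshold-only alert leaves open.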

5. Use App-Specific Passwords and Scoped Access Where Possible

If a vendor needs access to your Google Ads, they don't need full account access. Google Ads has limited access levels — use them.

How Wolfgang Solutions Helps

We manage IT for companies that can't afford a full-time security team but can't afford to get burned either. For this specific threat vector, that means:

  • OAuth audit and hardening — we check your Google Workspace or Microsoft 365 tenant for overly permissive app installs and lock them down
  • Phishing simulation and training — we run exercises that test your team's ability to spot OAuth consent phishing, not just credential phishing
  • Monitoring and alerting — we set up billing alerts and account change notifications so you're not discovering a compromise three hours too late
  • Incident response — if something does happen, we're the people you call to contain it and get your accounts back

We're not a ticketing queue. We're the people who know what to do when something breaks — and we work with companies that have 5 to 50 people and can't justify enterprise security pricing but can't afford to go without.

If you've never had your OAuth permissions audited, that's the place to start. It's a two-hour engagement and it tells you where you stand.

Book a free 30-minute security assessment — we'll walk through your current exposure and give you a clear picture of what a real attacker would find.

Frequently Asked Questions

What is OAuth phishing and how is it different from regular phishing?

Regular phishing tricks you into typing your password on a fake website. OAuth phishing sends you to the real login page, gets you to authenticate properly, and then tricks you into clicking Allow on a permissions screen. The attacker gets a token that works independently of your password and survives password changes. MFA doesn't help because you completed MFA correctly on the real site — you're just granting access to something you shouldn't.

How did the attackers lock the real owner out of their Google Ads account?

Once they had OAuth access, they used it to add themselves as an admin user on the Google Ads account and changed the recovery contact to an address they controlled. This is the same mechanism Google uses for legitimate account recovery — once the attacker controls recovery, the real owner can't use self-service recovery to get back in. Resolving it required direct engagement with Google support.

I have MFA turned on. Does that protect me from OAuth phishing?

No. OAuth phishing bypasses credential-based defenses entirely. The victim authenticates with their password and MFA correctly — they're on the real Google site. What they do wrong is click Allow on a permissions request from a malicious app. Hardware security keys help against credential phishing but don't stop someone from voluntarily granting OAuth access to an app. The protection here is app allowlisting and user training on what permissions mean.

What's the difference between OAuth access and a direct password compromise?

A password compromise means the attacker knows your password — they can log in as you until you change it. An OAuth token compromise is different: the attacker has delegated access that's scoped to specific permissions. But here's the problem — OAuth tokens often survive password changes. If you get phished for an OAuth token and then change your password, the attacker may still have valid access. You have to revoke the token, not just rotate the password.

How do I audit OAuth apps connected to my business Google account?

For personal Google accounts: go to myaccount.google.com/permissions. For Google Workspace (business): sign into admin.google.com, go to Security > Manage apps > OAuth apps or Third-party app access. You can block specific apps, restrict which users can install apps, and see audit logs of who authorized what. If you see apps you don't recognize, revoke them immediately and treat it as a potential incident.

How much can attackers charge on a compromised Google Ads account?

As much as your card limit allows, fast. Attackers want to maximize spend before the fraud is detected. In our friend's case, thousands in charges accumulated within a few hours. Google Ads billing doesn't have real-time fraud blocking — it's your credit card issuer who ultimately catches it, which means you're disputing charges after the spend is already gone. This is why billing alerts and low credit limits on connected cards matter.