A phishing campaign running through Google Ads is stealing Google account credentials from business owners who search for “my business” to reach their Google Business Profile management console. The malicious ad appears at the top of search results, styled to resemble a legitimate Google property, and routes users to a fake login page that captures their credentials on entry. Search Engine Roundtable reported the campaign on June 4, 2026, citing screenshots and a step-by-step walkthrough posted to X by digital marketer Dan Foland.
The attack chain is straightforward. A user searching [my business] sees a sponsored result that looks official. Clicking any link on the destination page triggers a pop-up mimicking the Google sign-in modal. A working Google authentication flow would stop an invalid account address after the first step; the fake version does not. Once the user submits their credentials and follows a subsequent prompt, attackers gain access to the account, including files and saved passwords.
Brand-and-login search terms are a recurring phishing vector for exactly this reason: the user’s intent is to authenticate, so their guard is lower, and the expected destination is a login page. Searching for a product or service name to reach a sign-in screen, rather than typing the direct URL, creates a brief window where a convincing ad can intercept the session. Google Business Profile is a high-value target because account control gives an attacker the ability to alter business listings, respond to reviews under the brand name, and access any other Google services connected to the same account.
Defensive steps for marketers and business owners:
- Navigate directly to business.google.com rather than using a branded or generic search query to reach the login page. This applies to any Google product: Google Ads, Google Analytics, Google Search Console.
- Before entering any credential, confirm the domain in the browser address bar. Phishing pages can closely mimic the visual design of a login screen but cannot spoof the URL without triggering browser security warnings.
- Enable two-factor authentication on the Google account, or use a passkey, which is resistant to credential-phishing because the key is bound to the legitimate origin domain and will not authenticate against a fake page.
- Report suspicious ads directly in Google Search by selecting the three-dot menu next to the ad and choosing “Report ad.” This accelerates takedown for other users searching the same terms.
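
Why a passkey will not authenticate against a fake page, shown as an added example (not code from the report or from Google): a simplified Python model of the WebAuthn origin and RP ID checks. The RP ID `google.com`, the origin `https://accounts.google.com` and the phishing hostname are assumed values for illustration, and the signature verification a real relying party also performs is omitted.

```python
import base64, hashlib, json, os
from urllib.parse import urlsplit

RP_ID = "google.com"                          # assumed relying-party ID
RP_ORIGINS = {"https://accounts.google.com"}  # assumed allowed sign-in origin

def b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def browser_get_assertion(page_origin, requested_rp_id, challenge, passkeys):
    """Model of the browser and authenticator side of navigator.credentials.get()."""
    host = urlsplit(page_origin).hostname
    # The browser rejects an RP ID that is not the page's host or a parent domain
    # of it (simplified: real browsers also consult the public suffix list).
    if host != requested_rp_id and not host.endswith("." + requested_rp_id):
        raise PermissionError("SecurityError: rpId does not match page origin")
    # Passkeys are stored per RP ID; none is offered for an unknown one.
    if requested_rp_id not in passkeys:
        raise LookupError("no passkey for this rpId")
    # The browser, not the page, writes the origin into clientDataJSON.
    client_data = json.dumps({"type": "webauthn.get",
                              "challenge": b64u(challenge),
                              "origin": page_origin}).encode()
    flags_and_counter = b"\x05" + (1).to_bytes(4, "big")  # UP|UV flags, signCount=1
    auth_data = hashlib.sha256(requested_rp_id.encode()).digest() + flags_and_counter
    return client_data, auth_data

def server_verify(client_data, auth_data, expected_challenge):
    """Relying-party checks on type, challenge, origin and rpIdHash."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        return "reject: wrong type"
    if cd.get("challenge") != b64u(expected_challenge):
        return "reject: challenge mismatch"
    if cd.get("origin") not in RP_ORIGINS:
        return "reject: origin " + str(cd.get("origin"))
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return "reject: rpIdHash mismatch"
    return "accept"

def attempt(page_origin, requested_rp_id):
    """Run one sign-in attempt and report where it stops."""
    challenge = os.urandom(32)
    passkeys = {RP_ID}  # the user's authenticator holds one passkey, for RP_ID
    try:
        cd, ad = browser_get_assertion(page_origin, requested_rp_id, challenge, passkeys)
    except (PermissionError, LookupError) as exc:
        return "blocked in browser: " + str(exc)
    return server_verify(cd, ad, challenge)
```

A password typed into the same fake page carries no such binding, which is why the passkey fails where the password is captured.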
The broader cost here is not limited to individual account compromise. When malicious ads run on brand-name queries, every click that reaches the phishing page is a billable impression that erodes user trust in the ad network itself. Advertisers competing on the same terms also absorb reputational spillover: a user who clicks a fraudulent ad on a search they expected to resolve safely associates the negative experience with the search context, not only the attacker. Google has not commented on this specific campaign, and the report does not indicate how long the ad ran before the first public disclosure.
Business owners who manage Google Business Profile through search rather than a bookmarked URL should update their workflow today. The fix is a single behavioral change: type business.google.com into the address bar. Every other defensive layer (two-factor authentication, passkeys, and ad reporting) matters most after that habit is in place.
Search Engine Roundtable reported this phishing campaign on June 4, 2026, based on a documented walkthrough by Dan Foland shared publicly on X.