Intro: In the ever-evolving digital world, not only do we as digital marketers stay updated with the latest strategies and ad trends—we must also be alert to new cybersecurity threats. One alarming trend we’ve noticed is an uptick in sophisticated phishing attempts aimed directly at digital marketing companies. These aren’t your average spam messages. They’re targeted, well-crafted, and designed to catch even experienced professionals off-guard.
The Scam That Landed in Our Inbox: Recently, our Toronto-based digital marketing agency received an inquiry that, at first glance, looked legitimate. The message claimed to be from Lizanne Kindler, CEO of the well-known women’s fashion brand, Chico’s. Here’s the inquiry we received:
On the surface, it sounded promising. A major brand, an exciting project, and a massive ad budget ($100,000–$300,000/month). But as we dug deeper, several red flags became apparent.
5 Signs It Was a Phishing Scam:
- Fake Email Domain: The email came from info@jobs-chicos.com, which is not associated with the official Chico’s brand. Their verified domains end in @chicos.com.
- Too Good to Be True: Promising a huge advertising budget from a cold outreach without prior contact or due diligence is a hallmark of phishing.
- Generic Messaging: The message lacked any real personalization or detailed knowledge of our agency, a sign it was likely blasted out to many.
- Inconsistencies in Location and IP: The message claimed to be from Florida, but the IP traced back to Singapore—an obvious mismatch.
- Impersonation of a Real Executive: Lizanne Kindler is a real person, but this email had no connection to her or the official Chico’s organization.
UPDATE: Google Business Manager Scam Impersonating LoopNet
Shortly after the Chico’s impersonation attempt, we received another inquiry—this time from someone posing as “Jeffrey Friedman” from LoopNet.
This scam took things a step further. While the Chico’s case was a classic phishing attempt, this one used a more technical approach, leveraging a fake Google Business Manager (GMB) invite to gain access to your Google Business Profile (GBP) and possibly your Google Ads Manager. Here’s what makes it so risky:
- Fake Domain: The sender used @loopnetglobal.com, not the official @loopnet.com domain of the real company.
- Phishing with Access Control: By asking you to join their “Google Business Manager,” the scammer tries to exploit the Google account permissions system. Accepting such an invite can grant them partial or full access to:
  - Your Google Business Profile (GBP)
  - Your Google Ads account (especially if linked)
  - Any client assets you manage if you’re an agency admin
- Google Authentication Risks: Because the invite uses Google’s authentication system, it can appear trustworthy. But once accepted, you effectively legitimize the scammer’s account and give them admin access, which they can use to:
  - Inject their accounts as managers
  - Modify campaigns or steal leads
  - Launch spam or malicious ads using your billing info
- IP Obfuscation: The inquiry again used IP 127.0.0.1, a known technique to mask origin — very suspicious.
Why Digital Marketing Agencies Are Being Targeted
Hackers know that digital marketing companies manage high-value ad accounts, social media platforms, and sensitive client data. By posing as big-name brands with attractive offers, they aim to:
- Steal login credentials
- Inject malware via email attachments or phishing links
- Gain access to ad accounts for malicious activity
- Trick agencies into divulging sensitive business or client information
- Infiltrate Google Business Managers to gain high-level permissions
Protect Your Agency: Best Practices
- Verify the Source: Always verify unfamiliar inquiries with a quick domain check or direct brand contact.
- Check IP Locations: A simple IP lookup can reveal mismatched locations and flag suspicious submissions.
- Train Your Team: Make phishing awareness a regular topic of discussion for everyone handling incoming leads.
- Enable 2FA Everywhere: Two-factor authentication adds a critical layer of protection for email, ad accounts, and CRMs.
- Use a Contact Form Filter: Protect your website forms with reCAPTCHA and auto-filtering for known scam patterns.
- Never Accept Google Business Manager Invites Without Verification: Always confirm the identity of the sender and the legitimacy of their organization before accepting any Google account invitation. Be especially cautious with GMB or GBP access requests.
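The domain and IP checks from the red-flag lists and best practices above can be automated for incoming form submissions. This is an added example, not code from the agency; the function names, the lead dictionary layout, the LoopNet local part and the 8.8.8.8 address are assumptions made for illustration.

```python
import ipaddress

# Official sender domains as stated on the page; extend for brands you work with.
OFFICIAL_DOMAINS = {"chicos": "chicos.com", "loopnet": "loopnet.com"}

def check_domain(address, claimed_brand):
    """Classify the sender domain against the brand the inquiry claims to be from."""
    domain = address.rsplit("@", 1)[-1].strip().lower().rstrip(".")
    brand = "".join(c for c in claimed_brand.lower() if c.isalnum())
    official = OFFICIAL_DOMAINS.get(brand)
    if official is None:
        return "unknown brand"
    if domain == official or domain.endswith("." + official):
        return "official"
    # Brand name embedded in some other registered domain (jobs-chicos.com).
    if brand in domain.replace("-", ""):
        return "lookalike"
    return "unrelated"

def check_ip(ip_text):
    """A loopback, private or reserved address says nothing about the sender's location."""
    try:
        ip = ipaddress.ip_address(ip_text.strip())
    except ValueError:
        return "invalid"
    return "public" if ip.is_global else "non-routable"

def triage(lead):
    """Return the list of red flags for one contact-form submission."""
    flags = []
    verdict = check_domain(lead["email"], lead["claimed_brand"])
    if verdict != "official":
        flags.append("sender domain: " + verdict)
    ip_verdict = check_ip(lead["ip"])
    if ip_verdict != "public":
        flags.append("logged IP: " + ip_verdict)
    return flags

# Constructed submissions: the domains and 127.0.0.1 come from the page,
# the LoopNet local part and the 8.8.8.8 address are placeholders.
LEADS = [
    {"email": "info@jobs-chicos.com", "claimed_brand": "Chico's", "ip": "8.8.8.8"},
    {"email": "sender@loopnetglobal.com", "claimed_brand": "LoopNet", "ip": "127.0.0.1"},
]

if __name__ == "__main__":
    for lead in LEADS:
        print(lead["email"], "->", triage(lead) or "no flags")
```

A "public" result only means the address is routable; comparing its location with the one the sender claims still needs the IP lookup described above.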
Conclusion: Stay Alert, Stay Secure
As digital marketing professionals, we’re trusted with massive ad budgets and client reputations. Falling victim to phishing could not only damage your agency’s credibility but also compromise your clients.
So let’s make “hacking digital marketing companies” and “digital marketing phishing” less successful by sharing our experiences and spreading awareness. Stay sharp, and always double-check before you click.
Want to protect your business from phishing and cyber threats? Get in touch with our Toronto-based digital marketing team to learn more about how we keep our operations and our clients safe.