Fake Leads Using Phishing Tactics to Target Agency Google Ads Accounts

May 20, 2026 | Cyber Security, PPC


Digital agencies are used to receiving new lead inquiries through website forms. Many are legitimate. Some are vague, some are low-quality, and some are clearly spam. But a more concerning pattern has started to appear: fake leads that appear to come from real companies, using convincing company names, matching website references, and follow-up emails designed to push agencies into an OAuth login flow.

The goal appears to be simple: get someone at the agency to sign into a portal or calendar system using Google authentication, potentially exposing access to Google accounts, Google Ads accounts, internal files, or other connected business tools.

We recently saw examples using names connected to legitimate businesses, including Thor Equities and Homelight, but with suspicious domains such as:

  • thorequitiesmedia.com
  • homelightads.com

At first glance, these inquiries look like real business development opportunities. They mention Google Ads, SEO, website redesigns, project collaboration, and marketing support. But when you look closer, the pattern becomes much clearer.

The Pattern We’re Seeing

The scam typically starts with a website form submission that looks like a serious marketing inquiry.

The lead will often claim to represent a recognizable company or a company with a real website. The message usually says they are looking for an experienced Google advertising expert, a reliable agency partner, or help with website redesign, SEO, and campaign management.

The message is intentionally broad enough to sound plausible, but specific enough to feel like a qualified opportunity.


In one example, a lead appeared to reference Homelight Real Estate and linked to the real Homelight website, but the email address came from homelightads.com, not the legitimate company domain. In another example, the inquiry referenced Thor Equities, while the email came from thorequitiesmedia.com.

That mismatch is the first major warning sign.

Real Company Name, Fake Supporting Domain

One of the most effective parts of this scam is that the attacker borrows credibility from a legitimate company.

They may include:

  • A real company name
  • A real company website
  • A realistic-sounding employee name
  • A business development or marketing-related message
  • A domain that looks close enough to seem believable

For example, thorequitiesmedia.com may look connected to Thor Equities at a quick glance, but it is not the same as the actual company domain. The same applies to a domain like homelightads.com, which sounds advertising-related but is separate from the legitimate Homelight domain.

This is a common phishing technique: create a domain that feels familiar enough that a busy person may not question it.

The Follow-Up Pushes You Toward OAuth Login

The most concerning part comes after the initial contact.

In the follow-up message, the sender may direct the agency to book a meeting through a link that appears to be a scheduling tool or internal project portal. The email may say that the system is connected to their internal calendar, project dashboard, or secure project environment.

The message may include language like:

“To keep our scheduling and project data secure, our booking system is integrated into our internal portal.”

It may also say that the system will require you to sign in with Google Auth as a security step.

That is where the risk becomes much higher.

OAuth login prompts are not inherently bad. Many legitimate apps use Google login. But here the login request is part of a suspicious lead flow, from a questionable domain, impersonating or borrowing credibility from a real company.

There are two ways this step can go wrong, and they call for different checks. If the link ends at a genuine Google consent screen (the address bar shows accounts.google.com), the danger is the application behind it: clicking Allow hands an attacker-controlled app a token for whatever scopes it asked for, which can include Gmail, Calendar, Google Drive, Google Ads, or other connected Google Workspace resources, and that token keeps working after a password change until the grant is revoked. If instead the link ends at a "Sign in with Google" form hosted on the prospect's own domain, it is not OAuth at all but a look-alike login page collecting the password (and a two-factor code, if one is prompted for). Either way, what the attacker gets depends on what is requested or typed, not on how secure the "portal" claims to be.

Why This Is Especially Dangerous for Agencies

Agencies are attractive targets because they often manage access to multiple client accounts.

A single compromised agency Google account could potentially create risk across:

  • Google Ads accounts
  • Google Analytics properties
  • Google Tag Manager containers
  • Google Business Profiles
  • Google Drive files
  • Client reporting dashboards
  • Internal project systems
  • Email conversations with clients

This makes the phishing attempt more than a nuisance or spam: it is a potential access attack against the systems agencies use to manage client work.

Warning Signs to Watch For

These leads can look polished, but there are several red flags agencies should pay attention to.

First, check whether the email domain matches the company's official website. If the message says it is from a major company but the email comes from a newly created or slightly modified domain, treat it with caution. The domain in the From address is what matters; a link to the real company website in the message body proves nothing, since anyone can paste that link.

Second, be careful when a lead pushes you to use their portal before any real conversation has happened. A legitimate prospect may send a calendar link, but it is unusual for a first-contact lead to require Google OAuth access to view project details or schedule a call.

[Screenshots in the original: similar phishing leads and replies from spinningfields.com, dezerdevelopments.com (a reply purporting to be from Michael Dezer), and aspencreekgrill.com]

Third, watch for vague but attractive project language. These messages often mention “major projects,” “Google Ads campaigns,” “SEO,” “website redesign,” or “partnership opportunities,” but avoid giving enough specific detail to validate the opportunity.

Fourth, be cautious of urgency or overexplained security language. Phrases about “secure internal portals,” “project dashboards,” and “required Google Auth” can be used to make the login step feel normal.

What Agencies Should Do Before Clicking

Before clicking any booking link or signing into any third-party portal, take a few minutes to verify the inquiry.

  • Search the company independently and compare the official website domain to the sender’s email domain. Do not rely only on the link they provided in the form submission.
  • Look up the person on LinkedIn or the company website. If the name does not appear anywhere, that does not automatically prove it is fake, but it should raise caution.
  • Check the domain registration if the domain looks suspicious. A WHOIS or RDAP lookup shows the creation date; a recently registered domain that imitates a real company name is a major warning sign.
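Those three checks as working code, added here as an example (it is not code from the original post). It takes the company the lead claims, the official site you found by searching independently, the From address, and the creation date from a WHOIS or RDAP lookup you ran separately, and returns the red flags. The sample leads, the names in them, the official sites and the dates are constructed; the function names are my own.

```python
"""Triage a form-submitted lead: does the sender's domain match the company it
claims, and how old is that domain?

Added example, not code from the original post. The two sample leads, the
names in them, the official sites and the creation dates are constructed.
"""
from dataclasses import dataclass
from datetime import date
from email.utils import parseaddr
from typing import List, Optional
from urllib.parse import urlparse


@dataclass
class Lead:
    claimed_company: str            # company named in the form submission
    official_site: str              # found by searching for the company yourself
    sender: str                     # From: address on the inquiry or follow-up
    domain_created: Optional[date]  # creation date from a WHOIS/RDAP lookup you ran


def registrable_domain(host: str) -> str:
    # Last two labels ("www.example.com" -> "example.com"). Fine for .com brands;
    # for suffixes like co.uk use the public suffix list instead (assumption).
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def sender_domain(addr: str) -> str:
    _, email_addr = parseaddr(addr)
    return registrable_domain(email_addr.rpartition("@")[2])


def brand_token(company: str) -> str:
    # "Thor Equities" -> "thorequities", so it can be matched inside a domain label
    return "".join(ch for ch in company.lower() if ch.isalnum())


def triage(lead: Lead, today: date, max_age_days: int = 180) -> List[str]:
    """Return the red flags for a lead; an empty list means the basic checks pass."""
    flags = []
    official = registrable_domain(urlparse(lead.official_site).hostname or "")
    sender = sender_domain(lead.sender)
    if sender != official:
        flags.append(f"mismatch: mail from {sender}, official site is {official}")
        # Brand name embedded in an unrelated domain: the look-alike pattern
        if brand_token(lead.claimed_company) in sender.split(".")[0]:
            flags.append(f"look-alike: {sender} contains the brand name but is not {official}")
    if lead.domain_created is not None:
        age = (today - lead.domain_created).days
        if age < max_age_days:
            flags.append(f"recently registered: {sender} is {age} days old")
    return flags


# Constructed samples, not real submissions.
SUSPECT = Lead("Thor Equities", "https://www.thorequities.com/",
               "J. Example <j.example@thorequitiesmedia.com>", date(2026, 4, 2))
LEGIT = Lead("Homelight", "https://www.homelight.com/",
             "Partnerships <partnerships@homelight.com>", date(2012, 1, 1))

if __name__ == "__main__":
    for lead in (SUSPECT, LEGIT):
        print(lead.claimed_company, triage(lead, date(2026, 5, 20)) or ["no flags"])
```

The look-alike test is deliberately simple: the brand name appearing inside a domain that is not the official one is exactly the thorequitiesmedia.com and homelightads.com pattern. The 180-day age threshold is a choice, not a rule; what matters is that a domain registered weeks before the inquiry, in a real company's name, is worth a phone call to that company.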

Most importantly, do not approve an OAuth request unless you fully understand what application is requesting access, what permissions it wants, and why that access is necessary. The consent screen names the app and lists every scope it asks for; read that list before clicking Allow. If someone has already granted access to something you now doubt, revoke that app from the account's third-party connections page, and if a password was typed into a look-alike page, change it and sign out all other sessions.
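When the booking link ends at a Google consent screen, the URL itself says what the app will receive. The script below is an added example, not code from the original post: it parses an authorization link, lists the scopes, calls out the high-risk ones, shows which host receives the token, and flags a refresh-token request. The Google endpoint and scope strings are real; the client_id, the redirect host and both URLs are constructed placeholders, and thorequities.com is assumed here to be the official domain (the post does not name it).

```python
"""Inspect a Google OAuth authorization link before anyone clicks Allow.

Added example, not code from the original post. The two URLs below are
constructed: the client_id and redirect host are placeholders. The Google
endpoint and the scope strings are the real ones.
"""
from urllib.parse import parse_qs, urlparse

GOOGLE_CONSENT_HOST = "accounts.google.com"

# Scopes that hand over what the post lists as at risk (real scope strings).
HIGH_RISK_SCOPES = {
    "https://www.googleapis.com/auth/adwords": "manage Google Ads accounts",
    "https://www.googleapis.com/auth/drive": "read and write every Drive file",
    "https://mail.google.com/": "full Gmail access",
    "https://www.googleapis.com/auth/gmail.readonly": "read all mail",
    "https://www.googleapis.com/auth/calendar": "read and write calendars",
}

# Constructed: a consent link of the kind the follow-up email might carry.
CONSENT_URL = (
    "https://accounts.google.com/o/oauth2/v2/auth"
    "?client_id=000000000000-placeholder.apps.googleusercontent.com"
    "&redirect_uri=https%3A%2F%2Fportal.thorequitiesmedia.com%2Fcallback"
    "&response_type=code"
    "&scope=openid%20email%20https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fadwords"
    "%20https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fdrive"
    "&access_type=offline&prompt=consent"
)
# Constructed: a "Sign in with Google" form hosted on the look-alike domain.
FAKE_LOGIN_URL = "https://portal.thorequitiesmedia.com/google/signin"


def host_belongs_to(host: str, domain: str) -> bool:
    return host == domain or host.endswith("." + domain)


def inspect_auth_url(url: str, official_domain: str) -> dict:
    """Describe what signing in through `url` would give the app behind it.

    official_domain is the company's real domain, found by independent search.
    """
    u = urlparse(url)
    host = (u.hostname or "").lower()
    report = {
        "is_google_consent": host == GOOGLE_CONSENT_HOST,
        "scopes": [],
        "risky": [],
        "redirect_host": "",
        "persistent": False,
        "warnings": [],
    }
    if not report["is_google_consent"]:
        # No OAuth happens on another host: a Google sign-in form there is a
        # look-alike page that collects whatever is typed into it.
        report["warnings"].append(
            f"{host} is not Google's consent screen; treat as credential phishing")
        return report

    q = parse_qs(u.query)
    scopes = q.get("scope", [""])[0].split()
    report["scopes"] = scopes
    report["risky"] = [s for s in scopes if s in HIGH_RISK_SCOPES]
    for s in report["risky"]:
        report["warnings"].append(f"scope {s}: {HIGH_RISK_SCOPES[s]}")

    # Where Google sends the authorization code, i.e. who ends up with the token.
    redirect_host = (urlparse(q.get("redirect_uri", [""])[0]).hostname or "").lower()
    report["redirect_host"] = redirect_host
    if redirect_host and not host_belongs_to(redirect_host, official_domain):
        report["warnings"].append(
            f"token goes to {redirect_host}, which is not under {official_domain}")

    # access_type=offline asks for a refresh token: access outlives the session
    # and a password change, until the grant is revoked.
    if q.get("access_type", [""])[0] == "offline":
        report["persistent"] = True
        report["warnings"].append("access_type=offline: refresh token requested")
    return report


if __name__ == "__main__":
    for link in (CONSENT_URL, FAKE_LOGIN_URL):
        for warning in inspect_auth_url(link, "thorequities.com")["warnings"]:
            print(warning)
```

Copy the link from the email (or from the address bar once the booking page redirects) rather than clicking through, and read the warnings before deciding. A genuine scheduling tool for a first call has no reason to ask for the adwords or drive scope, and no reason to send the token to a domain other than the company's own.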

What to Tell Your Team

Agencies should make sure account managers, sales teams, and anyone monitoring website leads know what this type of scam looks like. A simple internal rule can help:

Do not sign into a prospect’s portal, dashboard, calendar system, or shared workspace using Google until the company and domain have been verified.

It is also worth reminding team members that Google login does not automatically mean something is safe. OAuth can be abused when users are tricked into granting access to a malicious or impersonating app: the consent screen is genuine, the application behind it is not.

Protecting Your Google Ads and Client Accounts

If you manage Google Ads accounts for clients, this is a good time to review your internal access policies.

Make sure two-factor authentication is enabled for all users. Keep in mind that it protects the password, not the consent step: a token approved on a genuine Google consent screen works without a second factor, so also review which third-party apps have been granted access to your users' accounts, and, if you administer Google Workspace, restrict which apps may request that access. Review who has access to Google Ads, Google Analytics, Google Tag Manager, and client reporting tools. Remove old users, unused accounts, and unnecessary permissions.

You should also be careful about which Google account is used for sales, scheduling, and intake workflows. If possible, avoid having broad client account access tied to the same inbox that receives public website form submissions. For agencies, the safest approach is to slow down before signing in.