Scammers Hijack Google Business Profiles: How to Protect Yours in 2026

Leave a Comment / News / By

Scammers Hijack Google Business Profiles: How to Protect Yours in 2026

A wave of Google Business Profile hijackings has hit local businesses across the country, with fraudsters successfully claiming ownership of established profiles, changing contact information, and intercepting customer leads intended for legitimate businesses. Your Google reviews play a major role in how potential customers perceive your business.

Unlike hacking (which involves breaking through security systems), GBP hijacking exploits Google’s own verification process — the same process designed to help businesses reclaim lost access. Understanding how it works is essential for every business owner with a Google presence.

How GBP Hijacking Works

The Vulnerability Google Created

Google allows businesses to request ownership or editing rights for any Google Business Profile, even one that’s already verified and managed by the legitimate owner. The theory is that ownership changes hands (businesses are sold, managers leave) and people need a way to reclaim access. Your Google reviews play a major role in how potential customers perceive your business.

The vulnerability: Google’s verification process for ownership transfer requests sometimes fails to adequately verify that the requesting party is actually connected to the business. Fraudsters have developed methods to pass these verification checks for businesses they have no connection to.

Common Hijacking Methods

  • Postcard verification exploitation — requesting a PIN code postcard be sent to a fraudulent address and intercepting it or guessing the PIN format
  • Phone verification abuse — using spoofed phone numbers or social engineering to intercept verification calls
  • Phishing the business owner — sending fake “Google Business” emails that steal login credentials
  • Business sale impersonation — claiming to be the new owner of a business after a “sale” that never happened

What Happens After a Successful Hijack

Once fraudsters gain control:

  • They change the phone number (now all customer calls go to them)
  • They change the website URL (traffic redirects to a competitor or scam site)
  • They may add or remove services
  • They may change the business address (disrupting map results)
  • In some cases they’ve deleted reviews or changed business categories

In competitive industries (law, healthcare, home services), hijacked profiles have been used to intercept leads worth thousands of dollars per week before the legitimate owner noticed.

How to Lock Down Your Google Business Profile

Immediate Security Actions

  1. Enable 2-factor authentication on your Google account — this is the single most important security measure. Go to myaccount.google.com → Security → 2-Step Verification. Use an authenticator app (Google Authenticator, Authy) rather than SMS, which can be intercepted.
  2. Use a dedicated business email address for your GBP that is not your personal Gmail. This separates your personal and business digital security posture.
  3. Audit your profile managers — go to your GBP dashboard and review who has Owner, Manager, and Site Manager access. Remove anyone who no longer needs access.
  4. Never share your GBP login credentials — if a third-party service needs access, add them as a Manager (not Owner) using their own Google account, then revoke access when the work is complete.

Ongoing Monitoring

  • Set up GBP email notifications — ensure you’re receiving alerts for all profile changes, review activity, and ownership requests
  • Check your GBP weekly — verify that your phone number, address, website, and hours are unchanged
  • Call your listed phone number periodically — this is the simplest way to catch phone number hijacking
  • Set up a Google Alert for your business name — new mentions can signal unauthorized profile activity

If You Suspect a Hijacking Attempt

If you receive an email from Google saying someone has requested ownership of your profile, or if you notice changes you didn’t make: Your Google reviews play a major role in how potential customers perceive your business.

Free Weekly Newsletter

Get actionable Google review strategies delivered every week. No fluff.

Sign Up Free →

  1. Log in to your GBP dashboard immediately
  2. Review and revoke any pending ownership requests
  3. Change your Google account password immediately
  4. Contact Google Business Profile support via phone or chat
  5. File a report through Google’s abuse reporting form

Recovering a Hijacked Profile

Recovery is possible but can take 2–4 weeks and requires:

  • Documented proof that you are the legitimate business owner (business license, utility bills with business address, bank statements)
  • Evidence of the unauthorized takeover
  • Google Business Profile appeals process submission

The process is frustrating, but businesses with strong documentation typically prevail. This is another reason to maintain organized business records — they may one day be your proof of ownership. Your Google reviews play a major role in how potential customers perceive your business.

The Broader Security Posture

GBP security is part of your overall digital security hygiene. For local businesses, the digital assets most worth protecting are your Google Business Profile, your website domain, and your customer email list. Apply strong passwords and 2FA to all three.

Review our guide on reputation security in 2026 for the complete defensive strategy, and learn how to remove fake reviews when attacks do happen.

Get More Google Reviews — Free Resources

Join our free newsletter and get your free One-Tap Review Card guide, review audit, and PDF strategy guide instantly.

→ Get Free Resources

Ready to Get More Google Reviews?

Join our free newsletter for weekly strategies, tools, and tips that actually work.

Get Started Free →

Leave a Comment

Your email address will not be published. Required fields are marked *

Logo