Google Business Profile Security: How to Prevent Unauthorised Access and Ownership Hijacking

Your Google Business Profile is one of the most valuable digital assets your business owns. It controls what customers see when they search for you on Google Maps, influences your local search ranking, and shapes the first impression you make on thousands of potential customers every month. Yet most business owners treat it like a set-and-forget account — logging in once to claim it and then rarely checking in again.

That neglect creates an opening for one of the most underappreciated threats in local SEO: GBP ownership hijacking and unauthorised access. Someone — a disgruntled ex-employee, a competitor, a rogue agency, or an opportunistic scammer — can request control of your listing. If you don't respond within seven days, Google may hand it over. Without any notification that would alert a business owner who isn't watching closely.

This guide covers every major GBP security threat, exactly how each one works, and the concrete steps you can take today to lock down your listing.

Key Takeaways

Google's ownership transfer process has a 7-day response window — miss it and a stranger can legally own your listing.
Five distinct threat categories target GBP listings: ownership hijacking, unauthorised manager access, public suggested edits, Google's own auto-edits, and fake reviews.
You should audit who has owner and manager access to your GBP at least once per quarter.
Any previous agency, web developer, or employee added as Primary Owner — not Manager — can lock you out of your own listing.
2-step verification on the Google account that owns your GBP is the single highest-impact security step you can take right now.
Continuous automated monitoring is the only reliable way to catch unauthorised changes before they damage your ranking and reputation.

The 5 Types of GBP Security Threats

There are five distinct ways your Google Business Profile can be compromised, and understanding each one is the first step towards defending against it.

1. Ownership hijacking is the most dangerous. A third party submits an ownership request to Google, claiming to represent your business. If you fail to respond within seven days, Google can grant them full Primary Owner access — the ability to edit every piece of information on your listing, remove you as a manager, and even delete the profile entirely.

2. Unauthorised manager access occurs when someone who previously had legitimate access — a former employee, a previous agency, a business partner you've parted ways with — retains their credentials and continues to access, edit, or monitor your listing without your knowledge or consent.

3. Suggested edits from the public are a lesser-known vulnerability baked into Google Maps itself. Any member of the public can suggest changes to any business listing: incorrect opening hours, a wrong phone number, an outdated address. Google sometimes approves these suggestions automatically, without notifying the business owner in time to intervene.

4. Google's own auto-edits are perhaps the most surprising threat. Google uses machine learning and data from third-party sources — websites, social media, user behaviour — to automatically update business information it believes is inaccurate. These changes can override the information you've carefully maintained, and they can happen with minimal warning.

5. Fake reviews don't compromise your account access, but they can do severe reputational damage. A campaign of orchestrated negative reviews, or fake positive reviews designed to make competitors look suspicious, can undermine the trust your genuine customers have built for you.

How GBP Ownership Hijacking Works

Ownership hijacking is the number-one most damaging GBP attack — and Google's own policies are what make it possible.

When someone believes they have a legitimate claim to a Google Business Profile — perhaps they recently acquired a business, or they're the franchise owner of a location that was listed by a franchisee — they can request ownership through the standard verification flow. Google sends a notification to the current verified owner's email address.

Here is where the vulnerability lies: if the current owner does not respond within seven days, Google may grant the requester Primary Owner access. The seven-day window is documented in Google's own support documentation. For a business owner who checks their email infrequently, or whose GBP is registered to an email address they rarely monitor, this window can pass silently.

The consequences of a successful hijack are severe:

The new "owner" can change your business name, address, phone number, website, and hours.
They can remove all other managers and owners, including you.
They can delete the listing entirely.
All your reviews, photos, and accumulated trust signals disappear with the listing if it's deleted.
Your Google Maps ranking drops immediately if your NAP (name, address, phone) data is changed.

The attack is not theoretical. It happens regularly. A competitor who knows your listing is poorly monitored, or a scammer who purchases hijacked GBP listings to resell, can target any business with a dormant or unmonitored profile.

How to Check Who Has Access to Your GBP Right Now

The first security action every business owner should take is a complete access audit — and you should do this quarterly.

To check who has Owner or Manager access to your Google Business Profile:

Go to business.google.com and sign in with the account that owns your listing.
Select the location you want to audit.
Click Settings in the left menu, then select Managers (sometimes listed as the People tab or People and access).
Review every account listed. For each one, confirm: Do you know who this person is? Do they still work for or represent your business? Should they have this level of access?

The access levels Google assigns are:

Primary Owner — full control, including the ability to remove other owners. Only one Primary Owner can exist per listing.
Owner — nearly identical to Primary Owner; can add and remove managers.
Manager — can edit listing information and respond to reviews, but cannot add or remove other users.

Any account you don't recognise, or that belongs to someone who no longer represents your business, should be removed immediately.

How to Remove Old Managers and Owners

Removing a manager is straightforward. Removing an Owner or the Primary Owner is where complications can arise.

To remove a Manager: Go to Settings → Managers, click the account you want to remove, and select Remove access. This takes effect immediately.

To remove an Owner: The same process applies, but you must be signed in as the Primary Owner to remove another Owner.

To change the Primary Owner: The current Primary Owner can transfer Primary Owner status to another verified Owner on the account. Go to Managers, select the account you want to promote, and choose Transfer primary ownership. There is a waiting period of up to seven days before the transfer completes — during which the original Primary Owner can cancel it.

The situations that create real problems:

A former employee was added as Primary Owner instead of Manager. If they left on bad terms and are uncooperative, you cannot remove them without their consent unless you escalate to Google Support.
Your previous agency was made Primary Owner. Agencies sometimes request Primary Owner status for operational convenience. When the agency relationship ends, they may not voluntarily relinquish control.
You've lost access to the email address that owns the listing. If the owning account is a departed employee's company email that no longer exists, you'll need to go through Google's ownership reinstatement process.

What Happens When an Agency Is Made Primary Owner

This is one of the most common GBP security mistakes Irish and UK businesses make — and it can result in complete loss of control over your listing.

When you hire a digital agency to manage your GBP, they typically need Manager access, not Owner or Primary Owner access. Manager access allows them to update your listing, respond to reviews, add photos, and create posts. It does not give them the ability to remove you from your own listing.

If an agency requests Primary Owner or Owner status — and many do, either out of convenience or to increase client stickiness — you are placing your listing's security in their hands. If:

The agency closes down
Your contract ends acrimoniously
The agency is acquired by another company
The individual at the agency who managed your listing leaves

...you may find yourself locked out of your own Google Business Profile, or at the mercy of a business relationship that has already broken down.

What to do if an agency holds Primary Owner status: Request in writing that they transfer Primary Owner status back to you before the engagement ends. If they refuse, contact Google Support and provide documentation proving you are the legitimate business owner (business registration, utility bills, etc.). Google does have a reinstatement path for legitimate business owners, but it is slow and not guaranteed.

Best practice: Always retain Primary Owner status on a Google account you personally control. Add agencies as Managers only. Document this requirement in any agency contract.

How to Respond to an Ownership Request You Didn't Initiate

If you receive a notification from Google saying someone has requested ownership of your Business Profile, treat it as a security alert — not a routine email to deal with later.

Act within 24 hours, not seven days. The seven-day window is a deadline, not a suggestion. The moment you see the notification:

Log into business.google.com immediately.
Navigate to the listing in question.
Look for the ownership request notification and select Reject or Deny.
If you cannot find the request through the standard interface, contact Google Business Profile Support directly.

If the request is from someone with a legitimate claim — a new business owner, a genuine franchisee — you can engage with them through proper channels. But if you don't recognise the requester, reject the request immediately and then investigate.

After rejecting, review your access list for any accounts you don't recognise. Change the password on the Google account that owns your listing. Enable 2-step verification if you haven't already.

Setting Up a Dedicated Google Account for GBP Management

One of the most effective structural changes you can make for long-term GBP security is to manage your listing through a dedicated Google account rather than your personal Gmail.

Using a personal Gmail account as your GBP owner creates several risks:

If you ever change your personal email, your GBP access is disrupted.
If you leave the business (or the business is sold), personal access complicates the transition.
A phishing attack on your personal account compromises your GBP along with your personal data.

Recommended setup:

Create a Google account tied to your business domain — something like [email protected]. This account should:

Be used exclusively for GBP management (and possibly Google Search Console and Google Ads).
Have its password stored in a company password manager, accessible to multiple authorised staff.
Have 2-step verification enabled (see below).
Have a recovery email and phone number set to business contact details, not a personal number.

This structure means that if a key staff member leaves, business continuity is preserved. The GBP ownership stays with the business, not the individual.

How to Enable 2-Step Verification on Your GBP Account

Enabling 2-step verification (2SV) on the Google account that owns your GBP is the single most impactful security action you can take. It means that even if someone obtains your password — through a phishing attack, a data breach, or a disgruntled insider — they cannot log in without also having your second factor.

To enable 2-step verification:

Go to myaccount.google.com/security.
Under "How you sign in to Google", select 2-Step Verification.
Follow the prompts. Google will walk you through setting up a second factor.

Recommended second factors, in order of security:

Google Prompt / Passkey — requires physical access to a registered device. Strongest option.
Authenticator app (Google Authenticator, Authy) — generates time-based codes. Strong and portable.
Hardware security key (YubiKey) — physical key required for login. Strongest possible, recommended for high-value accounts.
SMS verification — better than nothing, but vulnerable to SIM-swapping attacks. Use it as a backup, not a primary method.

Also review your trusted devices list in Google Account Security. Remove any devices you no longer use or don't recognise.

The Suggested Edits Vulnerability

Any Google Maps user can suggest an edit to any business listing. They can suggest a change to your opening hours, phone number, address, website, or business category. Google reviews these suggestions and, in many cases, auto-approves them — sometimes without notifying the business owner until the change has already gone live.

This vulnerability is not malicious by design — it's how Google maintains data quality at scale. But it creates a real risk for businesses, particularly in competitive local markets.

Real-world scenarios:

A competitor suggests you're permanently closed, particularly on a Friday afternoon before a bank holiday weekend. Google approves it. Customers searching for you over the weekend see your listing as closed and go elsewhere.
An automated scraper or data broker pushes an old address to Google, which interprets it as an authoritative source and updates your listing.
A customer who had a bad experience edits your phone number to a disconnected number, hoping to harm your business.

According to Google's own guidelines, suggested edits from users are reviewed by both automated systems and, in some cases, by Local Guides (Google's volunteer reviewers). The approval threshold for low-stakes changes (like minor hours adjustments) is lower than for high-stakes changes (like address changes).

The only reliable defence against suggested edits is monitoring. If you're not checking your listing at least weekly, a harmful suggested edit can stay live for days or weeks before you notice it.

Google's Own Auto-Edits: When Google Changes Your Information

Google actively edits business listings based on information it collects from across the web. This is documented behaviour — Google's support pages acknowledge that the company may update business information from "authoritative sources" including the business's own website, social media profiles, and third-party data providers.

Common auto-edit scenarios:

Google detects a phone number on your website that differs from the one on your GBP and updates the listing to match the website (or the other way around).
Google sources data from a directory listing (Yelp, Yell, Golden Pages) that contains outdated information and updates your GBP to match.
Google changes your business category based on keywords it detects in your website content.
Google's systems detect that a different business is now operating at your address and merge or modify your listing.

These auto-edits can override changes you've deliberately made. If you correct a mistake on your GBP, Google may re-apply the incorrect version within days if it's sourced from a third-party data provider.

The fix for this is twofold: first, ensure your NAP data is consistent across every directory, social profile, and citation on the web. Second, monitor your GBP for changes so you can catch and revert Google's auto-edits promptly.

What to Do If Your GBP Has Already Been Hijacked

If you log in and discover that your Business Profile is now controlled by someone you don't know — or that you've been removed as an owner — here's the escalation path.

Step 1: Check if you still have any access. Log into business.google.com with your normal credentials. If you can still see the listing but your role has been downgraded, you may be able to contact the new owner through the platform.

Step 2: Request ownership back. If you've been removed entirely, use the "Request access" flow at business.google.com/add-single-location to submit an ownership request for your own listing. Gather documentation: business registration, invoices, photos of your premises, screenshots of your original GBP setup.

Step 3: Contact Google Business Profile Support. Go to support.google.com/business and escalate to a human agent. Explain that you are the legitimate business owner and that your listing has been taken over without your consent. Have your documentation ready.

Step 4: Report it as fraudulent. If you believe the hijack was malicious — not just a misunderstanding with an ex-agency — report the listing as fraudulent through Google Maps. Click the three-dot menu on the listing and select "Suggest an edit" → "Remove this place" or use the flag option to report the listing.

Step 5: Consider legal action. In cases where a competitor has hijacked your listing and is using it to divert customers, you may have grounds for a complaint to the Competition and Consumer Protection Commission (CCPC) in Ireland, or equivalent bodies in the UK.

Google's reinstatement process can take weeks. The best strategy is always prevention.

Real-World Case Studies

The restaurant owner and the ex-employee. A Dublin restaurant owner promoted a trusted member of staff to Owner-level access on their GBP so the manager could handle day-to-day listing updates. When that manager left acrimoniously after a dispute over pay, they changed the restaurant's phone number and opening hours on the GBP before the owner realised what had happened. Customers calling the listed number reached a disconnected line. Customers showing up on a Tuesday — listed as "closed" by the ex-employee — found the restaurant open and were confused by the discrepancy. Reversing the changes took four days. The damage to trust took longer to repair.

The agency handover that became a hostage situation. A Galway B&B worked with a local digital agency for three years. The agency had been given Primary Owner status "for convenience" when the listing was first set up. When the B&B owner decided to bring their digital marketing in-house, the agency refused to transfer ownership, insisting the owner pay for a handover package. The owner had no leverage — the agency legally controlled the listing. After six weeks of back-and-forth and a Google Support escalation, the owner regained control. The listing had not been updated during this period, missing the peak summer booking season.

The competitor's false claim. A Cork tradesman discovered that a competitor had submitted an ownership request to Google for his listing, falsely claiming that the business had "changed hands" and that they were the new owner. Because the tradesman didn't notice the email notification, the seven-day window passed. The competitor gained access and changed the phone number to their own, diverting leads. The tradesman only discovered the hijack when a customer mentioned they'd rung a different number. The Google Support escalation, combined with evidence of the tradesman's original verification, resolved the issue — but not before an estimated several weeks of diverted enquiries.

Continuous Monitoring: The Only Reliable Defence

All of the threats above have one thing in common: they're most damaging when they go undetected. An ownership request you catch on day one is a five-minute problem. An ownership request you miss is a potential weeks-long nightmare.

Manually checking your GBP every day is impractical for most business owners. That's why automated monitoring exists.

MyReputation.ie monitors your Google Business Profile continuously, alerting you within the hour if any change is detected — whether it's a field edited by a manager, a suggested edit approved by Google, or one of Google's own auto-edits overriding your data. When a change is detected, you receive a detailed alert showing exactly what changed, what the old value was, and what it's been changed to. You can revert the change with a single click, without having to log into Google Business Profile Manager at all.

For businesses with multiple locations, or agencies managing listings on behalf of clients, this kind of systematic monitoring is not optional — it's the operational baseline that keeps listings accurate and secure.

10-Point GBP Security Checklist

Work through this checklist to secure your Google Business Profile:

Audit access now. Go to Settings → Managers in Business Profile Manager. Identify every account with Owner or Manager access. Remove anyone who shouldn't be there.
Ensure you are the Primary Owner. Your Google account — not an agency's, not an employee's — should be the Primary Owner of your listing.
Demote all agencies to Manager. If an agency currently holds Owner or Primary Owner status, request a downgrade to Manager immediately.
Create a dedicated GBP management account. Set up a Google account at your business domain (e.g. [email protected]) and use it as the Primary Owner account.
Enable 2-step verification. Turn on 2SV on every Google account that has Owner or Manager access to your listing. Use an authenticator app, not SMS, as your primary second factor.
Set up a recovery email and phone. Ensure your account recovery options are up to date and point to contact details you control.
Check for pending ownership requests. Log in to Business Profile Manager and check for any pending ownership requests you haven't responded to.
Audit your listing fields. Review your current business name, address, phone, website, hours, and categories. Confirm everything is accurate and matches your other online profiles.
Check your review list for suspicious activity. Look for patterns of negative reviews appearing in clusters, or reviews that seem to describe a different business entirely.
Set up automated monitoring. Manual audits are not enough. Use MyReputation.ie to monitor your listing continuously and receive instant alerts on any change.

Frequently Asked Questions

Q: How long does Google give me to respond to an ownership request?

A: Google's documented policy is a seven-day window. If the current verified owner of a Business Profile does not respond to an ownership request within seven days, Google may grant the requester access. In practice, this window can sometimes be shorter if Google's systems determine the requester has strong evidence of legitimate ownership. Always treat ownership request notifications as urgent.

Q: Can I see a history of changes made to my Google Business Profile?

A: Google Business Profile Manager does not provide a comprehensive change history in the standard interface. You can see some edit history in the "Edits" section of your profile, but it does not always capture every change — particularly changes made by Google's automated systems or suggested edits approved by Google. Dedicated monitoring tools like MyReputation.ie log every detected change with timestamps and before/after values.

Q: What's the difference between Owner access and Manager access on a GBP?

A: An Owner can add and remove other managers and owners, and can transfer Primary Owner status. A Manager can edit listing information, respond to reviews, and add photos and posts, but cannot manage other users' access. From a security perspective, Owner access should be restricted to a very small number of accounts — ideally just the Primary Owner account — while agencies and employees should operate as Managers.

Q: My previous agency still has access to my GBP and isn't responding. What can I do?

A: If the agency holds Manager access and you hold Primary Owner or Owner access, you can remove them unilaterally through Business Profile Manager → Settings → Managers. If the agency holds Primary Owner status and is uncooperative, you'll need to contact Google Business Profile Support directly and provide documentation proving you are the legitimate business owner. This process can take one to three weeks but Google does have a resolution path for legitimate business owners.

Q: Does enabling 2-step verification affect how Google Business Profile Manager works day-to-day?

A: The only change is that logging in requires a second step — approving a notification on your phone, or entering a code from your authenticator app. Once logged in, everything works exactly as before. The minor inconvenience of the extra login step is a very small price for the significant security improvement it provides. For accounts that stay logged in on trusted devices, you may only need to complete 2-step verification once per device per month.

Q: Can a competitor request ownership of my GBP and succeed?

A: Yes — this is a documented attack vector. A bad actor can submit an ownership request claiming to represent your business. If you don't respond within seven days, or if Google's systems are deceived by false documentation, the request can succeed. The defences are: monitor the email address associated with your GBP ownership account closely, respond immediately to any ownership request you didn't initiate, and ensure your GBP is verified under a Google account with 2-step verification enabled.

Q: What should I do if Google auto-edits my listing with incorrect information?

A: Log into Business Profile Manager, navigate to the affected field, and correct the information. Then audit every other directory and website where your business is listed to ensure your NAP data is consistent — inconsistent citations are often the source Google is pulling from. If Google keeps reverting your corrections, contact Google Support and flag the specific third-party source causing the conflict. Automated monitoring via MyReputation.ie will alert you each time Google makes an auto-edit so you can catch and revert them quickly.

Your Google Business Profile represents years of reviews, trust signals, and local SEO authority. Protecting it is not a one-time task — it's an ongoing security practice, just like protecting your website or your email accounts.

The business owners who lose their listings to hijacking, disgruntled ex-employees, or opportunistic competitors are almost always the ones who weren't watching. The solution is simple: watch.

Start monitoring your Google Business Profile free at MyReputation.ie.