Skip to content
All insights
Cyber Security8 min read

That brand deal email might be malware: how fake sponsorships steal creator accounts

Fake sponsorship offers are one of the most reliable ways attackers take over creator accounts. The trick is that they never need your password, and two-factor authentication does not stop them.

Ada

Ada

Editor & AI Analyst

That brand deal email might be malware: how fake sponsorships steal creator accounts

A brand you recognise emails your business address. They have watched your work, they like it, and they want to sponsor a video. The rate is good. All you need to do is open the attached brief, or download the product so you can demo it on camera.

Then the channel is gone.

Fake sponsorship offers are among the most reliable ways attackers take over creator accounts, and they work on careful, experienced people. The reason they work is worth understanding, because the defence most creators rely on does nothing to stop them.

What actually happens

The offer arrives as a normal business email, often naming a real company. Google's Threat Analysis Group, which tracks these campaigns, has seen attackers impersonate antivirus makers, VPN providers, music players, photo editors and games studios: exactly the products creators are used to being approached by. The first email is usually harmless. It exists to start a conversation and build trust before anything malicious is sent.

Once you agree to the deal, you receive the "software" to demo, or a contract, media kit or brief. It might be a download link, a PDF hosted on a legitimate cloud service, or a document containing a link. Attackers often move the conversation to WhatsApp, Telegram or Discord, partly because email providers are good at catching malicious attachments.

Opening the file installs an infostealer: malware built to quietly copy things saved in your browser. It takes passwords, but more importantly it takes your session cookies, the small files a website leaves in your browser to remember that you are already logged in.

Those cookies go to the attacker. Within minutes, they can be loaded into the attacker's own browser, and your account opens for them as though they had simply sat down at your desk.

Why two-factor authentication did not save you

This is the part that surprises people, and it is the single most important thing in this article.

Two-factor authentication protects the login. A stolen session cookie skips the login entirely.

The cookie is proof that someone already logged in successfully and already passed the two-factor check. When the attacker replays it, the platform sees a session that has been verified, so it never asks for a password or a code. Nothing was broken. The attacker simply arrived after the door had been opened. Security researchers call this a pass-the-cookie attack, and it has grown precisely because two-factor authentication became common. Attackers stopped fighting the lock and started stealing the thing that proves you already opened it.

So a strong password did not fail. Two-factor authentication did not fail. They were never in the attacker's path.

What happens to the account

Hijacked channels are either sold or repurposed. Google TAG found stolen channels changing hands on account-trading markets for anywhere between US$3 and US$4,000, depending on subscriber count. Many are rebranded on the spot: the name, profile picture and videos are replaced with the branding of a large tech or cryptocurrency company, and the channel begins live-streaming a fake giveaway that asks viewers to send cryptocurrency first.

The damage is not only to the creator. It lands on the audience who trusted them, and, if an agency holds the account, on the agency's relationship with that client.

Why agencies carry more of this risk than they think

An agency is not a normal small business. It is a custodian of assets it does not own.

Agency staff are the people most likely to open an unsolicited sponsorship email, because reading brand outreach is their job. They are often logged into several clients' accounts on one machine, which means one infected laptop can expose an entire roster rather than a single channel. And the loss is not recoverable in the way a lost document is. A creator's audience took years to build.

The pattern to watch for is an agency where credentials sit in a shared spreadsheet, a departed freelancer still has access, or the login is tied to someone's personal email account. Any one of those turns a single malware infection into a client-wide incident.

How to spot a fake sponsorship offer

  • The sender's domain is not the brand's real domain. Look at what comes after the @, and check it letter by letter.
  • You are asked to download and run software, rather than being sent a link to the public product page.
  • The brief, contract or media kit is an executable file, or a document that asks you to enable content, disable antivirus, or click through a warning.
  • The conversation moves off email to a messaging app early.
  • A security warning appears and the sender tells you to ignore it. Legitimate brands never do this.
  • The deal is unusually generous, or unusually urgent.

Verifying is simple and worth the ten minutes: find the brand's real website independently, and contact their partnerships address to confirm the person is who they say. Never use the contact details in the suspicious email.

What to do before it happens

  • Never open sponsorship attachments on the machine you use to access client accounts. If you must open a file from a new contact, do it on a separate device, or in a virtual machine, or a sandbox.
  • Use delegated access, not shared passwords. Platforms let you grant someone a role on an account without handing over the login. An agency should rarely hold a client's password at all.
  • Take browser and antivirus warnings seriously. Attackers rely on people clicking past them.
  • Keep Chrome updated. In April 2026, Google made Device Bound Session Credentials generally available in Chrome 146 on Windows, a feature that ties your session to your computer's security chip so a stolen cookie will not work on the attacker's machine. It is not yet everywhere, and it depends on the website supporting it, but it directly targets this attack.
  • Consider passkeys where a platform offers them, and review connected devices and account access regularly.
  • Remove access when people leave. Offboarding is a security control.

If it has already happened

Move quickly, and in this order.

  1. Sign out of all sessions. Changing the password alone is not enough, because the attacker's stolen cookie may still be valid. Look for "sign out of all devices" or "revoke sessions" in your account security settings. Do this from a device you are confident is clean.
  2. Assume the machine is infected. Take it offline and scan it, or rebuild it. Recovering the account while the malware is still running just hands the attacker a fresh cookie.
  3. Change passwords on the email account first, then the affected platform, then anything else that shared credentials.
  4. Use the platform's account recovery process. YouTube has hardened its channel transfer workflows in response to these campaigns and says it automatically recovers the overwhelming majority of hijacked channels.
  5. Tell your clients and your audience. Silence is worse than embarrassment, and the audience is the group actually being defrauded.
  6. Report it, to the impersonated brand, to the platform, and to your national cyber crime reporting body.

The uncomfortable truth is that this attack does not target careless people. It targets people whose job is to answer email from strangers offering money. That is most of the creator economy. The defence is not vigilance alone, it is arranging things so that a single mistaken click cannot cost someone else their life's work.

Book your free security consultation

A no-obligation conversation with people who actually understand security. We'll review where you stand and show you the fastest way to close your biggest gaps.