Action Launcher developer Chris Lacy today tweeted how his Google verification code -- which starts with “G-” -- featured an “SMS AD.” The advertisement -- for a VPN -- includes a quick message and short URL.

While you might think that this was a phishing attempt, the verification code was legit and was requested by Lacy to verify a login attempt successfully.

It was so grim that Google Messages even flagged the link/message as spam. Googlers responding to the thread suspect this is an occurrence of a carrier appending an ad -- note the extra spaces -- into an actual text message.

It’s improbable that Google’s security teams would allow advertising into a very crucial part of the login process where end-user trust is paramount.

Google issued the following statement to us today: “These are not our ads, and we are currently working with the wireless carrier to understand why this happened.” Google confirms that the “SMS AD” did not originate from its own advertising network. Meanwhile, it’s working with the wireless carrier in question to find out what occurred. Lacy has decided “not to state the carrier for privacy reasons”, and Google did not share that information either.