A client had their Facebook ad account hacked, and from that experience, today I want to share some recommendations to protect your accounts.
A hacker changed the contact information on her business page or fan page and ran two traffic campaigns, costing $847 per day. Luckily, Facebook noticed the suspicious activity and disabled the ad account. In many cases, this doesn't happen, as recently happened to a colleague who lost over $800 in a matter of minutes.
As a result, I've studied several cases and found that this is something that happens, and Facebook hasn't taken more proactive measures to prevent it from continuing. The problem is that one might think the hackers ' target would be large advertising accounts, but that's not the case. It can happen to any of us.
In this writing, I want to leave you with some recommendations:
What to do if your Facebook ad account is hacked?
Step 1: Find out whose account was hacked.
The first step is to regain control of your account. Remember that you can only access your Facebook ad accounts through your personal Facebook account. This means that if someone has hacked your ad account, they could only have done so by hacking the personal account of someone who had access to yours.
To find this, click the clock icon on the right side of your Ads Manager (Business Manager):
Set the date range and you'll see a list of all the changes made, along with who made them:
Another way to find out if someone has hacked your account is to go to your personal settings page and then click on Security and Login . There's a section there that shows the devices and locations you've recently logged in from.
If you see a login from a location you don't recognize, it probably means it was the hacker .
Step 2: Delete the hacked account
As quickly as possible, you must remove access to the hacked account. To do this, go to Settings, click on People , and then click the trash can icon next to your ad account to remove access.
Step 3: Secure your account
You'll need to protect your account and ban that hacker permanently. Facebook has a process for this. To find them, log in and search for the hacker . At the top of the results, you should see an option to protect your Facebook account.
This will take you to this page, where Facebook will ask you some questions to help you fix the problem. Follow the instructions to protect your account and remove the hacker .
If for some reason you can't log in to your own account (if the hacker changed your password, for example), you can still protect your account by going to this page:
https://www.facebook.com/hacked/
Step 4: Contact Facebook
Unfortunately, contacting someone on Facebook can be very complicated. Try going to this page: https://www.facebook.com/business/help
Scroll down and look for the contact option:
If you don't see that contact option, the support team may be too busy. Try again later. Don't delete the campaigns the hacker ran so the Facebook team can investigate.
Whether you're waiting to resolve this situation or want to prevent it from happening, follow these steps to protect your account and increase security.
What steps can you take to prevent your Facebook ad account from being hacked?
I suppose you're wondering: Brendaliz, how can I prevent this from happening to me? There are some safety measures you can take to protect yourself:
1. Understanding how hackers infiltrate accounts
These are some of the most common tricks hackers use:
- Phishing scams
At some point, you've probably received a spam email claiming to be from Facebook, Amazon, PayPal, or some other official site. If you open these emails, they'll direct you to a website that LOOKS legitimate, but it's a fake version designed to steal your login credentials.
- Email attachments.
Another variation of this is an email with an attachment containing an "invoice" for a purchase you never made. As soon as you open the file, it will run some type of malware designed to steal your information.
- Data breaches.
Do you use the same email and password for Facebook that you use everywhere else? If so, your login information may have been compromised elsewhere and is now available on the dark web.
Once a hacker obtains your information, they have tools that will automatically test email and password combinations for valid logins on other websites (such as Facebook).
I recommend using one of these services to receive an alert if your email address appears in a data breach:
2. Improve passwords
It's simple, but important. Use uppercase letters, numbers, symbols, and uncommon combinations. You should also change that password regularly.
As you can see, hackers can steal your information from less secure sites and use that information to access more secure sites (like social media, email, and even bank accounts). That's why you should also avoid using the same password for multiple websites.
3. Remove people or administrators with unnecessary access.
As a general rule, don't give access to people who don't really need it. The more people who have access to your account, the more potential places it can be hacked.
4. Check the Apps (applications).
Just like users, applications and integrations are another potential entry point for hackers . This is an area where you should pay attention and avoid granting access to applications or integrations you don't need.
To review your apps, simply click on "Apps" in your business settings:
5. Enable two-factor authentication
Enabling two-factor authentication is one of the easiest and most effective things you can do to protect your personal account from unauthorized access. With this setting enabled, even if a hacker manages to steal your login information, they won't be able to access your account without also having your phone.
Here's how to do it, and remember, this is done on your personal Facebook account:
- Click on the menu button in the top right
- Click on "Settings and privacy"
- Click on "Settings"
- Once you're on the settings page, here's where to find the settings:
You can choose to authenticate with a text message or with an authenticator app like Google Authenticator or Authy.
6. Require two-factor authentication in Business Manager.
Two-factor authentication is a great security measure, but it's something you can only enable in your personal settings, which means you can't automatically enable it for your other administrators.
In Business Manager, you can request that people with access to your page activate this setting in their account.
To do this, go to Business Settings and change the settings here:
This is another simple step that can dramatically increase the security of your account.
7. Be proactive and prepare a security policy.
All these steps can help strengthen your account security, but they aren't a foolproof solution. Even if you follow them perfectly, there's still a chance someone could hack your account using other methods. The best advice I can give you is to be proactive.
Within that policy, you should schedule yourself to monitor ads at least twice a day (am and pm), set your spending limits ( adspent limits ) both daily and per campaign, and create rules in the ads manager that deactivate ads according to parameters you have already established.
And as an added bonus, I recommend using your PayPal account as the payment method for your ads. If any issues arise, the PayPal Buyer Protection program will protect you, and they'll likely respond faster than Facebook's support team.
As a social media manager, I have a security policy in place for the benefit of clients who are unfamiliar with Business Manager. Hiring a social media manager is a viable alternative, not only so you can dedicate the necessary time to preparing your products or services, but also because delegating these tasks to someone who knows the system will save you a lot of headaches.
If you need heavenly help, fill out the contact form and let's talk.