This may not be the usual sort of thing we run here at Glam Adelaide; however, after a turbulent weekend helping one of our business members to combat an active hack on one of their Facebook accounts, we now have a wealth of knowledge we wanted to share with you (that we couldn’t find whilst madly googling a solution at the time).
The rundown of our particular situation was that our member *Jenny* had her personal Facebook profile hacked. The hackers promptly changed her password and email address to theirs, so she couldn’t log in or send herself a password change. Essentially, she was locked out of her account and helpless to do anything.
The hackers then started to use her Facebook advertising account to set up a series of Facebook ads for their own business pages (Indonesian jewellery and fake watch sites) with daily budget limits of over $1000 USD. If this had gone unchecked, they could have racked up over $6k US a day.
“Be pro-active and set up Facebook Trusted Contacts via your Facebook settings. It’s the fastest way to boot a hacker out of your account”
With no way to access her personal account, Jenny was lucky that I was an admin on her business pages and advertising account. I downgraded her Page admin status just in case they had their own plans for her pages, and I jumped in to the advertising account to monitor what was going on.
While we madly searched for ways to report these people, I was deactivating fraudulent Facebook ads every minute or so, but not before they managed to rack up about $10-$50 every time. Before lunchtime, the spend for that day had exceeded $1000 USD. I couldn’t remove Jenny’s payment method or remove her from the advertising account, as she was the advert account admin, and I was only an advert account advertiser.
No matter how hard we searched, we couldn’t find anywhere to report an active hack, or anything to do with an active advertising account take over. It was beyond frustrating.
Jenny had cancelled the credit card linked to the advertising account, but as it wasn’t a direct payment method, and it was a credit card linked to her PayPal account, it didn’t actually reject any Facebook spend, and every time the spend hit the threshold of $750, the amount was debited from her PayPal account. We were in a mad panic.
Long story short, we managed to get her personal account deactivated which stopped the hackers in their tracks. Facebook has since refunded all fraudulent transactions. The hacker’s pages still seem to be live which is disappointing, but at least we know what you need to do if this ever happens to you.
PRE-HACK
- BE PRO-ACTIVE. Ensure you have Trusted Contacts set up on Facebook. This can be done via settings, and allows you to choose 3 people you can call on if something goes wrong. They can access a special link in this case, which will help get you access to your account. You can’t do this once you have lost access to your account so do it BEFORE anything goes wrong.
- Personally, I’d use a credit card on your Facebook advertising account. If someone fraudulently uses it, you can cancel it with your bank. We had major issues contacting PayPal to close the PayPal account, or put a hold on it. In fact, they never got back to us.
- Have multiple admins on your business pages. If your personal account is compromised, or you have your account deactivated to combat a hack, you will lose access to your business pages. You need to have at least one other person as admin, so someone still has operational access, and you don’t lose access to the page altogether. They can then re-add you as an admin after the crisis is over. Having a second person on your advertising account is also a good idea (like Jenny had me). Pick someone you trust (obviously, as they have access to spend your money).
DURING/AFTER A HACK
- Cancel your credit card ASAP.
- Use your Trusted Contacts to regain access, and change your password and email address ASAP. Also change your password to your email account that was originally linked to the hacked account.
- If you don’t have Trusted Contacts set up, you can report unusual Facebook Advertising activity here. Choose the “I have charges that I don’t recognise or didn’t authorise” option and explain what’s happening in the description box. This is the form that ultimately got us a result. It did take 24 hours though so you want to minimise damage in the meantime. Make note of your advertising account number, and your personal profile URL or ID number so Facebook knows what you’re on about. As I personally did the report (I had an active account and Jenny obviously couldn’t) it wasn’t automatically linked to her so they needed those details to track down what was happening.
- If you have an advertising account advertiser, ask them to jump in to the account to delete or deactivate all the fraudulent ads. Take screenshots of everything just in case. I was surprised the hackers didn’t remove my access, but as they didn’t, I was able to minimise the amount debited from Jenny’s account. Even though the funds were returned to her, there are still 3-5 days where you’ll be out of pocket, so it’s best not to let the bad guys drain your bank account.
- Breathe. This happens a lot apparently. You’re not alone, and the ‘system’ is becoming better equipped to reverse the damage. Facebook and the banks are all over this, and are pretty good at refunding fraudulent transactions. Just do what you can to shut it down ASAP and keep track of what’s been happening so you have records if you need them for insurance. Generally though, after speaking to lots of people about this, Facebook and the banks usually refund this stuff as a matter of course.
TIPS FROM FACEBOOK
After this whole debacle, Facebook emailed us with some tips. They’re pretty basic, but worth repeating.
- Never click suspicious links
- Pick a unique, strong password
- Never give out your email address or password
- Only log in at facebook.com
- Update your browser
- Run anti-virus software