very year, thousands of people log into their Facebook or Google ad accounts to find that it has been hacked. In some cases, the platform picks up on the issue and disables the account to prevent further hacking. In others, it’s the users who see thousands in unauthorized spending. Either way, it’s not a nice way to start the working day.
Unfortunately, the vast majority of ad account owners ignore the topic of security until it becomes a necessity to address; they would rather ignore the threat and pretend it doesn’t exist… that is until it affects them. Ad account hacking is often a case of when rather than if.
What happens if someone hacks your ad account? Do Facebook and Google have good systems in place to deal with the problem? How do you regain control of your account?
The problems of a hacked ad account go well beyond the money spent (although this is obviously still an issue). Don’t worry though, advertising platforms are typically good at recognizing hackers and you won’t normally pay for unauthorized ad campaigns. Even if a hacker generated $10,000 of ad spend, you won’t have responsibility for these charges as long as you take the appropriate steps to report the hacking.
Ad accounts are a huge target because they hold information - lots and lots of information. For some cybercriminals, the aim is to access audience information to sell on, steal identities, or further target them.
Besides the monetary issues, hackers can delete existing campaigns. Remember the campaigns that you have spent months trying to optimize for the audience? Hackers can erase them in a matter of seconds. Also, you need to think about the opportunity cost. As a business, you’re accustomed to the idea that time spent on one project is effectively time taken away from another. When an ad account is hacked, you lose time and resources that would have gone into making your ads successful.
Another purpose for hacking is to gain access to an ad account in order to set up ad campaigns in their name. Account holders tend only to identify the problem when they see thousands in ad spend that they didn’t authorize or generate. Back in 2018, a group of hackers in China were able to access a number of many Facebook ad accounts, and they eventually spent close to $4 million. Using malware, they turned notifications off, and the hacking went unnoticed for some time; only those taking a proactive approach to their security picked up on the problem quickly.
Depending on the threat, there’s a chance your ad account will be inaccessible for some time. During this period, the competition continues to advertise and thrive while you lose out on revenue and, ultimately, profit.
Unfortunately, after having an account hacked, many businesses are cautious about investing time and money into the practice again. With a lack of confidence, it again allows competitors to take advantage of the market.
First and foremost, sign in to your Google account and look over the activity. If you can’t access your Google account, there’s a special Account Recovery page that can help. After answering the questions, Google will work hard to resolve the problem. This page is designed for those who have had an account deleted, who can’t sign in, or who have noticed a change to important account information. For example, it might be that somebody outside of the business has changed the account password or recovery phone number.
If your account is suspended, Google has spotted the issue and you have a head start. If not, the first question on the form will ask about the status of your account. Depending on the issue, you can even upload a screenshot to show why you’re entering the account recovery process. For those with a dedicated account manager, now is the time to engage their assistance.
From here, Google will attempt to recover your account and investigate the hacking. Unfortunately, you won’t have access to all Google products for a couple of weeks while this investigation takes place. Of course, you should take steps to secure your account once back (more on this later!).
If your Facebook ad account has been hacked, we recommend canceling charges with your bank card. Also, you’ll probably be tempted to delete the fraudulent campaigns, but leave them in your account so that the Facebook investigators can confirm the hacking and learn more about what happened.
The difficulty with Facebook ad hackings is that everything is done through personal accounts. The more people with access, the more potential accounts to search. Before you can restrict the hacker, you need to learn how they are accessing the account in the first place. Normally, the best way to achieve this is through the activity history. Get the whole team together and search through the history - somebody should spot activity that they didn’t complete.
Although most will find the account this way, another route is to check the location/device history. If you’re based in New York and somebody is accessing the account from Los Angeles, this is likely the hacker.
Once you have the account in question, remove access as soon as possible. If you’re unsure of how to do this, head into the business settings and choose ‘People’. From here, choose the small trash can icon on the ad account. This won’t fix everything, but it should remove the hacker’s access and stop the bleed (so to speak!).
Simultaneously, the hacked user should secure their account and the business should inform Facebook of the event. For the individual, encourage them to choose the ‘Secure Your Account on Facebook’ option after searching for ‘hacked’ in the help section. For the business, you only need to report the event if the hacker created campaigns in your name and racked up expensive bills. The bad news is that Facebook is difficult to contact for those without an account rep.
After going into the help center, scroll down the page and you should see an option to chat through Messenger. If the option is blank, you may need to return when the system is a little quieter. As before, they will encourage you to keep all campaigns open, so don’t delete anything.
Whether your accounts were hacked, or you’re just here as a precaution, one of the best ways to secure your ad account is to take a proactive approach. Here are some tips to keep your ad account as secure as possible:
Both Google and Facebook have settings that allow users to check device and activity history. As a business, this is something you should be doing because you can spot potential hackings early. The more aware businesses are on ad accounts, the less breathing room there is for hackers. Of course, the ideal situation would be to drown them out completely and make this a non-rewarding environment for hacking.
It might sound obvious, but we continually see businesses that allow access to employees who left the company many years ago. As soon as somebody leaves the company, remove them from the permission list. You should also go through the list and remove any account that doesn’t need to be there. As you reduce this list, the criminal has fewer targets to hack your business account. This may sound obvious, but decide who in the company will be responsible for keeping this access clean. It could be the HR rep, the IT guy or the marketing manager. By specifically delegating the task to someone, you avoid mishaps and pointing fingers because one person thought it was another person’s job.
Often, people ask how to secure their accounts when they haven’t even used the measures available on their chosen platform such as two-factor authentication (also called two-step verification). In this system, the platform will ask for something you own and something you know to log in; this is normally a password and a code sent to a device.
Other security measures include anti-virus software, anti-malware software, secure browsers, updates for apps, Password Alert, and good business practices. One of the things you can also do is communicate with your bank; set up a password or system to prevent a hacker from changing banking instructions without authorization.
When somebody hacks an ad account, they normally do so to create ad campaigns or to steal PII. For business owners, it’s disconcerting to log in and see thousands of dollars of unauthorized ad spend and seeing their trust of your customers fade away. Thankfully, both Facebook and Google are improving their security and developing strong systems for those who have been hacked. Just remember, they can’t fight the battle alone. You need to stand alongside the technology giants and protect your account by checking activity and devices, setting up two-step verification and other measures, and managing account access properly.