Seems like every week I hear about someone who has had their Facebook ad account hacked. This week, I’m hearing it happened to some people who sell on Teachers Pay Teachers. (None of our clients, so far. 🤞) Here’s a list of things you can do to keep your ad account from being hacked.
- Monitor your ad campaigns closely to spot any suspicious activity. With the hacks I heard about today, the first sign that the account was hacked was an email from Facebook saying that someone weird had been added to the client’s Facebook Business Manager. The second sign was weird ads being approved in the client’s ad account. **
- Require everyone with access to your Facebook ad account to use two-factor authentication to log in. (I know this is a pain, but it’s one of the very best deterrents!)
- Limit the number of people who have access to your Facebook account and business manager. Remove contractors and team members who no longer work for you or don’t need access. Every person who has access to your account is a potential door that bad guys can use to hack into your account. I see so many ad accounts with old contractors who still have access. It’s not that I don’t trust the old contractors. But it only takes one of them to accidentally fall prey to a phishing scam and every account they are associated with goes down. Even I have accidentally clicked on a scammy link before I realized it was likely a fraud. Unfortunately, no one is immune. So it’s not about how much you trust the person with access. It’s about limiting the number of people who have access.
- Do the same thing with your other accounts: Kajabi, Teachers Pay Teachers, WordPress, ConvertKit, etc. It just takes one compromised account to do a ton of damage.
- Change your passwords. Fresh passwords are always a good idea. Especially if you’re hearing about hacks in your business circles. We don’t know for sure whether these recent issues are tied to TpT or not, but I’ll be changing my TpT password.
- Stay up to date on the latest ad fraud trends and adjust your ad strategy accordingly. Keep your eyes open and act cautiously when you get information from Facebook. Especially if they’re telling you that you’ve broken a rule. The scammers love to use this to get you to click on their links and give them information. (Read about how that scam works here.) **
- Don’t click on any warning from Facebook. Send it to your ads manager if you think it might actually be legit and they can double-check it for you. (Message me if you don’t have another ads manager you trust.) Scammers have gotten SUPER sneaky about this. The thing we’re seeing a ton lately is “Notifications,” sometimes even inside of Facebook, that say you or your page has violated some weird Facebook rule. 99% of the time it’s a scam. Remember, Facebook doesn’t usually warn you if you’ve broken a rule. They usually just shut you down.
**And I’m aware of the contradiction: In the first bullet, I tell you to watch for an email from Facebook telling you that someone has been added to your Business Manager. Later in the list, I say to be very wary of emails that say they are from Facebook and are alerting you to a problem. Scammers are exploiting this weakness and you have to be extra careful. If you get a weird email or notification from Facebook, and you want to verify it, instead of clicking on the link in the email, visit Facebook directly in your browser and navigate to where Facebook says there is supposed to be a problem. You should be able to tell in Facebook if you have an issue. For example, clients and I will sometimes get emails saying the ad account has been shut down and that they need to file an appeal. Instead of clicking on the link in the email, visit the ad account on Facebook to verify that it has indeed been shut down. Then work to appeal it ON Facebook, not with the email they sent.
These recommendations aren’t foolproof. I know ad accounts that were locked down tight and still got hacked. But every little bit helps.
Here’s a real-life scam example so you know what to avoid:
I got the notification you see below from the “Community Solving Center” for one of my client’s accounts. The notification came from my Facebook app and it said, “Community Solving Center mentioned {Client’s Facebook Page Name} in a post:” The notification was real and from Facebook. I also got an email that said my client’s page had been tagged. That was also a legit email from Facebook, because my client’s Facebook page actually HAD been tagged in a post by “Community Solving Center.”
The problem is that “Community Solving Center” is a scam page. And when I clicked on the notification (which was OK to click on because it was a legit Facebook notification), it took me to the fake message below, which I’m sure contains a link that I SHOULD NOT click.
And that’s what is so tricky about all of these Facebook scams. They are all full of half-truths. The notification and the email were legit. It was the content on the post my client had been tagged in that was problematic. I know that this is not how Facebook tells you about disabled pages, so I’m less likely to be deceived here. But the truth is, when the “bad guys” pretend to be Facebook and accuse you of breaking the rules, you automatically go into panic mode, and then you don’t think as logically because you are in panic mode.
I get at least one of these notifications a day. It’s not surprising that people are being tricked into clicking on bad links. The bad guys are persistent.
While I can’t say for certain, I think most Facebook hacks come from people stealing other passwords with phishing scams like the one above. So if you can avoid them, you stand a better chance of keeping your ad account out of the hands of the bad guys.