With the collection of first-party data such as email addresses, contact information and sometimes more personal information, cybersecurity is a common concern for businesses of all sizes. While most businesses have security measures in place internally, your Business Facebook accounts can easily be hacked through employees’ personal Facebook accounts. If your Business Facebook accounts have been compromised, you’re in the right place to learn how to secure a hacked business Facebook account and ad manager.
How Are My Facebook Accounts Connected?
Before getting into the steps of how to secure your accounts, it is important to understand the relationship between each Facebook entity and what is connected to your accounts. Most people think of their personal Facebook and Facebook Business page as the two separate accounts they use, one for personal and one for business. However, this is not the case; all of your Facebook accounts are connected on some level. Think of it like a tree with multiple branches and roots that access each other, with your Business Facebook page being the trunk of the tree.
You can grant access to your Facebook Business page to employees or marketing partners through each of their personal Facebook accounts, which act like the roots. If they have access to your Business Facebook page, then you can grant additional permissions so they can reach some of the branches, like your Facebook Business Manager account, Facebook Ads Account, or Creative Studio. Note that each of these is a separate “branch” and may require separate approvals to gain access. This means that if someone hacks the personal Facebook account of an employee who has access to your Facebook Business page, they can take a route from the roots, through the trunk to various branches, including your ad account, just like that employee.
Step 1: How To Find Whose Account Was Compromised
You may have noticed some unusual activity or higher charges than you expected. Whatever it was that alerted you, getting your ad account hacked is cause for concern and should be addressed immediately. The first step is to pause any ads in Facebook Ad Manager to avoid unwanted spending by toggling the blue activate/disable button next to the campaign.
Next, while still in Facebook Ad Manager, you will want to look at the History Tab of any suspicious Facebook ad campaigns. To do this, click on the campaign or ad set that seems suspicious, then click on the clock icon on the right-hand side of the page. Make sure you select the right time range for the suspicious activity and that you clicked on the campaign you want to review. The History Tab will show who created the campaign or made changes, and will likely show Facebook billing or approving it.
If there is an ad campaign that is out of the ordinary, the associated employee Facebook account is likely the one that got hacked. As soon as you find it, revoke their access to the Facebook Ad Account. Additionally, everyone on your team who has access to your Facebook page should also check their personal Facebook settings and click on “Security and Login”. There is a section that shows the devices used and the locations they have logged in from. If there is one they don’t recognize, we suggest removing their access as well until their account is secure again.
Step 2: How To Revoke Facebook Ad Account Access
Luckily, revoking access to your Facebook Ad Account is easy and doesn’t require you to completely remove them from your Facebook Business page. If you are still in Facebook Ad Manager, simply click on the gear icon on the bottom left for Business Settings. Note that Business Settings is connected to your Facebook Business Manager account, a main branch on the tree that splits off into multiple branches including Ad Manager.
After clicking on Business Settings, click on People, which is listed under Users on the left side panel. Select the person you wish to revoke access for, then scroll down to the ad accounts section. From here, click on the arrow and toggle the blue button to remove access. Then click save to make the changes active.
Step 3: How To Secure Your Employee’s Facebook Account
Now that you’ve found whose account was hacked and secured your ad account, you need to get the employee’s account secure before you can give them access to your Facebook Ad account again. If it is an employee, it is best to have a conversation with them at this point. Remember they are a victim of a cyber threat as well and will want to secure their personal account for their own peace of mind. If the security threat was from a marketing partner, like a digital marketing agency, then send them an email or call them as soon as you discover the breach. They should be able to help with the process.
The employee who was hacked should check their Facebook, Instagram, WhatsApp, Facebook Messenger, and associated email accounts for any other suspicious activity. Facebook has a process for kicking out the hacker, so go through this to clean up Facebook. The easiest way to start is to have the employee log in to their personal Facebook and search “secure your account on facebook.”
Click on the first result and follow the prompts. Facebook will ask a few questions to help fix the problem. This will boot out the hacker and secure the account. If they don’t have access anymore, for example because the hacker changed the password, you can go to https://www.facebook.com/hacked/.
Step 4: Try To Resolve Unapproved Ad Spend With Facebook
Now that everything is secure, you’ll need to go through the account cleanup and try to restore the ad account. Start by telling Facebook what happened. This is not always easy, but you may not need to pay for ad spend that you didn’t authorize or that was spent by the hacker. Try going to https://www.facebook.com/business/help then scroll down and click on the Get Started button. Follow the prompts and select “Other Business Manager Issue”. Let them know what happened and they should get back to you. Don’t delete the campaigns until they tell you it is okay to do so.
How To Protect Your Facebook Business Account From Being Hacked
At this point, you should have been able to regain control of your account and hopefully started the conversations with Facebook to address the lost ad spend. Naturally, you’ll also want to stop this kind of thing from happening again. Unfortunately, there is no way to be 100% secure, especially when your Facebook cybersecurity is only as good as your employees’ personal cybersecurity. However, there are several tips that can help keep hackers out.
Understand How Hackers Break Into Accounts
Some education for employees and your marketing teams can go a long way to help prevent getting hacked. Whether it is part of onboarding or an annual team conversation, make sure your employees are aware of how hackers break into accounts. Remember, this is not just for inside the company, but also for their personal cybersecurity.
Some of the most common tactics that hackers use include:
Most of us at some point have received some type of spammy email claiming to be from Facebook, Google, or even an internal email that is just a little off. The problem is these emails look pretty official and will send you to a site that looks like the real thing, but in reality is solely meant to steal your credentials.
Similar to phishing, an email with an attachment marked as “invoice” for something you never purchased can lure people into a trap. As soon as you open the file, it will execute some kind of malware designed to steal your information.
For both of these hacks, the key takeaway is to be suspicious of any email that looks slightly off or phishy. Always check the “from” address to see if the email is actually the right email address and the domain is correct.
Unfortunately, companies with a large amount of data, including your employees’ personal data, can get hacked, and that data can be sold on the dark web. If you use the same email and password for multiple logins, it would be very easy for them to access any of your online accounts. Once a hacker gets hold of your information, they have tools that will automatically test email/password combinations looking for valid logins to other websites (like Facebook). Use a service to keep up on any potential data breaches to stay ahead of the hackers.
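The “from” address check recommended above for suspicious emails can be partly automated. The following Python is an added example, not part of the original article; the expected-domain list, the yourcompany.example placeholder and the sample headers are assumptions constructed for illustration.

```python
import difflib
from email.utils import parseaddr

# Assumption: domains this business expects mail from. Confirm the list against
# messages you know are genuine; yourcompany.example is a placeholder.
EXPECTED = ("facebook.com", "facebookmail.com", "yourcompany.example")
BRANDS = ("facebook", "google")              # names a lure tends to borrow
SWAPS = str.maketrans("01358", "oiesb")      # digit-for-letter substitutions

def check_from(header):
    """Return (verdict, reason) for one From header; verdict is ok/suspicious/unknown."""
    display, addr = parseaddr(header)
    _, at, domain = addr.rpartition("@")
    domain = domain.lower().rstrip(".")
    if not at or not domain:
        return "suspicious", "no parsable sender address"
    if domain.startswith("xn--") or ".xn--" in domain:
        return "suspicious", "punycode domain can render as a lookalike"
    # 'ok' only means the visible domain is expected. A forged From can still
    # show it, so the mail provider's SPF/DKIM/DMARC verdict stays the authority.
    if any(domain == d or domain.endswith("." + d) for d in EXPECTED):
        return "ok", "domain is on the expected list"
    labels = domain.translate(SWAPS).split(".")
    for d in EXPECTED:
        name = d.split(".")[0]
        for label in labels:
            if name in label:
                return "suspicious", f"'{name}' embedded in unrelated domain {domain}"
            if difflib.SequenceMatcher(None, name, label).ratio() >= 0.8:
                return "suspicious", f"{domain} resembles {d}"
    if any(b in display.lower() for b in BRANDS):
        return "suspicious", f"display name cites a brand but domain is {domain}"
    return "unknown", f"{domain} is not on the expected list"

# Constructed sample headers (not taken from real messages).
SAMPLES = [
    '"Facebook" <security@facebookmail.com>',
    "Facebook Security <notice@facebookmail.com.account-review.example>",
    "Facebook <support@faceb00k-help.example>",
    "Billing <invoice@facebok.example>",
    '"Facebook Ads Team" <ads-team@billing-notices.example>',
    "Newsletter <news@vendor.example>",
]

if __name__ == "__main__":
    for h in SAMPLES:
        print(check_from(h), h)
```

An “unknown” verdict is not a clean bill of health; it only means the sender is neither expected nor an obvious imitation.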
Step Up Your Password Security
It seems basic, but it is super important and can avoid a lot of issues. Simple things like changing your passwords intermittently are key. As we mentioned when talking about data breaches, you need to avoid using one password for multiple accounts or websites. Using the same password gives hackers an easy one-step program to all of your personal accounts.
Limit Access To Your Business Accounts
Limiting access goes beyond just keeping a clean Page Roles roster. If people don’t actually need access to the business page or only need access to the business page, but not the ad account, limit their access. Typically with new clients, this is one of the areas we address as part of the onboarding to keep their accounts secure. The more people who have access to your account, the more possible places where you can get hacked.
Check App Permissions
Apps and other integrations, like users, are another potential entry point for hackers. Similarly to limiting user access unless it is needed, we highly recommend keeping your app list clean as well and removing integrations you don’t need. To review your apps, just click “Apps” in your Business Settings.
Most Important For Facebook Security: Two-Factor Authentication
Turning on two-factor authentication is one of the easiest and most effective things you can do to protect your personal account from unwanted access. Once this setting is on for your personal Facebook page, even if a hacker steals your login information, they cannot get access to your Facebook page without having your phone as well.
Here’s how to do it on your personal Facebook page. We’ll talk through the business side in a moment:
Click the menu button in the upper-right
Then click “Settings & Privacy”
Once you’re on the settings page you’ll find the setting. You can choose to authenticate with a text message or with an authentication app like Google Authenticator.
For businesses, we highly recommend requiring two-factor authentication for everyone that has access to your business accounts. It is the best security measure out there to keep hackers out of your Facebook accounts, even with employees using their personal accounts. In Facebook Business Manager, you can require that people with access to your page turn this setting on in their personal account.
To activate this, go to Business Settings, Security Center, and change the two-factor setting there. This is an easy step that can dramatically improve your security.
Create a Culture Around Security
The security measures we have discussed so far are really about stopping threats mechanically. When it comes down to it, a business’s highest security risk is the people who work there and their awareness of cybersecurity. An organization can have all of the security measures in place, but if team members get caught in a phishing scam, even at home, it can affect your business.
The best advice is to be proactive and foster a culture of security within your organization. Develop systems designed to create ownership of cybersecurity at the employee level. Everyone should feel the need to do their part in protecting the company’s assets. This culture will go beyond the workplace and instill good behaviors at home as well.
One way to do this is to have a security policy for employees to read and sign. This is not to hold them liable for damages, but just to have them think about it seriously. Another method is to have regular security days where teams review top ways hackers gain access or talk about ways to be more secure. A few minutes a month can go a long way to protecting the organization and employees.
If you are trying to secure a hacked Business Facebook Account or Ad Manager, feel free to contact us for help!