Make Sure Your Facebook Account Is Secure
A cautionary tale for dentists – don’t make this mistake.
Are you running Facebook/Instagram ad campaigns for your dental practice, or perhaps more importantly, is an agency running these on your behalf? If so, then this blog has some important security information for you.
A few weeks ago, one of our long-term clients had their Facebook (Meta) ads manager account hacked. The hackers waited until the early hours of the morning and then increased the daily spend limit of the account to £15,000. They then very quickly published scam adverts and churned these out to tens of thousands of unsuspecting users – all paid for by the client’s credit card! It was 8am the following morning before the hack was spotted, but by this stage thousands of pounds of the client’s money had been spent.
This is a “churn and burn” attack, i.e. the hackers know that it will likely be spotted quickly, but by gaining access overnight they can still push out lots of spam ads and spend a lot of money before it gets closed down – very dangerous. Their ads purported to sell personal medical devices which very likely didn’t get delivered to the folks who clicked the ads and paid for them. This was a clever scam, but at the same time appalling. Unfortunately, the hackers were able to access the client’s top-level account, where there are no controls on the daily click budget – so they could simply change it to whatever they wanted.
What happened – how did the hackers get in?
Our client couldn’t understand how the hackers got in, as they use two-factor authentication (2FA) – and we do too. So in theory this should not have been possible. We are linked to the client’s account to facilitate the administration of the ads; however, we are extremely cautious and we knew that the hack hadn’t come via us. This meant that the hack either came via the client (they were adamant that it hadn’t) or something else. It didn’t take us long to see what had gone wrong.