Make Sure Your Facebook Account Is Secure

A cautionary tale for dentists – don’t make this mistake.

Are you running Facebook/Instagram ad campaigns for your dental practice, or perhaps more importantly, is an agency running these on your behalf? If so, then this blog has some important security information for you.

A few weeks ago, one of our long-term clients had their Facebook (Meta) ads manager account hacked. The hackers waited until the early hours of the morning and then increased the daily spend limit of the account to £15,000. They then very quickly published scam adverts and churned these out to tens of thousands of unsuspecting users – all paid for by the client’s credit card! It was 8am the following morning before the hack was spotted but by this stage, thousands of pounds of the client’s money had been spent.

This is a “churn and burn” attack, i.e. the hackers know that it will likely be spotted quickly, but by accessing overnight they can still push out lots of spam ads and spend a lot of money before it gets closed down – very dangerous. Their ads purported to sell personal medical devices which very likely didn’t get delivered to the folks who clicked the ads and paid for them. This was a clever scam, but at the same time appalling. Unfortunately the hackers were able to access the client’s top-level account, where there are no controls on the daily click budget – so they could simply change it to whatever they wanted.

What happened – how did the hackers get in?

Our client couldn’t understand how the hackers got in as they use two-factor authentication (2FA) – and we do too. So in theory this should not have been possible. We are linked to the client’s account to facilitate the administration of the ads; however, we are extremely cautious and we knew that the hack hadn’t come via us. This meant that the hack either came via the client (they were adamant that it hadn’t) or something else. It didn’t take us long to see what had gone wrong.

Access from a third-party agency

Although the hackers had tried very hard to cover their tracks within the account, we could see from the change logs that they had accessed via a link to an old ads agency that the client had failed to remove. We couldn’t see that link as we only had administrative access for ads – not top-level account ownership. As part of our general advice, we always advise that old account connections are removed but unfortunately the client hadn’t followed this.

What happened next?

We quickly helped the client to shut down the hack and remove the connection to the old agency from where the hack originated. We also contacted the agency and, to their credit, they were totally transparent and advised that a lot of their clients had been affected in the same way. What they wouldn’t say is how they got hacked, but it seems likely that it was a password leak coupled with a failure to use 2FA. Whatever it was, the outcome was devastating.

We also offered the client guidance about how to claim the lost money back from Facebook and they may also have approached the other ad agency for compensation.

Moving forward

The client is understandably cautious but, following a detailed explanation of what happened and removal of the rogue account, we are now able to move forward with best-practice security controls in place. This means full use of two-factor authentication and only approved management accounts allowed to have linked access. Of course the usual “strong password” requirement also applies.

Conclusion

If you are like many dentists and use a third-party agency to look after your Facebook/Instagram ads, please ensure that your account is secure and that their linked account is too. Make sure 2FA is in use and strong passwords are set and, critically, unlink any legacy accounts that are no longer in use.

With those precautions in place, you can be reasonably sure that you won’t get compromised.

If you’re interested in social media ads for dentists, done professionally and securely, please get in touch with the Dental Media paid ads team on 01332 672548 for a no-obligation discussion. Please remember that you can avoid anything like this happening to you as long as you follow best-practice security protocols to keep your account secure – if you need advice, we can assist.