10 Insights from Being Hacked on Facebook


For most of July, I was locked out of my Facebook account, including my Facebook Page, Instagram and Facebook advertising account.

I have been advertising consistently as a significant marketing channel for the past few years and have come to rely on Facebook to share my signature talk with others.

On a Sunday morning, in a swift series of email notifications from Facebook, I could see that a determined hacker was able to log into my account, remove me as the admin to my Facebook page and ad accounts and get my personal profile disabled.

It took minutes.

Then the Facebook ads receipts started coming in.

I'm a peri-menopausal woman and sometimes struggle with sleeplessness. Finally, being awake in the night paid off! I bolted out of bed by 3:30am to dispute the charges right away.

The first charges of nearly $5,000 went through my PayPal account.

I had been using PayPal to pay for my ads, because I thought this was efficient and I'm a cash girl.

Meaning, I rarely use a credit card. Big mistake! (I'll explain why below in my 10 Insights)

I used PayPal's online disputing process because a) it was nearly 4am and they were not open and b) their phone number wasn't easy to find on their website (aka hidden) for someone in my state of mind.

By 6am I was in full alarm mode and on the phone with my bank.

My family woke up to find me in my PJs, ashen and panicked, staring at my computer.

My bank thankfully helped me restrict my account and blocked all future PayPal charges.

I cancelled my cards. Ordered new ones.

I eventually closed all my bank accounts - because my bank accounts were connected to PayPal.

That's what you do if you receive money via PayPal. Big Mistake!

Your bank account will be a source of back-up funding. But TD Bank had my back and stopped the charges from going through.

The charges would eventually keep coming over a period of days to the tune of nearly $10,000 in fraudulent Facebook advertising expenditure.

To my surprise, I received a message from PayPal denying my dispute, closing my case and they proceeded to send the money. Wha?!?!

I was told that since I had an open billing agreement with Facebook this was between me and Facebook.

But I couldn't get in touch with Facebook! I was locked out! (Which I made clear in my dispute.)

I bet you didn't know that once your Facebook account is disabled, you have no recourse to any of the support channels.

I bet you didn't know that any purchase you make with PayPal creates an open billing agreement between you and the company you purchase from.

The two companies I had been doing business with for over a decade were closed to further support.

I was on my own and no longer had access to my Facebook page, Facebook ad account, my Facebook groups of clients and potential clients that I cultivated over a decade plus of marketing. (Oh, and let’s not forget: since Facebook owns Instagram, I was locked out of that too.)

Plus PayPal was demanding that I pay them back for the $5,000 they sent to Facebook hackers (that my bank had blocked). As of this writing Facebook continues to refuse to refund me for any of the fraudulent charges stating there were “no signs of suspicious activity.”

If I showed you the itemized receipt from the fraudulent Facebook ads charges, you could see that 1) they were in a foreign language and 2) the currency was for Vietnam (I believe) and 3) the ads were very, very different from the ONE and ONLY ONE type of ad I have placed over the years (with only slight changes in copy and image now and again). And 4) had always capped at $1500 per month. (Not 10K per week.)

(Update: as of August 7th, 2020, Facebook refunded my PayPal account without explanation. More on this below.)

Here's what I learned that may be helpful to you, dear reader. I hope this never happens to you.

10 Insights From Getting Hacked on Facebook

1. Update your security on Facebook (And All Websites You Use)

Specifically, set up two-factor authentication for any and all changes to your account (i.e., you get a code via text or email with every change - even logging in from a new computer). Go for text, it’s faster and hacking jobs happen fast.

Also, add a trusted family member as an admin to your page in case you get locked out.

Go into your accounts, look for the security section and do this now. Don’t forget your FB page too.

(Do two-factor authentication for all ports of entry into your financial and internet life.)

2. If you run Facebook (FB) Ads, remove PayPal as a payment option to pay for your ads.

Only use a credit card. Only one. Fraud charges on credit cards are simple to dispute. With PayPal, not at all.

In the case of hacking, all of your payment options, if you have more than one in your FB ads account, will be tried so stick with one credit card.

Should your account get hacked, neither company will help you in the least while the charges get racked up and the two point to each other before settling on you as the party of blame.

On the other hand, a credit card company will handle fraud charges easily.

3. Reconsider PayPal (PP) use for online purchases

I thought I was being savvy by using PP for most online, everyday purchases. “Hey, I’m not typing in my CC number. I’m being safe!”

Here’s what I didn’t know: With every purchase you end up creating what PP calls an “open billing agreement” with the merchant.

Say the shoe company you bought from charges you $1000 and you can’t get in touch with said shoe company, PP will say “well that’s between you and shoe company because you had an open billing agreement with them.”

4. Clean up old email accounts

Hackers got into my FB account by laying claim to an old email address that I no longer use but I think was still in my FB accounts. I THINK that’s what happened. That’s my best guess.

Delete, purge and clean up any old emails you have and all the places they may still be associated with your financial and internet life. It's so easy to put this off.

5. File an FBI Internet Crime Complaint

Visit the FBI Internet Crime website, IC3.gov. Whether this does anything, I do not know yet. But at least you can point to this for your records.

You may also choose to file a complaint with your local or state police.

6. If you get locked out of your FB account and your account is disabled, you will never ever get back in.

Why? Because you need a FB account to access all FB support. UNLESS you beg your network for someone who works at FB and they can file an internal report on your behalf (how I got back in). Do NOT ask me for this person, they are sick of me as it is. Without my internal contact at Facebook, who generously followed up on the internal report that they filed, my social media accounts would have been dead in the water and a decade of marketing would have been gone.

Again, have a trusted family member be an admin to your account, in case this happens. But this won’t stop a hacker because they will remove everyone who is an admin, and make themselves an admin. But worth a try.

7. There is ONE place you can get through to FB if you’ve been locked out.

Search for their Intellectual Copyright Infringement support page and they will get back to you within 2 days.

They will ask you if you would like to proceed (which means deleting your FB page or profile in question) or be handed over to the Page Admins department. The latter may help you restore your access to your Page. It has helped some people. They didn’t with my situation. Worth a try. Took me forever to find this tidbit.

8. FB says they refund fraudulent charges but they won’t.

They will deny your experience and the ample evidence you have that is clear as day to see and say “we do not see any suspicious activity.”

They claim to have a "due process" but they do not. At any point and time they can flip the script and you have lost everything you've done on social media and they own all of your content.

(Update: I was surprisingly refunded on August 7th, 2020 without any explanation — but I’ll take it!)

9. Make sure your marketing/source of clients is not solely reliant on social media.

In my book, social media is a supportive, keep-in-touch marketing strategy, not a stand-alone strategy.

UNLESS you are paying for ads to a specific action like a webinar (or some other free or paid opt-in), month after month. (Occasionally placing an ad is not a solid advertising marketing strategy.)

Social media for business is far less important than having the following two things in play (at least for my clients who are companies of one like myself):

  1. one core, direct marketing strategy that puts your message in front of your ideal clients and allows you to educate, enlighten and invite them to a first appointment with you... (and you can easily measure and track your results.)

  2. one robust, on-message email marketing strategy (twice per month minimum up to a weekly email -- I know many organizations do much more but I find that unnecessary for solo professionals working within Happy Little Practice Method). I call this a keep-in-touch strategy.

That said, if you are paying for social media ads, then social media can be a core marketing strategy. Which I was, and it was working well, but guess what? It leaves you totally vulnerable. At any point and time you can lose that. I'm not being dramatic, it's just how it works.

More on this and marketing without reliance on social media coming.

10. Reflect and start being discerning about your technology use, and its promise AND cost of efficiency in your life.

It's SO easy to add an app on your phone, sign up for things and enjoy the perks of efficiency and speed from technology.

With efficiency and speed comes a cost.

For example, be willing to slow down a bit and weigh the pros and cons of free (and paid) services and the companies you work with.

For example, you are Facebook's product. They make money selling your info to advertisers.

For example, it's so easy and fast to pay with PayPal for everything, but it leaves you vulnerable.

I’m not saying you shouldn't be on Facebook or do social at all, but I am saying go in with eyes wide open.

Take the time to think things through, and reevaluate from time to time, about what's right for you and your business, your values and your audience.

BONUS #1  Consider Getting Identity Theft Insurance

This comes from Happy Little Practice client JD Rose of TheResourcedWoman.com -- She helps single women take charge of their money with an integrative approach. JD suggested looking into identity theft insurance and recommends the following company. It's actually very affordable and I wish I had done this.

https://www.zanderins.com/identity-theft-protection



BONUS #2 Be Mindful How You Use Alexa and Echo Smart Devices

If you own one of these devices to play music and conveniently order things with voice command, it’s important to know that this gives Amazon an entry point into your everyday conversations. That may be fine, you say, but be mindful of anyone asking you for your password or suspicious links from Amazon. This BBC News article talks of potential vulnerabilities, although Amazon says they’re on top of it and there is no evidence of this happening yet.

(In July 2020, my mother’s friend lost $20K via a security breach on Amazon, thinking she was talking to Amazon. She had called the number on the home screen. Guess what? Amazon’s number is pretty hard to find and is never on the home screen. I only know this because I’ve had to call a few times for customer service, which is quite good and efficient. Her bank did not back her up since she thought she was talking to Amazon and willingly gave her info.)

Please let me know if this is helpful to you by writing a comment or sending me a message, and I'll keep updating this.



