I’m sure a lot of my regular visitors know this by now, but I had some trouble last week with my Facebook account. My personal account got hacked into, and the person got into my Ads account. And from there, it was like something out of a nightmare.
They set up seven (seven!) different scam ads with way too many peach emojis on my personal account and the account for my blog’s Facebook page, each set up to run perpetually for $1,300 a day. That gave me a major metaphorical heart attack.
I don’t know if I would have even known if Facebook hadn’t flagged it.
See, I’m not usually one for ads, so I just keep my Ads account for the random times I want to boost posts related to the blog. Usually, just to reach more people, because as someone whose full-time job is social media, I know how limited organic posts can be.
The last time I’d boosted anything was back when I launched the Academy in March. So you can imagine my surprise last Wednesday morning when I got a notification that my Ads account had been disabled for violating Facebook’s rules.
I logged in, and immediately saw two notifications that an agency I’d never heard of in my life had requested access to my Ads account. A quick search told me the agency didn’t even exist. And obviously, by the presence of those horrible scam ads, the agency had gotten access.
Somehow, someone had gotten my email and my password, used that to add a fake account as an admin, and then added this agency. Just to scam me out of thousands of dollars, and to scam anyone who clicked on the ads too.
I spent two days in a panicky haze, calling my bank after I’d seen a $300 charge actually go through, dealing with Facebook, yelling at PayPal for basically acting like I was lying about the whole thing.
That was the second-most frustrating thing: feeling like no one believed what had happened.
The most frustrating part, though, was not knowing. I had no idea why I’d been targeted, how they’d gotten my information—I had no idea if I was even safe on social media anymore.
I was incredibly lucky in that I managed to lock the hacker out, lock down every other part of my online presence, and even get Facebook to agree that yes, my account had been hacked, and return the money that had been stolen from my account.
I know that many aren’t so lucky.
So now that I’ve lived the nightmare, here’s what I’ve learned about protecting myself online—and what to do if you do get hacked.
How to keep yourself safe
Use a good password.
I sound so much like our office IT guy that I’m laughing at myself as I write this, but I’m absolutely serious. Hackers are getting more sophisticated every day, and algorithms can crack passwords that were perfectly fine five years ago. Make sure you update your password regularly, and make sure you use unique passwords for everything.
That’s a lot to remember, so if you’re worried, there are all kinds of safe password-generating and storing programs out there. Just be sure to use one that runs on your computer’s local drives—never store your passwords on the web.
Use two-factor authentication.
I would literally never have said this until last week. Most social platforms have an option for two-factor authentication, which basically just means that before you can log in on a new device, it’ll text you a six-digit code to enter.
This is a lot harder to hack into—and as a bonus, it means that if someone tries to log into your account, you’ll get a text message and can immediately secure your account. Like I did just yesterday morning.
Don’t directly connect anything bank-related.
Again, I would never have thought of this one. But if two hours on the phone Wednesday night trying to deal with PayPal has taught me anything, it is what a massive pain in the neck it is to try to get stolen money back.
I absolutely recommend using a protective third party like PayPal—but don’t directly connect any of your banking information to it. You can send money to and from your account with the PayPal balance, and that should be as close as hackers ever get to your actual money.
It’s less convenient, but no online purchase is ever worth risking your rent.
What to do if you get hacked
You never think it’ll happen to you until it does. I never thought it would happen to me—I keep up with cybersecurity lessons at work, and I’m careful about what I click on and what I do online.
I have my computer programmer father to thank for that.
But there are some scary people out there—and if they can do things like hack into major corporations and shut them down, they could easily get into our online presences if they really wanted to.
If they do get into your Facebook account, here’s my advice for what to do.
Secure your account.
This should be the absolute first thing you do. If your account’s been hacked, Facebook has a series of steps you can take to lock it back down.
This will walk you through changing your password, booting out any logged-in devices you don’t recognize, and reviewing any other recent activity on your account that could be causing the problem. In my case, that’s how I found out about the dummy account—someone named Tess Smith had been added to my page, and I know no one by that name.
Depending on what happened and how they gained access to your account, there are a few different places in Facebook Support that can help. But the bottom line is that you want to submit a report as quickly as you can.
Because in my case they got into my ads and actually spent my money, I used this page (which is very hard to find without the help of a support rep) to submit a full report. Include as much detail as you can, including who else you have talked to or are going to talk to.
When I first started contacting Facebook about my issue, the fact that my account was hacked into was entirely disregarded. It wasn’t until I submitted a screenshot of the notifications of the agency requesting access—followed by screenshots of the ads themselves in my account—that they believed me, and anything was actually done.
Contact your bank.
If you have any reason whatsoever to think that the hacker could have used money from your bank account or credit cards on Facebook (it’s surprisingly easy to do these days), call your bank immediately and tell them. They may be able to block any suspicious charges, and at the very least, this gives you some power in your corner when negotiating with Facebook or if you aren’t able to get back lost money.
Don’t take no for an answer.
This was a hard one for me to learn. If companies think you’re making things up, they will try to disconnect you any way they can—usually by telling you there’s nothing they can do. You’re the only one who can really protect what you’re fighting for, so don’t take no for an answer!