
If you’re dealing with an unfortunate advertising account compromise, please proceed directly to the list of actions in the “Immediate Actions: Securing Your Assets” section below.
Discovering that your advertising account is compromised can be a stressful experience. It’s natural to feel a sense of panic or frustration. However, it’s crucial to remember that a swift, decisive response (not a reaction) is key to minimising the damage and regaining control. This article highlights the essential steps to take when unauthorised activity occurs in your advertising account, helping you navigate the recovery process with confidence.
I. Immediate Actions: Securing Your Assets
The priority is to secure your account and prevent further unauthorised activity.
Secure the Account:
- Instantly change the passwords for your advertising account. Assume that your email account is also compromised, and change your password accordingly. If you use a business manager or a similar tool, change those passwords as well.
  - For Google Ads: Go to your account settings and change your password.
  - For Meta Ads Manager: Navigate to your account settings and update your password.
- Enforce 2SV/2FA as soon as you can.
- Revoke access for any unauthorised users. Review the list of users with access to your account and remove anyone you do not recognise or who no longer requires access.
- Temporarily pause all ad campaigns to prevent any further unauthorised spending while you investigate. You can resume them once you’ve secured your account and verified its settings.
- Do not delete your campaigns, as they are the proof of activity. You have no choice but to temporarily pause your legitimate ads while the media platforms remove them.
Contact Financial Institutions:
- Immediately contact your credit card company to report and dispute these unauthorised charges on the payment method linked to your advertising account.
- Follow their procedures for disputing fraudulent or unauthorised transactions.
- Cancel the compromised payment method and replace it with a new one.
- Conversation Tip: When contacting your bank, it is best to call them directly. Do not rely solely on email communication.
Contact Advertising Platforms’ Support:
- You must report unauthorised activity to the advertising platforms as soon as possible.
- For Google Ads: Contact Google Ads support through their online help center or phone support. You can find the most current contact information by searching “Google Ads support” on the internet. You may also use this link: https://support.google.com/google-ads/contact/compromised_account (Please refer to the internet for the most recent link.)
- For Meta Ads Manager: Use the Meta Ads support channels to report the issue. You can find the most up-to-date contact information by searching for “Meta Ads support” online. You may also use this link: https://www.facebook.com/business-support-home/<your business manager ID> (Please refer to the internet for the most recent link.)
- When communicating with ad account support, it’s crucial to use precise wording. Refer to the situation as a “compromise” and state that “unauthorised activity” was conducted. Avoid stating that a specific person was responsible unless you are sure, as this can create liability issues and delay your restoration process.
- Provide the platforms with all relevant details, including:
  - The date and time you discovered the compromise.
  - Any suspected unauthorised activity (e.g., changes to campaigns, new ads, unusual spending).
  - Any error messages or notifications you received.
- Keep detailed records of all communication with the platforms, including dates, times, and the names of any support representatives you spoke with.
II. Investigation and Damage Assessment
Once you’ve secured your account from further damage, you will need to investigate how the unauthorised activity occurred and then derive insights from this incident.
Identify the Source of the Compromise:
- It is often difficult to pinpoint the exact cause, but understanding common attack vectors can help you prevent future incidents. Common causes include:
  - Phishing emails: Scammers send deceptive emails that trick you into revealing your login credentials by prompting you to enter passwords or similar information.
  - Weak passwords: Users tend to be lazy and use easy-to-guess passwords that attackers can crack.
  - Malware: This is malicious software that runs on your device and can steal your information. Some malware can even act on your behalf.
- Review your and your employees’ account activity logs for any suspicious behaviour, such as:
  - Logins from unfamiliar IP addresses or locations.
  - Unexpected changes to campaign settings or budgets.
  - The creation of new, unauthorised ads.
  - Downloads of free tools and free apps.
  - Sharing of devices or passwords.
- Some attacks are sophisticated and you will find it difficult to recover. This is when you will need to consider consulting a cybersecurity professional for assistance with the investigation and future prevention.
Assess the Tangible and Intangible Value of Damage:
- Determine the extent of unauthorised ad spend. Calculate the amount of money spent by these unauthorised campaigns.
- Identify any changes made to campaigns, settings, or audiences. Restore these settings to their original state only after the support process from advertising platforms is complete.
- Evaluate any potential damage to brand reputation. If bad actors ran unauthorised ads appearing as you and these were inappropriate or damaging to your brand, take steps to mitigate the impact (e.g., issuing a public statement, reaching out to customers).
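As an added example (not part of the original article or any platform's tooling), the log review and the unauthorised-spend calculation described in this section can be scripted over an exported activity log. The CSV columns, action names, users, IP addresses and amounts below are constructed assumptions; adapt them to whatever your platform actually exports.

```python
import csv
import io

# Constructed sample data. Column names and action labels are assumptions for
# this example, not the export format of Google Ads or Meta Ads Manager.
EVENTS = """timestamp,user,ip,action,campaign,old_budget,new_budget
2024-05-01T09:12:00,alice@example.com,198.51.100.10,login,,,
2024-05-01T09:20:00,alice@example.com,198.51.100.10,budget_change,Spring Sale,50,60
2024-05-03T02:41:00,alice@example.com,203.0.113.77,login,,,
2024-05-03T02:43:00,alice@example.com,203.0.113.77,add_user,,,
2024-05-03T02:50:00,newadmin@example.net,203.0.113.77,create_campaign,Promo X,,5000
2024-05-03T02:55:00,newadmin@example.net,203.0.113.77,budget_change,Spring Sale,60,900
"""
SPEND = """campaign,spend
Spring Sale,420.00
Promo X,3150.50
"""
KNOWN_USERS = {"alice@example.com"}   # people you expect to have access
KNOWN_IPS = {"198.51.100.10"}         # addresses your team normally uses

def triage(events_csv, known_users, known_ips, budget_factor=3.0):
    """Return (timestamp, campaign, action, reasons) for events worth reviewing."""
    findings = []
    for row in csv.DictReader(io.StringIO(events_csv)):
        reasons = []
        if row["user"] not in known_users:
            reasons.append("unrecognised user")
        if row["ip"] not in known_ips:
            reasons.append("unfamiliar IP")
        if row["action"] == "add_user":
            reasons.append("user added")
        if row["action"] == "budget_change" and row["old_budget"]:
            if float(row["new_budget"]) >= budget_factor * float(row["old_budget"]):
                reasons.append("budget jump")
        if reasons:
            findings.append((row["timestamp"], row["campaign"], row["action"], reasons))
    return findings

def unauthorised_spend(findings, spend_csv):
    """Sum spend of campaigns that were created by a flagged event."""
    created = {c for _, c, action, _ in findings if action == "create_campaign"}
    rows = csv.DictReader(io.StringIO(spend_csv))
    return sum(float(r["spend"]) for r in rows if r["campaign"] in created)

if __name__ == "__main__":
    flagged = triage(EVENTS, KNOWN_USERS, KNOWN_IPS)
    for ts, campaign, action, reasons in flagged:
        print(ts, action, campaign or "-", "; ".join(reasons))
    print("Spend on flagged new campaigns:", unauthorised_spend(flagged, SPEND))
```

The spend figure covers only campaigns created by flagged events; extra spend on a legitimate campaign whose budget was raised still has to be worked out from the platform's billing report.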
III. Recovery and Prevention
The final stage is restoring your account to its regular operation and implementing systematic measures to prevent future compromises. I have covered some of these in my article, “Advertising Account Security Best Practices: Protecting Your Marketing System”.
Restore Account Settings and Campaigns:
- Carefully restore only your own campaigns and settings to their original state.
- Double-check all settings to ensure accuracy and prevent any unintended consequences.
Implement Enhanced Security Measures (Referencing Article 1):
- Refer back to our previous article, “Advertising Account Security Best Practices: Protecting Your Marketing System”, and implement all the recommended security measures.
- Specifically, implement these:
  - MFA/2SV: Enable multi-factor authentication on all your accounts (personal and business).
  - Strong password policies: Enforce the use of strong, unique passwords and consider using a password manager for added security.
  - Access control: Limit the number of users with access to your account and grant only the necessary permissions.
  - Device security: Ensure all devices used to access your account are secure and protected from malware.
  - Employee training: Educate your employees about security threats and best practices.
Monitor Account Activity Closely:
- Pay attention to your alerts for unusual account activity, such as new logins or significant changes in spending.
- Regularly review your account activity logs to detect any suspicious behaviour and remove idle and unnecessary users.
Move Forward with Enhanced Security
A compromised advertising account is a setback, especially when it generates revenue for you, but it doesn’t have to be a disaster. You must respond calmly and quickly, investigate thoroughly, and implement robust security measures (I have outlined a few in “Advertising Account Security Best Practices: Protecting Your Marketing System”). By doing so, you can recover your account and protect your valuable marketing investments from future threats. Mister Marketeer has experience in assisting businesses with ad account recovery and can provide guidance; do contact us with as much information as possible. Remember, prevention is better than cure.