
Advertising accounts are not just tools for generating revenue; they are assets that drive business growth through the machine learning and AI behind the platforms. They are also prime targets for increasingly sophisticated attackers. The cost of a compromised advertising account is substantial, from direct financial loss through unauthorised ad spend to the erosion of trust and the distortion of your marketing analytics. If you cannot recover the account, the optimisation data and the digital measurement setup you invested in are lost with it. We have heard from customers who had the money drawn from their debit balances and never recovered it. What volume are we speaking of? Enough to wipe out a million-dollar-a-year company.
Under certain conditions, an ad account can be eligible to spend $70,000 per campaign, per day, and a compromise can easily go unnoticed for a couple of hours. Like you, I used to believe that companies like Meta and Google had surely built systems to prevent this. Over the past 15 years, I have seen otherwise multiple times. We have often found scammers to be faster, smarter and able to circumvent the platforms' built-in security features; so I hope this article helps you act preventively instead of reactively. At the bottom of this article, we also share some of our favourite tools, so keep reading.
The problem is significant and growing. The FBI's Internet Crime Complaint Center (IC3) reports that business email compromise (BEC) scams, which frequently serve as the entry point for advertising account takeovers, have cost U.S. and global organisations billions of dollars. Studies of cloud account compromise, a category that includes advertising platforms, point to substantial financial exposure.
A multi-layered security approach is crucial. Combining robust system-level controls with a culture of user awareness and diligence mitigates the most common threats to your advertising accounts.
These are some of the steps we recommend your organisation take. For more advanced protection and prevention, get in touch with a cyber security professional.
System-Level Fortifications
Think of these as the foundational layers of your security defence. Implementing these across your organisation can significantly reduce the attack surface.
- Enforce Multi-Factor Authentication (MFA) / 2-Step Verification (2SV) Everywhere: MFA/2SV adds a second layer of security beyond the password: a code from an authenticator app, a one-time password (OTP) sent to a registered device, or a hardware security key. Mandate it for all work accounts, for personal accounts used on work devices, and for every account that serves as a recovery address. Imagine an employee who receives a convincing phishing email, apparently from a colleague, asking them to forward a one-time password "for a quick verification". With MFA enabled, a leaked password alone is not enough for the attacker; a leaked OTP is, because the code is exactly the factor the attacker is missing and it stays valid for a short window. So pair MFA with a firm rule that verification codes are never shared with anyone, and where the platform supports it prefer phishing-resistant factors (a hardware security key or passkey), which cannot be read out over the phone or typed into a fake login page.
- Implement Strict Access Control and Limit Administrators: Adopt the principle of least privilege and grant users only the access they need to perform their roles. Limit the number of administrative users with broad control over your advertising accounts to a few individuals who are well trained on your security policies. Too many administrators increase the potential for mistakes and for malicious insider activity. Review user roles and permissions on a regular cadence, and confirm that every admin still needs that level of access.
Fortify Your Devices with Robust Policies
- Mandatory Separate Work Accounts: Ensure each employee uses a distinct work account on their company-provided laptop. This isolates work-related activity and data from personal use. We have seen a seemingly harmless download by a family member on a shared device lead to an immediate compromise of the work environment. Separate accounts help prevent such cross-contamination.
- Scheduled Anti-Virus Full Scans: Regular, automated full system scans with reputable anti-virus software, on top of always-on real-time protection, are crucial for detecting and removing malware that may be running silently in the background, capturing credentials or session cookies.
- Rotate Passwords on a Schedule, and Immediately on Suspicion of Compromise: A policy that requires users to change their passwords every four weeks (or a similar timeframe) limits the window of opportunity if a password has leaked. One caveat a practitioner will raise: NIST SP 800-63B recommends against mandatory periodic rotation, because users respond with predictable variations, and favours long unique passwords, MFA and an immediate reset whenever compromise is suspected. If you keep a fixed schedule, pair it with a password manager so that each new password is genuinely new.
- Remove Inactive Users Promptly: Dormant accounts are an open door. Regularly audit and remove inactive user accounts, including former employees and agency contacts who no longer work with you, to eliminate potential entry points.
Lastly, consider having a cybersecurity assessment done, especially if you are already a large organisation. This proactive step helps identify vulnerabilities and confirms that your security measures are up to date. Don't simply assume your internal IT has it covered.
Empowering Your Team: User Education and Due Diligence
Your employees are your first line of defence, and they are also the weakest link.
Educating them about potential threats and fostering a culture of security awareness is paramount.
- Recognise and Sidestep Phishing Attacks: Phishing remains the most common way in. Train your team to be cautious of unsolicited emails, especially those that create a sense of urgency (e.g., "Your account has been banned! Click here now to reactivate it"). Highlight real-world examples, such as the fake co-worker asking for an OTP or emails with suspicious attachments. Emphasise checking the sender's actual email address rather than the display name, hovering over links to see where they really go, and treating any link that asks for login credentials as suspect.
- Respond, Don't React: We have often seen business owners panic and forward a phishing email to group chats without thinking. Coming from the boss, the message carries more authority and urgency than the scammer could ever manufacture, and it delivers exactly the outcome the scammer was hoping for. Report the email to whoever handles security, and let them tell the team.
- Practise Safe Browsing and Downloads: Educate users on the risks of downloading files or software from untrusted sources. As we have seen, even seemingly innocent emails, such as "Download these five tips to improve your return on ad spend", can carry malicious executables. Stick to official websites and verified sources for all downloads.
- Master Password Management: Emphasise the importance of strong, unique passwords for every account and the risk of password reuse. Recommend a reputable password manager to generate and store complex passwords securely.
- Never Share Passwords or Verification Codes: No colleague, vendor or "support agent" has a legitimate reason to ask for either.
- Be Mindful of Device Usage: Emphasise the importance of using work devices responsibly, not lending them to family members and not using them for personal activities that might introduce risk.
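The phishing red flags listed above (a display name that does not match the sending domain, a Reply-To that goes elsewhere, urgency language, and a link whose visible text shows one site while its href points to another) can be checked mechanically. The following script is an added example written for this article, not a tool from any vendor named on this page. The two messages it inspects are constructed samples using reserved `.example` domains, the brand-to-domain mapping is an assumption you would replace with your own allow-list, and `registrable_domain` is a simplification that real code should replace with a Public Suffix List lookup.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample phishing message (not a real email; .example domains are reserved).
SAMPLE_PHISH = """\
From: "Meta Business Support" <support@meta-billing-alerts.example>
Reply-To: recover-team@freemail.example
Subject: URGENT: Your ad account has been banned - reactivate now
Content-Type: text/html

<html><body>
<p>Your account has been banned! Click here now to reactivate it.</p>
<a href="http://meta-billing-alerts.example/login">https://business.facebook.com/login</a>
</body></html>
"""

# Constructed benign message for comparison.
SAMPLE_LEGIT = """\
From: "Google Ads Billing" <noreply@google.com>
Subject: Your monthly invoice is ready
Content-Type: text/html

<html><body><p>Your invoice is available in your account.</p>
<a href="https://ads.google.com/invoices">https://ads.google.com/invoices</a></body></html>
"""

# Assumption: brand words we only expect to see from these sending domains.
BRAND_DOMAINS = {"meta": "facebook.com", "facebook": "facebook.com", "google": "google.com"}
URGENCY_TERMS = ("urgent", "banned", "suspended", "immediately", "reactivate")


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host: str) -> str:
    """Last two labels of a hostname. Simplification: use the Public Suffix List in real code."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])


def domain_of(url_or_addr: str) -> str:
    """Registrable domain of a URL or an e-mail address, '' if neither."""
    if "://" in url_or_addr:
        host = urlparse(url_or_addr).hostname
        return registrable_domain(host) if host else ""
    if "@" in url_or_addr:
        return registrable_domain(url_or_addr.rsplit("@", 1)[1])
    return ""


def analyse(raw: str) -> list:
    """Return human-readable red flags found in one raw RFC 5322 message."""
    msg = message_from_string(raw)
    flags = []
    display, addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(addr)
    # 1. Display name drops a brand name, but the sending domain is not that brand's.
    for brand, expected in BRAND_DOMAINS.items():
        if brand in display.lower() and from_domain != expected:
            flags.append(f"display name mentions {brand!r} but sender domain is {from_domain}")
            break
    # 2. Replies are steered to a different domain than the one the mail claims to come from.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and domain_of(reply) != from_domain:
        flags.append(f"Reply-To domain {domain_of(reply)} differs from From domain {from_domain}")
    # 3. Urgency language in the subject line.
    hits = [t for t in URGENCY_TERMS if t in msg.get("Subject", "").lower()]
    if hits:
        flags.append("urgency language in subject: " + ", ".join(hits))
    # 4. Visible link text shows one domain while the href goes to another, or to a login page.
    body = msg.get_payload(decode=True).decode(msg.get_content_charset() or "utf-8", "replace")
    parser = LinkExtractor()
    parser.feed(body)
    for href, text in parser.links:
        shown = domain_of(text)
        if shown and shown != domain_of(href):
            flags.append(f"link text shows {shown} but points to {domain_of(href)}")
        if "login" in href.lower() and domain_of(href) not in BRAND_DOMAINS.values():
            flags.append(f"credential-harvesting link on untrusted domain {domain_of(href)}")
    return flags


if __name__ == "__main__":
    for line in analyse(SAMPLE_PHISH):
        print("FLAG:", line)
    print("benign message flags:", analyse(SAMPLE_LEGIT))
```

Run against the phishing sample it reports five flags; against the benign invoice it reports none. The same checks are what you are asking staff to perform by eye, which is why the training examples above are worth drilling.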
Securing Your Financial Transactions
Payment information linked to your advertising accounts is another critical area to safeguard.
- Prefer Credit Cards Over Debit Cards: Use credit cards rather than debit cards for advertising spend. Credit cards offer better fraud protection and make disputing unauthorised charges easier, and they keep an attacker away from the funds in your bank account. Two further checks worth adding: set an account-level or daily spending limit on the ad platform where it supports one, and turn on spend alerts so that a sudden jump to an unusual budget reaches you within minutes rather than on the next statement.
Building a Security-First Mindset
Yes, we love convenience, and as tools get easier to use we become more impatient with policies like these; that impatience is precisely the window a bad actor needs. Cultivate a security-first mindset within your organisation, and review and update your security policies on a schedule rather than after an incident.
These proactive steps will significantly strengthen the security of your advertising accounts and safeguard your marketing investment from malicious actors.
Here's a list of recommended tools:
- Password managers from McAfee and Norton are good choices
- Browsing protection and scanning software from McAfee and Norton does a decent job
- 30-day policies for scans and password changes
- American Express business cards