Your advertising accounts are valuable assets, driving revenue for you. These accounts are also attractive to cybercriminals, and your accounts can drive revenue for them. It’s a dangerous misconception to believe that scammers are limited to accessing only your confidential information. In reality, a compromised ad account, especially one with a significant advertising history, grants bad actors access to substantial spending thresholds. It enables the scammers to exploit your available credit and payment mechanisms for their campaigns.
You might assume that you’ll detect unauthorised activity quickly enough to prevent significant damage. However, scammers can act swiftly. They can establish e-commerce websites within hours, and deceptive “too good to be true” offers can drive rapid consumer purchases, potentially depleting your advertising budget.
The potential damage extends beyond unauthorised ad spend. Scammers often restrict or completely remove your access to your accounts, including social media pages. In the worst cases, we have witnessed credible social media accounts hijacked to promote inappropriate content, causing severe reputational damage.
I have aimed to highlight the financial losses, reputational damage, opportunity costs, and immense stress that account compromises can inflict with two real-world cases. These consequences arose from a simple cause: insufficient attention to ad account security.
Real-world examples of what happens when your ad account gets compromised
Case 1 (Meta):
- Even with 2FA and other security measures in place, a Meta advertising account was compromised due to a phishing attack targeting an access member’s email.
- Scammers gained access to the Meta advertising account, capable of spending at least $8,000 per day, despite the account’s average monthly budget being $6,000.
- A comprehensive advertising campaign, deceptively similar in name to the brand’s existing campaigns, was launched in the USA.
- The campaign featured an enticing offer on an Omron device.
- The subsequent support process with Meta proved lengthy and unproductive, requiring over 20 emails and 3.5 months to regain access to the Business Manager.
- What was never recovered: The advertising account itself was permanently lost. Although there were no direct cash losses, thanks to the American Express credit card, the brand suffered opportunity losses, missing out on three days’ worth of revenue, exceeding the average quarterly median income in Singapore.
Case 2 (Google Ads):
- A Google MCC access holder allowed a younger brother to use their laptop, leading to the inadvertent download of malware disguised as a school exam preparation file.
- Despite Google’s 2FA and other security checks (campaign verification, budget increase verification, AI website promotion checks), scammers circumvented these measures.
- Within hours, unauthorised campaigns were running across multiple ad accounts within the MCC, with daily budgets ranging from $30,000 to $70,000, exploiting the accounts’ high spending capacity.
- The scammers created a demand generation campaign targeting the UK.
- Video campaigns and callouts promoted a 50% discount on Wi-Fi and dashcam products.
- Recovering a clean Google Ads account took approximately 30 days, 10-15 support tickets, and over 60 person-hours of work.
- What was never recovered: Significant opportunity losses, as the ad account recovery process extended beyond a month, surpassing the annual median income of a salaried person in Singapore.
I have encountered numerous cases, of which I could successfully resolve a few and I am finally sharing these experiences to encourage you to prioritise on your advertising account security. A basic internet search reveals that recovering compromised ad accounts is often perceived as impossible. Although this is not entirely accurate, the process is undoubtedly challenging.
So, what are the Scammer Motivations?
- Unauthorised Ad Spending: Scammers use compromised accounts to run their advertising campaigns, frequently promoting fraudulent or low-quality products and services. The legitimate account owner is then liable for the ad spend, resulting in direct financial losses.
- Promoting Fraudulent Products or Services: Compromised accounts are used to advertise counterfeit goods, illegal substances, phishing schemes, or other scams. The established trust and spending limits of legitimate accounts makes the promotion process easier for scammers.
- Data Theft: In some instances, scammers may gain unauthorised access to ad accounts to steal customer data or other sensitive information stored within the account. The data can be sold by these scammers on the dark web or used for subsequent fraudulent activities.
- Bypassing Ad Platform Restrictions: Scammers exploit compromised accounts to circumvent advertising policies they would otherwise be unable to adhere to. Advertising accounts with verification and history are valuable for this purpose: subject to less scrutiny.
- Direct Financial Gain: Ultimately, scammers profit when users click on fraudulent ads, visit scam websites, and complete transactions. Long delivery time for these e-commerce products imply that buyers do not realise these scams for weeks. These buyers also unknowingly provide scammers with their confidential information, which can be used in future attacks.
Prevention is better than cure, even when it comes to advertising accounts.
I believed that platforms like Google and Meta have implemented comprehensive security measures to make their product safe, and prompt support would be readily available. Despite all of it, the timing and nature of attacks are always suspiciously unique, and the support systems offered by these platforms are often inadequate to help you recover. I will refrain from further comment on this, and I am not pointing to any in particular (names are given as examples of commonly used ad accounts)
Ultimately, you have to protect yourself first and so I ask you to consider some of the best practices that I have outlined in Article 1: Advertising Account Security Best Practices: Protecting Your Marketing System, you will significantly reduce the risk of these situations. Please contact Mister Marketeer if you have further questions on advertising security.
