Recently, the CEO of a very successful marketing firm had their Facebook account hacked. In just a weekend, the hackers were able to run over $250,000 worth of ads for their online gambling site via their account and removed the rightful owner as the admin, causing the firm’s entire Facebook account to be shut down.
Not only are they uninsured for this type of fraud, but they were shocked to discover that Facebook, as well as their bank and credit card company, was NOT responsible for replacing the funds. Facebook’s “resolution” was that there was no fraud committed on their account because the hacker used their legitimate login credentials, and Facebook is not responsible for ensuring you keep your own personal credentials safe and confidential. Further, they did not have the specific type of cybercrime or fraud insurance needed to cover the losses, so they are eating 100% of the costs.
Not only are they out $250K, but they also must start over building their audiences on Facebook again, which took years to build. This entire fiasco is going to easily cost them half a million dollars when it is all totaled.
In another incident, another firm logged into their account to find all their ads were paused. Initially, they thought it was a glitch on Facebook, until they realized someone had hacked into their account, paused all their legitimate ads and set up 20 NEW ads to their weight-loss spam site with a budget of $143,000 per day, or $2.8 million total.
Due to their spending limits, the hackers would not have charged $2.8 million; however, due to the high budgets set, Facebook’s algorithms started running the ads fast and furious. As they were pausing campaigns, the hackers were enabling them again in real time. After a frantic “Whac-A-Mole” game, they discovered the account that was compromised and removed it.
The compromised account was a legitimate user of the account who had THEIR account hacked. Because of this, Facebook would not replace the lost funds, and their account got shut down, with all campaigns deleted. Fortunately, these guys caught the hack early and acted fast, limiting their damages to roughly $4,000, but their account was unable to run ads for 2 weeks, causing them to lose revenue. They estimate their total damage to be somewhere in the $40,000 to $50,000 range.
When many people hear these true stories (with the name of the companies withheld to protect their privacy), they adamantly believe someone besides them should step up and take responsibility, covering the losses. “It wasn’t OUR fault!” they say. However, the simple reality is this: if you allow your Facebook account – or any other online account – to be hacked due to weak or reused passwords, no multifactor authentication (MFA) turned on, improper e-mail security or malware infecting your devices due to inadequate cyber security, it is 100% YOUR FAULT when a hacker compromises your account.
Facebook is just one of the cloud applications many businesses use that can be hacked, but any business running any type of cloud application, including those that adamantly verify they are secure, CAN BE HACKED with the right credentials. Facebook’s security did not cause their account to be compromised – it was the failure of one employee.
The BEST way to handle this is to NOT get hacked in the first place. Here is what you need to do to protect yourself:
- Share this article to make sure your staff is aware of these types of scams. Cybercriminals’ #1 advantage is still hubris; businesses and most people in general insist that “nobody would want to hack me” and therefore are not extremely cautious with cyberprotections.
- Make sure you create strong, unique passwords for EACH application you and your team log into. Use a good password management tool such as <<XXXXX>> to manage this but remember IT MUST BE USED IN ORDER TO WORK. For example, do not allow employees to store passwords in Chrome and bypass the password management system.
- Minimize the number of people logging into any account. If someone needs access, give them that access and then remove them as a user ASAP immediately after. The more users you have on a cloud application, the greater the chances are of a breach.
Make sure all devices that touch your network are secure. Keylogger malware can live on a device to steal all your data and credentials.