Heartbroken by the disappearance of her cat, Filipino IT specialist and blogger Sophie* decided to use her Facebook Ads account to appeal to anyone in her local area who might have seen it. 

Just two days later her bank account had been emptied and Facebook was sending her a demand for further advertising it served after her debit card charge bounced and before her campaign was cancelled. In total, she was asked to pay the local equivalent of US$1050.

But it wasn’t Sophie’s campaign. She was the victim of a sophisticated Facebook Ads scam believed to originate in Vietnam in which people are hacking legitimate Facebook Ad accounts and launching retail campaigns selling totally unrelated products: in the case of Sophie’s hack, cheap, ugly t-shirts. 

With unsuspecting victims footing the bill for the marketing campaigns, the hackers simply wait for the orders to roll in, charge for the products and ship them (or not). As Mashable reports, they are boasting of the huge income they are receiving thanks to large-scale campaigns where only a tiny percentage of people who see the ads need to purchase the goods for them to cash in. 

But worse in Sophie’s mind is the response of Facebook, which is raking in stolen funds and leaving victims like her to foot the bill. She has shared her experience with Inside Retail in the hope to make other online retailers and advertisers aware of the potential for large-scale scams – and Facebook’s indifference, as the ultimate benefactor. Some 10 million companies and individuals around the world use Facebook Ads

Repeated messages and emails Sophie sent to Facebook drew only automated responses – signalling a lack of understanding of the issue, despite projecting itself as a caring, responsible company, boasting of its commitment to fraud protection measures and technology to weed out irregular, suspicious activities. 

Page 30 of the company’s extensive Code of Conduct document, downloadable online, states: “As we operate regulated payment platforms, we are required by law to stay vigilant, verify the identity of customers and protect them by carefully monitoring for fraud and suspicious behaviour. We also provide transparency through customer notices and timely resolve complaints and disputes.”

But the reality seems very different. 

When legitimately using her Facebook Ads account, Sophie routinely buys very small campaigns directed at a nationwide audience to promote postings on her blogs. Typically she would spend PHP500-1000 per campaign (US$10-20). For the virtual ‘missing cat’ poster, she set the spend at PHP1000. Yet when hackers accessed her Facebook Ads account they were able to launch a campaign valued at PHP120,000 (US$2380) as a sub-account of the missing cat campaign, using it to market the t-shirts. This did not trigger a red flag through any of Facebook’s “careful monitoring” aimed at detecting unusual activity, despite Sophie having never spent more than $20 on a campaign. The system thought it was usual for her to book one worth 100 times that value without seeking any further confirmation. 

First, the bank account linked to her card was emptied of around $600. Then another $451 in charges was chalked up before she discovered the hack, noticing an unusual name on her Facebook friends list. She cancelled the campaign, which had been suspended anyway because the payment method had bounced.

How the hackers work

According to Mashable, in some cases, the hackers are using an .exe file disguised as a pdf that runs a script on PCs allowing them to access the account, but Sophie, a qualified IT programmer, is adamant she never clicked on an .exe file and has no idea how they got in. It is likely someone first copied a friend’s profile and impersonated them, before sending a friend request she accepted – or that she accidentally added the hacker as a friend on her Facebook page.

Mashable says a computer engineer based in Vietnam runs legitimate e-commerce shops that have all but gone out of business as an effect of the grift. 

Immediately after she discovered the hack, Sophie cancelled what remained of the campaign and contacted Facebook Ads ‘support’ desk. An automated response said it had investigated the refund request. “Unfortunately, we’re unable to refund the ad charges because we ran the ads based on the settings you selected. Every time you make a purchase on Facebook, you agree to our Terms and Conditions”. 

“The response completely missed the point that I had not placed the advertisement and that I had not “agreed” to anything. The hackers did,” Sophie told Inside Retail. “So hackers stole money from me, Facebook gets to keep the cash and they tell me it’s my problem. How can that be the action of a responsible company?”

When she followed up on the company’s response she received another link to a Help Centre page which invited her to repeat the complaint and told her “Due to limited support resources, this case will now be closed automatically”. 

“They don’t care,” Sophie told Inside Retail. “Considering how big their company is, I’m just a small fry.”

“There is a warning here for all companies with Facebook Ad accounts. They are not secure and Facebook does not care if you are hacked – it just pockets the cash.” 

Social-media scams and hacks are increasing 

Australian cybersecurity specialist Susie Jones, co-founder & CEO at Cynch Security, said the stress these kinds of incidents cause can be very hard to stand by and watch, let alone experience first-hand. 

Cynch Security focuses on helping small business owners to get on top of their cyber risk and avoid having incidents such as that which impacted Sophie “becoming one of the worst days of their working lives”.

She says her team has heard that the number of social-media ad scams and hacks have dramatically increased over the past couple of years, especially in the wake of the pandemic forcing more small businesses than ever to move to online advertising, thereby increasing the number of poorly protected ad accounts being opened. 

“Our advice is to always treat any account that has a credit card or personal details attached to it as you would your bank account and lock it down. Make sure you are using long, strong and unique passwords (preferably managed by a password manager) on each account and enable multi-factor authentication (which Sophie had done). This makes it that much harder for a criminal to gain access to your account in the future.”

Jones says she has yet to hear of any small business receiving adequate support from Facebook or Instagram after suffering such hacks. 

“The most success seems to come from working with your bank to resolve the stolen funds, rather than Facebook themselves.”

For her part, Sophie immediately moved to close her bank account, reporting that she had not authorised the campaign that led to the withdrawal of funds from her Facebook Ads account. At the time of writing, her bank has yet to conclude its investigation into her case. 

Facebook, meanwhile, has still not formally responded to her complaint, even after an apparent human intervention broke the trail of bot responses. A “payment specialist” with Facebook called only “Linda” said the social-media company was “currently investigating this issue further” and would update Sophie “as soon as we have more information”. That was three weeks ago, December 2. She has not had any further communication since. 

Facebook’s Philippines marketing manager has not responded to an approach from Inside Retail for comment. 

• Sophie is a pseudonym to protect the victim’s identity, which has been verified by Inside Retail.