Skip to main content

Ah phishing, the time-honored practice of sending people fake emails that look *almost* legit in an effort to garner anything from PINs to login credentials & passwords.

While this type of “hack” has been around for decades, it shouldn’t be dismissed. With every advance we make in security, those who don’t give up on their end, innovate. The fact that it hasn’t gone away means it is still working, apparently. In fact, according to the FBI(pdf)companies lost $676 million US last year from Business Email Compromises (BECs) and Email Account Compromises (EACs) that were sent to unsuspecting executives, accountants, and business managers. That’s a lot of motivation for the bad guys to keep at it.

Facebook is no stranger to these threats, but an interesting take on the old phishing scam isn’t focused on your personal account, but rather on your Facebook Ad Manager account. That’s right, the account that controls your budgets for your ads.  Think about it.  

There has been a recent string of phishing attempts towards Facebook users in an attempt to gain access to Ads Manager to run fraudulent ads. Some of these pose as “security issues” with your account and request you to log in to perform some action, under the guise of verification of your account. Unfortunately, when someone does this, they inadvertently give away their login information.

The payoff? They can now run their own ads for whatever, on your dime (dollars, really – lots of them).

We at Enilon want to make sure everyone is protected. The good news is that there is a 100% effective way to test the authenticity of any email asking for your login credentials from Facebook. In fact, it only takes 4 simple steps:

Step 1

Before you respond to any email that appears to be sent to you from Facebook regarding your Ads Manager account, go to your Ads Manager profile page, click the drop-down arrow in the top right corner of the screen (a) then click “Settings” from the drop-down menu (b).

Step 2

Click “Security and Login” (c).

Step 3

Scroll down to the “See recent emails from Facebook” menu item (d).

Step 4

Check the list that appears against the date and time of the email you received (e). If it isn’t here, it wasn’t from Facebook. It’s as simple as that!


At Enilon, we go to great lengths to protect our client’s media budgets, by actively monitoring campaigns, dynamically adjusting media spends, constantly a/b testing ads, and of course, against attacks like this. If you’d like to have a conversation about putting together a media campaign – Facebook or otherwise – drop us a line, we’re listening.