Well I can safely say that I was never expecting to write a blog like this – but this happens to so many people across the world every day – nobody is immune to hackers!
I hope in sharing my own personal experience that I can inform and advise others on how better to stay safe online and protect their information whilst retrieving accounts that have been hacked. Together we can keep criminals and fraudsters at bay, bring them to justice and allow businesses to continue to run safely and smoothly once again!
How I Was Contacted By Hackers
So, I have a Facebook page with 3 million followers, something that has taken me years of hard work and consistency to build up to such a size. Previously, Facebook allowed links to be posted to pages which advertising agencies would pay page owners per click for the number of views, so between pictures and video content of your own you could share news stories and videos that brands paid you to promote – think of it like an advert played during the break of a TV show.
I’d worked with several such agencies over the years, all based in America and making payment at the end of each month in dollars via PayPal. When the Facebook guidelines changed recently (because of the crackdown on fake news and information sharing) the majority of advertising agencies stopped sharing content to Facebook in such a way and pages that previously earned money now had no income.
To have access to the status of content, agents from the advertising agency would be added to Facebook pages with a page role assigned to them so that they could monitor the engagement and response and better match popular content to suit the audience of followers – content being relevant to the page type and interests of the viewers obviously gave the best results so it was in everybody’s interest to monitor it.
Agents would have a Facebook profile to be appointed to a page role, some had no friends and used generic names which were obviously fake profiles created just for the purpose of monitoring content, rarely others were small profiles of employees but this made their personal details open to the influencers that they worked with as we could see one another’s families and friends so the profiles were rarely used and contained little information for the employees’ security.
Each Facebook page has page roles for different people who have access. The admin of the page can control everything, which included myself as the page owner, whereas editors and analysts can simply view statistics without being able to edit or add to the page depending on the provisions in place. Basically ‘doers’ and ‘watchers’ which meant that giving an advertising agent access to a page wouldn’t put the page at risk of being stolen as they had no power whatsoever to make changes.
Receiving a business email informing me of an advertising service for Facebook from an unknown agency to me, I did my usual safety checks to ensure that this agency was authentic before replying:
- Is the attributed website that of an advertising agency? Yes
- Does the contact email contain the same business web address? Yes ([email protected])
- Does the email contain proper English without obviously poor spelling? Yes
- Is there any technical information and examples of their service included in the email? Yes
I also forwarded this email to a technical advisor and asked if it looked like a scam, after doing the same checks he confirmed that it wasn’t very likely to be a scam but the earning figures quoted would be much lower in reality. Considering I didn’t have any advertising on my Facebook page anymore I was open to speaking to a new agency to see what they could offer in line with the new Facebook guidelines and regulations.
Since my Facebook page was hacked I have also received this email:
The email subject was entitled “Facebook Advertising” and its text read:
We really like your work keep the good work going. Actually we need Ad space on your page for sponsored advertising,we are offering best prices for verified Ads of some multinational brands.
Our ads do not required any sort of clicking or selling on them its pure advertising of our sponsors, Plus ads will only appear on right side of your page and nothing will show on the timeline of page, and it will not affect to the audience of your page at all.
I am attaching a few screen shots as well that you can have a look how ads will look like on side of your page.
kindly Let us know if you feel like ya this is some thing you are interested in and keen to proceed it further?
After responding to the email to discuss things further, the hacker behaved very much the same as agencies that I’ve worked with successfully in the past. Obviously I didn’t identify that this was a hacker at the time of communication, but for the purpose of this blog I shall refer to him as the hacker.
He used the same lingo as every ad agency I had previously worked with, so he had knowledge of advertising and appeared for all intents and purposes to be the real deal. I believed that the person I was communicating with was a genuine employee of an advertising agency and found no reason to question otherwise following my initial checks.
Moving forward, the hacker asked me to provide a contact number to jump on a call to set up my Facebook advertising via Facebook business. This contact usually takes place via telephone or Skype and again wasn’t anything out of the ordinary. I provided my telephone number and arranged a suitable time for a call back and spoke with the hacker directly who was a middle-aged Indian sounding man with the sound of traffic in the background, as if he were sitting in a city office with the window open.
The hacker was polite, informative and guided me through the entire process of requesting an advertising check for my Facebook page – much like your internet provider would talk you through troubleshooting via the telephone. Being safety cautious, I was still mindful not to give out nor confirm any personal information and the hacker assured me that all I needed to do was use Facebook via my own profile for which I was already logged in to apply for a business feature of which he had no access to.
I didn’t login anywhere new, didn’t click any external links or give him any URLs, security codes, passwords or personal information; I just accessed the Facebook business section of my existing page via my laptop. At one point, in order to request the review of my account I had to disable two-factor authentication until the request was placed and then turn it back on again immediately after – it was switched off for less than a minute – but in hindsight I believe this is where the hacker gained access to my account and the purpose of requesting that I submit an advertising review!
The hacker asked me about the menus that I could see and told me which options to then select, when I was unable to see a particular menu he suggested sending me a screen shot via Facebook messenger with the fake profile named John Smith that he was using so that he could direct me to the correct option. I provided no personal details aside from my email address which he already knew to contact me.
Two-factor authentication is designed to make third-parties logging into accounts more difficult as you have to provide a password, login details, a text message code and email confirmation when logging in from a new or unrecognised device. Without this added security in place just a login email and password are required to access an account – the same level of protection that the majority of people use online.
The hacker gave me no cause for concern throughout the call, I was confident that I was only accessing safe Facebook features within my own app, not via a third-party link, and that Facebook required my two-factor authentication to be momentarily switched off as a procedure of making a request on my account, not the hacker requesting me to do so. How wrong I was!
I received a Facebook confirmation immediately after that my advertising request had been received and was now pending and the hacker on the telephone thanked me for my cooperation and advised that I should get in touch via email in a day or two once I have a response from Facebook so that the advertising contract could begin.
Compared to previous advertising agencies this experience was exactly the same, I used the same care and attention against my private information and did not provide access to my account at any point nor access any third party links. Basically everything I always warn my parents to be vigilant of when opening emails, online shopping or submitting account details online!
How I Found Out I’d Been Hacked
Fast forward to around a week later and I’d pretty much forgotten all about the Facebook advertising request as I carried on with work and raising my children. I had a notification pop up one morning on my newsfeed to say that Emyliano D Gonzalez had made me an analyst of my Facebook page.
My first thought was, who on earth is this person that I’m not even friends with? And has another fraudster set up a fake account pretending to be me? There have been around 200 fake Facebook and Instagram accounts created using my name and pictures where people from across the world pretend to be me online.
Their sole purpose is to trick my followers into thinking they’re talking directly to me and then lure them into paying for explicit porn content which doesn’t exist because I don’t do porn! They convince them to hand over their bank details online, take all of their money and then never reply or use the account again. I report about 5-10 of these accounts per week every week across various social media platforms and I find it disgusting that it’s allowed to happen in the first place considering my profiles are official and verified with a blue tick and I had to provide my passport as proof of identity to show that I am who I say I am, when others can so blatantly use my name and pictures and freely pretend to be me! That’s justice for you!
Back to our friend, the hacker, now taking the form of a fake profile called Emyliano D Gonzalez which came up as the only notification on my newsfeed – no mention of a security breach, no unknown/suspicious login attempt email, no warning text messages. Just a notification to inform me of Emyliano appointing my new page role which was then somehow deleted shortly after as if it never happened – thank goodness I took a screenshot!
For the notification to disappear from my feed it quickly became apparent that the hacker was using my personal Facebook profile in order to access my Facebook page and downgrade my authority. I clicked on the page role section to see who had gained access to my Facebook page and try to discover how.
As the admin of my page, I was expecting to be able to click on the unrecognised name and ban or delete them, but an error message popped up informing me that I didn’t have the authority to do this. My other page team members had also been downgraded to analysts meaning that the hacker had full use, access and control of my page and all that we could do was sit back and watch!
Our first port of call was to report the hacking via the Facebook help, but it was pretty pointless because no option allowed me to report my page as being hacked, so I tried to report my profile as being hacked but as the hacker had totally removed the activity log and I had no unknown posts or notifications showing on my account there was nothing I could submit to say “this wasn’t me posting this” hence the reason why they remove it so that it cannot be reported!
The next course of action was to report the hacker’s profile as being fake. It may sound like a long-shot, but when a profile is flagged as fake it can be suspended, which means on a Facebook page that the power is lost and therefore I may be able to regain power as an admin and remove them.
However as the profile was reported the hacker then added another fake profile under the name Hector Moncada Cadena which I also reported, before they appointed another fake profile admin called Dinar Angelim which I couldn’t report as this was a real person’s account with pictures, friends and identity that they had hacked and stolen. When you try to report an account as being hacked the Facebook help basically says “tell the person who has been hacked to try to login and we’ll confirm if it’s them” which leaves you unable to report a profile as being hacked as a third person – and the hackers sure as hell aren’t going to report themselves!
It also stated that 8 hackers had access to my account operating from Canada, when my team and I are based in England. The hackers may have used a different IP address to appear to be in Canada – so this information was pretty irrelevant – but it showed how many fake profiles they’d used to access my page.
Locked out of my page and unable to do anything but watch on in despair as the hackers spammed my page with clickbait videos every half an hour, their activity caused hundreds of my followers to drop away and I felt entirely helpless to stop it.
I literally reported everything to Facebook, the hackers’ profiles, the posts they put on my page, the page of bodybuilder Tyler McPeak which they’d hacked and used to upload the videos to then share on my page and spam my feed. Each time something happened I immediately reported it, but Facebook saw no wrong and informed me that none of it went against their community guidelines.
In reporting each event and receiving a review which said there was no wrongdoing I was then able to leave feedback with a series of sad or happy faces and a text box. I must have written 20-30 reviews all with sad faces to determine they’d be flagged for attention with the information of “My Facebook page has been hacked by these individuals who are now self-appointed admin against my consent. They are spamming my page with videos from another account they’ve hacked. Please stop this and remove them immediately!”
But because the hackers were also using my account I received no notification of my hacking reports, nor any response or conclusion. So I tried to reset my password to get them out of my Facebook account. Seeing as I had such high security on my Facebook including code generators and text messages to login, even I didn’t know my own password to my account! It was literally like Fort Knox. So I requested a password reset – but no such email ever came!
In Facebook the action showed as my password reset being sent to me, but my inbox and junk mail didn’t receive it. Somehow the hackers had cut me off from email notifications, even though my email was still listed on my account! So I couldn’t reset my password, I couldn’t receive reports and they deleted any notifications as soon as they happened to keep me blind and helpless.
Digging deeper into the spam that the hackers posted onto my Facebook page it became apparent that the pages they had previously hacked before mine, they’d had use of for several weeks already with the genuine page owners still locked out and any reports left unresolved.
Bizarrely Facebook has no option to report a hacked account if the hackers remove their activity, as nothing suspicious shows on the account, no warning notifications are issued and you cannot prove it’s not you. At this point I felt angered and disheartened that I would ever get my Facebook page back, let alone have any of my followers left – I just watched them destroy everything I’d worked so hard to achieve for the purpose of them sharing clickbait stupid videos for their own monetary gain!
How I Got My Facebook Account & Page Back
This is where my saviours came in to save my account and page! Seeing as my admin had been demoted to analyst without any notification he was able to report the loss of his page control via his own profile – not mine that had been hacked! He submitted a report to Facebook about accessing a page and waited patiently. In the meantime I was able to get hold of an actual member of Facebook staff through a friend of a friend who reported this internally for me and bumped my reports up the queue.
Just 19hrs after my Facebook account and page were hacked I had both of them back safe and sound! The sense of relief that I felt was enormous and I feel so incredibly grateful to my admin team and friends for having the power to submit reports on my behalf and give me back my business to continue to motivate and inspire others with the work that I do and love.
Shortly after I regained control of my account my admin received notification to say that the issue had been resolved – so if my friends hadn’t helped then the admin report would have rectified it anyway, it just would have taken longer. That’s why it is so important to have admin on your page – whether it’s a member of staff, technical specialist or even your partner or parents! Basically, another person of power who can submit a report on your behalf when there is nothing that you can report yourself without any evidence of a hacking.
Since regaining my Facebook account and page I have changed all of my social media passwords, also my email password, appointed a new email address on my accounts, closed my linked bank account and added further security information to everything. I’ve also reported the other accounts that were hacked and used to share content to my page.
Hackers are nothing more than desperate scum, unable to get a real job or do an honest day’s work and pay taxes, instead cowardly stealing identities, accounts, businesses and lifelines of innocent people for their own monetary gain and I strongly believe that karma will deal with them one day in its own sweet way. They must live with the knowledge of the hurt and pain that they cause others, knowing how vindictive, deceitful and untrustworthy they are and I hope that the people who surround them see their true reality and walk away.
We all have the choice to lead a genuine and loving life to make a positive difference to this world for the sake of our children over that of crime and deceit. At the end of the day we will all be judged for the choices and actions that we take and how we treat others, we must take sole responsibility and live with the consequences accordingly. I pity the criminals who live constantly watching over their shoulder in fear of the judgement to come – and come it shall!