How a Forgotten Account Cost Our Client $60,000 (And How We Got It Back)

If you manage advertising on Facebook or Instagram, this article could save your business thousands of dollars or more. Over the past 12 months, we've seen a sharp increase in sophisticated attacks targeting Meta Business accounts, and the numbers are alarming.
"In November 2025 alone, security researchers identified over 40,000 phishing emails targeting more than 5,000 businesses across North America, Europe and Australia. All of them exploited Meta's own infrastructure to appear legitimate."
As your agency partner, we want to share what we're seeing in the industry, explain where the vulnerabilities lie, and, most importantly, give you clear, actionable steps to protect your business.
What We're Seeing: Real-World Attacks on Australian Businesses
At BFJ Digital, we manage over a million dollars in advertising spend across Meta platforms. This gives us clear visibility into the security landscape and, unfortunately, we've witnessed first-hand how devastating these attacks can be when security best practices aren't followed.
Case Study 1: The $60,000 Weekend Attack
Earlier this year, one of our clients was hit by a serious breach. The entry point was a legacy agency account that a staff member had added years ago and never removed. The attackers moved on a Friday night, knowing business hours had ended.
In just 96 hours, they had:
- Created fraudulent advertising campaigns
- Escalated the daily budget from $350 to $130,000
- Spent nearly $60,000 on ads promoting unrelated overseas products
- Directed all traffic to scam websites, damaging the client's brand
The campaign's spend was over 700% more than the account's entire year-to-date advertising spend. All modifications happened between 11:30 PM and 2:00 AM, when no legitimate staff would be active.
Through persistent advocacy and detailed incident documentation, we successfully recovered the full amount from Meta, but it took four months of case work to achieve this outcome. Not all businesses are this fortunate.
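The indicators in this incident (changes made late on a Friday night, an actor nobody recognised, a daily budget jump from $350 to $130,000, and a new partner added) are exactly what daily monitoring should catch. As an added example, not a tool from BFJ Digital or Meta, here is a small Python check over constructed activity entries; the log format, email addresses, business hours and the 5x budget threshold are all assumptions.

```python
from datetime import datetime

# Constructed sample of Business Manager activity entries (NOT Meta's real
# audit-log format). Times are local to the business, ISO 8601.
# 2025-03-14 is a Friday; the following two entries fall on the weekend.
SAMPLE_EVENTS = [
    {"time": "2025-03-14T16:05:00", "actor": "alice@example.com",
     "action": "budget_change", "campaign": "Autumn Sale", "old": 350, "new": 400},
    {"time": "2025-03-14T23:31:00", "actor": "old-agency@example.net",
     "action": "campaign_create", "campaign": "Promo 77"},
    {"time": "2025-03-15T01:12:00", "actor": "old-agency@example.net",
     "action": "budget_change", "campaign": "Promo 77", "old": 350, "new": 130000},
    {"time": "2025-03-16T14:20:00", "actor": "old-agency@example.net",
     "action": "partner_add", "partner": "unknown-business-id"},
]

KNOWN_ACTORS = {"alice@example.com"}   # people expected to change the account
BUSINESS_HOURS = (8, 18)               # 08:00-18:00, Monday to Friday (assumed)
BUDGET_JUMP_FACTOR = 5                 # flag any daily budget increase of 5x or more


def outside_business_hours(ts: datetime) -> bool:
    """True on weekends or outside the configured weekday hours."""
    weekend = ts.weekday() >= 5
    return weekend or not (BUSINESS_HOURS[0] <= ts.hour < BUSINESS_HOURS[1])


def detect_anomalies(events):
    """Return one alert string per suspicious event, listing every reason it fired."""
    alerts = []
    for ev in events:
        ts = datetime.fromisoformat(ev["time"])
        reasons = []
        if outside_business_hours(ts):
            reasons.append("outside business hours")
        if ev["actor"] not in KNOWN_ACTORS:
            reasons.append("unrecognised actor")
        if ev["action"] == "budget_change" and ev["new"] >= ev["old"] * BUDGET_JUMP_FACTOR:
            reasons.append(f"budget jump {ev['old']}->{ev['new']}")
        if ev["action"] == "partner_add":
            reasons.append("new partner added")
        if reasons:
            alerts.append(f"{ev['time']} {ev['actor']} {ev['action']}: " + ", ".join(reasons))
    return alerts


if __name__ == "__main__":
    for line in detect_anomalies(SAMPLE_EVENTS):
        print(line)
```

The first entry (a small weekday change by a known person) produces no alert; the remaining three each fire on at least two rules, which is the pattern worth escalating rather than any single rule on its own.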
Case Study 2: The Sunday Afternoon Strike
In a separate incident late last year, we detected a breach affecting two related business accounts. The attackers launched on a Sunday afternoon, giving themselves maximum runway before anyone would notice on Monday morning.
What made this attack particularly sophisticated was the use of dormant Instagram profiles. A recent Meta feature that automatically converts connected Instagram profiles into Business Manager users created hidden entry points that appeared alongside legitimate staff in the system.
Because we implement daily monitoring for our clients, we detected the fraudulent campaign early Monday morning and shut it down, limiting the damage to under $2,000. However, the attackers were persistent, attempting re-entry twice more over the following weeks through "sleeper" accounts that hadn't yet been removed.
Takeaway: The timing was fortunate. Had the attackers struck on Friday night instead of Sunday afternoon, the financial impact could have been catastrophic. They would have had two extra days of unchecked spending. The losses could easily have reached tens of thousands.
Understanding Your Access Points: Where the Vulnerabilities Live
One of the biggest challenges in securing your Meta presence is understanding just how many doors lead into your Business Portfolio. Each door has its own lock, and attackers only need to pick one.
Here's the reality: when we invite someone to your Business Portfolio, we're not just adding one access point, we're potentially adding several.
Let's break this down clearly.
The Access Chain Explained
| Access Point | What Needs Securing | Why It Matters |
|---|---|---|
| 1. Personal Facebook Account | • Facebook password • 2FA on Facebook | This is YOUR key to the Business Portfolio. If compromised, attackers have full access to everything you can access. |
| 2. Personal Facebook Login Email | • Email account password • 2FA on email account | Password resets go here. If attackers control this email, they can reset your Facebook password and lock you out. |
| 3. Business Invitation Email | • This email's password • 2FA on this account | Often your work email (separate from your Facebook login). Business notifications and security alerts may go here. |
| 4. Company Instagram Account | • Instagram password • 2FA on Instagram | Instagram logins connected to your business are now automatically treated as admins in Business Manager. A compromised Instagram = a compromised Business Portfolio. |
| 5. Company Instagram Login Email | • This email's password • 2FA on this account | It may be different from your Facebook email. Another potential reset pathway for attackers. |
The maths is simple: for each person with access to your Business Portfolio, there could be up to 5 separate credentials that need to be secured. For a business with 4 team members, that's potentially 20 points of entry, and attackers only need one.
The Instagram Loophole You Need to Know About
Here's something many businesses don't realise: Meta recently changed how Instagram accounts interact with Business Manager. When your company's Instagram profile is connected to your Business Portfolio, the login credentials for that Instagram account now grant admin-level access by default.
This means:
- Old company Instagram accounts you've forgotten about could be doorways into your business
- Anyone with the login credentials to your company's Instagram has potential admin access to your entire Business Portfolio
- Attackers who compromise a company's Instagram account can use it to add themselves as partners to your entire Business Portfolio
In the incidents we've managed, this exact vulnerability was exploited: dormant company Instagram profiles were used as "sleeper" accounts to regain access even after we'd removed the initial threat.
Password Strength: Your First Line of Defence
A weak password is like a flimsy lock on a door full of valuables. With modern computing power, short or simple passwords can be cracked in seconds. Here's what you need to know:
Minimum 16 characters: This is the current industry standard for 2025. Every additional character exponentially increases the time required to crack your password. An 8-character password can be cracked in minutes; a 16-character password could take centuries.
Mix it up: Use a combination of lowercase letters, uppercase letters, numbers, and symbols. This dramatically increases complexity.
Make each password unique: Never reuse passwords across accounts. If one service is breached, attackers will try those credentials on every other platform including Facebook, Instagram, and your email.
Consider passphrases: A passphrase like "PurpleElephant$Dances@Midnight99" is both long and memorable. The Australian Signals Directorate recommends this approach: four or more random words combined with numbers and symbols can create passwords that are easy for you to remember but nearly impossible to crack.
Use a password manager: Tools like 1Password, LastPass, or Bitwarden generate and store complex, unique passwords for every account. You only need to remember one master password.
Never Share Passwords Insecurely
This is critical: never share passwords via email, Slack, Teams, text message, or any other messaging platform. These channels are not secure, and messages can be:
- Intercepted by attackers
- Found in search history if someone gains access to your account
- Stored indefinitely on servers you don't control
- Accidentally forwarded or visible on shared screens
Instead, if you must share access credentials, use your password manager's secure sharing feature or share verbally in person. Better yet, create individual logins for each person who needs access; that way, credentials never need to be shared at all.
Remember: If a password has ever been sent via email or messaging, consider it compromised and change it immediately.
Your Security Audit: A Complete Checklist
For each person with access to your Business Portfolio, ensure ALL of the following are secured:
| Security Item | Completed? |
|---|---|
| Personal Facebook password updated (unique, complex) | ☐ |
| Two-factor authentication enabled on Facebook | ☐ |
| Facebook login email password updated | ☐ |
| Two-factor authentication enabled on Facebook login email | ☐ |
| Business invitation email password updated (if different) | ☐ |
| Two-factor authentication enabled on business email | ☐ |
| Company Instagram account password updated | ☐ |
| Two-factor authentication enabled on Instagram | ☐ |
| Instagram login email password updated (if different) | ☐ |
| Two-factor authentication enabled on Instagram login email | ☐ |
Pro tip: Use a password manager to generate and store unique passwords for each account. This makes managing multiple complex passwords practical rather than overwhelming.
How These Attacks Work: Understanding the Threat
Modern Meta account attacks are far more sophisticated than traditional phishing. Attackers are now exploiting Meta's own legitimate infrastructure to deliver convincing fraudulent messages.
The Anatomy of a Modern Attack
- Phishing emails from legitimate Meta domains: Attackers create fake Facebook Business pages, then use Meta's own Business Suite invitation feature to send phishing emails that genuinely come from facebookmail.com, bypassing traditional security filters.
- Credential harvesting: Victims are directed to convincing fake login pages where their passwords and even two-factor authentication codes are captured in real-time.
- Silent partner additions: Once inside, attackers add their own partner accounts with full access to advertising assets. These often go unnoticed among legitimate business partners.
- Weekend/night-time execution: Fraudulent campaigns launch outside business hours to maximise spend before detection.
- Sleeper accounts: Attackers plant dormant accounts that can be activated later, even after initial remediation.
Common Entry Points
In every breach we've investigated over the past three years, the root cause has been the same: compromised client credentials or forgotten access permissions. The most common vulnerabilities include:
- Facebook or Instagram accounts without two-factor authentication
- Reused passwords across multiple platforms
- Legacy partner accounts from previous agencies or staff members
- Email accounts with weak security
- Dormant Instagram profiles connected to Business Manager
How to Protect Your Business: A Practical Security Checklist
The good news is that most attacks are entirely preventable. Here's what you can do today to dramatically reduce your risk:
Immediate Actions (Do This Today)
- Enable Two-Factor Authentication on ALL accounts: This includes your personal Facebook profile, any Instagram accounts connected to your business, and the email addresses associated with these accounts. Use an authenticator app (like Google Authenticator or Microsoft Authenticator) rather than SMS codes for stronger protection.
- Update your passwords: Use unique, complex passwords for Facebook, Instagram, and your associated email accounts. A password manager makes this manageable.
- Review your Business Manager users: Go to Business Settings > Users > People and review everyone with access. Remove anyone you don't recognise or who no longer needs access.
- Audit your Partners: Go to Business Settings > Users > Partners and remove any legacy agency or partner accounts that no longer work with you.
- Check connected Instagram accounts: Review which Instagram profiles are connected and remove any that are unused or unrecognised.
Ongoing Best Practices
- Require 2FA for all Business Manager users: You can mandate this in Security Centre settings.
- Maintain at least two administrators: This ensures recovery is possible if one account is compromised.
- Set appropriate spending limits: Credit card limits or ad account spending caps can prevent runaway fraudulent spend.
- Use a trusted email domain: Add your company's email domain in Security Centre so only company email addresses can access your Business Manager.
- Review access quarterly: Make it a habit to audit users, partners, and connected accounts regularly.
- Be sceptical of urgent messages: Even legitimate-looking emails from Meta should be verified by logging in directly to Business Manager. Never click through email links.
Red Flags to Watch For
| Warning Sign | What to Do |
|---|---|
| Unexpected password reset emails | Don't click links: log in directly and change your password immediately |
| Urgent "policy violation" warnings | Verify in Business Manager directly: real violations appear in your account |
| Unfamiliar campaigns in Ads Manager | Pause immediately and contact your agency |
| New partners or users you didn't add | Remove them immediately and audit all access |
| Notifications about unusual login locations | Secure your account immediately: assume compromise |
How BFJ Digital Protects Your Investment
As your agency partner, we take account security seriously. Here's what we do to protect your advertising investment:
- Daily monitoring: We review account activity and campaign performance regularly, allowing us to detect anomalies quickly.
- Rapid incident response: When breaches occur, we know exactly how to contain them—removing malicious access, pausing fraudulent campaigns, and documenting everything for recovery efforts.
- Meta support advocacy: We have extensive experience working with Meta's support processes to recover fraudulent spend and restore account access.
- Proactive security guidance: We advise clients on best practices and flag potential vulnerabilities before they become problems.
However, we can only be effective if you maintain security on your end. The accounts we manage are only as secure as the personal Facebook and Instagram profiles connected to them.
Your Action Items
We strongly encourage you to take the following steps this week:
- Enable two-factor authentication on your personal Facebook and Instagram accounts
- Update your Facebook, Instagram, and associated email passwords
- Review and clean up your Business Manager users and partners
- Let us know once you've completed these steps
If you need any assistance with these security measures, or if you notice anything suspicious in your accounts, please don't hesitate to reach out to our team. We're here to help.
Additional Resources
For more information on securing your Meta Business accounts, visit Meta's official security guide: Meta Business Help Centre - Security
