From time to time, we face breaches of our Facebook Business Manager caused by users who fall for phishing attacks.
This protocol should be applied every time such a breach occurs.
Who takes action in such a case:
Account Manager
SLS (the Technical Support Engineer)
R&D Member
How will we be notified that there has been a breach?
A campaign without a name will appear on the Pub+ dashboard (such as the image below).
A message saying that a campaign was automatically deleted will be sent to the #policy-deleted-budget channel on Slack.
Actions that need to be taken:
Inform the Network owner (Partner or Internal) that there has been a breach of the Facebook account. If it is a Partner, this is the Account Manager's responsibility; if it is Internal, it is the SLS's responsibility.
Remove the infected user from the Business Manager. (Account Manager's responsibility)
Go to Pub+ and make sure that there is no active campaign that matches the description above (campaign with no name). (Account Manager's responsibility)
Go to Ads Manager, and look at each account that the Network owns (usually it's 10 ad accounts). Search for the fraud campaigns using these steps:
Go to Ad set level.
Select a time frame that contains the dates of the breach.
Use the filter: Ad Set Delivery is Active, Deleted, Errors, Inactive, Off, Pending.
Sort the table by Budget, descending.
You should see the fraud campaigns in the first rows of the table. Make sure that all of them are Deleted (same as the image above).
Repeat this action for all of the network's accounts.
These actions are under the SLS's responsibility.
Go to Rules on FB Ads Manager and make sure there are no active rules. (SLS's responsibility)
Repeat this action for all of the network's accounts.
Provide all the gathered information regarding those campaigns to R&D for them to verify that everything was deleted. (SLS's responsibility)
Contact Upper Management and let them know about the campaigns and rules and that everything has been handled.
If the campaigns managed to spend before the system detected and deleted them, gather their information and forward it to the CFO for contacting the Meta Account Manager. (SLS's responsibility)
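The Ads Manager check above (time frame, sort by budget, confirm everything is Deleted) can be repeated over exported ad set rows when handing the findings to R&D. This is an added example, not part of the original protocol or any Pub+ tooling; the CSV column names, the sample rows and the rule "campaign with no name" as the match criterion are assumptions made for illustration.

```python
import csv
import io
from datetime import date

# Constructed sample export. The column names are assumptions for this
# example, not a real Ads Manager export schema.
SAMPLE_EXPORT = """\
account_id,campaign_name,ad_set_name,delivery,budget,date
act_001,Spring Sale,Lookalike US,Active,50.00,2024-03-01
act_001,,adset-a,Deleted,5000.00,2024-03-10
act_002,,adset-b,Active,9000.00,2024-03-11
act_002,Retargeting,Cart Abandoners,Off,30.00,2024-02-20
act_003,,adset-c,Deleted,7000.00,2024-01-05
"""

def find_suspect_ad_sets(export_text, breach_start, breach_end):
    """Ad sets of unnamed campaigns inside the breach window, highest budget first."""
    suspects = []
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["campaign_name"].strip():
            continue  # named campaign: does not match the description
        day = date.fromisoformat(row["date"])
        if not breach_start <= day <= breach_end:
            continue  # outside the selected time frame
        suspects.append({
            "account_id": row["account_id"],
            "ad_set_name": row["ad_set_name"],
            "delivery": row["delivery"],
            "budget": float(row["budget"]),
        })
    suspects.sort(key=lambda s: s["budget"], reverse=True)
    return suspects

def still_not_deleted(suspects):
    """Suspect ad sets whose delivery status is anything other than Deleted."""
    return [s for s in suspects if s["delivery"].strip().lower() != "deleted"]

if __name__ == "__main__":
    found = find_suspect_ad_sets(SAMPLE_EXPORT, date(2024, 3, 1), date(2024, 3, 31))
    for s in found:
        print(f'{s["account_id"]} {s["ad_set_name"]} {s["budget"]:.2f} {s["delivery"]}')
    open_items = still_not_deleted(found)
    print("Needs action:", [(s["account_id"], s["ad_set_name"]) for s in open_items])
```

Any row returned by `still_not_deleted` is an ad set that still has to be deleted before the information is passed on for verification.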