As Henry Lau slept on Oct. 15, hackers quietly took control of the ads manager page for his Facebook account. By 6:15 a.m. PT, Facebook had approved a widespread advertising campaign with a budget of $10,000 per day to promote a 13-second video in the US, Mexico and Australia.
Lau, who hadn't taken out any Facebook ads in two years, had no idea his credit card racked up thousands of dollars in charges until he got an alert that the ad campaign was shut down -- six hours later.
But Facebook didn't stop the campaign because it was pushed by hackers, Lau said. Facebook shut it down because his credit card had expired, and he wasn't able to pay for the ads.
"Had my credit card not been expired, they would have run the ads for $10,000 or more," Lau said. "It could have been days before I found out."
He said he "freaked out" once he saw what hackers were trying to charge on his account -- and then he grew angry at how the fraud was allowed to play out under his name.
Lau isn't the only person with growing frustrations over Facebook's handling of fraudulent ads. The more than 2.45 billion people who log on to Facebook each month make an attractive target for ads with malicious links, and utilizing someone's ad account has become an increasingly popular way for an online criminal to bankroll the scam for free.
It's led to a lot of headaches for the victims. Some ad account owners affected by these hacks have found little help from Facebook and have complained that the tech giant isn't doing much to prevent these attacks. In July, Digital Trends detailed several cases in which Facebook's customer support failed to help people whose ad accounts had been taken over.
Another blogger described how hackers took over his Facebook account and started running ads at £1,200 (about $1,550) per day, and how he didn't get an alert until PayPal notified him about the transaction.
"This is, and has been growing to be, an even more viable opportunity for fraudsters and cybercriminals," said Emily Wilson, vice president of research for data protection service provider Terbium Labs. "There's a lot of people on Facebook, and they're often interacting with it quite mindlessly. Cybercriminals only need a small percentage of people to click on the wrong ad."
Facebook said that it takes measures to prevent these kinds of hacks and also keeps a close watch for any ads that lead to malware. When it approves an ad, the company said, it checks the website that the post leads to and will ban people who direct viewers to malware.
"Linking to landing pages containing malware is against our policies. When we find bad actors using techniques like cloaking to avoid our reviews, we immediately take action and remove their ability to advertise on Facebook," a company spokesperson said in an email.
Facebook has taken several measures to protect people from ad scams, like rolling out tools to report these schemes in the UK. To prevent foreign election interference, Facebook added a new authorization process for political ads, in which you need to verify your identity and mailing address.
But hackers have been able to circumvent these protections by taking over people's accounts instead and running ads under someone else's name. And even if the campaigns are banned within hours, cybercriminals have found that they're able to trick hundreds of people on Facebook within that window.
Using 'free money' to commit fraud
The ad posted using Lau's ads account was a video clip of a toy wagon for kids and purposely listed with a pricing error -- showing five items for the normal price and one item "accidentally" listed at 99 cents. Lau said it was designed to make people want to click and buy something immediately, taking advantage of the low prices and perceived mistake.
Though the ads weren't promoting any real products, they were doing something valuable for hackers: The fake sale site had credit card skimmers embedded on it, Lau said. People rushing for a deal online would instead end up giving away their credit card information to hackers.
Lau, whose account was taken over because of a compromise on a third party, said the posts reached 64,784 people before Facebook shut them down. The price for reaching tens of thousands of people: $915.95.
Because Facebook ads offer tracking pixels, Lau got a rare inside view of how effective this scam is. More than 3,000 people clicked on the ads, and 813 people added their payment information on the website, according to metrics from Facebook. A small handful actually went through with trying to purchase the fake item, he said.
"They ended up ripping off at least 24 people in the hour or so that it ran," Lau said. "They're essentially using free money from stolen Facebook accounts to then commit credit card fraud."
Lau isn't a stranger to the ad industry. He runs Privolta, a company he co-founded that specializes in privacy-focused ads. He said that the ad industry suffers anytime fraudulent ads slip through and that Facebook should be putting in better protections to prevent these scams.
After the hackers launched the $10,000-a-day campaign, Lau saw there was a warning on the checkout page.
"You've set a daily budget that is significantly greater than the average on this account ($231.59). If this was intentional, please ignore this warning," read the Facebook note. For him, it showed that Facebook has systems in place to detect fraudulent behavior but that the company allowed the payment to go through anyway.
"Clearly, if they wanted to, they could," Lau said. "But the problem then becomes, it stops them from printing money. It slows that process."
Hackers have coveted Facebook accounts for years, often selling them to cybercriminals online, Wilson said. The older an account is, the more valuable it is, she said.
She's found markets where people will set up Facebook accounts and have them lie dormant for five or six years, then sell them in bulk to potential scammers. Older accounts are more valuable because Facebook's fraud detection algorithm is often looking for brand-new accounts, she said.
But the supply of fake accounts might not meet the demand; not all cybercriminals have time to wait for a dormant account to become available. That's when they turn to real ad accounts, where everything has already been set up for them.
Wilson said that with live accounts, cybercriminals have control only until victims realize they've been hacked. As Lau saw, sometimes just a few hours is all a dedicated scammer needs.
"The way Facebook is designed, and we've seen this play out with serious ramifications, is that it's really easy to run ads for whatever you want," Wilson said. "Facebook's model is to approve first and ask questions later."
Shut out at Facebook
Lau knew he was lucky that his credit card on the ads account was expired. He was also lucky enough to know people who worked at Facebook who could help him resolve the issue. Most people would have to deal with Facebook's automated process, which has been described as a digital door shut in your face.
Though Lau was able to get back on his account after the hack, Annie Beth Donahue, a writer in North Carolina, wasn't as fortunate.
Her account had been hacked in late September and then banned from Facebook shortly after. She can't even log back in to see what the fraudulent ad was for.
The hackers had taken out multiple ads with multiple payments, two campaigns for $250 each, another one for $750 and a fourth one for $400. She said she didn't even know her account had been hacked until she got messages from PayPal five days later telling her she had spent $1,200 in ads on Facebook.
"Facebook didn't send me a message and say something weird is going on with your account," Donahue said.
Donahue was able to get a refund, but getting her Facebook account back was an entirely different ordeal.
She struggled to find a live person to speak with, and after looking for two days, got a response from staff at Facebook.
"The live chat lady was not helpful and just felt sorry and said she couldn't help us," Donahue said.
A few hours later, she received an email from Facebook stating that her account violated its terms, telling Donahue that the social network doesn't allow posts that contain "credible threats to harm others, support for violent organizations or exceedingly graphic content."
She still hasn't been able to find someone who's willing to explain to her what posts got her banned, or anyone willing to hear her case that she had been hacked. Donahue said it's been frustrating to hit this wall each time she wanted to get her issue resolved.
Nearly a month after her account got banned, Donahue said she tried making an Instagram account for a business she helps manage. She used the phone number tied to her old account to sign up, and Facebook's automated fraud detection blocked it, she said.
"It's atrocious. It's horrible," Donahue said. "I was so upset with Facebook that if this wasn't part of my job, I wouldn't have an account anymore."