Simple Steps to Keep Hackers Out of Your Ad Accounts
A few weeks ago a past client reached out after discovering their Meta ads account had been hacked. More than $30K was spent in a single day, far beyond their usual daily budget. We helped them file a fraud claim with Meta and start the reimbursement process. We have been told by Google that they are also seeing a wave of account hacks and fraud spending due to insecure ad accounts.
We’re hearing more and more stories like this across the industry, so here’s a quick reference guide on best practices for keeping your Google and Meta accounts locked down and secure.
Meta Ads Security Best Practices
- Use a Business Manager account to own your ad account. Running ads from a personal account creates unnecessary security risks.
  - Here is a blog we wrote a few years back on how to move a personal ad account to a Business Manager.
- Limit how many people at your company have Admin access.
  - Give access only to those who genuinely need it.
  - Remove old employees. This is a big one.
- Turn on two-factor authentication.
- Visit the Business Manager Security Center.
  - Meta shares recommendations for improving your overall setup.
  - Consider turning on Peer Approval controls. This requires another team member to approve campaign budgets once they hit a certain threshold.
  - Explore Domain Security settings. This keeps ads running only to your verified domain and helps block hijackers who redirect to bad URLs.
- If you are an agency, remove old client accounts you no longer manage. Keeping inactive accounts connected only increases risk for everyone.
Google Ads Security Best Practices
- Turn on two-factor authentication. Google offers a clear step-by-step guide.
- Restrict Manager account access to your company’s domain.
  - Example: Only users with an email address ending in @granularmarketing.com can be invited to the Granular MCC. This prevents someone from hacking your email and then adding a random Gmail address to the account.
- Never accept incoming invites to access a Google Ads account. Always send the invite yourself so you know exactly who is connecting.
Across both platforms, you need to be extremely careful with any email that comes through. If it feels off, it probably is. The email address itself is usually the red flag. Whenever you’re unsure, don’t click on anything and contact the platform’s support or send it our way so we can help you confirm whether it’s real or spam.
Keeping your accounts secure takes a little effort, but it goes a long way toward protecting your budget and your peace of mind.