If you run paid advertising on Meta or Google, there is a good chance you have received an alarming email at some point — something like "Your account will be suspended in 15 days" or "You have unclaimed Partner Credits." These emails look convincing, but they are scams — and businesses running paid ads are specifically targeted because compromising an account gives instant access to active credit lines and billing details.
The good news: a few simple steps can protect your account completely. This guide walks you through exactly what to do.
Why your ad account is a target
Scammers target Meta and Google Ads accounts because they are connected to live payment methods. Once inside, they can run their own ads and charge them to your card before you notice. They use two main tactics:
Urgency threats — emails claiming your account is at risk, designed to make you act fast without thinking
Fake reward offers — emails claiming you have unclaimed credits or bonuses, designed to lure you with something appealing
Both lead to fake login pages that steal your credentials. Your account is only at risk if you click and enter your details.
The two most important things you can do right now
You do not need to be a tech expert to secure your account. These two steps take less than five minutes each and make a significant difference.
1. Use a strong, unique password
A strong password uses at least 12 characters with a mix of uppercase letters, lowercase letters, numbers, and symbols — for example, BlueTiger#2026!. Most importantly, it should be unique to that account — never reused from another site.
If remembering multiple passwords sounds difficult, a password manager like 1Password or Bitwarden will generate and store strong passwords for you securely.
2. Enable Two-Factor Authentication (2FA)
Two-Factor Authentication means that even if someone steals your password, they still cannot log into your account without a second code from your phone. This single step blocks the vast majority of account takeover attempts.
You have two options: SMS (a code sent by text message) or an Authenticator App. We recommend the Authenticator App option — Google Authenticator is free on iOS and Android — because it works even without mobile signal and is more resistant to SIM-swap attacks.
How to set up 2FA — step by step
Meta / Facebook Ads
Type facebook.com in your browser (do not use any link from a suspicious email)
Profile picture → Settings & Privacy → Settings → Security and Login
Click Two-Factor Authentication → Get Started
Choose Authentication App (recommended) or Text Message
Follow the on-screen steps and click Finish
Google Ads
Type myaccount.google.com in your browser
Click Security → 2-Step Verification → Get Started
Choose Authenticator App (Google Authenticator recommended), or Text Message
Follow the on-screen steps and click Turn On
How to spot a phishing email
Before clicking anything, check for these red flags:
The sender's email does not end in @facebook.com, @facebookmail.com, @google.com, or @accounts.google.com
The email creates urgency — "suspended in 15 days", "immediate action required"
It asks you to claim credits, verify your account, or confirm billing via a link
There are typos, unusual fonts, or mismatched logos
It asks for your password or any personal information
The golden rule: all legitimate notifications from Meta and Google appear inside your account dashboard — not in your email inbox. When in doubt, open your browser and type the address manually.
What to do if you think you've been compromised
If you clicked a link in a suspicious email and entered your details, act immediately:
Change your password straight away
Log out of all active sessions (Security and Login → Where You're Logged In on Meta; Your devices on Google)
Check Billing for unexpected charges
Check Account Access for any users or apps you didn't add
Contact your account manager immediately so we can help