Today I wanted to share my experience of (what turns out to be) a common Paypal Facebook Ads scam that exploits Paypal’s pre-approved payment system.
Let’s start at the beginning. Like many a blogger, I have a Facebook Ads account. Over the years, I have occasionally been asked by brands to ‘boost’ content like product reviews or competitions, and I regularly post ads over Christmas that promote blog content where I share gift guides and the like.
In a typical year, I might spend anywhere up to about £50 on Facebook Ads.
But this year looks a little different.
How the Scam Happened
In the middle of February, I noticed a payment on my bank statement that I didn’t recognise. It was to Paypal for £84. That seemed weird because I hadn’t bought anything with Paypal lately. So I logged into Paypal and noticed that the payment was originally for $93 to Meta.
Weird. Have I left an ad running and forgotten about it? I looked at my Ads account. No. I haven’t run any ads since Christmas 2023.
Then a slow sense of horror as I looked at my Paypal account.
There were no fewer than 12 payments to Meta between Feb 1 and Feb 15 totalling more than $900. It started with a bunch of payments for $25, then $35 with two payments of $250. Over £700 had been taken from my bank account, which was linked to my Paypal account.
I immediately reported the Facebook Ads scam to Paypal as fraudulent. I also went to Facebook and reported the transactions, assuming that someone must have made a mistake somewhere.
It’s 2024, so I also went online and found that I am very, very far from the only person being hit by this scam.
What Paypal Said
I phoned Paypal and spent more than an hour on the phone explaining what had happened. The agent was very reassuring and recommended reporting the transactions as “product or service not received” since I had paid for ads and not received them.
He suggested to me that this is a well known scam where people use pre-approved Paypal payments to buy Facebook Ads. Certainly, looking on the Internet suggests I am far, far from the only person this has happened to. He suggested that my Facebook Ads account must have been compromised.
Unfortunately for me, Facebook contested the dispute and despite my providing screenshots of my empty Facebook Ads account (showing I hadn’t bought any ads) and details of all the payments, Paypal ruled in favour of Facebook.
What Facebook Said
I also reported the issue to Facebook. This in itself isn’t straightforward. You can’t call Facebook, you can only use their Ads Support chat service.
First, I tried reporting “unauthorised charges on my account” and provided all the details of the fraudulent transactions. I got a reply asking me to provide Facebook transaction IDs from my Ads account. They said if you don’t have this, let me know, we’ll help you out. I explained that I couldn’t provide this as the transactions were not on my Ads account. The next day I got an email telling me the case was closed and there was no evidence of fraud on my account.
Next, I tried reporting “unauthorised access to my account”. I provided all the details again. Got the same request for Facebook transaction IDs again. Once again said if you don’t have them, let me know, I’ll help you out. Replied again. Got the same email telling me the case was closed and there was no evidence of fraud on my account.
I tried completing both of these forms, talking to various agents on chat and even had two phone calls from Facebook. People were super keen to tell me how supportive they were, how much they understood how worried I was, how they would definitely do their best to help me – but ultimately, I kept getting the same automated email: “No evidence of fraud”. One agent told me that almost certainly my Paypal was hacked, it was the only possibility.
After several weeks of back and forth and repeatedly saying to Facebook, “If there’s no fraud, I’d like a receipt with details of what ads you say I bought, where they ran, and which Facebook account bought them” I finally got this reply this morning. It’s a gem, isn’t it?
It seems to say that Facebook accepts that someone else used my payment details to buy Facebook Ads. The ads weren’t on my Facebook page or even my Ads account. They definitely believe that I didn’t buy the ads. So it must have been someone I know. And of course, I can’t have my money back.
Seriously? Facebook’s ultimate response is, “We know it wasn’t you. The only possible explanation is it’s someone you know, and you gave them permission. There’s definitely still no fraud going on here. Nope. Absolutely not.”
It’s just a crappy get-out and to boot, would make some people really suspicious of friends and family with the implication that someone you know has stolen from you. That’s just terrible, isn’t it?
What the Bank Said
If you have a pre-approved payment method set up on a Facebook Ads account, it is processed by your bank as a direct debit. I know that some victims of the Facebook Ads scam have got money back through their bank. In fact, one Facebook agent said to me, “Try the bank. If they tell us we have to pay you back, we have to pay you back.”
So I called Santander. Who said, “Because you approved the payment, they can take any money, any time they want, and we can’t do anything about it, sorry.”
After an hour on the phone, they promised to look into it but I shouldn’t hold out any hope.
The next day I got an automated text telling me my query was “resolved” – when I called Santander, it turned out that meant “closed”. Unless I could provide a signed copy of the original direct debit agreement, the bank wouldn’t help.
What happens next?
I honestly feel like this process is designed to make you give up. The circular emails, the automated responses, the long delays, the inability to speak to a real person in real time. Fortunately, I have a lot of barely suppressed rage and I’m online a lot. So I didn’t give up.
I spent another two hours on the phone to Paypal asking for details of how they knew my account hadn’t been hacked and what about the “buyer safety” and what evidence had Facebook even provided, and generally being polite but inconvenient.
I said I wanted to appeal Paypal’s decision and would also like to make a formal Subject Access Request and have the dates, times and IP addresses of all logins to my account, along with a copy of the original agreement made pre-authorising the payments to Facebook and all payments made under that arrangement.
I suspect this might have been what tipped the balance because within 12 hours of submitting that request, Paypal removed the open/closed cases, and refunded the transactions in full.
Fallen victim to a Facebook Ads scam?
If you’re also stuck in this situation, firstly I’m sorry. It sucks and even if you did everything right, it seems like this is a known issue and weakness that Facebook should be taking steps to address.
I recommend trying all of the above. If that doesn’t work there are a few things you could also try that were next on my list:
- Call Action Fraud. Make sure you report the theft and get a crime reference number. Not only are the police able to request the details of who exactly bought the ads, having a crime reference number might help Facebook take your complaint more seriously. Having said that, I personally think most of these scams happen because someone with access to Facebook Ads billing info is passing that info to people who hack into innocent Facebook accounts to buy ads that direct users to fake websites. It feels like a big criminal enterprise that Facebook and Paypal know all about.
- Make a subject access request to Facebook and Paypal. Specifically you want to know the times, dates and IP addresses of all logins to your Ads account, and all actions associated with your payment account. If you have a pre-approved payment, ask for a copy of that plus all transactions associated with that agreement, including times/dates and IP addresses. While Facebook might claim GDPR means that can’t tell you the name of a person, they can pretty well tell you the details of the ads they say you paid for.
- Third, complain to the Financial Ombudsman, who can handle complaints about both your bank and Paypal.
- Finally, it’s quick and simple to issue a small claims court summons against Facebook for non-delivery of goods. To claim for my £700 the fee was £70 (which can be added to the claim) plus 15p/day in interest. The odds are Facebook will refund you rather than send someone to your small town to argue their case in court.
How to avoid the Facebook Ads scam
I’ve learned quite a few things from this process that I think are important to help other people falling victim to this scam:
- If you have a pre-approved payment method on any Meta account, REMOVE IT IMMEDIATELY. Literally, go and do it now. You do not have any automatic protection from your bank, Facebook or Paypal if funds are taken by a hacker.
- Of course, use 2FA on all your accounts, but be aware that it doesn’t protect you if the fraud originates from someone with access to Facebook billing info (as I strongly suspect this one does). I had 2FA on my accounts and it made no difference.
- If you use Paypal, do not connect your Paypal account to your bank account or debit card. Yes, it’s convenient but a scammer can also use that info to drain your bank account. Use a temporary credit card that you can add funds to as needed.
- Be very clear on Paypal’s “buyer protection” covers because it does not seem to apply to pre-approved payments. If you give consent for future payments to a company then you could be deemed to have given consent for ANY payments at ANY time by ANY individual.