Business Page Hacked and Ad Account Misused? Recovery Action Plan

You log in and find your business page taken over, your name removed as admin, and an ad account spending money on adverts you never created. This is one of the most common online business attacks in India. This guide shows you how to recover access, stop the bleeding on your card, preserve evidence, and file a cybercrime complaint — in the right order, starting today.

Reviewed on: 2026-05-29.

This guide is for Indian business owners, shopkeepers, creators, agencies and marketing staff whose business presence on a social media or advertising platform — Facebook, Instagram, a business manager, an ad account, or a YouTube or Google business profile — has been taken over by an attacker. It is most useful if any of these has happened to you:

• You can no longer log in to your business page, or you have been removed as an administrator.
• Adverts you never created are running, and money is being spent from a card or wallet on the ad account.
• You received an email or SMS saying your account email, phone number or password was changed — and it was not you.
• A fake page or profile impersonating your brand has appeared and is running scam ads in your name.
• Your card statement shows advertising charges you do not recognise.

It covers the four fronts you must fight at once: recovering the account, stopping and disputing the money, preserving evidence, and creating an official paper trail through the cybercrime system. If only your personal account was hacked, the closely related guide how to recover a hacked social media account covers the basics. If the problem is a fake page impersonating you rather than a takeover of your real one, see fake social media profile takedown in India.

Stop the money first, because ad spend grows every hour. Call your bank or card issuer on the number printed on the back of your card. Tell them an advertising platform charge is fraudulent and ask them to block the card and raise an unauthorised-transaction dispute. If a large sum has just left your account, also call the national cyber-fraud helpline on 1930 — it exists to freeze funds still in transit.

Next, capture evidence before anything disappears. Take clear screenshots of the unauthorised adverts, the billing or transactions screen, the spend amount, and any email or SMS alert about a changed email, phone number or password. Save the page URL as it appears now. Do not log out repeatedly or keep guessing passwords — that can trigger extra security locks.

Then start, but do not rush, the platform recovery. Look for the platform's dedicated “my account is hacked” or compromised-business flow, not the ordinary password reset. Begin it from a device you have used before with that account.

File your cybercrime complaint at the National Cyber Crime Reporting Portal. Choose the financial-fraud category if money was lost, and attach your screenshots and statement. Note the acknowledgement number carefully — you will quote it to the bank and the platform.

Work the platform recovery in earnest. Have ready a government photo ID, the original confirmation email from when the account or ad account was created, and the business email and phone that were on the account. Submit the recovery form, then open a support ticket through the business help centre describing the takeover and the fraudulent spend. Reference your cybercrime acknowledgement number in the ticket.

Go back to your bank with the cybercrime acknowledgement number. Many banks ask for it to progress a fraud dispute. Confirm in writing — by email or the bank app message centre — that the dispute is registered, and ask for the dispute reference and the expected timeline.

Lock down everything connected to the breach. Change the password on the email account tied to your business page, turn on two-factor authentication everywhere, and remove any unknown logged-in devices or connected apps. Check whether the same password was reused on other accounts and change those too.

Assemble a single evidence folder: screenshots, the cybercrime acknowledgement, the bank dispute reference, the platform ticket numbers, and a one-page timeline of what happened and when. Save it in cloud storage and keep a local copy. Draft your written complaint to the platform's grievance officer using the template in this guide, ready to send if support stalls on Monday.

The single most urgent task is cutting off the fraudulent spend. If the fake ads are billed to your own saved card, call your bank or card issuer and ask them to block the card and open an unauthorised-transaction dispute. If a large amount just left your account, call the national cyber-fraud helpline on 1930, which is designed to freeze money still moving through the banking system. Speed matters because card disputes have time limits set by your bank and the card network, and the spend keeps climbing while you wait.

Before the attacker deletes traces or the platform locks the page, capture everything. Screenshot the unauthorised adverts, the billing screen with the spend total, every login-alert and changed-email notification, and the page URL. Save the original welcome email from when you set up the account. Export the bank or card statement that shows the disputed charges. Note exact dates and times. This bundle is the backbone of your card dispute, your cybercrime complaint, and your platform appeal — gather it first, argue later.

Report the fraud at the National Cyber Crime Reporting Portal. Pick the financial-fraud category if money was lost, describe the account takeover and the fake ad spend, and upload your evidence. Save the acknowledgement number — it is the reference you quote to the bank and to platform support. If the amount is large or you want a formal First Information Report, also file a written complaint at your nearest cyber police station; for the steps and the right desk, our guide on reporting fake social media profiles in India walks through the cyber-cell process.

Use the platform's dedicated hacked-account or compromised-business recovery flow, not the everyday password reset, which the attacker may have already locked. Verify your identity with a government ID and the original creation email. Try recovery from a device and network you have used with the account before, as that history helps the platform trust you. If automated recovery rejects you, open a support ticket in the business help centre, explain the takeover, and quote your cybercrime acknowledgement number. For a creator or Instagram account specifically, the recovery flow differs slightly — see recovering a disabled Instagram creator or business account.

Return to your bank with the cybercrime acknowledgement number and confirm the dispute is formally registered. Ask for the dispute reference and the expected resolution timeline in writing. Separately, ask the platform's billing or payments team to review and reverse the spend it agrees was unauthorised. The two routes are different: the bank dispute targets your card charge, while the platform reversal targets the ad account ledger. Pursue both, and keep paying any genuine dues so your card is not suspended for non-payment in the middle of the fight.

Once you have access back, change the password on the email that controls the business page, enable two-factor authentication, and remove unknown logged-in sessions and connected third-party apps. Reset any account that shared the same password. Review the list of page roles and remove any administrator or editor you do not recognise. Turn on payment alerts so a future fraudulent charge surfaces instantly.

If support keeps stalling, send a written complaint to the platform's India grievance officer. Under India's IT intermediary rules, significant platforms must publish a grievance officer's contact and acknowledge complaints within a set period. Reference your earlier ticket numbers and your cybercrime complaint, state exactly what you want — page restored, fake ads stopped, unauthorised spend reversed — and ask for a written reply.

If money remains unrecovered after the bank dispute and platform routes, you may explore a consumer complaint or civil claim. Stakes here can be high, so take advice from a qualified lawyer before filing. Your preserved evidence, the cybercrime acknowledgement and the bank dispute trail are exactly what any forum will want to see.

Replace the text in square brackets with your own details before sending. Use this for the platform's grievance officer or to attach to a police complaint.

To, The Grievance Officer [Name of Social Media / Advertising Platform], India

Date: [DD/MM/YYYY]

Subject: Unauthorised takeover of business page and fraudulent ad spend on

       account [Page name / Ad account ID / handle]

Respected Sir / Madam,

1. I am [Your Name], the [Owner / Authorised Representative] of

 [Legal Name of Business]. I operate the business page / ad account
 identified as [Page name, URL, or Ad account ID].

2. On or around [DD/MM/YYYY] my account was taken over without my

 authorisation. I received notifications that the registered
 [email / phone / password] was changed, which I did not do, and I was
 removed as an administrator of the page.

3. Following the takeover, advertisements that I did not create were run

 from the account, and an amount of approximately Rs [Amount] was spent /
 charged between [start date] and [end date]. I have not authorised any
 of this spend.

4. I have taken the following steps:

 (a) Reported the fraud at the National Cyber Crime Reporting Portal,
     acknowledgement number [XXXXXXXX], dated [DD/MM/YYYY].
 (b) Raised an unauthorised-transaction dispute with my bank,
     dispute reference [XXXXXXXX].
 (c) Opened support ticket(s) [ticket numbers] through your help centre.

5. The following evidence is attached:

1. Screenshots of the unauthorised advertisements and the billing screen.
2. Notifications showing the unauthorised change of email / phone.
3. The original account creation confirmation email.
4. Bank / card statement showing the disputed charges.
5. Government photo ID and proof of the business.

6. I therefore request you to:

 (a) Restore my access and administrator rights to the page / ad account.
 (b) Immediately stop and remove the fraudulent advertisements.
 (c) Review and reverse the unauthorised ad spend of Rs [Amount].
 (d) Provide a written reply with the action taken and a reference number.

I am available for any identity verification your team requires.

Yours faithfully,

[Your Full Name] [Designation] [Legal Name of Business] [Mobile Number] [Email Address]

The Right to Information Act, 2005 applies only to public authorities — government departments and bodies substantially financed or controlled by the government. A social media or advertising platform is a private company, so RTI cannot be used against the platform itself. But once your complaint enters the government system, RTI becomes useful for the public-authority side of the matter:

• Status of your cybercrime complaint or FIR: If the police or cyber cell goes silent after you file, an RTI to the Public Information Officer of that police department can ask for the current status of your complaint or FIR, the action taken so far, and the name and designation of the officer handling it.
• Action taken on funds frozen via 1930: Where money was reported through the 1930 helpline, RTI can ask the concerned authority what action was taken on the freeze request and the present status, subject to the Act's exemptions for ongoing investigations.
• Grievance handling by a government body: If you escalated to a government grievance mechanism that oversees intermediaries, RTI can ask about how your specific reference was processed.

To file an RTI online, follow our step-by-step RTI filing guide. The standard fee for Central government authorities is the prescribed amount, and the PIO must reply within 30 days. If you get no reply or an inadequate one, our guide on filing a first appeal under RTI Section 19 explains the next move, and the full first and second appeal guide covers the path to the Information Commission. For combining a grievance with an RTI, see how to use CPGRAMS and RTI together. For deeper strategy, The RTI Playbook shows how to use RTI alongside other remedies.

RTI has firm limits in a hacked-page dispute:

• RTI cannot make a platform act: It cannot compel Facebook, Instagram, Google or any private platform to restore your page, stop ads, or refund spend. Use the platform recovery flow and its grievance officer for that.
• RTI cannot reverse a card charge: Your money comes back through the bank's unauthorised-transaction dispute, not through an information request.
• RTI is not an emergency tool: The 30-day reply window is far too slow to stop live ad spend or freeze funds. For speed, rely on the bank, the 1930 helpline and the cybercrime portal first; use RTI later to chase the official record.

• Trying to recover the account before stopping the money: Recovery can take days while the card keeps getting charged. Block and dispute the card first, then recover.
• Deleting the fake ads or page before screenshotting: Once you regain access, the urge is to clean up. Capture all evidence first — screenshots are what the bank, police and platform need.
• Missing the bank's dispute time window: Card disputes have deadlines set by the bank and the card network. A delay of even a few days can cost you the chargeback. Raise it the same day.
• Using the ordinary password reset instead of the hacked-account flow: If the attacker changed the email and phone, the normal reset sends codes to them. The dedicated compromised-account flow is built for exactly this.
• Stopping payment of genuine dues: If you also run legitimate ads, do not let the real bill go unpaid in the panic, or your card and account may be suspended for non-payment, blocking recovery.
• Skipping the cybercrime complaint: The acknowledgement number is often what unlocks faster bank and platform action. Filing it is quick and free at cybercrime.gov.in.
• Reusing the same password elsewhere: Attackers test stolen credentials across services. Change every account that shared the breached password and turn on two-factor authentication.
• Expecting RTI to fix a private-platform problem: RTI does not reach private companies. Treat it as a tool to track the police and government side, not to recover the page.

If the attack has also disrupted your business banking — for example a card you need to replace or a current account to re-secure — our guide on opening a current account for your business in 2026 and the note on checking your bank account and Aadhaar seeding status may help you tidy up the financial side.

• National Cyber Crime Reporting Portal (cybercrime.gov.in) — File online fraud and account-takeover complaints; financial-fraud category
• Reserve Bank of India (rbi.org.in) — Rules on unauthorised electronic transactions and customer liability; banking ombudsman scheme
• Ministry of Electronics and Information Technology (meity.gov.in) — IT intermediary rules under which platforms publish a grievance officer
• CPGRAMS (pgportal.gov.in) — Central government public grievance portal for escalation to a government body

Usually no. Charges run on a payment method the attacker added belong to that card, not yours. The real risk is when the fake ads were billed to your own saved card. In that case raise an unauthorised-transaction dispute with your bank or card issuer immediately, attach your hack timeline, and ask the platform's billing team to reverse the spend. Keep paying your genuine dues so your card is not suspended for non-payment.

Within hours, not days. The first 24 to 48 hours matter most. Card disputes have time limits set by your bank and the card network, ad spend keeps growing while you wait, and platform recovery is easier before the attacker removes your email and phone. Lodge a cybercrime complaint, freeze or dispute the card, and start the platform recovery flow the same day you discover the breach.

Both routes exist. For financial loss and online fraud, the National Cyber Crime Reporting Portal at cybercrime.gov.in is the fastest first step, and the 1930 helpline can freeze funds in transit. If you want a formal First Information Report or the loss is large, also file a written complaint at your nearest cyber police station or local police station. The portal acknowledgement number helps when you escalate.

No. Social media platforms are private companies, so the Right to Information Act does not apply to them. RTI cannot compel a platform to restore your page or refund ad spend. RTI only helps where a public authority holds records, for example the status of your cybercrime complaint, action taken by police, or a grievance you filed with a government body under the IT rules.

Capture screenshots of the unauthorised ads, the billing or transactions page, any login-alert emails, the changed-email or changed-phone notifications, and the URL of your page as it appears now. Save the original confirmation emails from when you created the page and ad account. Export your card or bank statement showing the disputed charges. Note exact dates and times. This bundle supports the card dispute, the cybercrime complaint and the platform appeal.

Use the platform's dedicated hacked-account or compromised-business flow rather than the ordinary password-reset page. Verify your identity with a government ID and a confirmation email from when the account was set up. If automated recovery fails, open a support ticket through the business help centre and reference your cybercrime complaint number. Keep every ticket reference. A grievance to the platform's India grievance officer under the IT rules is a further step if support stalls.

Sometimes. If the fraudulent spend was charged to your own card, a successful unauthorised-transaction dispute with your bank can reverse it. The platform may also credit back spend it agrees was unauthorised, but this is discretionary and not guaranteed. Recovery is far more likely when you preserved evidence early, disputed the card charge within the bank's time window, and raised the issue with the platform billing team promptly.