Business Page Hacked and Ad Account Misused? Recovery Action Plan
You log in and find your business page taken over, your name removed as admin, and an ad account spending money on adverts you never created. This is one of the most common online business attacks in India. This guide shows you how to recover access, stop the bleeding on your card, preserve evidence, and file a cybercrime complaint — in the right order, starting today.
Quick answer
Move fast and in parallel. First, stop the money: call your bank or card issuer to dispute or freeze the card linked to the ad account, and report the fraud at cybercrime.gov.in or the 1930 helpline the same day. Second, take screenshots of everything — fake ads, billing page, login alerts, changed-email notices — before the attacker deletes them. Third, start the platform's dedicated hacked-account recovery flow, not the ordinary password reset. Keep every reference number. The social media company is a private firm, so RTI cannot force it to act, but RTI can track the police and cybercrime side later.
Who this guide is for
This guide is for Indian business owners, shopkeepers, creators, agencies and marketing staff whose business presence on a social media or advertising platform — Facebook, Instagram, a business manager, an ad account, or a YouTube or Google business profile — has been taken over by an attacker. It is most useful if any of these has happened to you:
- You can no longer log in to your business page, or you have been removed as an administrator.
- Adverts you never created are running, and money is being spent from a card or wallet on the ad account.
- You received an email or SMS saying your account email, phone number or password was changed — and it was not you.
- A fake page or profile impersonating your brand has appeared and is running scam ads in your name.
- Your card statement shows advertising charges you do not recognise.
It covers the four fronts you must fight at once: recovering the account, stopping and disputing the money, preserving evidence, and creating an official paper trail through the cybercrime system. If only your personal account was hacked, the closely related guide how to recover a hacked social media account covers the basics. If the problem is a fake page impersonating you rather than a takeover of your real one, see fake social media profile takedown in India.
What you can do this weekend
Friday evening
Stop the money first, because ad spend grows every hour. Call your bank or card issuer on the number printed on the back of your card. Tell them an advertising platform charge is fraudulent and ask them to block the card and raise an unauthorised-transaction dispute. If a large sum has just left your account, also call the national cyber-fraud helpline on 1930 — it exists to freeze funds still in transit.
Next, capture evidence before anything disappears. Take clear screenshots of the unauthorised adverts, the billing or transactions screen, the spend amount, and any email or SMS alert about a changed email, phone number or password. Save the page URL as it appears now. Do not log out repeatedly or keep guessing passwords — that can trigger extra security locks.
Then start, but do not rush, the platform recovery. Look for the platform's dedicated "my account is hacked" or compromised-business flow, not the ordinary password reset. Begin it from a device you have used before with that account.
Saturday
File your cybercrime complaint at the National Cyber Crime Reporting Portal. Choose the financial-fraud category if money was lost, and attach your screenshots and statement. Note the acknowledgement number carefully — you will quote it to the bank and the platform.
Work the platform recovery in earnest. Have ready a government photo ID, the original confirmation email from when the account or ad account was created, and the business email and phone that were on the account. Submit the recovery form, then open a support ticket through the business help centre describing the takeover and the fraudulent spend. Reference your cybercrime acknowledgement number in the ticket.
Go back to your bank with the cybercrime acknowledgement number. Many banks ask for it to progress a fraud dispute. Confirm in writing — by email or the bank app message centre — that the dispute is registered, and ask for the dispute reference and the expected timeline.
Sunday
Lock down everything connected to the breach. Change the password on the email account tied to your business page, turn on two-factor authentication everywhere, and remove any unknown logged-in devices or connected apps. Check whether the same password was reused on other accounts and change those too.
Assemble a single evidence folder: screenshots, the cybercrime acknowledgement, the bank dispute reference, the platform ticket numbers, and a one-page timeline of what happened and when. Save it in cloud storage and keep a local copy. Draft your written complaint to the platform's grievance officer using the template in this guide, ready to send if support stalls on Monday.
Evidence and documents checklist
| Document | What it proves | Where to get it |
|---|---|---|
| Screenshots of unauthorised adverts | Ads were running that you did not create | The live ad / page screen before recovery |
| Billing / transactions page screenshot | Amount and dates of fraudulent ad spend | Ad account billing section (if still visible) |
| Login-alert and changed-email / changed-phone emails | Date and time the attacker took over | Your registered email inbox (and spam folder) |
| Original account / ad-account creation email | You are the genuine owner of the account | Search your email for the platform welcome message |
| Card or bank statement with the disputed charges | Money left your own card for the fake ads | Net-banking, bank app, or card issuer statement |
| Government photo ID | Identity for platform recovery and police complaint | PAN, Aadhaar, passport, driving licence |
| Business proof (GST, registration, or trade licence) | The page belongs to a real business you own | Your business records |
| Cybercrime portal acknowledgement | An official fraud complaint exists | cybercrime.gov.in after you submit |
| Bank dispute reference number | Card chargeback / dispute is on record | Bank confirmation email or app message |
| Platform support ticket numbers | You raised recovery and billing complaints | Platform business help centre |
| One-page incident timeline | Clear sequence of dates and actions | Prepared by you |
Step-by-step action plan
Step 1 — Stop the money before anything else
The single most urgent task is cutting off the fraudulent spend. If the fake ads are billed to your own saved card, call your bank or card issuer and ask them to block the card and open an unauthorised-transaction dispute. If a large amount just left your account, call the national cyber-fraud helpline on 1930, which is designed to freeze money still moving through the banking system. Speed matters because card disputes have time limits set by your bank and the card network, and the spend keeps climbing while you wait.
Step 2 — Preserve evidence immediately
Before the attacker deletes traces or the platform locks the page, capture everything. Screenshot the unauthorised adverts, the billing screen with the spend total, every login-alert and changed-email notification, and the page URL. Save the original welcome email from when you set up the account. Export the bank or card statement that shows the disputed charges. Note exact dates and times. This bundle is the backbone of your card dispute, your cybercrime complaint, and your platform appeal — gather it first, argue later.
Step 3 — File a cybercrime complaint
Report the fraud at the National Cyber Crime Reporting Portal. Pick the financial-fraud category if money was lost, describe the account takeover and the fake ad spend, and upload your evidence. Save the acknowledgement number — it is the reference you quote to the bank and to platform support. If the amount is large or you want a formal First Information Report, also file a written complaint at your nearest cyber police station; for the steps and the right desk, our guide on reporting fake social media profiles in India walks through the cyber-cell process.
Step 4 — Recover the account through the right channel
Use the platform's dedicated hacked-account or compromised-business recovery flow, not the everyday password reset, which the attacker may have already locked. Verify your identity with a government ID and the original creation email. Try recovery from a device and network you have used with the account before, as that history helps the platform trust you. If automated recovery rejects you, open a support ticket in the business help centre, explain the takeover, and quote your cybercrime acknowledgement number. For a creator or Instagram account specifically, the recovery flow differs slightly — see recovering a disabled Instagram creator or business account.
Step 5 — Press the card dispute and ad-billing reversal
Return to your bank with the cybercrime acknowledgement number and confirm the dispute is formally registered. Ask for the dispute reference and the expected resolution timeline in writing. Separately, ask the platform's billing or payments team to review and reverse the spend it agrees was unauthorised. The two routes are different: the bank dispute targets your card charge, while the platform reversal targets the ad account ledger. Pursue both, and keep paying any genuine dues so your card is not suspended for non-payment in the middle of the fight.
Step 6 — Secure every connected account
Once you have access back, change the password on the email that controls the business page, enable two-factor authentication, and remove unknown logged-in sessions and connected third-party apps. Reset any account that shared the same password. Review the list of page roles and remove any administrator or editor you do not recognise. Turn on payment alerts so a future fraudulent charge surfaces instantly.
Step 7 — Escalate to the platform grievance officer
If support keeps stalling, send a written complaint to the platform's India grievance officer. Under India's IT intermediary rules, significant platforms must publish a grievance officer's contact and acknowledge complaints within a set period. Reference your earlier ticket numbers and your cybercrime complaint, state exactly what you want — page restored, fake ads stopped, unauthorised spend reversed — and ask for a written reply.
Step 8 — Consider consumer or legal remedies for unrecovered loss
If money remains unrecovered after the bank dispute and platform routes, you may explore a consumer complaint or civil claim. Stakes here can be high, so take advice from a qualified lawyer before filing. Your preserved evidence, the cybercrime acknowledgement and the bank dispute trail are exactly what any forum will want to see.
Escalation ladder
| Stage | Action | Forum / Destination | Target timeline |
|---|---|---|---|
| 1 | Block card and raise unauthorised-transaction dispute | Your bank / card issuer (number on the card) and 1930 helpline | Same day — disputes have bank/network time limits |
| 2 | File online fraud / account-takeover complaint | cybercrime.gov.in (note acknowledgement number) | Same day; keep the reference |
| 3 | Start dedicated hacked-account recovery and support ticket | Platform business help centre / compromised-account flow | Varies by platform; track ticket numbers |
| 4 | Written complaint if support stalls | Platform's India grievance officer (under IT intermediary rules) | As published by the platform |
| 5 | Formal written complaint / FIR for larger loss | Nearest cyber police station or local police station | As per police procedure |
| 6 | RTI for status of police / cybercrime action (public-authority records) | PIO of the concerned police department / authority | 30 days under the RTI Act |
| 7 | Consumer or civil remedy for unrecovered loss | Consumer forum / civil court — take legal advice first | Varies; consult a qualified lawyer |
Copy-paste complaint template
Replace the text in square brackets with your own details before sending. Use this for the platform's grievance officer or to attach to a police complaint.
When RTI can help
The Right to Information Act, 2005 applies only to public authorities — government departments and bodies substantially financed or controlled by the government. A social media or advertising platform is a private company, so RTI cannot be used against the platform itself. But once your complaint enters the government system, RTI becomes useful for the public-authority side of the matter:
- Status of your cybercrime complaint or FIR: If the police or cyber cell goes silent after you file, an RTI to the Public Information Officer of that police department can ask for the current status of your complaint or FIR, the action taken so far, and the name and designation of the officer handling it.
- Action taken on funds frozen via 1930: Where money was reported through the 1930 helpline, RTI can ask the concerned authority what action was taken on the freeze request and the present status, subject to the Act's exemptions for ongoing investigations.
- Grievance handling by a government body: If you escalated to a government grievance mechanism that oversees intermediaries, RTI can ask about how your specific reference was processed.
To file an RTI online, follow our step-by-step RTI filing guide. The standard fee for Central government authorities is the prescribed amount, and the PIO must reply within 30 days. If you get no reply or an inadequate one, our guide on filing a first appeal under RTI Section 19 explains the next move, and the full first and second appeal guide covers the path to the Information Commission. For combining a grievance with an RTI, see how to use CPGRAMS and RTI together. For deeper strategy, The RTI Playbook shows how to use RTI alongside other remedies.
When RTI will not help
RTI has firm limits in a hacked-page dispute:
- RTI cannot make a platform act: It cannot compel Facebook, Instagram, Google or any private platform to restore your page, stop ads, or refund spend. Use the platform recovery flow and its grievance officer for that.
- RTI cannot reverse a card charge: Your money comes back through the bank's unauthorised-transaction dispute, not through an information request.
- RTI is not an emergency tool: The 30-day reply window is far too slow to stop live ad spend or freeze funds. For speed, rely on the bank, the 1930 helpline and the cybercrime portal first; use RTI later to chase the official record.
Common mistakes to avoid
- Trying to recover the account before stopping the money: Recovery can take days while the card keeps getting charged. Block and dispute the card first, then recover.
- Deleting the fake ads or page before screenshotting: Once you regain access, the urge is to clean up. Capture all evidence first — screenshots are what the bank, police and platform need.
- Missing the bank's dispute time window: Card disputes have deadlines set by the bank and the card network. A delay of even a few days can cost you the chargeback. Raise it the same day.
- Using the ordinary password reset instead of the hacked-account flow: If the attacker changed the email and phone, the normal reset sends codes to them. The dedicated compromised-account flow is built for exactly this.
- Stopping payment of genuine dues: If you also run legitimate ads, do not let the real bill go unpaid in the panic, or your card and account may be suspended for non-payment, blocking recovery.
- Skipping the cybercrime complaint: The acknowledgement number is often what unlocks faster bank and platform action. Filing it is quick and free at cybercrime.gov.in.
- Reusing the same password elsewhere: Attackers test stolen credentials across services. Change every account that shared the breached password and turn on two-factor authentication.
- Expecting RTI to fix a private-platform problem: RTI does not reach private companies. Treat it as a tool to track the police and government side, not to recover the page.
If the attack has also disrupted your business banking — for example a card you need to replace or a current account to re-secure — our guide on opening a current account for your business in 2026 and the note on checking your bank account and Aadhaar seeding status may help you tidy up the financial side.
Frequently asked questions
The hacker added their card to my ad account. Am I liable for those charges?
Usually no. Charges run on a payment method the attacker added belong to that card, not yours. The real risk is when the fake ads were billed to your own saved card. In that case raise an unauthorised-transaction dispute with your bank or card issuer immediately, attach your hack timeline, and ask the platform's billing team to reverse the spend. Keep paying your genuine dues so your card is not suspended for non-payment.
How fast must I act after my business page is hacked?
Within hours, not days. The first 24 to 48 hours matter most. Card disputes have time limits set by your bank and the card network, ad spend keeps growing while you wait, and platform recovery is easier before the attacker removes your email and phone. Lodge a cybercrime complaint, freeze or dispute the card, and start the platform recovery flow the same day you discover the breach.
Should I report a hacked business page to the cybercrime portal or the local police?
Both routes exist. For financial loss and online fraud, the National Cyber Crime Reporting Portal at cybercrime.gov.in is the fastest first step, and the 1930 helpline can freeze funds in transit. If you want a formal First Information Report or the loss is large, also file a written complaint at your nearest cyber police station or local police station. The portal acknowledgement number helps when you escalate.
Can RTI force the social media platform to give me back my page?
No. Social media platforms are private companies, so the Right to Information Act does not apply to them. RTI cannot compel a platform to restore your page or refund ad spend. RTI only helps where a public authority holds records, for example the status of your cybercrime complaint, action taken by police, or a grievance you filed with a government body under the IT rules.
What evidence should I save before the hacker deletes everything?
Capture screenshots of the unauthorised ads, the billing or transactions page, any login-alert emails, the changed-email or changed-phone notifications, and the URL of your page as it appears now. Save the original confirmation emails from when you created the page and ad account. Export your card or bank statement showing the disputed charges. Note exact dates and times. This bundle supports the card dispute, the cybercrime complaint and the platform appeal.
The platform recovery form keeps rejecting me. What next?
Use the platform's dedicated hacked-account or compromised-business flow rather than the ordinary password-reset page. Verify your identity with a government ID and a confirmation email from when the account was set up. If automated recovery fails, open a support ticket through the business help centre and reference your cybercrime complaint number. Keep every ticket reference. A grievance to the platform's India grievance officer under the IT rules is a further step if support stalls.
Can I get my advertising money back after a hack?
Sometimes. If the fraudulent spend was charged to your own card, a successful unauthorised-transaction dispute with your bank can reverse it. The platform may also credit back spend it agrees was unauthorised, but this is discretionary and not guaranteed. Recovery is far more likely when you preserved evidence early, disputed the card charge within the bank's time window, and raised the issue with the platform billing team promptly.