Inman

‘I’m screwed:’ This broker’s real-life hacking horror story

Erica Ramus, a self-professed tech geek, runs a “small but mighty” indie brokerage in Pennsylvania. She’s been in the business for 15+ years, has a master’s degree in real estate, and shares that wealth of first-hand experience as a regular columnist on Inman and as the author of the 10th Edition of Dearborn’s Real Estate Brokerage: A Management Guide.

I’m a real estate broker, and in the early morning of New Year’s Eve day, I was hacked.

Since then, everything has changed. This was not a simple “I hijacked your friends on Facebook” stunt. This was a deep hack that took over my profile and resulted in me losing not only my personal information but also access to my business page and advertising accounts. If you rely on Facebook for your business, don’t ignore this.

What happened

I woke up early on December 31, 2021, and tried to check Facebook on my phone as I normally do. I was locked out. I just figured I had made a mistake and needed more coffee. I tried to reset it and was horrified to see that the recovery link was being sent to an email that clearly was not mine.

I ran to my computer and saw a half dozen messages from Facebook sent just after midnight — changing my password and other alerts. The hacker somehow got into my account and changed my recovery password, removed my emergency contacts and turned on 2-factor authentication.

To be blunt, I was screwed. 

Recovery?

I spent the next few hours trying to recover my account but quickly learned that Facebook has no way to do this, and no way to contact anyone once you are locked out. I googled it, and yes, this is a big deal.

A Washington Post article led me to a trusted source to help recover my account — but when I did this and paid $299 for the service, they set me up on an appointment four weeks out. I was anxious and couldn’t believe it would take them a month to schedule me for help.

In haste, I tweeted about my problem and received dozens of offers for help (of course, trusted people who could hack me back for a fee). I hesitated, but then paid someone via Venmo to help me. They failed and demanded more money in exchange (yes, I know I was tricked) to buy more help on the dark web. I refused and waited for my trusted appointment that was weeks out.

In the meantime, I received dozens of email messages and texts offering to help me get my Facebook account back, which I ignored. This must be a very lucrative business. Was it the old hacker or the new guy I had just paid to hack me back? No clue.

Why was I so foolish to pay a stranger to help me get my account back? Not only was it over a decade of personal information — my family photos, chats and a history that I had saved on Facebook — but it also was my business.

What was lost

I had a company business page, a private group page for my agents (essentially my company intranet), and I also was an admin or moderator on a few other sites that were important to me. All of it was linked to my personal Facebook profile. When I lost my Facebook login, I also lost access to everything. 

Please think about that for a minute. Think about everything we rely on with our social media profiles. I had spent years building up a company page, with an ad account. I spent well over $1,000 per month on Facebook ads. That was linked to my PayPal account for payment. When the hacker took over my personal profile, he added himself to my company business page as “business manager” and started using my ad account.

Then he dug even further.

How they got to me

A few years ago, I helped an elderly friend of mine — a business owner — start his own Facebook business page. He had a flip phone and no Facebook account. I helped him open a business page, and as part of the verification process, I bought him a domain name and created a skeleton of a business website. Then, a year later, as the webpage was no longer needed, I let it expire.

The hacker somehow found this, and an hour into my hack, he renewed my website name and then used it to create the new email address where my Facebook notifications were going — directly to my new hacker. That’s not a simple hack. He took time to dig into my profile, find my linkage to the other pages that I was admin on, and he took over an old expired domain name. That’s scary stuff.

A nightmare

With access to my Facebook ad account, he started running ads. Luckily I woke up early that morning and when I realized what had happened, I disabled my PayPal link to the Facebook ads. I then quickly logged into every bank account and credit card I have and changed the passwords. 

However, the ads he ran must have been pretty bad. I then got email alerts that my ad account was flagged for violations of Facebook’s terms (pretty funny — they wouldn’t let me change my password or log in because the alerts went to my hacker’s new email address, but I do still get emails to my correct email when the account has a flag). At that point, Facebook deactivated my account. 

So, here is a broker’s worst nightmare: Let’s ignore the fact that I personally lost all my photos, my family private chats and history. I now am locked out of my company business page. I cannot run ads or even comment on my business page.

And my private group with my agents is still running — without me in it.

My agents are alone in the group and doing whatever they please without their leader in the chat. And the hacker is a member of both groups as my business manager.

I spent all of January googling a solution and doing everything I could to try to get my profile back, with zero success. I messaged Facebook (there is no email or phone number to call) and tried to prove my identity to them by messaging them up to five times a day and uploading my driver’s license — with no response at all (yes, that is what a Reddit thread said to do). I used my Oculus to try to get support to help me fast-track a support ticket to Facebook using a backchannel. Although that trick worked in 2021, it does not work now. 

And my long-awaited $299 appointment with Hacked.com failed as well. My tech was amazing and kind, but after six weeks of working on my case, he gave up and refunded my money. 

In the six weeks since New Year’s, I’ve spent hours researching social media hacks and security in general. I know fraud and hacking are a huge problem in our industry, but until it hits home it’s not likely to really sink in for you.

Why?

What did the hacker want? From my research — either money or access to my ad platform or both. I was hit up for both in emails and texts. And in the past month, one of my credit cards was flagged for fraud, and my agents were also targeted for cell phone texting scams (that’s normal, unfortunately). They know not to respond to Fake Erica who asks for gift cards to be sent because she’s at a conference and needs cash now. 

I hesitated, but after a month without any help from Facebook — despite dozens and dozens of messages asking them for help — I opened a new profile. I didn’t friend anyone except my agents (so I could create our private group) and my immediate family. And by immediate family, I mean my husband and children. Nobody else.

I removed my headshot and put up a generic photo because I don’t want past friends to think I have unfriended them on purpose (I’ve gotten texts from old friends asking me if I am mad at them or if they have done something wrong). I’m just lying low right now.

Takeaways

I opened up a new business page, and a Ramus 2.0 page for our company-only agent group. But honestly, this is really awkward. The old business site has a holiday banner on it, and I cannot get it removed. I am trying to get Facebook to take the old site down (even though I had thousands of followers) because it’s embarrassing, but I have gotten no response. I’ve even reported the old page as fraudulent or fake, and they don’t seem to care.

And this is the big takeaway I want you to understand. Please think about all the places you post and how dependent we are on these social media sites.

Go to check out at a store — log in with Facebook for faster checkout. Want to sign up for something? Use your Facebook credentials. Spend thousands of dollars in advertising? Log in first, and you are you. But what will you do if tomorrow you are locked out? 

So here’s what you need to do right now: Enable 2-factor authentication on everything that matters to you. Facebook. Instagram. All of your banking sites. Anything that you would cry if you lost access to. Do it right now.

The scary part is I thought I had that all done. I always did that and thought I had it on my Facebook account. Did I slip up and disable it for some reason? I don’t know. But once that hacker enabled it — I was done. I am locked out and now, after six weeks, I am giving up. I quit. 

I no longer trust anyone. I trust no platform to keep me safe. Read the terms and conditions (no, none of us do). Facebook owes me nothing. They don’t have to reply to me. They don’t have to help me get my account back. I have uploaded my driver’s license to the site at least 100 times with a message pleading for help with zero response. 

Reworking the system

I am disgusted that a company can just ignore me — a user who actually paid thousands of dollars a month for advertising services. I am sad that I lost all my photos and chats. My boys and husband and I had private chats we never posted publicly, but we uploaded photos and videos for the family chat. They now have a three-way chat without me. Same with my agents in our private group.

Yes, I have recreated a 2.0 version of Ramus Family Chat and Ramus Realty Group, but a piece of me is missing. My trust in the platform is gone. And I need to rethink how we rely on Facebook to send our advertising messages and how I interact with my group.

Initially, we had private channels and an intranet that nobody wanted to go to. I tried to enforce it for years and kept hitting a wall. Finally, we all agreed everyone is on Facebook; let’s use Facebook as our intranet. It worked, till the broker was hacked and locked out.

Do you really want to be held hostage to a third-party site you don’t control? One that doesn’t even have to reply to your repeated pleas for help? And do we want to spend money on a platform that doesn’t respect the fact that advertisers should get help when contacted and hacked? 

Fraud and hacking are a part of our everyday life now. We teach our agents not to click links, tell our buyers not to send wires, and we are smart, but we are so dependent on these platforms that we do not control. What will you do if you go to log in to Facebook or Instagram tomorrow and you are locked out?

In my bio, it says I am a self-professed tech geek. If I can get hacked and locked out, so can you. Every one of us is vulnerable. I’m vigilant right now and locking things down. Please do the same. We all need to figure out a way to live online — in the cloud — but we also need a way to survive if our systems go down. I wish I was just talking about Facebook right now. Be safe and be smart. 

Erica Ramus, MRE, is the broker/owner of RAMUS Real Estate. You can follow her on Twitter or LinkedIn.