As the founder and director of a nonprofit animal shelter on the East Coast, Alana has spent most of the past decade caring for pets that might otherwise be euthanized. Her work also resonates with people online—the Facebook page for the shelter has more than 1.3 million followers. But in August, she noticed something strange: A series of unfamiliar posts began appearing on the page, and no one at the shelter could say where they were coming from. For several days, Alana and her staff simply deleted them. It didn’t initially occur to Alana that her account may have been breached.

Then, in the early morning hours of August 19, a link to a fraudulent GoFundMe fund-raiser appeared on the shelter’s page, claiming the nonprofit was raising money for pets displaced by wildfires thousands of miles away in California. By the time Alana spotted the fund-raiser, it had already raised around $1,500. She quickly crafted a Facebook post alerting donors that it was fake, but it was useless. “The post was immediately removed,” says Alana, who for privacy reasons requested that her last name and the name of the shelter not be used.

Another staff member soon discovered that a stranger had been added as an administrator to the shelter’s Facebook page nearly two months earlier, silently waiting for the right opportunity to act. In a Facebook Messenger chat, the stranger warned the animal shelter to stop telling people the fund-raiser was bogus. “If I see one more post we will delete the page forever,” he wrote.

Frightened and angry, Alana scrambled to ensure GoFundMe canceled the fund-raiser, which it did. “Our fraud protection measures prevented this individual from gaining access to any of the funds raised. This user has been banned and the money has been refunded to donors,” a spokesperson for GoFundMe said in a statement.

But the incident marked only the beginning of what would become a months-long struggle between Alana and a hacker determined to steal her nonprofit’s donations—by weaponizing Facebook.

Americans gave a record-breaking $410 billion to nonprofits last year, according to Giving USA, an annual report from Indiana University researchers. More people are also donating online, either directly through organizations’ websites or via social media platforms.

Facebook entered the game five years ago when it introduced a simple “Donate” button, which allowed users to send funds directly to a select group of major nonprofits. Since then, charitable giving has become a central part of the social network. The company has developed more tools for both nonprofits and regular users interested in raising money for causes; Facebook notifications encourage people to start fund-raisers for their birthdays. Last year, the company stopped charging nonprofits fees to accept donations (though Facebook still collects a small percentage of the money raised via personal fund-raisers).