Beware! Hard-Learned Lessons About Protecting your Facebook Business Page

I start­ed my mar­ket­ing man­age­ment busi­ness in April of 2009. Since that time, I’ve seen more than my share of poten­tial­ly harm­ful emails, includ­ing hack­ing and phish­ing attempts. I love and use tech­nol­o­gy every day, so it comes with the ter­ri­to­ry (unfor­tu­nate­ly). The good news is that I’d man­aged to avoid all of them… until Feb­ru­ary of this year.

It start­ed with a fake email from Facebook

A long-time client reached out to me one day with a ques­tion about an email she had received from ​“Face­book.” It warned her that her page vio­lat­ed some of their terms, and it would be shut down soon if the prob­lems weren’t corrected.

The URL looked legit, begin­ning with face​book​.com. I’m always cau­tious, and even right-clicked the URL first to get a bet­ter look at the des­ti­na­tion before clicking.

Next, a fake Face­book login

The login page looked legit too, and sim­ply asked me to con­firm my cre­den­tials and access. Once I did, it opened the door to my per­son­al account, my busi­ness account, and a num­ber of con­nect­ed client accounts as well. 

As of right now, I’m still deal­ing with the long-term impact. Com­pro­mised accounts, cred­it cards, and lost pho­tos of my own, plus being per­ma­nent­ly locked out of my pri­vate Face­book and Insta­gram profiles. 

I keep ask­ing myself what I’ve learned from all of this, and what good I can glean that might help oth­ers. I’d like to pass the take­aways on to you.

6 Tips for pro­tect­ing your small busi­ness’ Face­book account

1. Be sus­pi­cious of any emails ask­ing for login information

Nev­er send­ing pass­words or cre­den­tials through an email is a no-brain­er. But even URLs sent through email need to be care­ful­ly ver­i­fied. Like I men­tioned above, right click and check the URL path to see where they lead before blindy click­ing.

2. When in doubt, ask support

If you’ve received an email warn­ing you of an issue, a secu­ri­ty breach, or some oth­er prob­lem that needs to be addressed, go direct­ly to the provider’s sup­port with ques­tions. There’s often a chat option on their web­site, and you can share the details of the email and ask if this is legit­i­mate or not. It might take a few extra min­utes, but it’s SO worthwhile. 

3. Use a Face­book Busi­ness Man­ag­er account

Face­book Busi­ness Man­ag­er is a suite designed to help busi­ness own­ers and man­agers man­age their page and ad account. It’s very easy to set up, requir­ing your email and busi­ness info. You then con­nect your Face­book page to the Busi­ness Man­ag­er account, then either add or cre­ate your ads account. 

From there, you can add peo­ple to the Busi­ness Man­ag­er and choose exact­ly what lev­el of per­mis­sion and access each per­son has. This way nobody has to con­nect their per­son­al Face­book account to the busi­ness or ads account. It’s an extra lay­er of secu­ri­ty — a buffer, if you will. Plus, it makes it very easy to man­age peo­ple with­in your organization. 

4. Enable 2‑factor authen­ti­ca­tion right on your Busi­ness Man­ag­er account

In your secu­ri­ty set­tings, you can tog­gle on 2‑factor authen­ti­ca­tion. This means that some­one who access­es your Busi­ness Man­ag­er will need to ver­i­fy their iden­ti­ty by either receiv­ing a text mes­sage with a code, or by enter­ing a ran­dom­ly-gen­er­at­ed pass­word from the Google Authen­ti­ca­tor app. Sounds con­fus­ing, but it’s all very straight­for­ward and sim­ple. The ben­e­fit here is that even if some­one access­es the Busi­ness Man­ag­er some­how, they’ll need to ver­i­fy them­selves before they can do any­thing else. 

5. Set a spend lim­it on your Face­book ad account

I’ve observed illic­it ads being run with out­ra­geous bud­gets (like $20,000/day in some cas­es!). As a side note, these are often spam-relat­ed ads that are intend­ed to reach as many peo­ple as they can before get­ting flagged and shut down. Based on your nor­mal ad bud­get, you may want to set a spend lim­it that needs to be reset before any addi­tion­al ad spend is charged. That way you’re pro­tect­ed against a huge amount of mon­ey being spent before you catch the activity. 

6. Have a back-up Admin­is­tra­tor of your Face­book Busi­ness Man­ag­er account

If you set up the man­ag­er account, you’ll be the pri­ma­ry admin. It’s rec­om­mend­ed (and you’ll see a prompt from Face­book about this) that you add a back­up admin­is­tra­tor. That way if some­thing hap­pens to your account for any rea­son, or you sim­ply can’t access Face­book, some­one else can step in and assume respon­si­bil­i­ty. If you’re the only one, you can get your­self in a bind. 

Stay vig­i­lant! Secu­ri­ty threats aren’t going any­where

I’ve seen a major spike in phish­ing and hack­ing activ­i­ty on social media. One of the areas I’ve seen this almost dai­ly is on the Google Busi­ness Pro­file. This is the plat­form where cus­tomers can leave reviews and mes­sage a busi­ness (think Google Maps). If your com­pa­ny has turned on the mes­sag­ing plat­form, you’ll inevitably encounter fake users. These peo­ple will ask dumb ques­tions like, ​“Do you offer exte­ri­or paint­ing ser­vices and accept cred­it cards?” or ​“I’d like you to go ahead and paint my inte­ri­or and I’ll send you a check for $4,500…”

My advice is to mark these as spam and block them right away. 

We live in a dig­i­tal world, and that means there will be huge poten­tial for growth and fresh oppor­tu­ni­ties, but also attacks. We have to be extra care­ful, and make sure our teams are aware and edu­cat­ed as well.