Hackers are stealing control of Facebook Business Pages and Ad Accounts just like yours, posting misinformation, hijacking credit cards, and running up huge ad bills. How exactly are they doing this? Through personal profiles just like yours.
Hackers are targeting the personal Facebook accounts of individuals who have admin access to business accounts. In this article we’ll show you how to protect your business page and your personal profile by just taking a few simple precautions.
Hackers have long attacked the “soft security” of individuals to circumvent the tougher security of the corporations they work for, and hacking Facebook business accounts is no different. Often, someone’s personal account is the weak link, giving hackers access to one or many business accounts.
Once they’re in the business account, they can remove all other admins, change the password, and set up camp. And Facebook has been notoriously bad about helping victims reclaim their pages and their accounts.
Once you lose access to your Facebook Business account you may never be able to reclaim it. We know of several businesses and agencies that have been victims of this approach. Some regained their accounts, others did not.
If you use Facebook and Instagram for either organic or paid marketing, you MUST take steps to secure your account.
These 3 essential steps could mean the difference between your account’s safety and vulnerability:
- Require Two-Factor Authentication
- Assign a Backup Admin
- Use Third Party Authenticators
Follow the steps below to complete each of these security measures or watch our video tutorial to walk through the process.
Require Two-Factor Authentication for All Users
Your Facebook business page and Instagram business account are managed through the Meta Business Suite. Everyone who helps you manage these accounts has some level of access to your Business Suite account.
Admins should change the security settings of the account to require two-factor authentication for all levels of access.
What is two-factor authentication?
Two-factor authentication is more secure than requiring a simple password at login. It’s now widely available for many accounts such as your Google, Facebook, and WordPress login.
When logging in, you will be asked to enter your username and password as usual. Once the platform has confirmed this information is correct, it will prompt you to complete a second authentication, typically in the form of a random 6-digit code. This code can be delivered to you in many different ways, such as through text, phone call, email, or a third party authenticator app.
This heightened security creates an additional barrier between a user and an account. If your password is compromised, there is another step blocking hackers from accessing your accounts.
Change Security Settings in Business Suite
- Have an admin of the Business Suite log in to business.facebook.com or navigate to the Business Suite home center via the button on the left hand menu of their business page.
- Find Settings or the gear icon towards the bottom of the left menu.
- A new page will load with an additional sub-menu shown on the left. Here you’ll want to find More Business Settings.
- You will be launched into a new tab with a different layout and left menu options. Scroll through the menu to find Security Center with the lock icon.
- Here you’ll find two options labeled as Two-Factor Authentication and Add Another Admin. In the two-factor box, click the drop down menu that asks “Who’s required to turn on two-factor authentication?”
- Select Everyone to require this security measure for all levels of access to the account.
You, along with any additional admins, employees, or partners will be sent an email from Facebook prompting them to change the security settings on their personal account. They can click the link in the email to get started or head to their Facebook page and complete these steps through their Settings. If they fail to set up two-factor authentication, they won’t be able to get into the Business Suite, make edits to the page, run ads, etc.
Before we get into the steps of setting this up on your personal account, let’s take care of one more layer of protection in the Security Center.
Assign a Backup Admin
A backup admin on your business account should be a trusted business partner, coworker, family member, or friend. They don’t need to be active in the account or even be involved in your business. You can choose whomever you want, as long as they have your trust (and a Facebook account.)
This safety measure ensures you have an emergency entry point into your Business Suite. If a hacker does access your account, blocks you out, and begins changing settings or spending your ad money for their own purposes, the backup admin opens a window for you to get back into the account and if necessary, remove your own personal account to eliminate the hacker’s access.
If your account does not have a backup admin and is hacked, it’s possible that you may never be able to recover the account again. This could mean you have to start over from scratch, and even worse, that someone else is posting what they want under your business name on Facebook.
Here’s how you add the backup admin:
- While we’re still in the Security Center use the blue Add button listed in the Add Another Admin box.
- Enter the email address of the person you’d like to add (hopefully an address they check regularly).
- Ensure the Admin Access button is toggled on and click Next.
- In the next pop-up you can assign them assets from your business. Because they are added as admins to the overarching account this isn’t necessary, but you may want to assign a few things like your primary page or ad account to start.
- When you’re satisfied, click Invite. They will be sent an email invitation and will not be added until they set up two-factor authentication and accept the invite.
Use a Third Party App for Two-Factor Authentication
Let’s go back to two-factor authentication. Even though you’ve made it a requirement for all users in Business Suite, that doesn’t mean your work is done. You, along with all the users on the account will need to follow these steps on an individual level.
- Log in to your personal Facebook account. Click on the drop down arrow in the far right corner by your profile photo.
- Navigate to Settings & Privacy → Settings
- This will open a new page with a left hand menu, from which you can click Security and Login.
- Often, two-factor authentication will appear at the top as a recommendation, but you may need to scroll down the page to find it. Click the Edit button that appears on the right side of the box.
You will be brought to a new page where you must select which authentication method you would like to set up. Though any method is better than none, we suggest selecting the Authentication App option.
Why Use Third Party Apps for Two-Factor Authentication?
When two-factor authentication first became popular, text message (SMS) was by far the most popular option. Users would be sent a code directly to their phone, which was often where they were logging into Facebook to begin with.
Unfortunately, phone networks aren’t entirely secure and lately hackers have been intercepting SMS messages. This means that even two-factor authentication may not fully prevent malicious attacks on your accounts.
Third-party apps like Google Authenticator or Microsoft Authenticator offer a convenient and more secure way to generate codes. Each time you log in, they create a one-time passcode that expires after 30 seconds. This makes it extremely difficult for hackers to get a hold of that passcode in time to enter your account. These apps can be downloaded on your mobile and desktop devices.
- Start by downloading the app of your choice. Depending on the app you choose, the set-up process may be slightly different, but we’ll provide the basics with examples from the Google Authenticator app.
- In the app, use the + button to add a new account. You can choose to connect the account using either a QR code or a manual setup key. Facebook will provide both options.
- In Facebook, either scan the provided QR code or copy and paste the key into the app.
- Click Continue in Facebook and enter the newly provided confirmation code from your authenticator app.
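For readers who want to see what the authenticator app does with the setup key, the following is an added example, not code from Facebook or from any authenticator app. It implements the standard time-based one-time password algorithm (RFC 6238) to show why each code is only good for its 30-second window. The HMAC-SHA1 and 6-digit parameters are the RFC defaults and are assumed here, the key normalization is an assumption about how a key may be displayed, and the sample key is the published RFC test secret, not a real account key.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30    # seconds each code stays valid, matching the 30-second expiry above
DIGITS = 6   # length of the code typed into the login prompt

def decode_setup_key(key: str) -> bytes:
    """Turn a manual setup key (base32, possibly lowercase or in spaced groups) into bytes."""
    cleaned = key.replace(" ", "").replace("-", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)  # restore base32 padding if it was dropped
    return base64.b32decode(cleaned)

def totp(key: str, unix_time: int) -> str:
    """Code for the 30-second window that contains unix_time."""
    counter = unix_time // STEP  # every second in one window maps to the same counter
    mac = hmac.new(decode_setup_key(key), struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F      # dynamic truncation: low nibble of last byte picks 4 bytes
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** DIGITS).zfill(DIGITS)

def verify(key: str, submitted: str, unix_time: int, drift_steps: int = 1) -> bool:
    """Server-side check: accept the current window plus a small clock-drift allowance."""
    for delta in range(-drift_steps, drift_steps + 1):
        expected = totp(key, unix_time + delta * STEP)
        if hmac.compare_digest(expected, submitted):  # constant-time comparison
            return True
    return False

# Constructed sample: base32 of the RFC 6238 test secret, typed the way a key
# might be shown on screen (lowercase, groups of four).
SAMPLE_KEY = "gezd gnbv gy3t qojq gezd gnbv gy3t qojq"

if __name__ == "__main__":
    for t in (30, 59, 60, 120):
        print(t, totp(SAMPLE_KEY, t), verify(SAMPLE_KEY, "287082", t))
```

The code generated at second 59 is rejected by second 120, which is the property that makes a stolen code far less useful than a stolen password.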
Congratulations! Once you and your team members have finished these steps you can check the three most essential security steps for Facebook off your to-do list.
Bonus Security Measures for Facebook
There are lots of other ways you can keep your account secure and if you’re looking for additional safety measures to take, here are some top ideas!
- Updating Passwords: IT experts recommend changing your password every 3 months. Make sure you choose a strong password that is at least 8 characters and uses a combination of letters, numbers, and symbols.
- Check Your Devices: In the Security and Login section of Facebook settings, you can view what devices are currently or recently logged in to your account. They will list the device type and the approximate location. If anything jumps out at you as unfamiliar, you can always manually log out of any and all devices. For frequent users of Facebook’s business tools, we suggest checking this once a month.
- Choosing Trusted Contacts: Facebook allows you to select a few trusted friends or family members who can act as a one-time two-factor login. You will only ever need this in the event that you cannot get into your own account using your password. Even if you don’t wish to set this up, it’s a good idea to check on this setting in case a hacker has already planted false contacts in your settings.
- Facebook Protect: Some individuals will be prompted by Facebook to enable Facebook Protect because they are connected to numerous business pages or have the potential to reach a wide audience. Turning on this setting will make steps like two-factor authentication a requirement for your account. It doesn’t necessarily add anything but is an easy way to initiate Facebook’s step-by-step guide on account security.
Keeping Your Accounts Secure Moving Forward
Security is not a one-and-done affair. As security methods advance, so do the hackers’ tools and techniques. It’s important to stay on top of the latest security measures to stay one step ahead of the hackers.
The goal here isn’t to be “unhackable.” That’s likely impossible. You just want to make it difficult enough that a hacker will give up and go somewhere else.
In the meantime, tackle these 3 critical steps to account security and then you can focus on growing your business with Facebook and Instagram.
Izzy joins flyte after moving to Portland in 2020, a city that is affably similar to her beloved Burlington, Vermont, with the added benefit of ocean air and fresh seafood. With a degree in English and a background in the nonprofit sector, she carries a curiosity for all things communications. From social media and email newsletters to website management and SEO, Izzy is involved.