Nowadays you’ll find that the majority of people in the United States have a Facebook profile. Chances are, you have one as well. If you have a business page on Facebook, you definitely have a personal profile. By having profiles on Facebook, or really on any social network, you can be vulnerable to risks such as hacking or phishing. It may be tempting to simply delete your profile(s) – including your business page – but Facebook is a necessary evil these days, particularly with social media marketing.
Threats to Be Aware of on Facebook
Over the last few weeks, we’ve been made aware of a few different phishing and hacking attempts made on our clients’ accounts. To start out with, we want you to know that should we ever need access to your personal profile, we will let you know in advance. We will NEVER reset your password without your knowledge. If you get an email with a code to reset your password on Facebook, and we did not ask you about resetting your password, there is likely an attempt to hack your account, and it should be reported to Facebook.
It’s important to note that if you’ve received (or receive in the future) an email like the one below from Facebook, they will contact you from this email address: email@example.com. Once you’ve verified the sender’s email address, which is super important, you can click on the “let us know” text if you did not request a password reset. This will report the attempt to Facebook. We want to stress to you that before you click on any links in any emails you receive, you should ALWAYS verify the sender, otherwise you may fall victim to a phishing attempt.
Here’s an example email we’ve received.
Some of you may be wondering what phishing is or specifically, what phishing on Facebook might look like. Let’s break it down a bit.
Phishing on Facebook
Phishing on Facebook refers to a deceptive and malicious practice where cybercriminals attempt to trick Facebook users into revealing sensitive personal information, such as login credentials, credit card details, or other confidential data. These attackers typically create fake websites or impersonate legitimate entities to lure users into providing their information.
Here’s how phishing on Facebook typically works:
- Deceptive Messages: Cybercriminals may send deceptive messages or emails that appear to come from Facebook or a trusted friend. These messages often contain urgent or enticing content to grab the user’s attention.
- Fake Login Pages: Victims are directed to fake login pages that closely resemble the legitimate Facebook login page. These fake pages are designed to capture the user’s login credentials when they enter them.
- Impersonation: Phishers can impersonate well-known companies, organizations, or friends on Facebook, making it harder for users to identify the scam.
- Malicious Links: Attackers share links that lead to these fake pages through messages, posts, or comments on Facebook. The links may be disguised using URL shorteners or other techniques to appear legitimate.
- Data Collection: Once users enter their information on the fake login page, the phishers collect this data, which can then be used for various malicious purposes, including unauthorized access to Facebook accounts, identity theft, or further phishing attacks.
Knowing what phishing on Facebook looks like is also super important. Why? Glad you asked. In addition to a vast number of attempted hacks of Facebook profiles, there are a number of other phishing attempts ongoing.
For instance, we’ve had a number of clients receive official-looking messages via Facebook Messenger informing them that their business page has been disabled because their account is in violation of Facebook’s terms and conditions. The message often comes from a Facebook user with a profile name of something like “Facebook Security”, “Meta Security”, or something similar, and the message itself looks like it could be legit. Check out the example below:
The URL appears to be a legitimate Facebook URL, but this author would caution against clicking it still… just in case. We know one thing for certain about this message: it did NOT come from Facebook.
When the above message was received, the user’s profile picture was that of a shield and, as mentioned above, had the username of “Facebook Security” (though, again, the username they change their profile to could be any variation of Facebook or Meta’s security, etc.). In the span of just a few days, the profile had been reported to Facebook and has since been removed, which is why the profile picture in the screenshot is blank.
Another phishing attempt we’ve seen in recent weeks: profiles similar to the one that sent that direct message, using a name like “Facebook Security”, will tag your business page on Facebook with an official-looking image and text saying your company was in violation of terms and conditions, etc. Facebook will NEVER tag your business in a post that tells you your page was in violation.
DO NOT click on any links if your business is tagged in a similar post!!!
Now that we’ve covered the scary parts, let’s talk about what you can do to protect your account.
Here are some things you can do to protect yourself from phishing on Facebook:
- Stay Vigilant: Be cautious when clicking on links or opening messages from unknown sources, even if they appear to be from friends. ALWAYS check that you know the sender!
- Verify URLs: Check the URL in the browser’s address bar to ensure it’s the official Facebook website (https://www.facebook.com) before entering your login information.
- Use Two-Factor Authentication (2FA): Enable 2FA for your Facebook account to add an extra layer of security. This one is crucial to the security of your account. We encourage ALL clients – and users of Facebook – to set up two-factor authentication immediately on your account.
- Keep Software Updated: Ensure your browser, operating system, and antivirus software are up-to-date to protect against known vulnerabilities.
- Report Suspicious Activity: If you suspect phishing or come across a fraudulent page or message, report it to Facebook immediately.
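The “verify the sender” advice above and the “Verify URLs” step come down to two checks that are easy to get wrong by eye: is the link’s real domain facebook.com, and is the From address (not just the display name) at the expected domain. The script below is an added example, not code from the original post or from Facebook; the sample links and the `example.com` sender domain are constructed stand-ins for the address the post refers to.

```python
from __future__ import annotations
from urllib.parse import urlsplit

# The official site named in the checklist above; subdomains such as
# m.facebook.com share this registrable domain.
OFFICIAL_DOMAIN = "facebook.com"


def is_official_facebook_url(url: str) -> bool:
    """True only if the link genuinely points at Facebook over HTTPS.

    The decision is made on the registrable domain, so look-alikes such as
    'www.facebook.com.evil.example' (registrable domain 'evil.example'),
    'faceb00k.com', a Cyrillic 'а' inside 'fаcebook.com', or a shortened
    link (its host is the shortener, not Facebook) all fail, while
    'https://www.facebook.com/...' passes.
    """
    parts = urlsplit(url.strip())
    if parts.scheme.lower() != "https":
        return False
    if parts.username is not None:
        # 'https://www.facebook.com@evil.example/' puts the real host after
        # the '@'; a genuine Facebook link never embeds credentials.
        return False
    host = (parts.hostname or "").lower()
    return host == OFFICIAL_DOMAIN or host.endswith("." + OFFICIAL_DOMAIN)


def is_sender_from_domain(sender: str, expected_domain: str) -> bool:
    """True if the From header's actual address is at expected_domain.

    The display name is ignored on purpose: a header such as
    'email@example.com <attacker@evil.example>' shows the right address as
    a *name* while the real sender is attacker@evil.example.
    """
    addr = sender.rsplit("<", 1)[-1].rstrip(">").strip()
    local, sep, domain = addr.rpartition("@")
    return sep == "@" and bool(local) and domain.lower() == expected_domain.lower()


def suspicious_links(links: list[str]) -> list[str]:
    """Return the links in a message that fail the Facebook URL check."""
    return [link for link in links if not is_official_facebook_url(link)]


if __name__ == "__main__":
    # Constructed sample: links from a "page disabled" message like the one above.
    sample_links = [
        "https://www.facebook.com/help/",
        "https://www.facebook.com.appeal-center.example/restricted",
        "http://www.facebook.com/",
    ]
    print(suspicious_links(sample_links))
```

Paste the links from a suspicious message into `sample_links` and anything printed is a link not to click; the check cannot see through a URL shortener, so a shortened link is reported as suspicious too.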
Setting Up 2FA on Facebook
Setting up two-factor authentication (2FA) on Facebook is a simple yet effective way to enhance the security of your Facebook account. Here’s how you can set up 2FA on Facebook using a desktop computer:
- Log in to Your Facebook Account: Open your web browser and go to the Facebook website (https://www.facebook.com). Log in to your account if you’re not already logged in.
- Access Security Settings:
Click on the downward-facing arrow in the top right corner of the Facebook page.
From the dropdown menu, select “Settings & Privacy,” and then click on “Settings.”
- Navigate to Security and Login:
In the left-hand sidebar, click on “Security and Login” to access the security settings.
- Set Up Two-Factor Authentication:
Under the “Two-Factor Authentication” section, you’ll see an option that says “Use two-factor authentication.” Click on “Edit.”
- Choose a 2FA Method:
Facebook offers several 2FA methods. You can choose from:
Text Message (SMS): Facebook will send a verification code to your mobile phone when you log in.
Authentication App: You can use a third-party authentication app like Google Authenticator or Authy to generate codes.
Security Key: This is a hardware device that provides an extra layer of security.
Select your preferred method and click “Next.”
- Follow the On-Screen Instructions:
Depending on the method you selected, Facebook will provide instructions to set up 2FA. If you chose SMS, you’ll need to enter your phone number and verify it with a code sent via SMS. If you choose an authentication app, you’ll need to scan a QR code or manually enter a key provided by Facebook.
- Confirm 2FA Setup:
Once you’ve completed the setup, Facebook will ask you to enter a code from the authentication method you chose to confirm that 2FA is working correctly. Enter the code and click “Next.”
- Save Backup Codes (Optional):
Facebook will provide you with a set of backup codes. It’s a good idea to save these codes in a safe place. If you ever lose access to your 2FA method, you can use these codes to regain access to your account.
To recap, we will never attempt to reset the password to your personal profile without your prior knowledge. There are widespread, malicious threats circulating on Facebook right now, so remain vigilant and report any threats to Facebook directly. And if you haven’t already, set up two-factor authentication as soon as you can. Should an attacker gain access to your personal profile, they would have access to any and all pages that you have admin access to, in addition to any payment profiles (ad accounts). Any and all of that could result in you losing access to your personal profile and your business page, and in fraudulent charges being made to your bank account. We can’t stress enough the importance of setting up 2FA. So, please do yourself a favor and set it up if you don’t have it. If you think you have it, we recommend that you still verify that it’s enabled on your profile.