Facebook’s recently released Business Manager is a godsend for any social media manager, strategist, or even security department that needs to manage multiple Facebook Page admins across dozens (or even hundreds or thousands) of Facebook Pages and Ad accounts. With just a few clicks you can see exactly who has access to your Facebook Pages and Ad accounts, and remove that access with just a click. As an agency, this is a dream come true! But there’s one element of security that marketers and businesses need to be aware of, and it could compromise their entire Business Manager access if they’re not careful.
The problem I’m referring to is social engineering. The fact is it’s pretty easy to duplicate or copy another person’s Facebook account. I saw it happen just today – a fraudster finds the friend of someone influential, copies the account of that friend, and starts friending the same people the original person was friends with. If they can make it far enough, the account can look pretty authentic! And if you’re onto them, they’ll just block you so you can’t report them (more on that later).
So what happens when a Facebook Page admin or Business Manager admin is the target? The fraudster just needs to send a request from Facebook Business Manager to one of the owners of the Facebook Page, posing as someone who looks like a legit admin of that account. If that admin is not paying attention, before they know it they’ve been removed from the Page, and the new owner is posting basically whatever they want on their behalf. It could be a social media manager’s nightmare!
So how do you protect yourself? Here are a couple tips:
- Email or call the person sending you a request. This is probably the easiest way to protect yourself. Don’t trust their Facebook account, as it could be hacked. However, sending them a separate email or, even better, making a phone call or walking over to their desk ensures that you’re reaching them through a guaranteed communication channel. If they respond and say it was them, you’re good to approve the request!
  Also, don’t trust an email from someone that says they sent you a request – it’s easy to spoof the “from” line of an email. If you must use email, always write to them directly in a new message (not in a reply) and ask them.
- Turn the management of your Facebook Page and Ad Account access over to your security team. Marketing teams may hate me for this one, but it truly is the safest means. Your security team is trained to watch for stuff like this (and if they aren’t, have them contact me and I can get them trained!). A good security team will watch out for your security, ensure only those that need access to your accounts have access to them, and also empower you as a marketing team to get as much done as you need to get done. A good security team will never be a hindrance, but will also protect your online presence as a company.
- Only give the requesting party the access they truly need to your page or ad account. This is important. It’s so easy to just give “admin” access to just anyone, which means that individual can completely remove other admins, making it a nightmare to recover your Facebook Page. Sometimes, if it’s an agency and you don’t have the experience to manage your page, admin access is appropriate. But make sure your agency (such as Fit Marketing, the company I work for – your security is something we have experience with, and are good at) understands how to keep your account safe, and make sure you email them to confirm it’s them sending the request. Beyond that, ONLY give people the access they need! Hopefully your agency is following this as well (many agencies don’t, so be careful).
- Develop a contingency plan. Most companies don’t have one of these. A contingency plan can help your organization prepare in the event someone does compromise your Business Manager access. It can also ensure employees are educated and following best practices to make your company as secure as possible. Companies such as Fit Marketing, or I myself, can help you develop a solid contingency plan for your business.