Beware of scams on your business’s Facebook account

Fraudsters could hack into your business’s Facebook account and use your money to advertise their products online.


Running targeted ad campaigns on Facebook can be a great way to drive customers to your business. But while the social media giant’s enormous reach means it has become an important part of many businesses’ customer recruitment strategies, Facebook also attracts unsavoury users. A growing number of businesses have had their ad accounts hacked, and found themselves with a whacking bill run up by their attackers.

The story is depressingly familiar. Businesses that have set up legitimate advertising campaigns on Facebook – the cost of which depends on the number of views each advert gets – suddenly notice a jump in what they are being charged. Sometimes, the bill goes over the maximum spending limit they have set on their accounts; it may run into tens of thousands of pounds.

The explanation is that their account has been hacked. Fraudsters are using the business’s account to run ads of their own. They may also have access to the business’s settings, enabling them to change spending limits and other controls. This can also make it difficult to put a stop to the fraud, even after the business has spotted the problem.

A costly problem

Facebook won’t say how frequently this happens, but the number of small businesses reporting problems appears to be growing. And while the social media giant doesn’t necessarily demand payment when ad spending is run up by fraudsters, it won’t guarantee all losses are refunded. Besides, the true cost of fraud for a business dependent on its Facebook advertising activities may go way beyond the bill run up by the fraudster. It may be impossible to continue running genuine campaigns while trying to fix the issue.

As with most online fraud, there is no single vulnerability that enables fraudsters to attack Facebook ad accounts. Your business could be targeted in many different ways. Certainly, phishing attempts remain rampant – where fraudsters send out emails purporting to be from Facebook in order to send you to a fake website aimed at stealing your login credentials. If you use the same login details for multiple sites, the problem may also lie with a breach of security elsewhere.

However, fraudsters are also becoming more creative. One common scam sees fraudsters posing as customers so they can send over documents to make an order. The document includes malware that installs on your computer and compromises your security.

The more people in the business with access to the ad account, the greater the risk of a compromise. Each user with admin rights to the account becomes a potential target for fraudsters. It therefore makes sense only to grant such rights to those who genuinely need them – and to delete privileges as soon as they are no longer required.

Facebook says some basic cyber-hygiene will offer a good level of protection. It urges ad account users to set up two-factor authentication. This requires users to provide both a unique code and a password to log into the account, and sends out an alert each time someone tries to log in from an unrecognised device. Small business owners can also enable “login request”, asking them to approve or deny requests for access following these alerts.

Facebook also advises businesses to keep the phone number and email address linked to their device updated. This can allow customers to recover their account more quickly. It is possible to report questionable content and accounts by tapping the three dots above posts, or by reporting an account directly from its profile.

In addition, Facebook says it never sends small businesses direct messages; instead, it uses email. Therefore, businesses should never respond to a message sent by an account claiming to be Facebook – it is likely to be a scam.

Securing your Facebook account

However, despite taking careful precautions, businesses do run into problems. One problem is that getting support from Facebook can be difficult. The company is heavily dependent on user guides and help pages on its websites, and so finding a way to speak to someone at Facebook either by email or on the phone is not straightforward.

Some simple steps will help. If you know which admin account is being used to compromise your business, you can remove its access privileges via your settings pages. You can also use these pages to secure your account, even if passwords have been changed. Facebook’s Help services also give you a means through which to report a problem and to request support. This may be necessary to avoid being stung for charges or to get a refund if you’ve already paid out for ads that weren’t yours.

David Prosser
Business Columnist

David Prosser is a regular MoneyWeek columnist, writing on small business and entrepreneurship, as well as pensions and other forms of tax-efficient savings and investments. David has been a financial journalist for almost 30 years, specialising initially in personal finance, and then in broader business coverage. He has worked for national newspaper groups including The Financial Times, The Guardian and Observer, Express Newspapers and, most recently, The Independent, where he served for more than three years as business editor.