Business pages on Facebook have recently been getting a rash of realistic warnings saying the page is violating some unspecified term of service and is about to be taken down. The warnings say you must respond immediately by clicking an official-looking link. DON’T! It’s a scam.
How to identify a bogus warning message and how to protect yourself
- Facebook will never use the Messenger app or Business Suite messages to issue a warning. All warnings will be in a modal message box that’s part of the UI. That means the rest of the application is grayed out and locked.
- Legitimate messages will never address you as “Hello” or “User”. Facebook knows who you are.
- Multi-billion-dollar companies don’t make spelling, punctuation or grammar errors in their messages.
- If Facebook wants you to click a link, the main part of the domain name will be facebook.com or meta.com. If the link is facebook-something.com, or has the name “facebook” somewhere in it other than directly before the .com, the link isn’t legit.
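An added example (not part of the original article): a small Python check that applies the domain rule above by looking at the host a link actually opens, not at where the word “facebook” appears in it. The function name, the three labels and the sample links are constructed for illustration, and the brand-name and punycode test is a simple heuristic.

```python
from urllib.parse import urlsplit

# The two domains the article names as legitimate for Facebook links.
TRUSTED_DOMAINS = ("facebook.com", "meta.com")

def classify_link(url):
    """Return 'trusted', 'lookalike' or 'untrusted' for the host a link really opens."""
    url = url.strip()
    # Browsers read "\" as "/" and drop control characters; this parser does
    # not, so refuse such links rather than guess which host is meant.
    if "\\" in url or any(ord(c) < 0x20 for c in url):
        return "untrusted"
    if "://" not in url:
        url = "https://" + url  # bare "facebook.com/help" style links
    try:
        parts = urlsplit(url)
        host = parts.hostname  # excludes any "user@" prefix and the port
    except ValueError:
        return "untrusted"
    if parts.scheme not in ("http", "https") or not host:
        return "untrusted"
    host = host.rstrip(".")
    # Trusted only if the host IS a listed domain or a subdomain of one.
    if any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS):
        return "trusted"
    # The brand name anywhere else in the host is the lookalike pattern from
    # the list above; punycode or non-ASCII labels can imitate it visually.
    if "facebook" in host or "xn--" in host or not host.isascii():
        return "lookalike"
    return "untrusted"

# Constructed sample links (not taken from real messages).
SAMPLES = [
    "https://www.facebook.com/help",
    "https://www.meta.com/",
    "https://facebook-something.com/appeal",
    "https://facebook.com.page-review.example/login",
    "https://page-review.example/facebook.com/appeal",
]

if __name__ == "__main__":
    for link in SAMPLES:
        print(f"{classify_link(link):10} {link}")
```

Only the first two sample links come back as trusted; the name “facebook” in a hyphenated domain, in a leading subdomain or in the path does not change which site the link opens.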
What happens if you click?
The purpose of these links is to get you to enter your user ID and password so the scammers have them. It’s phishing. They will log in as you and immediately change your contact information: email address, phone number, alternate contacts, everything. So if you use Facebook’s automated services to regain access, it will fail. Confirmations will go to the scammer. As a bonus for them, if you use the same ID and password on other services, the scammers might steal your identity there, too.
With full control of your account, scammers might send messages to your contacts asking for money (“Sorry to bother you but this is an emergency”), they might publish posts designed to harm your business, or they might post wildly impermissible or illegal images designed to get your account banned. There is no recourse for this, and you will lose all your years of posts, pictures, friend list, everything. Permanently.
There are no actual humans at Facebook available to talk to, so you can’t explain yourself to anyone. Remember: if you aren’t advertising on the platform, even if you’re a business user, you aren’t a customer. You’re using the system for free and they owe you nothing. If you are an advertiser, you might get a response if you have a problem with advertising, but if your account is banned for inappropriate content, they will have nothing to do with you.
How do you protect yourself?
Beyond the obvious don’t-click-those-links, set up 2-factor authentication (2FA) for logging in. In the main part of Facebook (not the Business Suite), click your profile picture, then choose Settings and Privacy. From the submenu, choose Settings. Now on the left panel under Accounts Center, click Password and Security. Again on the left, choose Password and Security. Now in the main part of the screen, you can change your password (good idea if you haven’t done this in a while) and enable 2FA. Your password doesn’t have to be a meaningless jumble of characters, but make sure it’s unique. Don’t use it anywhere else.
When enabling 2FA, the most secure option is to use an authenticator app on your phone. If you get a few choices, choose Google Authenticator. It’s free and you download it separately on your phone and set it up. Back in Facebook, allow it to use Google Authenticator and follow the instructions.
The way this works is that when you log in with your ID and password, Facebook will ask for a 6-digit code. You get that code from the app. It’s only on your phone, so even if a scammer has your ID and password, they still can’t access your account. And the code changes every few seconds. Once it’s all set up, log out on all devices currently logged in to Facebook. When you log back in, the authenticator will do its thing. You probably don’t log in every time you go to the site and that’s OK.