
How to protect your small business from a new Facebook Messenger scam


Most of us have received a text message or email that looks a bit dodgy. Something along the lines of: “URGENT invoice to be paid TODAY!! Click this link here!” Sound familiar?

While we’re learning more about spotting scams in our inboxes and phones, cyber criminals are always on the lookout for new ways to target people.

One of the latest tricks they’re trying is on Facebook Messenger.

Just like the suspicious emails or texts, they’re asking your business to act quickly and preying on your uncertainty.

Trying to decipher the real from the fake messages can feel overwhelming — that’s where Cyber Wardens comes in. We’ll help you spot the red flags and easily share the knowledge with team members who manage your social media accounts, and fellow small business owners.

What is the latest Facebook Messenger scam?

First up, it’s important to know there are various scams spread on Facebook. They include everything from romance scams, to messages claiming you’ve won the lottery, or someone pretending to be a celebrity. This new Facebook Messenger threat is mostly known as the “Business Services” or “Meta Services Support” scam. The main aim is to harvest personal information like usernames and passwords to gain access to online accounts. Unlike other scams, it is directly targeting small businesses.

How does the Business Services scam work?

The Business Services scam is another example of phishing, where cyber criminals pose as a person or entity to trick you into sending money, downloading malware or sharing sensitive information.

The sender will pretend to be Facebook, Meta (Facebook’s owner) or an associated support service and claim your Facebook page is in danger of being shut down. The message might use one of these reasons (a lie!) to explain what your page has allegedly done wrong:

  • Not complied with their “Terms of Service”; 
  • Infringed upon a trademark;
  • Violated terms and conditions; or
  • Shared prohibited or offensive content.

Just like other phishing scams, they will encourage you to click on a link to “request a review” or “confirm your account” to prevent your page from being deactivated. This link clicks through to a convincing fake login page controlled by hackers ready to steal your username and password.

How can scammers use my credentials?

Your password is like the key to your digital world for scammers. Once they have your login, they take control of your personal and business pages plus all the data, friends and connected accounts.

What can happen when my Facebook Business Page is hacked?

Once your account is hacked, cyber criminals can change your password and block your access. They can use your account to:

  • Spread malware (dangerous software);
  • Run more phishing scams, impersonating you or your business and asking your friends and customers for money;
  • Post inappropriate content to damage your business’ reputation;
  • Access connected email or financial accounts;
  • Steal your identity to use for other scams.

If you re-use the same password, scammers will have the key to access more of your accounts. This is an example of ‘credential stuffing’. It’s a good reminder to use different, strong passwords (or passphrases) across your accounts so if your social media page is compromised, it doesn’t impact anything else.

Red flags to look out for in the Business Services scam

Facebook (or Meta) won’t contact you on Messenger

This is an easy giveaway and will help you feel more confident about spotting a fake message.

Facebook advises they will send any security communications to you via email, not Messenger.

Facebook also keeps a list of any emails they have sent you in your account. To find these emails, follow the steps given by Facebook.

Spelling errors and mistakes

Scammers are getting smarter and using artificial intelligence (AI) to help them write their messages, but they’re still often riddled with spelling and grammar mistakes. Review their messages carefully for this warning sign.

The website address isn’t official

Any communications sent from Facebook or Meta will link to one of their official domains (e.g. “ The website address might look real in the link sent, but after taking a second look, you can pick up minor differences. It might have a spelling mistake or something that looks similar but isn’t exactly the same like:
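As an added illustration (not part of the original article), the check described above can be automated before anyone on the team clicks a link: compare the link's hostname against an allowlist and flag near-misses. The allowlist below is an assumption to confirm against Facebook's own help pages, `classify_link` is a hypothetical helper name, and the sample links are constructed on the reserved `.example` domain.

```python
from difflib import SequenceMatcher
from urllib.parse import urlsplit

# Assumption: domains treated as official; confirm against Facebook's help pages.
OFFICIAL_DOMAINS = {"facebook.com", "fb.com", "meta.com"}
BRANDS = ("facebook", "meta")
# Common digit-for-letter swaps seen in lookalike names (0->o, 1->i, 3->e, 5->s, 7->t).
DIGIT_SWAPS = str.maketrans("01357", "oiest")


def classify_link(url):
    """Return 'official', 'lookalike' or 'unrelated' for the link's hostname."""
    if "://" not in url:
        url = "//" + url  # let urlsplit find the host when the scheme is missing
    host = (urlsplit(url).hostname or "").lower().rstrip(".")

    # Official only when the host IS an allowlisted domain or a subdomain of one.
    # "facebook.com.account-review.example" fails: its real domain is the END.
    if any(host == d or host.endswith("." + d) for d in OFFICIAL_DOMAINS):
        return "official"

    # Otherwise look for a brand name, or a near-miss of one, anywhere in the host.
    tokens = [t for label in host.split(".") for t in label.split("-") if t]
    for token in tokens:
        normal = token.translate(DIGIT_SWAPS)
        for brand in BRANDS:
            if brand in normal:
                return "lookalike"
            # Fuzzy match only for longer brand names, to limit false alarms.
            if len(brand) >= 6 and SequenceMatcher(None, normal, brand).ratio() >= 0.8:
                return "lookalike"
    return "unrelated"


# Constructed sample links, for illustration only.
SAMPLE_LINKS = [
    "https://www.facebook.com/help",
    "https://facebook.com.account-review.example/login",
    "https://faceb00k-support.example/confirm",
    "https://facebok.example/",
    "https://example.org/invoice",
]

if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(f"{classify_link(link):10} {link}")
```

A "lookalike" result means the link borrows the brand name without belonging to an allowlisted domain, which is the pattern this red flag describes; "unrelated" does not mean the link is safe.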

Scare tactics!

The threatening messages in the Business Services scams are used to panic people into acting quickly. Think words like: Important, Urgent and even an emoji ⚠️. If you’re a small business, your Facebook page can be an important channel to advertise your goods and services and connect with customers. Of course you don’t want to lose it. But don’t let their tactics get to you. Scammers often try to create a sense of urgency or threaten you with a big loss. Take time to ask questions and think it through.

What should I do if my Facebook account has been hacked?

  1. Visit the Facebook Help page to recover your account. Facebook will guide you through the steps to change your passwords and protect it for the future.
  2. Update your password across all important company accounts including your email, invoicing and payroll, banking, website login, and share portfolio.
  3. Visit the official Facebook Hacked Accounts page to make a report and for further advice.  Most people who are victims of a cyber crime don’t report it. They might feel alone or ashamed but remember — it can happen to the best of us. By reporting the scam, Facebook and other entities can shut it down and stop it happening to other people. 
  4. Keep an eye on your Facebook Page. If hackers have gained access to your account, they might post strange content or send messages to your customers. In this case, it might be good to get on the front foot and let your customers know to be cautious of any suspicious activity they see on your account until it’s been resolved. 

How do I prevent my Facebook Page from being hacked?

There’s no way to stop these messages from being sent to your account but there are some simple steps to get ahead of online criminals:

  • Educate your team and anyone who has access to your social media accounts about these scams (why not send them this article?).
  • Turn on Facebook’s two-factor authentication, which is like adding a deadbolt to your accounts. Next time you try to log in and enter your password, Facebook will send you a unique code to enter on another device. You’ll also be alerted every time someone tries to access your Facebook account from a different device.
  • Double-check you have a unique and strong password for your social media accounts and that they’re not used anywhere else!

With Cyber Wardens, you can keep your digital floors clean and free of cyber criminals fishing.
