Navigating Facebook’s account access and permissions options can be complicated, but it’s important to get it right because it can save you a lot of trouble in the long run!
Using Facebook Business Manager to control access to your Facebook assets, like your Facebook page, ad account, and pixel, is the recommended way to ensure that you don’t lose your assets due to employee turnover, and that you can control permissions on a granular level. This means that you can grant access to employees and marketing partners, with any permissions needed, and only the permissions needed.
Basically, you’ll create a Business Manager, move your assets under it if they already exist, or create them under the Business Manager, and then add your employees to your Business Manager with the appropriate permissions. The assets “belong” to your Business Manager, as opposed to individual(s). Your Business Manager can have as many admins as you choose (it’s good to grant full admin permissions to multiple trusted people in your organization).
This is the alternative to adding each employee’s Facebook profile to edit or admin your page, ad account, pixel, or other assets, and having to remember to add new employees and remove old employees on each individual asset. You can handle this in one step through Business Manager.
There is also the ability to add a partner through Facebook Business Manager, which is how you should grant access to marketing partners. This gives the agency access to run ads for you, while maintaining your ownership and access to the assets.
When correctly set up, your employees will sign in to Facebook using their own login (whatever they normally use to sign in to their own Facebook profile), and have access to whatever you’ve granted them through Business Manager.
One of the most important features of Facebook Business Manager is the Security Center, which has a setting that you can use to require all users in your Business Manager to use 2 factor authentication on their own Facebook login.
This means that every time a new device attempts to sign in to that employee’s Facebook profile, they will have to use an additional method like a security code to complete the sign in, making it very unlikely that a hacker will be able to access your Facebook assets through an employee’s Facebook login.
Another good thing to have employees keep an eye on is the security settings in their individual Facebook profiles. Periodically checking “where you’re logged in” and “authorized logins” will catch any old devices that need to be signed out, and any authorized devices that are no longer used. Authorized devices don’t ask for the authorization code at sign in, so if they aren’t actually used, they should be removed!
When a company adds Izell Marketing Group as a partner through Facebook Business Manager, they can be confident that our Business Manager is secure. We require 2 factor authentication for all users in our Business Manager, and we update our passwords regularly.
Why is this so important?
There are hackers and scammers out there who will hack an employee’s Facebook account, and if that employee has access to ad accounts, the attackers will change passwords, remove everyone else’s access, and then use the credit card on file to fund scam ad campaigns that are essentially phishing scams to steal consumers’ personal information. They use devious tactics like setting the daily budgets extremely high and targeting widely to get the most clicks and steal the most data. This happened to one of our clients recently, and their account spent almost $500 in 45 minutes. Since the scammer had removed their access to the ad account, their only option was to cancel the credit card that was on file with Facebook to prevent any more spend.
Beyond the financial hit, this can result in the loss of your Facebook assets. If you can’t recover access to your page and ad account (and Facebook support can be less than helpful), you will lose access to your historical data, not to mention having to go through the trouble of setting it all up again correctly. If you lose access to your Facebook page, you’ve lost your followers, and your reputation may have been negatively impacted as well, especially if the hacker uses your page to post spam and malicious links.
What should I do first?
This is definitely one of those situations where an ounce of prevention is worth a pound of cure, so please:
- check on the structure of your Facebook assets as soon as possible
- get set up with Business Manager
- enforce 2 factor authentication for your employees
- educate them on best privacy practices, like using a password manager and 2 factor authentication
- set expectations on what to do immediately if one of their devices is lost or stolen
What if I’ve already been hacked?
If you’ve noticed suspicious spend in your Facebook ads account, try to identify whose Facebook account has been compromised, and remove their access as soon as possible, before the hacker can remove your access and change recovery email addresses. You can add them back once their account is secure.
Don’t delete the spam campaign, but disable it so you don’t spend any more. Keeping the campaign in your account is important so that you can work with Facebook to refund the spend. Contact Facebook support if you need further assistance getting your assets back.
And once you have your assets back, lock them down with Facebook Business Manager! Reach out to us to learn more about how we can help you get your accounts in order and set up for success.