I should have known better, but I got caught anyway—a dumb, embarrassing mistake I kind of can’t believe I’m admitting to. Except for this: I don’t want it to happen to you.
And really, it was all so 2020.
I was trying to catch up on work. The first day of school had been delayed while the district scrambled to meet pandemic guidelines. My kids were running in and out of my tiny home office, interrupting every two minutes when I was already trying to do too many things at once. In the mess of windows open on my laptop screen, the inbox for my professional author page on Facebook displayed an unread message, which looked to be an internal communication from Facebook itself. Someone had reported me for violating community standards with a post on my business page. There was stern language reiterating the importance of not using copyrighted images without permission and the like—things I’m careful to never do. Things that I, as an author, take very seriously. Did I want to appeal?
In that moment of distraction, I clicked.
And the hackers were in.
In the panicked days that followed, I heard from four professional author friends—people I know in real life—who recently had the same thing happen to them: indicative of how widespread, targeted, and sophisticated these attacks have become. Of the five of us, two wisely evaded the message. Two of the three victims, me included, mercifully had our pages retrieved, after some headaches and tears. One lost the entire contents of her page—years of platform building—for good.
Of course, we all should have known better. These days too many of us are working in the midst of unprecedented distractions—and these attackers know it. First things first: Here is how to check if a message or email you receive is actually from Facebook. You can always report strange messages to [email protected].
Beyond that, here are some more tough lessons learned on how to protect yourself, and what you’ll want to know in the unfortunate event that it happens to you. To be clear, for the purposes of this post I’m referring to a professional, public FB page, not a personal account.
Enable two-factor authentication on your FB account.
The most unsettling thing about this hack, for me, is that I did have my two-factor settings locked down—but it didn’t stop the breach. Neither did instantly getting a bad feeling about my erroneous click and immediately changing my password. Within moments I’d been removed as admin on my own page and saw nothing but a “page not found” error message on my FB URL.
Still, while I’m sorry to report that this extra security step is not foolproof, it’s one of the only defenses you have. So use it.
Get your page verified if you qualify to do so.
No one really knows the mysterious ways behind the scenes at FB, but anecdotally I was told that complaints about hacked pages carry more weight if you’ve gone through the steps to have your page verified—securing that trustworthy blue checkmark meaning you’ve already proven to FB who you are. Here’s how to request a verified badge on Facebook.
Here’s what I know for sure: The hackers, once they had made themselves admins, attempted to change the name of my page to suit their purposes, and were denied. Facebook recognized that the new name did not reflect the original verified purpose of my page and thus prevented them from moving ahead with their plan (to change it to … a scam storefront? one can only guess). That safeguard would not have slowed them down had my page not been verified.
If you have a publisher, assign a contact there some sort of “role” on your page.
This is someone besides you who might still be able to access your page even if your admin privileges are removed. My publisher had previously accessed my page for marketing/advertising purposes, and while these hackers were savvy enough to remove my publisher’s privileges too, my pub team had something I didn’t: a contact at Facebook.
Trying to navigate Facebook’s help center—when you’ve just seen years of outreach to your audience simply disappear—is frustrating at best. I spent literally hours getting nowhere. I got an error message every time I tried to report the hack through the appropriate channels. Every other menu option ran me in circles, with no way to reach out to a human who could help.
Without my publisher’s willingness to step in and advocate for me, I very well might still be waiting for my case to be resolved.
Know what credit card you have used in your FB account to boost posts or use any other paid services.
The first thing you’ll want to do if you’re hacked is cancel this credit card and report it stolen. But if you can no longer access the page, you’ll need to know without looking what card you had stored there. Otherwise? You’re going to have to cancel them all.
Periodically download a backup of your FB page.
I had no idea you could do this, but I know now: Just follow these instructions. It will come as a surprise to no one at this point that I’m not the most tech-savvy person and this is by no means a deeply researched roundup of guidelines: Merely teachable, sharable moments based on my own experience, author to author. So while I’m not sure how functional the backup would be, should you ever need to rebuild a page from scratch, it must be better than nothing.
And the obvious: Don’t be too quick to respond to messages.
In addition to the better known ways you can spot a phony message: I’ve noticed in the past—when I’ve been smart enough to sidestep these sorts of phishing attempts—that sometimes it takes Facebook’s mysterious algorithms a little time to get wise to suspicious messages and move them into the spam inbox where they belong. If you’re not sure about something and simply wait, it may vanish: Problem solved. If it’s legit, it will stay.
Have a cautionary tale of your own to share? Visit Career Authors on Facebook (we know, we know!) to join our discussion. And if you’d like to hop on over to my author page while you’re there, I’d be so grateful if you’d like or follow (or just say hi!). I’m still so very glad to have it back.