UPDATED – Facebook & Instagram Hacking – how to minimise damages or prevent it altogether

A couple of days ago one of our clients rings us with “Mate, I think I stuffed this up… I’m locked out of my page”.

They have 100k+ followers and we assist them with their marketing and web, so naturally, we were all over it immediately. 18 hours of chaos, clean ups, testing, numerous password resets, we got it all back. We are also glad that no time was wasted – the invading party had very little time to cause damage.

Following this event, we have put together this handy list of tips to keep your business account safe.

1.”Help me recover my account” method – exploits rush and impulse response

You might get a message looking a bit like this

Preying on those with trust and perhaps limited knowledge of what is possible, this method takes advantage of phone numbers linked to the Instagram account. 

The hacker, often impersonating a friend will send a very real sounding message via Instagram and tell a sad story how they locked themselves out and need your help to recover their account. The instructions usually include “Just send me a screenshot and don’t click on any links”. 

The moment you send this screenshot you have given them a full access to your account. A well organised hacker will will change your password, associated email, and will also set up a two-factor authentication, which will be near impossible to break. 

Instagram has limited real-person support and makes these recoveries extremely difficult. 


Recommended action – ignore the message and report the user ASAP. 

2. Links in emails are the weakest spot

Scammers and hackers will often send emails that do look very authentic, and links may direct you to pages that look a lot like Facebook or Instagram.

You can assess these links by hovering your mouse over them (the actual link destination will come up in the bottom of your window or next to the link). Don’t click, just hover… You cannot do this on touch screens, so unless you are 100% sure, don’t click it.

The emails will also have questionable sender. It could be something like [email protected] or something completely unrelated.

The only safe way to go about this at the moment, is to NOT click on the link, and open the facebook or instagram app, or meta business suite, and get the notification there. No matter what it is, it will be there, especially if Facebook wants you to see it.

If you cannot find the notification, but think that the email might be legitimate, we advise our clients to call us and take it from there.

3. Wait

No facebook or instagram warning requires action immediately (unless it is asking whether it was you logging in from a particular location). I you receive an email insisting to do something straight away, you should ask yourself it if makes sense and assess the situation. Scammers exploit the sense of urgency they have deliberately created, so the easiest thing you can do is wait.


4. Don’t put your passwords in!

If facebook sent you a legitimate email and you clicked on the link, it should open your browser or app that you are already logged in.


5. Use two-factor authentication

They can feel cumbersome, but we promise – they are way less cumbersome than spending hours and hours cleaning up illegal content from your page.

You should use multiple means of two factor authentication as well, don’t rely on your phone only.

Authenticator apps are great, we use Google Authenticator.

You should also get an email from Facebook about a new log in telling approximate location and device. If it is NOT you, select the option “It was not me”, this will force a password reset and should be done immediately.

6. If your personal account gets hacked, your business account can get hacked too. 

There is a difference between someone impersonating you and someone hacking your account. If your friends are getting requests from another account that looks like you, but is not you, it is an impersonation. It is annoying, but is less problematic than an actual hack.

If you see a piece of content in your account or your business page that you didn’t post, and/or you cannot edit it or remove it, it is often a clear indicator that something is going on.

First point of call is to change your password.
Second point of call is to log out all devices and browsers that are currently logged into your account.
This is only possible if you still have some access to your account.

If you cannot get into your account at all, the process will be a lot more complex, and you will definitely need the Meta team to help you out.

Social Media platforms are not that dissimilar to real world – you don’t have to talk to everyone, and not everything you see out there is true. Unfortunately, there is little regulation and protections, and ill-meaning individuals are constantly evolving their methods and discover new weaknesses.

So to keep your business assets safe remember this:

  1. Prevention – 2 factor authentication, strong password, no clicking on links without triple checking.
  2. Wait – almost all requests from social media platforms can wait, often hours and days.
  3. Be vigilant where you enter your password.
  4. If something looks wrong, act immediately – change passwords, log everyone out, and get in touch with us if you need help.