Department social media accounts are common targets for hackers and other malicious actors. Department social media managers must remain vigilant and take steps to decrease the likelihood of unauthorized access to official accounts.
Consider the following recent examples of phishing attempts directed at official Department Facebook pages:
- Meta will never communicate regarding page issues in your page’s inbox: Multiple posts have flagged a suspicious message in their Facebook page’s inbox. The message is from a profile named “Meta Business Suite.” It states your business page has been disabled and includes a link. This is not an official communication from Meta. It is instead from a false profile named Meta Business Suite with a profile image of a Meta logo.
- Meta will never communicate regarding page issues in your page’s inbox: Multiple posts have flagged a suspicious message in their Facebook page’s inbox. The message is from a profile named “Meta Business Suite.” It states your business page has been disabled and includes a link. This is not an official communication from Meta. It is instead from a false profile named Meta Business Suite with a profile image of a Meta logo.
Review the notification closely – in the screenshot above, a page named “Your post goes against our community standards so only you can see it” has shared a post from a U.S. embassy. At a glance, it is easy to miss this nuance. Clicking to view the post will result in another misleading message outlining false claims that your page violated Facebook’s community standards with a malicious link to click on to appeal the decision. Examples are below:
To prevent hacks, Department social media managers should:
- Use unique (not used for other accounts), complex passwords that are least 12 characters long with a mix of uppercase and lowercase letters
- Enable app-based multi-factor authentication (i.e. using a third party authenticator app like Google Authenticator or Microsoft Authenticator to generate codes)
- Turn on log-in alerts so you always know if someone is trying to gain access to your account.
- Review your logged-in sessions and ensure you recognize which devices have access to your account.
- Watch out for any red flags that might indicate the communication you are receiving is not official. These might include: spelling/grammatical errors, sent from a suspicious email address, links that don’t match what appears when you hover over it, cannot independently verify the issue by separately navigating to the social media site/app and checking for error messages, etc.
- When in doubt:
- Click on the page name in the notification (e.g. “Community Standards Violated” or “You can disagree with the decision if you think we got it wrong” in the screenshots above). If you see a Facebook profile or page similar to this screenshot, it is not a legitimate notification from Facebook:
- Visit your Facebook Page Qualityto verify if Facebook removed a piece of content from your Page.
- Click on the page name in the notification (e.g. “Community Standards Violated” or “You can disagree with the decision if you think we got it wrong” in the screenshots above). If you see a Facebook profile or page similar to this screenshot, it is not a legitimate notification from Facebook:
Additional social media security guidance is available on the Social Media Hub and on the Diplomatic Security Cyber Threat Analysis Division Sharepoint. For questions about account security for official social media accounts, email SocialMedia@state.gov.
