How to avoid phishing scams on Facebook Messenger for Business


Almost since its birth, Facebook has been an important tool for small businesses. It’s a low-cost way to sell your services, interact with customers and build a community around your business.

However, wherever small businesses gather in any number, so too do cybercriminals, like predators at a savanna watering hole. Facebook for Business is no different. Over the past few years, the platform's messaging service has become a regular launchpad for phishing campaigns. And, unfortunately, the problem is only getting worse, with social media account takeovers reported to have increased by over 1,000% in the past year.

However, this doesn’t mean you need to avoid the app altogether (as we said, it’s a useful tool). With the right knowledge, you can get back to communicating confidently. So, here’s everything you need to know about Facebook Messenger scams – what they look like, the consequences of a breach, and how to combat them.

What does a Facebook Messenger phishing scam look like?

Like most phishing attacks, Facebook Messenger scams typically rely on social engineering. But, there are a few different approaches out there.


The classic Facebook scam

First of all, there is what we call the 'classic' Facebook Messenger scam. This is a well-worn approach, but don't let that fool you: 'well worn' doesn't mean ineffective, even if it lacks sophistication. A surprising number of businesses still get caught out by this tactic.

Scammers will usually pretend to be potential customers or partners and try to trick you into handing over sensitive information. It could be a prospective 'partner' who just needs some financial details before they can commit, or a customer who is seemingly desperate for you to check out their website (don't click the link!).

The Facebook support team scam

Recently, we’ve seen a far more insidious scam on the platform. Scammers have begun posing as Facebook support or security teams.

This scam typically starts with a message claiming your business page is at risk of being banned or disabled because of policy violations. The message will seem urgent and official, often using Facebook branding and logos, and will include a link to supposedly 'verify your account' or appeal the violations. Unsurprisingly, this link doesn't unlock your account or clear your business's name. It usually leads to a spoofed Facebook login page that harvests the credentials you type in, or to a site that tries to install malware on your device.

Another variant claims your business needs to 'top up' the funds for any on-site advertising you might be running. Once again, the link leads to a spoofed Facebook page where you'll be asked to enter payment card or other financial details. If you're unfortunate, like us, you might have received a flood of these messages in recent months.

What are the consequences of a successful scam?

The consequences of falling prey to one of these scams vary, depending on what the cybercriminals managed to persuade the victim to do. However, some of the most common outcomes include:

– Losing control of your business’s social media page to hackers who then use it to post malicious content or launch further scams

– Financial loss, either through the initial scam or a subsequent ransomware attack

– Compromised sensitive personal or proprietary data 

– Reputational damage from all of the above

All in all, being hit with a successful Facebook Messenger scam is something your business desperately needs to avoid. Let’s look at how…

How can you avoid falling victim?

Although the method of attack might be new, Facebook Messenger scams are still a form of phishing. This means that many of the principles that can be used to combat other types of phishing scams can be applied here.

1. Keep Facebook’s policies in mind

Remember how Facebook actually communicates. Meta does not open a Messenger chat with page owners to warn them about policy violations; genuine notices appear in your account's notifications and Support Inbox, and at the email address registered to the account. Any unexpected Messenger warning about your page being banned is very likely a scam, however official it looks.

2. Check the URL

Verify that any link points to an official Facebook or Meta domain (facebook.com, fb.com, messenger.com, meta.com). Hover over links to preview the URL before clicking, and read the whole hostname, not just whether 'facebook' appears somewhere in it: facebook.com.verify-appeal.example and facebook-security.example are not Facebook. Remember too that even an official link shortener or redirector can forward you somewhere else entirely.

3. Look for errors

Watch for poor grammar, spelling errors, and other typos. Scammers are rarely gifted writers and you’ll often find telltale slip-ups in their messages.

4. Verify who the sender is

Check out who a potential partner or customer is claiming to be before you engage with them or share any information over Messenger. A quick search of their name on LinkedIn and a check of the company website or its Facebook Business page should be enough to raise any red flags. And, if in doubt, don’t engage. 

5. Use MFA

Turn on multi-factor authentication (MFA) for your Facebook and Facebook Business accounts. This will make it much harder for a cybercriminal to gain access to your account even if they do steal your login credentials.

6. Don’t trust unusual requests 

Don’t trust any request for your login credentials, password, or MFA code that comes through Messenger. Facebook will never ask for that information through chat.

7. Prioritise privacy 

Facebook business pages are public by nature, so you can't hide one from scammers, but you can limit what they can do with it. Review the page roles regularly and remove anyone who no longer needs one, keep admin roles to the few people who genuinely need them, and make sure every admin's personal account is locked down with a strong password and MFA, since a compromised admin account is the usual route to a page takeover. Tightening who can message and comment on the page also cuts down the volume of scam traffic you have to deal with.

8. Report anything fishy

Finally, report any suspicious activity to Facebook. Any examples you can provide are crucial to improving the platform’s security and rooting out malicious users.
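To make the 'Check the URL' step above concrete, here is an added example (it is not code from the original post) that triages every link in a Messenger message. The allowlist of official domains, the sample message and the hostnames in it are assumptions constructed for illustration; the checks themselves cover the tricks scammers actually use: brand names inside a different registered domain, a 'user@' prefix that hides the real host, look-alike international characters, plain http, and an official redirector whose query string points elsewhere.

```python
"""Added example, not code from the original post: triage the links in a Messenger
message the way the 'Check the URL' step above describes. The allowlist of official
domains, the sample message and the hostnames in it are assumptions constructed for
illustration."""
from __future__ import annotations
import re
from urllib.parse import urlsplit, parse_qs

# Registrable domains Meta actually uses for login, help and support pages
# (assumption: a short allowlist is enough for a page owner; extend as needed).
OFFICIAL_DOMAINS = {"facebook.com", "fb.com", "fb.me", "messenger.com", "meta.com", "instagram.com"}

BRAND_WORDS = ("facebook", "meta", "messenger", "instagram")

URL_RE = re.compile(r"https?://[^\s<>\"')\]]+", re.IGNORECASE)


def registrable_domain(hostname: str) -> str:
    """Last two labels of a hostname, e.g. www.facebook.com -> facebook.com.
    Good enough for .com-style TLDs; .co.uk-style suffixes need the Public Suffix List."""
    labels = hostname.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_link(url: str) -> tuple[bool, str]:
    """Return (looks_official, reason). False on anything scammers commonly abuse."""
    parts = urlsplit(url.strip())
    if parts.scheme.lower() != "https":
        return False, f"scheme is {parts.scheme!r}, not https"
    if "@" in parts.netloc:
        # https://facebook.com@evil.example/ : the real host is the part after the '@'
        return False, "userinfo before '@' hides the real host"
    host = parts.hostname or ""
    if not host:
        return False, "no hostname"
    if not host.isascii() or any(label.startswith("xn--") for label in host.split(".")):
        return False, "internationalised hostname, possible look-alike characters"
    domain = registrable_domain(host)
    if domain not in OFFICIAL_DOMAINS:
        if any(word in host for word in BRAND_WORDS):
            return False, f"'{host}' mentions the brand but is registered as {domain}"
        return False, f"unrecognised domain {domain}"
    # Even an official redirector (l.facebook.com/l.php?u=...) can forward you elsewhere.
    for values in parse_qs(parts.query).values():
        for value in values:
            if value.lower().startswith(("http://", "https://")):
                return False, f"official domain, but it redirects to {value}"
    return True, f"registrable domain {domain} is official"


def triage_message(text: str) -> list[tuple[str, bool, str]]:
    """Extract every link in a chat message and classify it."""
    return [(url, *classify_link(url)) for url in URL_RE.findall(text)]


if __name__ == "__main__":
    # Constructed sample of the 'page at risk' message described above.
    sample = ("Your Page has violated our community standards. Verify within 24h or it will be "
              "permanently disabled: https://www.facebook.com.page-appeal-center.example/verify "
              "Help: https://www.facebook.com/help/")
    for url, ok, why in triage_message(sample):
        print(("OK  " if ok else "BAD ") + url + "  <- " + why)
```

Run against the constructed sample, the first link is flagged because its registered domain is page-appeal-center.example despite starting with www.facebook.com, while the second passes. The registrable-domain logic is deliberately simple (last two labels); for country-code suffixes such as .co.uk you would use the Public Suffix List.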

As with all phishing attempts, Facebook Messenger for Business scams aren’t particularly sophisticated and can be avoided with a little vigilance. Follow the steps laid out above and you’ll be able to do business using Facebook safely and securely. 

Want to know more about the threats facing small businesses and how to guard against them? Check out our guide to protecting your business on a budget.


IoT: The good, the bad, and the unsecured


As Black Friday and Cyber Monday approach, anticipation is growing for this year’s snips, steals and deals on Internet of Things (IoT) devices. However, amid the thrill of Black Friday bargains, it is crucial to exercise caution and consider the potential security implications associated with purchasing and deploying IoT devices. 

What is IoT?

The Internet of Things, commonly referred to as IoT, is essentially a network of everyday physical devices that collect data and exchange it with each other and with cloud services over the internet.

The concept first came about in 1982 when Carnegie Mellon University students linked the department vending machine to their computer, allowing them to check if drinks were in stock and chilled.

However, many people don't count this as the first true IoT device, since the internet as we know it didn't yet exist (Tim Berners-Lee's World Wide Web was still seven years away). That honour usually goes to a toaster that John Romkey connected to the internet in 1990 so that it could be switched on and off remotely. A later version of this bizarre device was equipped with a small crane to insert the bread.

IoT has continued to expand from here and, based on the most recent data, around 15 billion IoT devices are currently connected. It’s anticipated that this number will nearly double, reaching 29.42 billion by 2030.


Where is IoT used – The good, the bad and the bizarre

IoT is used in our homes, offices, manufacturing machinery, agriculture and more. More specifically, this includes smart home devices such as fridges and dishwashers, wearable technology like smartwatches, and medical devices, with pacemakers being a great example.

IoT has the potential to enhance our lives, for example by facilitating independent living for elderly people with conditions such as dementia. Sensors around the home gather ambient data linked to residents' movements, and if activity drops below a certain threshold, a device immediately notifies family members or carers of a potential emergency.

Whilst working as a detective in the police, I saw IoT employed for malicious purposes on many occasions. One such case involved a recently separated couple who had to maintain contact because of their young child. Whilst Mum was out with her baby, she would frequently bump into the child's father.

After months of this and other strange activities occurring, it was discovered that a tracking device had been placed in the child’s pushchair. This shared real-time location updates and allowed impromptu meets between father and child.

As you might expect, there are also many bizarre IoT devices out there, including smart egg storage devices that can track the age of eggs and send alerts when your egg stock is running low. Although some may say that is a cracking idea!

IoT security vulnerabilities

A security vulnerability in an IoT device can take several forms, from insecure default settings to a lack of physical security. A device might allow anybody to log in because it requires no authentication at all. Or, where login details are required, it might ship with default credentials such as a username and password of 'admin' that are never changed.

Many of us will have IP (Internet Protocol) CCTV both in our homes and places of work. Vulnerabilities may exist in these too. Failing to ensure updates are applied to our CCTV could leave known vulnerabilities unaddressed, making it susceptible to exploitation. I have seen many cases of IP CCTV being hacked and people’s personal lives being streamed live on the internet for the world to watch.

What can we do to protect ourselves?

The first thing that we can all do before we click buy on that new device, is to ensure that we are buying it from a reputable company. There are so many devices available to us for comparatively little cost. But buyer beware, often a low price can mean poor security. 

Although we can’t all be expected to comprehend the intricate technical workings of our devices, we can develop a basic understanding of security best practices. This should help ensure that the IoT devices we bring into our homes or workplaces are safe.

So, what are some of the things you can do? In no particular order, here are some of the basic requirements for cybersecurity.

1. Change default passwords

Ensure that you’re using strong and unique passwords to access devices. If in doubt, use the NCSC’s ‘three random words’ approach.

2. Apply patches and updates

Security updates and patches are extremely important in fixing any vulnerabilities in the operating system or firmware installed on your devices. Without these patches, cybercriminals could easily exploit vulnerabilities to hack into your device. 

3. Configure your routers and firewalls to block external traffic

To keep IoT devices within your home safe, you must ensure that nothing outside your home network can connect to them directly. Configure your router and firewall to block unsolicited inbound traffic (most home routers do this by default, so check that no port-forwarding rules or UPnP mappings have punched holes in it). This won't stop a device that phones home to a compromised cloud service, or an attacker who is already on your network, so ideally put IoT devices on their own Wi-Fi network or VLAN, separate from your computers and phones.

4. Only purchase devices with high-level security protocols

Try to stick to devices whose connectivity is secure by design: encrypted and authenticated communication to the cloud (TLS for Wi-Fi devices, or a protocol with built-in link encryption such as LoRaWAN, a low-throughput long-range wide-area network that uses AES-128 keys). Just as important is a published security-update policy, so you know how long the manufacturer will patch the device. You should find these details in the specs of any reputable product.

5. Check your privacy settings

We've already mentioned passwords, but there are a few other things you can do to improve your privacy and security. First of all, set up multi-factor authentication (MFA) on the accounts and apps that control your IoT devices (few devices support MFA themselves, but the cloud account almost always does), whether that's biometric authentication such as fingerprint or facial recognition, or a one-time passcode from an authenticator app. Security questions are just a second thing you know, so they add far less than a second factor you have or are.

MFA makes it much, much harder for any would-be hacker to gain access to your device even if they manage to find it on a network.  
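As an added example for the 'change default passwords' advice above (this is not code from the original post), here is a small pre-deployment audit that checks each device's login against well-known factory defaults, flags short and reused passwords, and generates a replacement using the NCSC 'three random words' approach. The default-credential pairs, the device inventory and the word list are short constructed samples; a real audit would use the much longer lists that IoT scanners ship with.

```python
"""Added example, not code from the original post: a pre-deployment check of each
device's login against well-known factory defaults, plus a replacement password built
with the NCSC 'three random words' approach. The default-credential pairs, the device
inventory and the word list are short constructed samples; a real audit would use the
much longer lists that IoT scanners ship with."""
from __future__ import annotations
import math
import secrets

# Constructed sample of factory credentials seen on cheap cameras and routers.
DEFAULT_CREDENTIALS = {
    ("admin", "admin"), ("admin", "password"), ("admin", "1234"), ("admin", ""),
    ("root", "root"), ("root", "12345"), ("user", "user"), ("supervisor", "supervisor"),
}

# Constructed sample word list. A real one (e.g. a diceware list) has thousands of words.
WORDLIST = (
    "anchor", "basket", "candle", "dolphin", "engine", "falcon", "garden", "hammer",
    "island", "jacket", "kettle", "lantern", "meadow", "needle", "orchard", "pepper",
    "quartz", "rocket", "saddle", "timber", "umbrella", "velvet", "walnut", "yonder",
)


def is_default_credential(username: str, password: str) -> bool:
    """Exact match against the factory-default list (usernames are case-insensitive)."""
    return (username.strip().lower(), password) in DEFAULT_CREDENTIALS


def three_random_words(wordlist=WORDLIST, words: int = 3, sep: str = "-") -> str:
    """NCSC-style passphrase drawn from a CSPRNG; never use random.choice for this."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))


def passphrase_bits(words: int, wordlist_size: int) -> float:
    """Entropy of a random passphrase: each word adds log2(list size) bits."""
    return words * math.log2(wordlist_size)


def audit_device(name: str, username: str, password: str, seen_passwords: set[str]) -> list[str]:
    """Return the problems with one device's login and record its password for reuse checks."""
    issues = []
    if is_default_credential(username, password):
        issues.append("factory default credentials")
    if len(password) < 12:
        issues.append("shorter than 12 characters")
    if password in seen_passwords:
        issues.append("same password as another device")
    seen_passwords.add(password)
    return issues


def audit_inventory(inventory: list[tuple[str, str, str]]) -> dict[str, list[str]]:
    """Audit every (name, username, password) and return only the devices with findings."""
    seen: set[str] = set()
    report = {}
    for name, username, password in inventory:
        issues = audit_device(name, username, password, seen)
        if issues:
            report[name] = issues
    return report


if __name__ == "__main__":
    # Constructed inventory for illustration.
    devices = [
        ("front-door-cam", "admin", "admin"),
        ("garage-cam", "admin", "Summer2023!"),
        ("thermostat", "owner", "Summer2023!"),
        ("smart-plug", "owner", three_random_words()),
    ]
    for device, issues in audit_inventory(devices).items():
        print(f"{device}: {', '.join(issues)}")
    print(f"3 words from 24: {passphrase_bits(3, 24):.1f} bits; "
          f"from 7776: {passphrase_bits(3, 7776):.1f} bits")
```

The entropy figures show why the size of the word list matters: three words from the 24-word sample give only about 14 bits, while three words from a 7,776-word diceware list give nearly 39 bits. Keep the list large and the choice genuinely random.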

Finally, the single most important thing that we can all do when it comes to security is to keep ourselves updated and aware of new and emerging threats. So, if you’ve read this far, well done.


What are the basic requirements for cybersecurity?


Ideally, no business only does the bare minimum for their cybersecurity. But it’s understandable that many small or medium businesses are limited by their budget. If this is the case for yours, you need basic cybersecurity measures that are effective yet affordable.

Here’s how you can ensure your business is protected and secure, without breaking the bank.

5 basic cybersecurity measures for businesses

Cybersecurity mustn’t slip under the radar for small businesses. 43% of all data breaches involve small businesses, with 60% of these businesses filing for bankruptcy within six months of an attack. 

Luckily, the cybersecurity landscape is full of many great solutions to secure your business, ranging in complexity and price depending on the levels of protection you need. And it can be helpful to go back to basics in tough economic times.

You can do this without sacrificing security by following the control areas of Cyber Essentials. We’ve outlined them, and what they mean for small businesses, in this blog.

Here are some examples of the basic cybersecurity measures that any small business can take to maintain a good level of protection against cyber threats:

1. Make your business internet connection secure

There’s always a risk to your business network and equipment when you have a broadband connection. Think about it – it’s always on – so there’s always a window of opportunity.

Luckily there’s no need to fret. Instead, ensure that you’re using a business broadband package. They’re more comprehensive compared to a home broadband package and include proactive security measures.

For example, many business broadband options come with a router that includes business-grade security features. Look for a firewall that blocks unsolicited inbound connections, a VPN for secure remote access, and content filtering. With this functionality built in, you don't need to spend more on additional solutions for these basics.


2. Switch on secure settings for business devices

Business equipment and software often come with the manufacturer’s default settings. This is useful to set things up quickly. But did you know that it’s easy to ‘upgrade’ your devices to a more secure setting?

Secure settings provide a greater level of protection against security vulnerabilities. Simply check the settings of your business equipment and take a critical look at its features and services. For more explicit advice, the National Cyber Security Centre provides free, trusted security guidance for businesses across a wide range of platforms.

You can also implement measures like multi-factor authentication across devices as an additional level of security, or set up screen locking on every device so that a biometric, password or PIN is needed to unlock it.

3. Manage data access in your business

Check that only the right people have access to the data they need in your business. 

For example, only certain team members might need to access sensitive data, so they are the only ones that need permission. 

A ‘least privilege’ policy is the best method of managing data access in your business. It only allows users to have the minimum level of access or permissions needed to perform their jobs. This creates a safer environment for your data and reduces the risk of harmful, or accidental, actions. 

4. Protect against malware and viruses

Antivirus software is a basic cybersecurity measure for all businesses. It’s a type of software product that detects, quarantines, and blocks malware from running on your business devices. These are malicious programs that can impact your data, alter, or hijack functions, or monitor end-user activity.

If your budget is tight, you don’t necessarily have to spend a lot of money on antivirus software. There are free and built-in anti-virus solutions for most popular business platforms. If you’re looking for something a little more robust, read our blog that highlights our top 10 antivirus products.

5. Keep software and devices up to date

Manufacturers release regular updates for software and equipment, whether to add new features or to fix bugs and security flaws.

The programs, software, devices, systems, and tools you use every day will require updating every now and then. And if you’re using an old version of them that isn’t up-to-date, it leaves your business open to vulnerabilities. Ironically, even outdated antivirus software could be exploited by bad actors.

Regularly patching your software and devices avoids these problems. Making sure every tool in your business is running the latest version helps you create a safer working environment. 

Always cover the basic cybersecurity principles

Implementing these basic cybersecurity measures is a simple, straightforward, and affordable method of keeping your business secure. 

And for small or medium businesses looking for extra security qualifications, these steps are part and parcel of qualifying for a Cyber Essentials certification – a government-backed qualification that proves to customers and partners that your business protects itself from cyberattacks.

Still unsure about what the ‘must haves’ are when it comes to your business’s cybersecurity? Then check out our guide to cybersecurity on a budget.


5 tips to improve your cloud security

Cloud computing is everywhere. You probably don’t think about it all that much, but most of the platforms and software you use will be hosted in the cloud. However, while cloud-based platforms are generally the safest around, there are extra steps you can take to protect your business. Here are our top 5 tips for improving your cloud security.

1. Use Multi-factor authentication 

Multi-factor authentication (MFA) is an authentication tool that requires you to provide two or more verification methods to sign into an application. Rather than just asking for a username and password, MFA adds some extras: for example, a one-time code from an authenticator app or sent by SMS, a thumbprint, or a hardware security key. SMS codes are better than nothing, but they can be intercepted or redirected by SIM-swapping, so prefer an authenticator app or a security key where the service offers one.

You’ve probably already used MFA plenty in your day-to-day life. Many applications now require it and we’re well on the way to it being a near-universal security tool.

This is happening for a very good reason. Strong passwords are important, but they aren't infallible. They get phished, reused across sites and exposed in other people's breaches, and a well-orchestrated brute-force attack can still find a way through a weak one. In contrast, MFA is very difficult for a cybercriminal to get past without also holding your phone, security key or fingerprint. It isn't a silver bullet, though: modern phishing kits relay one-time codes in real time, and attackers spam push notifications hoping you'll approve one. Treat an unexpected MFA prompt as a sign your password has already been stolen, and where possible use a phishing-resistant method such as a hardware key or passkey.

Moreover, under the new Cyber Essentials requirements, MFA should always be used for accounts connecting to cloud services. 


2. Manage user access carefully

It’s likely you’re already doing this with some of the cloud-based software you use. After all, who pays for licences they don’t need? However, as a general rule, it’s important to give your staff access to all the resources and data necessary for their roles, and no more.

There are two key reasons for this. Firstly, it reduces the risk of someone editing or deleting important information by accident. But, more importantly, it protects you from hackers who have stolen an employee’s credentials.

Practising proper segregation of user accounts limits the damage any successful breach can cause. To learn more about how to do that, check out our blog on admin users.

3. Create a comprehensive off-boarding process

It’s never nice when a colleague leaves, especially if it’s not on good terms. But however staff leave, you need to make sure they no longer have access to cloud platforms, systems, data and customer information.

Of course, it’s unusual for employee off-boarding to go dramatically wrong, but that doesn’t mean you shouldn’t take precautions. Too many businesses leave the process weeks or even months after an employee has left, or forget altogether. 

This is a big security risk. By failing to cull access permissions for former employees, you’re losing control over who can access your systems and data, and potentially giving cybercriminals an easy route into your business.

To prevent the worst, you’ll need a systematic process for ensuring all access rights are revoked. This can be tricky as most employees will have access to a range of applications and platforms. So, to make it a simpler process, keep an up-to-date list of who has access to what. And, if you don’t have the bandwidth to do so in-house, there are plenty of tools available to automate the process.

4. Consider a cloud-to-cloud backup service

As we’ve mentioned, a direct breach of any cloud platform you use is unlikely (though not impossible). Nevertheless, the risk to your data from human error is high. Some 90% of all breaches start with some form of human error.

The problem is, should a cybercriminal corrupt your data or an employee delete something, most cloud platforms will only keep backups of deleted data for a specific period. This can range from days to months. So as well as checking with the provider what its policy is, it could be worth having a reserve option.

Many providers offer regular cloud-to-cloud backup services. And, it’s an option well worth considering for particularly important or sensitive data. 

5. Provide regular security training for employees

If you’ve read any of our blogs before, you’ll know we really hammer home the importance of staff training. Cloud platforms typically have very good defences, meaning the most likely way a hacker will bypass them is by stealing employees’ login credentials. This will usually happen through a social engineering attack, such as phishing.

The best way to counter this is with regular security training. That way, your people will be able to recognise potential threats and avoid them. There’s no such thing as one-size-fits-all security training. What the training looks like will depend on your staff and their knowledge gaps. 

However you do it, keep it regular, useful, and engaging. For more on how to get started, we recommend reading our blog on security training.

To find out more about the threats facing businesses, read our guide, The State of UK SME Cybersecurity. It’s full of useful insights into the risks small businesses face and what can be done to counter them. Get your copy here.


What is multi-factor authentication?


When you sign in to an online account, you’re asked to prove your identity (a process we call authentication in the cyber world). Usually, you’ll do so via a username and password. The trouble is, it’s not a very safe way to do it. Usernames can be guessed and many of us use the same, simple passwords for everything.  

So it’s been clear for some time we need something better. Enter Multi-factor authentication (MFA). But what is it? And why should you use it?

What is multi-factor authentication?

MFA is an authentication method that requires you to provide two or more verification methods to sign into an application. Instead of just asking for your username and password, MFA adds some extras, like a randomly generated pin code sent by SMS, a thumbprint, or a piece of memorable information known only to the user. 

You've probably already experienced this if you've used online banking or signed into a Google account recently. In fact, it's well on the way to being commonplace for most applications.

The idea behind MFA is very simple. The more locks you have on the door, the harder it is for an intruder to break in. Think of it as adding a cyber deadbolt, a door chain lock, and maybe some cameras for good measure to keep the bad guys out. 

Why does your business need it?

Again, the why is delightfully simple. Using MFA can dramatically reduce the chances of a successful cyberattack on your business. 

Passwords and user credentials are important, but they’re vulnerable to brute-force attacks and can be stolen by hackers. In contrast, an MFA method like a thumbprint or one-time PIN is very difficult for even the most dedicated cybercriminal to crack. 

On top of the obvious security benefits, you’ll also need some form of MFA to complete Cyber Essentials certification. Under the new requirements, MFA should always be used for accounts that connect to cloud services. 

What types of multi-factor authentication are there? 

Broadly speaking, there are three neat categories of MFA:

  • Information you know, such as a password, security question, or PIN
  • Objects you possess, such as a smartphone – this is where one-time PINs come in
  • Things you are, think biometrics like thumbprints or voice recognition

2FA or MFA? 

At this point, you could be forgiven for wondering whether using MFA is overkill. After all, you probably already use two-factor authentication (2FA) for things like your business banking or office suite (Microsoft 365 or Google Workspace). Do you need the extra authentication factors? 

Remember the old maxim, beloved by school teachers and parents, 'it's better to be safe than sorry'? Well, it really does apply when it comes to cybersecurity. 2FA is hard for cybercriminals to crack and it's far safer than using just a password. Adding further layers makes the risk smaller still, but the kind of factor matters more than the count: a phishing-resistant second factor such as a hardware security key or passkey does more for you than a third factor that can be phished or guessed. The harder it is for cybercriminals to breach your business, the less likely they are to succeed.

Protecting your business on a budget is tricky. Calling in the experts or investing in the latest tools is expensive. So what can you do? CyberSmart Active Protect secures your business around the clock with no need for costly consultants, tools or an in-house team. Try it today.


Practices for maintaining cyber security every business owner should know

As the regulations, risks and budgets your business faces evolve and the business grows, maintaining cyber security shouldn't be an afterthought. It should be part of the bedrock of your organisation.

The Cisco 2020 CISO study demonstrated that cyber security remains a high priority among executive business leaders, with an increase in investment for security automation technologies as the scale of complexity increases. 

While automated security tooling helps to combat cyber attacks, there are several steps you can take as a business to protect yourself:

Strict access control (Zero Trust)

Zero Trust is a holistic information security framework and an essential component of cyber security. Rather than assuming that all people and systems operating inside the network perimeter can be trusted, it relies on verifying every access request before granting it.

This can be implemented through a series of steps. Firstly, data access should be managed by a multi-factor authentication (MFA) system. Only 27% of businesses are making use of an MFA system. 

Secondly, employees should be prompted to update devices to combat existing vulnerabilities, and user access to data management applications should be managed through central policies.

The Cisco report demonstrated that more than half of respondents noted that mobile devices are becoming an increasing challenge to defend. It suggests a zero-trust strategy as the best way to remedy this.

Updating regularly

This report showed that 46% of organisations faced incidents as a result of unpatched vulnerabilities: a software provider had issued an update for the flaw, but it was never applied.

Breaches to data management environments can cause hefty losses of data, and when patches are rolled out it is crucial to apply them immediately to limit the timeframe in which the vulnerabilities can be exploited.

Monitoring implementations

As cyber security practices are continually developed and regulated, it becomes important to monitor the network and data applications regularly to review how well the security measures are faring.

Detection utilities should always be managed and routinely updated so that when incidents do arise, they can be properly investigated. Many small and medium-sized businesses have found CyberSmart’s monitoring app helpful for this purpose. It can be installed on any device and up-to-date information on every device’s security status is available through a centralised dashboard.

Centralise security essentials

The biggest factor in the growing challenge of maintaining adequate cyber security is the level of complexity as a business scales. When an organisation uses multiple security solutions, centralising them in an integrated platform reduces that complexity, making it easier to manage, update and review security essentials. The Cisco benchmark found that 42% of respondents were more inclined to give up on maintaining adequate cyber security because of its complexity.

CyberSmart offers several ways for the cyber security of even smaller businesses to thrive, and our Cyber Essentials and Cyber Essentials Plus certification takes complexity into consideration and simplifies the process.