Editor’s note: Adapted from a post on Toti’s personal blog. Toti is our CEO. We thought this one was worth bringing into the artist section because most musicians we know have a Facebook page running ads, an Instagram tied to a manager’s phone, and exactly zero plan for what happens if either gets compromised.

A Meta business account — your Facebook page, your Instagram, and the Business Suite that ties them together — is one of the highest-value targets a scammer can find. Get in, run a few thousand dollars of crypto ads on your dime, and walk away. By the time you notice, the budget is gone and the page is full of garbage your fans are seeing.

Most artists don’t get serious about this until it happens. The good news is the basics are cheap and take an afternoon.

1. Two-factor authentication. Everyone. No exceptions.

This is the single highest-leverage thing on the list. Every single person who has access to your business account — you, your manager, the merch person, the social media intern, the friend who “helps with posting” — needs two-factor authentication on their personal Facebook account. One unprotected account is the back door, and back doors don’t care whose they are.

To turn it on: Settings & Privacy → Settings → Security and Login → Two-Factor Authentication → Edit. Pick one of three:

  • Authenticator app — Google Authenticator, Microsoft Authenticator, or Duo. The right answer for almost everyone.
  • Security key — a YubiKey or similar physical key. Most secure option there is. Worth it if you’re at a scale where compromise would be ruinous.
  • SMS — better than nothing, but SIM-swap attacks are real and getting more common. Treat as a last resort.

If you can’t get a collaborator to turn this on, they shouldn’t have access to the account. Full stop.

2. Manage access like you actually mean it

Open Meta Business Suite → Settings → People and look at the list of who can do what. Then ask three questions:

  • Does this person still need access? (Former managers, ex-bandmates, agencies you stopped working with — remove them today.)
  • Do they need this much access? Most people don’t need Admin. Most don’t even need Editor.
  • If this account got hacked through their login, what’s the worst they could do?

Meta’s roles, ranked by how much damage a compromised account can do:

  • Admin — full access. Can do anything, including locking everyone else out. Give to as few people as possible. Ideally one or two.
  • Editor — can post and publish. Reasonable for the person actually running content.
  • Advertiser — can spend money. Reasonable for the person running ads, no one else.
  • Analyst — read-only. The right answer for anyone who just needs to look at numbers.

If you have someone who “just wants to check stats,” they’re an Analyst. Don’t make them an Admin to save five minutes.
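If you keep the People list in a spreadsheet (and you should, so you can check it without logging in), the three questions above turn into a script. This is an added example, not code from the post or anything Meta provides: the roster, job labels, the two-admin limit and the 90-day "stale" threshold are all assumptions made up for the illustration, and the 2FA check folds in the rule from section 1.

```python
from dataclasses import dataclass
from datetime import date

# Meta's Page roles as the post ranks them, least to most privilege.
ROLE_RANK = {"Analyst": 0, "Advertiser": 1, "Editor": 2, "Admin": 3}

# Least privilege: the role that covers what a collaborator actually does.
# The job labels are made up for this example; the mapping follows the post.
ROLE_FOR_JOB = {
    "check stats": "Analyst",
    "run ads": "Advertiser",
    "post content": "Editor",
    "own the page": "Admin",
}

@dataclass
class Collaborator:
    name: str
    role: str               # role they hold in Business Suite -> People
    job: str                # what they actually do for you
    has_2fa: bool           # section 1: no 2FA, no access
    last_active: date       # last time you saw them use the account
    still_working_with: bool

def review_access(people, today, max_admins=2, stale_days=90):
    """Return (name, finding) pairs; "*" names a finding about the whole list."""
    findings = []
    admins = [p for p in people if p.role == "Admin"]
    if len(admins) > max_admins:
        findings.append(("*", f"{len(admins)} admins; aim for at most {max_admins}"))
    for p in people:
        if not p.still_working_with:
            findings.append((p.name, "no longer works with you: remove today"))
            continue  # nothing else matters once they are gone
        if not p.has_2fa:
            findings.append((p.name, "no two-factor auth: pull access until it is on"))
        needed = ROLE_FOR_JOB[p.job]
        if ROLE_RANK[p.role] > ROLE_RANK[needed]:
            findings.append((p.name, f"holds {p.role} but only needs {needed}"))
        if (today - p.last_active).days > stale_days:
            findings.append((p.name, f"inactive for over {stale_days} days: ask if still needed"))
    return findings

# Constructed sample roster: made-up people, not real account data.
TODAY = date(2024, 5, 2)
SAMPLE_PEOPLE = [
    Collaborator("Toti", "Admin", "own the page", True, date(2024, 5, 1), True),
    Collaborator("Manager", "Admin", "post content", True, date(2024, 4, 20), True),
    Collaborator("Intern", "Editor", "check stats", False, date(2024, 4, 25), True),
    Collaborator("Old agency", "Advertiser", "run ads", True, date(2023, 11, 1), False),
    Collaborator("Merch", "Admin", "post content", True, date(2024, 1, 10), True),
]

def review_sample_roster():
    return review_access(SAMPLE_PEOPLE, TODAY)

if __name__ == "__main__":
    for name, finding in review_sample_roster():
        print(f"{name}: {finding}")
```

Run it against your own roster every time someone joins or leaves the team. The point of the "holds X but only needs Y" line is the one the post makes: the role should follow the job, not the other way round.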

3. Cap your ad account before someone else does

The ad account is the prize. A compromised page is annoying; a compromised ad account is a five-figure invoice.

  • Set a spending cap. Ads Manager → Payment Settings. Daily, monthly, whichever — pick a number that’s higher than your real spend but lower than the disaster scenario.
  • Remove old payment methods. That credit card from 2021? Take it off. Fewer cards stored = smaller blast radius.
  • Skim ad activity weekly. Look for ads you don’t recognise. Crypto, dropshipping, anything with broken English in the headline — that’s not you.
  • Turn on notifications for unusual spend. They’re in there if you go looking. Meta won’t volunteer them.
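The weekly skim and the spending cap can be checked against an export of your ad spend, one line per ad per day. This is an added example, not the post's own method and not anything built into Ads Manager: the ad names, the daily cap of 150, the "three times the recent median" spike rule and the sample spend figures are all constructed for the illustration. It flags three things at once: an ad you never created, a day that blows past your cap, and a day that is wildly out of line with the previous week.

```python
from collections import defaultdict
from statistics import median

# Ads you created yourself. Anything else spending money is a red flag.
# Names are made up for this example.
KNOWN_ADS = {"tour-2024-presale", "new-single-stream"}

def review_spend(records, daily_cap, spike_factor=3.0, window=7):
    """records: (day, ad_name, spend) tuples, day as 'YYYY-MM-DD'.
    Returns (day, finding) pairs sorted by day."""
    findings = []
    per_day = defaultdict(float)
    for day, ad, spend in records:
        per_day[day] += spend
        if ad not in KNOWN_ADS:
            findings.append((day, f"unrecognised ad '{ad}' spent {spend:.2f}"))
    days = sorted(per_day)
    for i, day in enumerate(days):
        total = per_day[day]
        if total > daily_cap:
            findings.append((day, f"daily total {total:.2f} is over your cap of {daily_cap:.2f}"))
        # compare against the previous `window` days, not the whole history
        prior = [per_day[d] for d in days[max(0, i - window):i]]
        if prior and total > spike_factor * median(prior):
            findings.append((day, f"daily total {total:.2f} is more than {spike_factor:g}x "
                                  f"the recent median of {median(prior):.2f}"))
    return sorted(findings)

# Constructed sample: eight days of normal spend, then a day where someone else's ad appears.
SAMPLE_RECORDS = []
for d in range(1, 9):
    SAMPLE_RECORDS += [(f"2024-05-{d:02d}", "tour-2024-presale", 12.0),
                       (f"2024-05-{d:02d}", "new-single-stream", 8.0)]
SAMPLE_RECORDS += [("2024-05-09", "tour-2024-presale", 12.0),
                   ("2024-05-09", "new-single-stream", 8.0),
                   ("2024-05-09", "crypto-yield-bonus", 480.0)]
DAILY_CAP = 150.0   # assumed cap: above real spend, below the disaster scenario

def review_sample_spend():
    return review_spend(SAMPLE_RECORDS, DAILY_CAP)

if __name__ == "__main__":
    for day, finding in review_sample_spend():
        print(f"{day}: {finding}")
```

The cap in Ads Manager stops the bleeding; this kind of check tells you it started. Keep the known-ads list current, otherwise your own new campaign will be the thing it flags.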

4. Phishing aimed at Meta accounts is a whole genre

The scammers who target business pages have a small library of pretexts they cycle through. Once you’ve seen them, they’re obvious. Until then, they look terrifyingly real.

  • “Your account will be suspended in 24 hours.” Click the link, log in, give them your password. Classic.
  • “Copyright violation — verify your account.” Same scam, different wrapper.
  • “Get verified — apply for the blue badge.” Particularly nasty because verification is something artists actually want.
  • A message from “Facebook Support” via Messenger. Meta does not contact you through Messenger. Ever. About anything.

Real Meta notifications show up in Settings → Account Quality or your Support Inbox on facebook.com. They don’t arrive as DMs. They don’t have urgent timers. When you’re unsure, type facebook.com into your browser by hand — never click the link in the email — and check your notifications there. If the warning is real, it’ll be in the actual Meta interface.
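The "type facebook.com by hand" rule exists because the links in these messages are built to look right at a glance. The function below is an added example, not from the post or from Meta, that makes the glance mechanical: it takes a link out of an email or DM and says whether the host is actually facebook.com (or a subdomain of it, which is this example's assumption about what counts as trusted), a lookalike, or just some other site. The sample links are constructed, all on reserved `.example` domains.

```python
from urllib.parse import urlsplit

# The post's rule: real Meta notices live on facebook.com. Treating its
# subdomains (www., business.) as trusted is this example's assumption.
TRUSTED_DOMAIN = "facebook.com"
BRAND_WORDS = ("facebook", "instagram")
# Digit-for-letter swaps seen in lookalike names: faceb00k, 1nstagram, ...
DIGIT_SWAPS = str.maketrans("0135", "oles")

def link_verdict(url):
    """Classify a link: 'trusted', 'lookalike' or 'unknown'. Never follow a 'lookalike'."""
    parts = urlsplit(url.strip())
    host = (parts.hostname or "").lower()
    if not host:
        return "unknown"              # not a web link at all
    if parts.username is not None:
        # https://facebook.com@evil.example/ : the text before @ is a login
        # name the browser ignores; the real host is what follows it
        return "lookalike"
    labels = host.split(".")
    if any(ord(c) > 127 for c in host) or any(label.startswith("xn--") for label in labels):
        return "lookalike"            # non-ASCII or punycode host: homoglyph territory
    if host == TRUSTED_DOMAIN or host.endswith("." + TRUSTED_DOMAIN):
        # real Meta links are https; a plain-http one is not something to trust
        return "trusted" if parts.scheme == "https" else "unknown"
    if any(word in host.translate(DIGIT_SWAPS) for word in BRAND_WORDS):
        return "lookalike"            # brand name wedged into someone else's domain
    return "unknown"

# Constructed sample links, the kinds of thing the pretexts above carry.
SAMPLE_LINKS = [
    "https://www.facebook.com/settings?tab=security",
    "https://facebook.com.account-verify.example/login",
    "https://faceb00k-support.example/appeal",
    "https://facebook.com@login-check.example/",
    "https://xn--fcebook-8va.example/",
    "https://our-label.example/news",
    "not a link",
]

def triage(links):
    return {link: link_verdict(link) for link in links}

if __name__ == "__main__":
    for link, verdict in triage(SAMPLE_LINKS).items():
        print(f"{verdict:9} {link}")
```

"Unknown" is not "safe"; it just means the link is not pretending to be Meta. The only verdict that should ever lead to a login page is "trusted", and even then the post's advice stands: go to facebook.com yourself and look in Account Quality or the Support Inbox.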

5. Audit who’s already logged in

Twice a year, take ten minutes and do this:

  • Settings → Security and Login → Where You’re Logged In — review every active session. Log out of anything you don’t recognise. Old phones, old laptops, the hotel computer you forgot about.
  • Settings → Apps and Websites — review every connected app. The Spotify integration from 2017 you haven’t used since? Revoke. The “free band promotion tool” someone signed up for? Especially revoke.

Old sessions and forgotten apps are the most boring way to lose an account, which is why they’re so common.

6. Turn on Facebook Protect when offered

Meta runs a program called Facebook Protect for accounts with significant reach — meaning, a lot of artist pages qualify. It enforces 2FA and adds extra monitoring. If you get the invitation, take it.

But — and this is the trap — only enable it through settings on facebook.com. Never through an email link. The phishing version of “Enable Facebook Protect” is one of the most effective scams currently in rotation, because the real thing exists and people are expecting it.

7. Have a plan for the day it goes wrong

If you do get breached, every minute matters. Decide now what the steps are, so you’re not Googling them while watching your ad budget hemorrhage:

  1. Change the Facebook password. Right now.
  2. Log out of all devices.
  3. Open Ads Manager. Pause every active ad you don’t recognise.
  4. Open Business Suite → People. Remove any admin you don’t recognise.
  5. Go to facebook.com/hacked and follow the recovery flow.
  6. If a card was stored on the account, call your bank. Yes, today.
  7. Tell your fans. A short post saying “we got hacked, ignore anything weird from us in the last 24 hours” is much better than silence.

Print this list. Put it somewhere your manager can find it at 2am.

The short version

Two-factor auth on every account that touches the page. Minimum permissions for everyone. A spending cap on the ad account. Healthy paranoia about anything claiming to be Meta. A login audit twice a year. A plan for the bad day.

A bad afternoon of setup buys you years of not having a much worse afternoon. Worth the trade.