
Why cybercriminals target business Facebook pages - and what to do about it

Whilst on patrol with Derbyshire Constabulary officers as part of Safer Business Action week this month, we heard two accounts from two separate businesses who were victims of Facebook page takeovers by cyber criminals. But why are they targeting Facebook? And what can you do about it?



Facebook business pages are more than a place to post promotions - they’re a brand channel, an ad wallet, a customer trust anchor, and sometimes an admin gateway into other parts of your digital life. That combination makes them an attractive target for attackers.


Below we walk through the main motives behind attacks on business pages, show the data that proves this is a growing, practical threat, offer concrete mitigation steps you can apply today, and advise how you can report an incident.


Firstly, why do cyber criminals attack Zuckerberg's most prized asset?


1) To steal or siphon advertising budgets


Attackers who gain control of a business page can access Meta’s ad controls (or create ads from a hijacked Business account) and run fraudulent ad campaigns that charge the company’s payment methods. These ads often promote scams, malicious downloads or fake crypto/raffle pages - generating direct monetary gain for the attacker while leaving the business on the hook for the bill and reputational damage.


Recent campaigns have shown criminals creating shell Facebook Business pages and abusing the Business invitation/notifications features to push phishing that leads to ad fraud and credential theft.


2) To propagate phishing, malware and credential-harvesting


A compromised page with an established audience is a powerful vector for scams: a single post or a livestream can reach thousands or millions of followers. Attackers post seemingly legitimate “policy” notices, giveaways or urgent account alerts that contain links to credential-collection pages or malware.


Security researchers have documented campaigns where criminals set up fake business pages and used the platform’s own messaging/notification features to deliver extremely convincing phishing messages at scale.


3) To sell or resell pages and audiences on underground markets


Pages with followers or strong engagement have market value. Cybercriminal marketplaces and dark-web brokers buy and sell social accounts and pages, which are then repurposed to push scams, counterfeit goods, phishing, or laundering schemes.


Even mid-size pages can be monetised by renaming them, switching the content to fraudulent promotions, and reselling the follower base. Law-enforcement and security posts repeatedly cite “page theft” and resale as an explicit motive.


4) To enable larger frauds and identity attacks


Access to a business page can be a stepping stone: the same credentials or reused credentials often give attackers access to other services (email, ad accounts, payment processors).


Account takeover (ATO) is widespread - industry reports show almost all monitored organisations are targeted and a substantial portion experience at least one takeover - making social account compromises part of broader fraud campaigns. Once inside, attackers can harvest internal links, customer data in messages, or use the page to social-engineer employees and suppliers.


5) To damage reputation or silence a brand


For politically sensitive organisations, NGOs, public services, or businesses with controversial customers, attackers sometimes deface pages, post inflammatory content, or take the page offline to cause reputational harm, spread disinformation, or intimidate.


High-profile incidents - including government-affiliated pages and aid organisations - have shown that the impact goes beyond lost sales: it can create misinformation cascades and public safety risks.



The scale & trends - why the risk is rising


Account takeover and social-platform-focused fraud are increasing. Industry reports show very high targeting rates for ATO attempts and rising numbers of successful takeovers year-over-year. Password reuse and credential stuffing remain core enabling factors.


Large, automated phishing campaigns are being run through fake or shell pages and business-suite features; security firms have flagged campaigns delivering tens of thousands of targeted phishing messages. These campaigns often exploit platform features to increase legitimacy (e.g., notifications that look like they came from Facebook).


Concrete steps to reduce your risk (a checklist)


These are practical, prioritised actions backed by security guidance and recent incident responses.


1. Enable strong account protections


Enable multi-factor authentication (MFA) for all accounts with admin roles on the page - use an authenticator app or hardware key where possible. MFA dramatically reduces account takeover risk.


2. Tighten admin access and use least privilege


Audit page roles monthly. Remove former employees and don’t use personal accounts for shared admin duties - use a centralised business admin model (e.g., Meta Business Manager) with named, role-based access.


3. Lock down payment and ad settings


Use separate ad billing methods from page admin accounts where possible and monitor ad spend alerts. Use dedicated payment instruments and review ad account users.


4. Train staff on social engineering & phishing


Regularly train marketing, customer-service, and leadership staff to spot fake “policy” emails, unexpected business invitations, and lookalike domain phishing. Simulated phishing exercises work well, as does our fully-funded Security Awareness Training which covers social media best practices amongst other important online awareness measures. Take a look here: Security Awareness Training.


5. Monitor for impersonation & fake pages


Proactively search for spoof pages or lookalike accounts and report them. Many attacks begin with shell pages created to build legitimacy for phishing - report and takedown speeds matter.


6. Log and alert on unusual activity


Enable logging/alerts for unusual page posts, ad creations, or role changes. If your team has SSO or identity logging, integrate alerts for credential changes or MFA resets.


7. Plan a playbook for compromise


Have a documented incident response plan: steps to freeze ads, rotate payments, contact the platform, notify customers, and restore control. Rapid, clear action reduces damage and billing exposure.
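Items 2 and 6 of the checklist (audit page roles against a named roster, and alert on role changes, MFA resets and unexpected ad creation) can be turned into a small script once the page's activity has been exported. The example below is added for this article and is not EMCRC's tooling or a Meta API client: it assumes the events have already been exported into the dict shape used by SAMPLE_EVENTS (the field names are assumptions) and that the business keeps an approved roster of who should hold which role. The sample log is constructed and mirrors the takeover pattern described above: a phished admin session adds a new admin, who resets the real admin's MFA, creates a large out-of-hours ad and then removes the original admin.

```python
"""Role audit and alerting over an exported page activity log.

Added example for this article, not tooling from EMCRC or Meta. Field names
("ts", "actor", "action", "target", "role", "spend") are assumptions about how
the export was flattened; adapt them to whatever your export actually contains.
"""
from datetime import datetime, timedelta, timezone

# Constructed roster: who is supposed to hold which role on the page.
APPROVED_ROLES = {
    "alice@example.co.uk": "admin",
    "bob@example.co.uk": "editor",
}

# Constructed audit log (not real platform output). Timestamps are UTC.
SAMPLE_EVENTS = [
    {"ts": "2024-05-01T09:12:00Z", "actor": "alice@example.co.uk",
     "action": "post_created", "target": "post-1"},
    # A phished admin session grants a new admin nobody approved.
    {"ts": "2024-05-02T02:10:00Z", "actor": "alice@example.co.uk",
     "action": "role_added", "target": "carol@example.co.uk", "role": "admin"},
    # The new admin locks out the real admin and starts spending.
    {"ts": "2024-05-02T02:15:00Z", "actor": "carol@example.co.uk",
     "action": "mfa_reset", "target": "alice@example.co.uk"},
    {"ts": "2024-05-02T02:20:00Z", "actor": "carol@example.co.uk",
     "action": "ad_created", "target": "campaign-1", "spend": 4500.0},
    {"ts": "2024-05-02T02:21:00Z", "actor": "carol@example.co.uk",
     "action": "role_removed", "target": "alice@example.co.uk"},
]

SENSITIVE_ACTIONS = {"role_added", "role_removed", "mfa_reset", "ad_created"}


def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def current_roles(events, starting_roles):
    """Replay role changes in time order to derive who holds a role now."""
    roles = dict(starting_roles)
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["action"] == "role_added":
            roles[e["target"]] = e["role"]
        elif e["action"] == "role_removed":
            roles.pop(e["target"], None)
    return roles


def audit_roles(roles, approved):
    """Monthly-style check: does the live roster match the approved one?"""
    findings = []
    for user, role in roles.items():
        if user not in approved:
            findings.append(f"unapproved user {user} holds role {role}")
        elif role == "admin" and approved[user] != "admin":
            findings.append(f"{user} is admin but approved only as {approved[user]}")
    for user, role in approved.items():
        if role == "admin" and user not in roles:
            findings.append(f"approved admin {user} has lost their role")
    return findings


def detect_alerts(events, approved, business_hours=(8, 18), spend_threshold=1000.0,
                  burst_window=timedelta(minutes=15), burst_count=3):
    """Return (rule, message) pairs for activity someone should be paged about."""
    alerts = []
    recent = {}  # actor -> timestamps of their recent sensitive actions
    for e in sorted(events, key=lambda e: e["ts"]):
        action, ts = e["action"], parse_ts(e["ts"])
        if action == "role_added" and e.get("role") == "admin" \
                and approved.get(e["target"]) != "admin":
            alerts.append(("unapproved_admin", f"{e['actor']} made {e['target']} an admin"))
        if action == "role_removed" and approved.get(e["target"]) == "admin":
            alerts.append(("admin_removed", f"{e['actor']} removed admin {e['target']}"))
        if action == "mfa_reset":
            alerts.append(("mfa_reset", f"{e['actor']} reset MFA for {e['target']}"))
        if action == "ad_created":
            off_hours = not (business_hours[0] <= ts.hour < business_hours[1])
            spend = e.get("spend", 0.0)
            if off_hours or spend > spend_threshold:
                alerts.append(("ad_spend", f"{e['actor']} created {e['target']} "
                               f"at {ts:%H:%M} UTC for {spend:.2f}"))
        if action in SENSITIVE_ACTIONS:
            window = [t for t in recent.get(e["actor"], []) if ts - t <= burst_window]
            window.append(ts)
            recent[e["actor"]] = window
            if len(window) == burst_count:  # fire once per burst, not on every later event
                alerts.append(("burst", f"{e['actor']} performed {burst_count} sensitive "
                               f"actions within {burst_window}"))
    return alerts


if __name__ == "__main__":
    live = current_roles(SAMPLE_EVENTS, APPROVED_ROLES)
    for line in audit_roles(live, APPROVED_ROLES):
        print("AUDIT:", line)
    for rule, msg in detect_alerts(SAMPLE_EVENTS, APPROVED_ROLES):
        print(f"ALERT [{rule}]: {msg}")
```

On the constructed log the audit reports two roster mismatches (an unapproved admin, and the approved admin no longer holding a role) and the detector raises five alerts, including a burst alert because one actor performed three sensitive actions within fifteen minutes. Thresholds such as business hours and the spend limit are deliberately parameters, since a marketing team that legitimately launches campaigns overnight would otherwise drown in noise.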


Reporting


To report a hacked or taken-over Facebook page or account, you should first report it directly to Facebook's help center. If you are a victim of fraud or cybercrime in the UK, report it to Action Fraud or call 0300 123 2040 in England, Wales, and Northern Ireland, or 101 in Scotland. You can also report specific content through Facebook's reporting tools on the site/app.


Closing thoughts


A business Facebook page is an asset that combines reach, perceived authority, and - sometimes - direct billing instruments. That mix makes it worth attacking. The good news is that many of the simplest, most effective protections are operational - strong MFA, strict access hygiene, staff training, and active monitoring. Combine those with a tested incident playbook, and you reduce both the chance of takeover and the fallout if it happens. 

Reporting

Report all Fraud and Cybercrime to Action Fraud by calling 0300 123 2040 or online. Forward suspicious emails to report@phishing.gov.uk. Report SMS scams by forwarding the original message to 7726 (spells SPAM on the keypad).




The contents of blog posts on this website are provided for general information only and are not intended to replace specific professional advice relevant to your situation. The intention of East Midlands Cyber Resilience Centre (EMCRC) is to encourage cyber resilience by raising issues and disseminating information on the experiences and initiatives of others. Articles on the website cannot by their nature be comprehensive and may not reflect most recent legislation, practice, or application to your circumstances. EMCRC provides affordable services and Trusted Partners if you need specific support. For specific questions please contact us by email.


EMCRC does not accept any responsibility for any loss which may arise from reliance on information or materials published on this blog. EMCRC is not responsible for the content of external internet sites that link to this site or which are linked from it.
