How to secure your Facebook account and avoid being compromised

I have been amazed (disappointed?) at how many of my Facebook friends have had their Facebook accounts compromised, or have been locked out of them, in the last few months. A month rarely goes by that I don't see a post "My account was hacked, please disregard any messages from me." No doubt, many of you are nodding in agreement.

Most people have a Facebook account, and having it compromised is generally embarrassing. However, it can be downright devastating for some with large contact bases and an active social media life, especially if your account is used for business or you are a prominent individual.

Thus, I decided to write this article so that people in my network can review their current status and hopefully increase their account security. For this article, the instructions provided are based on a Windows 10 computer using a Web browser. These settings are all available via the Apple or Android app, but may be in different locations. To access most of the settings I will discuss, click on the arrow at the top right and choose "Settings and Privacy" and then "Settings." Once there, we can get to work. Also, note that I have my browser set to dark mode, so odds are that what you will see will be with a white background on your own computer.

Once in there, click on "Security & Login" on the menu on the right. This is the most important section.

1. Check the "Where you are logged in" section. This will show you all the devices currently accessing your account or that have accessed it recently. If you see any devices that are not familiar to you, or that are logging in, for example, from another country, click the 3-dots to the right of the device and choose "log out." If you do find a session you do not recognize, also change your password (step 2): logging the device out does nothing to stop whoever has your password from logging straight back in.

2. Next, your password. If you have not changed it recently, or if there is any chance it has been reused, change it now. Make sure that 1) it is not used elsewhere (e.g., your Google account): attackers take username/password pairs leaked from one site and try them on every other site, so a reused password is as good as a leaked one; and 2) it is long. Length matters far more than sprinkling in symbols: a passphrase of four or five unrelated words (15 or more characters) is both stronger and easier to remember than an 8-character jumble of uppercase, lowercase, digits and special characters, and current NIST guidance (SP 800-63B) no longer recommends forced complexity rules at all. Yes, a unique password for every site is tricky to keep track of. That being said, I am a big fan of password managers, and you ideally should be using one: it generates a long random password for each site and remembers it for you. I wrote a tutorial a little while back on setting up the LastPass password manager if you need any help. Other good products are 1Password & Dashlane. Note: These products all cost a few dollars per month, but are well worth the expense. I can tell you that most if not all Cybersecurity pros that I know use one. Here is the link to the tutorial if you are interested: https://www.dhirubhai.net/pulse/set-up-password-manager-two-factor-authentication-micho-schumann/

For the "save your login info" section, the security guy in me wants you to disable this. However, most of you will not want to do that. If you leave it enabled, make sure that the devices & computers where you log in to Facebook are your own and cannot be used by other individuals. If not, others may be able to use your Facebook account, so choose wisely.


3. Now, we arrive at two-factor authentication, also known as "2FA". What is 2FA, you ask? 2FA essentially means that you need two "things" to gain access to your account when logging in from a new device or computer. Generally, those two things are your username & password + a one-time code that you get on your smartphone.

If you are serious about the security of your account and do not want to have your account compromised, this is BY FAR the best thing you can do. So click on edit at the end of the Two-factor authentication section.


You will likely be prompted to provide your password to get to the next screen where the setup happens - this is normal.

You will now have the choice between three kinds of 2FA.

  • Use a security key. This is a small USB or NFC device and is the most phishing-resistant option, because the code never passes through a web page at all; but unless you already have one (you would know ...), you can skip this for now.
  • Use an authentication app. This is my suggested route. Good options are Microsoft Authenticator and Authy. I personally use Authy. You can download these in the App Store (Apple) or Google Play (Android).
  • Text message (SMS). This method is not as secure (an attacker who convinces your carrier to move your number to their SIM, so-called SIM swapping, receives your codes), but if you are not keen on the app route, choose this one. This is also the simplest option. There is nothing wrong with starting with this option and moving to the app or key method later.

Whichever you choose, click on "Setup" next to the option and follow the instructions. Of note: You can have more than one option enabled. Personally, I have both the app and security key options enabled.

It is worth mentioning that you will only get prompted for 2FA when you log in with a new device, so this is not annoying. The idea is that if someone manages to obtain your username and password, the "second factor" will stop them cold when they try to connect to your account from their computer or phone.
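To make the "second factor" concrete, here is an added example (not code from the original article, nor from Facebook or any authenticator vendor) of how the six-digit codes in an authenticator app are produced and checked. Apps such as Authy and Microsoft Authenticator implement the TOTP scheme from RFC 6238: the phone and the site share a secret (the QR code you scan at setup), and each code is an HMAC of that secret and the current 30-second time slot. The secret used below is the published RFC 4226/6238 test-vector key, used here purely as a demo value; `login` is a hypothetical stand-in for the site's check of both factors.

```python
import base64
import hashlib
import hmac
import struct
import time

# Shared secret as it would be handed to the app in the setup QR code (Base32).
# This is the RFC 4226/6238 test-vector key ("12345678901234567890"), used here
# purely as a constructed demo value; never reuse a published secret for a real account.
DEMO_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
STEP_SECONDS = 30   # each code is valid for one 30-second time step
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 of the 8-byte big-endian counter, then
    'dynamic truncation' picks 4 bytes at an offset given by the last nibble."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret_b32: str, unix_time: int, step: int = STEP_SECONDS, digits: int = DIGITS) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current time step."""
    secret = base64.b32decode(secret_b32.upper())
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret_b32: str, submitted: str, unix_time: int, window: int = 1) -> bool:
    """What the server side of the login does: recompute the code for the current
    step and for `window` steps either side (phone and server clocks drift), and
    compare in constant time so the comparison itself leaks nothing."""
    for drift in range(-window, window + 1):
        expected = totp(secret_b32, unix_time + drift * STEP_SECONDS)
        if hmac.compare_digest(expected, submitted):
            return True
    return False


def login(password_ok: bool, code: str, unix_time: int, secret_b32: str = DEMO_SECRET_B32) -> bool:
    """Hypothetical site-side check: both factors must pass. A stolen password
    alone (password_ok=True but no valid code) is not enough, which is the point of 2FA."""
    return password_ok and verify_totp(secret_b32, code, unix_time)


if __name__ == "__main__":
    now = int(time.time())
    print("Current code for the demo secret:", totp(DEMO_SECRET_B32, now))
    print("Seconds until it changes:", STEP_SECONDS - now % STEP_SECONDS)
```

Run it and compare against an authenticator app that has been fed the same Base32 secret: the codes match, because both sides compute the same HMAC over the same time slot. Two things follow for the reader. A phisher who captures your password cannot compute the code without the secret, which never leaves your phone. But a phishing page that relays your freshly typed code to Facebook within the same 30-second window still gets in, which is why the security key, whose response is bound to the real site's origin, is the stronger of the three options.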

4. If you have completed all of the previous items, congratulations. Your Facebook account is now significantly more secure. But. We are not done yet!

Still in the same security screen, now click on "Edit" next to "Get alerts about unrecognized logins." In essence, if something does happen to your account, you want to find out about it ASAP. Make sure your settings look like mine, and double-check your email or add one at the bottom. Then click on "Save changes."


5. The next setting is quite nifty, although it's not something I have ever used. It's the "Trusted contacts" option. The function works like this: You identify 3 to 5 "Trusted contacts" (i.e., close friends, spouse, etc.) who can help you if you get locked out of your account. If you get locked out, there is a way for them to obtain a recovery code for you that will let you regain access to your account. As you can see, I have added four persons who can assist me if ever I am locked out of my account. I hope never to use this, but I like the concept.


6. So the main security aspects are now taken care of. We now need to address some privacy matters. I think this is important since criminals & other malicious individuals who may target you and your organization will likely check out your Facebook page to profile you. It's creepy, but that is the world we live in. So let's restrict who has access to your pictures, profile, etc.

To get to the screen you see below, you need to go to your settings, choose "Settings and Privacy," and then "Profile and Tagging" on the left side menu.

Your settings should ideally look like this. Check each one individually. The idea is that only you or your friends should be able to see your stuff. Pay special attention to the first item as well as the "Reviewing" section. I suggest you always review & approve anytime someone tags you. That way, you can block the tag if, for example, someone tags you in something controversial, political or embarrassing.


Find "Review what other people see on your profile" and click on "View As." This will show you your public profile (aka what someone who is not a Facebook friend can see in your profile). What you want to see here are only your profile and cover pictures. Your family vacation, personal pictures, etc., should NOT be visible. If they are, go back to the beginning of this section and review the settings.

7. Now for the last step. Go to your settings, choose "Settings and Privacy" and then "Privacy checkup." This will identify if anything was missed and does a great job of completing everything we have done so far.


First, start with "Who can see what you do." Check the settings here and change any you feel should be tightened up. Below, I suggest that only friends can see who you are friends with. Also, I choose to restrict viewing of whom I follow. If someone is stalking me or planning a cyberattack against me (e.g., phishing), knowing my groups & interests would be very useful to them.


Next, make sure the first two options are set to "friends," then click on "Limit" at the bottom. This will make all of your past public posts available only to friends.

Per the Facebook support site: "If you'd like to limit who can see all of your past posts at one time, you can Limit Past Posts in your account settings. This will change all your past posts visible to more people than just your friends (example: posts shared with Public) to be visible to only your friends."

So if you have made a lot of public posts in the past, or have no clue and want to be sure, click on the "Limit" button (it should be blue).


Once done with this section, go to "How to keep your account secure." If you have followed this tutorial, this should be quick, and it will confirm that you are all set :-)

Lastly, click on "How people can find you on Facebook." By now, I don't expect any long-lost friends to track me down. To that effect, I have restricted friend requests to friends of friends. This will limit spam-type requests or requests from individuals I have no connection to. Yes, I may block some long-lost friend, but that's something I can live with since, at this point, it's unlikely.


Next, your email & phone numbers. Set that to "only me." Your close friends and family already have those. No point in letting others have access to them.


That's it! If you made it this far, your Facebook account should now be much more secure and private.

A few last things. There have been a lot of fake accounts on Facebook recently. Essentially, malicious individuals create a new account with the profile picture of someone you may know. Then, they send friend invites to the friends of the person they are impersonating and try to send them a file containing malware, a link to a scam, or the like. If this happens to you, the best course of action is to report the account. Go to the profile page and choose to report it, as you can see below. In my experience, Facebook takes action very quickly for fake accounts.


Last two pieces of advice. These pertain to your use of Facebook, not settings.

First: DO NOT participate in quizzes or questionnaires where personal information is asked. These are, for example, "Name the city where you were born," "Your punk rock name is your middle name and your first car," etc.

Do those sound familiar? Well, they are often the very security questions your bank and other sites use to verify your identity when you log in or reset a password. The information you provide can also be used to craft a targeted phishing email against you. See the example below. Note how many people answered it. That is a wealth of information for the bad guys.


Second: Ignore contests where the prizes are big, and all you have to do is share & like. The below is an excellent example of a fake contest. Other examples are cars, yachts and other costly items being given away.

As a rule of thumb: if the prize is not from a local company you know (and beware of fake company pages that look like the real one; the example below is a FAKE Maldives page ...), or the prize is worth more than $500, there is a high probability that the contest is a scam.

What can happen is that the scammers will contact you in private to tell you that you "won." They then ask for personal information, upfront "administration fees," etc. By sharing and liking these, you are exposing your friends and family to these scams.


So that's it! :-) I hope you found this guide practical. If you did, please share with your friends and family members.

Stay safe online.

Any feedback on this article is welcomed.

#Cybersecurity #infosec #facebook #2FA


Usual disclaimer: As with any Cybersecurity advice, please be careful with any settings you change. When in doubt, please consult with your internal Cybersecurity resources or a hired professional.

Hennry Duro

Manager, Cybersecurity Operations, AIR MILES at BMO

3 years ago

Good stuff! I would suggest also having a private-oriented email account only for Facebook. Looking forward to seeing an article about Instagram.

Justin Freres

AI | ML | Masters in Cybersecurity | ISC2 Candidate | Software Developer | MCPS, MS, MCSD, A+, Security+

3 years ago

Don’t use Facebook.

Eric Charpentier

As a technologist, I work so that I can create a better, more connected, integrated and secure world for my children.

3 years ago

Very good article. I shared it with some friends who have had that issue in the past.

Maxime Rousseau

Deputy CISO, Empower

3 years ago

Great PSA Micho but you really should nix the password advice part and replace with something modern. Complexity rules suck. I'd just suggest password manager first and if you can't/won't then passphrase is best. Something memorable like "The Nordiques will be back any day now"

Hamza Mzee

Technology Risk Consulting

3 years ago

Very insightful.
