Protect your team’s Facebook page – and other lessons in information security

Hooded person watches over Facebook on a computer monitor

What if your account has been hacked? If you’re an administrator on a University Facebook group then that channel is also at risk.

Facebook is now ubiquitous in the University, whether used by students to support their studies and social lives, or by staff to further the University’s mission for outreach and public engagement. Yet, as we all should know, engaging in social media carries with it the risk of our personal accounts being hacked – and, worse, the University Facebook pages which we manage or to which we contribute. This article is a salutary reminder to beware of friend requests on Facebook and draws your attention to some forthcoming talks on information security as part of the IT Learning Programme.

Although we may think we can recognise a fake message (a ‘phishing’ attack) when we see one, it’s alarmingly easy to be fooled, as a member of Academic IT Services recently found out when he received a Facebook friend request from a colleague. He tells us:

I happily clicked ‘confirm’ to add the new friend, probably pleasantly surprised that this person had reached out to me. But there was something not right: maybe I thought I was already friends with her, maybe the ‘about’ looked too bare, or maybe the spelling on the follow-up ‘thank you’ message was too shabby. Fortunately, I contacted her via another channel (not via Facebook) to double-check and she regained control of her account.


Report hacked accounts to Facebook.

Hacking is serious enough when it happens to an individual’s account, but the implications will be magnified if it happens to a person managing the Facebook presence for a department or project team. The social media experts in Academic IT Services have these recommendations for people who manage such Facebook pages in the University:

  • Ensure that more than one person has ‘administrator’ rights.
  • Ensure that each person with ‘administrator’ or ‘editor’ rights does the following:
    • sets up 2-factor authentication (also called ‘Login Approval’ on Facebook);
    • uses a strong, unique pass-phrase for each account, which must be different from the one used for their University account;
    • sets up ‘Trusted Contacts’ to help if their Facebook gets hacked; and
    • makes their ‘Friend List’ invisible.

These settings only go so far, so be careful when you next receive an apparently innocuous friend request. Get in touch with the sender by another means (outside Facebook) before you click the ‘confirm’ button.

Security and privacy online

Trinity Term sees more free sessions in the ‘Security and privacy online’ series provided by the University’s Information Security team. Book now through our ITLP course pages.

Lunchtime sessions – 12.30-13.30, Old Road Campus:

Half-day course – 9.15-12.15, Banbury Road:

Image credit: CC0 via
