How We Keep Our Technologies Safe and Secure for Businesses

As cybercrimes and scams become more sophisticated across the internet, it’s crucial to stay a step ahead of those trying to harm businesses and people on our technologies. More than 200 million businesses connect with their customers through Meta, and our proactive security measures help protect those valuable relationships.

To help ensure that businesses can safely connect with people, we make security a fundamental part of everything we do. We are continually improving through the development of new tools, technologies and teams to detect and mitigate security risks. Today we have 40,000 people working on safety and security, and we have invested more than $13 billion in teams and technology in this area since 2016.

Our approach

Meta employs a “defense in depth” approach to security, layering multiple levels of protection to help prevent and address vulnerabilities through 3 key areas: promoting authentic connections, increasing account security and delivering accountability. Through our proactive measures, we restrict the vast majority of attacks, but it’s not possible to stop every incident before it occurs. For those attacks that aren’t caught upfront, we have processes in place to tackle and resolve them quickly.

Promoting authentic connections

People want to know that the brands they interact with on our technologies are legitimate. We rely on a variety of tools, including our verification process, to protect legitimate businesses and stop entities that want to do harm, thus enabling people to form authentic connections with businesses they can trust.

We require many businesses to undergo verification to confirm the identities of the business and its representatives before they can use certain tools or features. We’ve designed our systems and verification requirements to reflect the varied sizes, complexities and audiences of the businesses and organizations that use our technology.

Verification requirements include activities such as:

• Confirmed Page Owner: verifies the authenticity of people or organizations who manage Pages with a large audience.
• Business Verification: required for business app developers who want to use certain APIs.
• Authorization Process: verifies the identity and location of advertisers who run ads about social issues, elections or politics, which are also required to include a “Paid for by” disclaimer.

Increasing account access security

Our second major focus is on increasing account security protections to help prevent unauthorized access to businesses’ accounts.

Two-factor identification
We require all large global business users to use two-factor authentication to access our business products such as Meta Business Suite, which includes Pages Manager, Ads Manager and Business Manager interfaces. This is intended to help mitigate the risk of unauthorized activity like someone else adding or removing users or creating ads. Businesses have 3 options for enabling two-factor authentication on an account: security keys, third-party authentication apps and text message (SMS) codes. To further protect business accounts, we limit the ability to take actions in Business Manager—such as adding or removing users, accessing credit lines or creating ads or pixels—when two-factor authentication is not enabled.

Machine learning detection
Our systems also use machine learning detection to proactively flag signs of suspicious behavior—such as unusual spend changes in advertising campaigns and unusual logins from unexpected Internet Protocol (IP) addresses, devices or physical locations—to our teams for further investigation.

In instances where we detect suspicious activities, our teams use streamlined recovery processes so businesses with a suspected compromise experience the shortest possible downtime. Additionally, we continue to automate security best practices in our systems, such as setting up automatic account logouts triggered with inactivity.

Easier account management for businesses
For an added layer of security, businesses routinely tell us they are looking for access to our business products through separate credentials from their personal Facebook accounts. For this, we’re building Work Accounts, which will allow business users to log in and operate Business Manager without requiring a personal account. Businesses will be able to manage these accounts on behalf of their employees and have access to features like integration with a company’s existing single sign-on capabilities, giving them more control over the security of their employees’ accounts. After an initial round of product testing with select businesses, we are currently investing in product improvements ahead of a launch for all clients.

Delivering accountability

We also hold everyone on our technologies accountable through a comprehensive set of measures to monitor for and enforce penalties against policy violations through our standard ad review process.

We monitor businesses’ activities on our technologies at both an account and transaction level for suspicious behavior. In addition, we have tools that help identify malicious activity that may extend beyond our platform—such as links embedded in ads that may lead to fraudulent websites or other bad experiences (“click-to” products or experiences)—using mobile app integrity and landing page review tools. When violations are found, our teams consider a variety of actions including disapproving violating ads, disabling malicious accounts, working with local law enforcement or taking legal action against scammers. We also use various machine learning systems and models that help us determine the likely risk of businesses violating our policies based on past activities and engagement, and we can then monitor high-risk situations more closely.

We are continuously upgrading our systems to monitor activity and enforce our policies. This includes our efforts to deliver more trustworthy shopping experiences for people and businesses through commerce policies and safety measures.

Businesses can also play a role in keeping their accounts protected. Business owners looking for proactive ways to strengthen security can review our best practices for businesses guide for help with safeguarding personal and business accounts. This includes recommendations on enabling two-factor identification and other account protections, turning on notifications to be alerted to suspicious activity and monitoring ads and spending through a weekly report. Together, we can protect the valuable connections our partners have made with their customers on our technologies.

Ready to face future challenges

We know that security work is never finished. Scammers will develop new techniques—and we’ll continue to innovate and address evolving threats. This includes ongoing work to improve our security features and detection mechanisms to identify and prevent malicious activity before they affect a business’ connection with customers.

As we move into an increasingly complex digital landscape, we will continue to prioritize security while building trustworthy environments for the future of business.