With so much of daily life taking place via social media, it’s no surprise that small businesses are increasingly turning to Instagram, Facebook and other platforms to promote their business and sell products.
But there’s a big catch: small business owners are at a big disadvantage when it comes to cybersecurity on these platforms.
Take it from Pat Bennett, an entrepreneur who sold cereal in the Cleveland area and got about half of her sales from Instagram. The company was already under pressure from the rising costs and availability of sweeteners and oats when her business Instagram page, Pat’s Granola, was attacked.
The attack looked harmless. Bennett received a message on Instagram from a small business owner she knows personally. Through a link, her friend asked Bennett to vote for her in a competition. It was a legitimate competition and it wasn’t unusual for Bennett to communicate with people via Instagram Messenger. As it turned out, it was an attack that affected everyone in her contact’s address book. Bennett lost control of her Instagram and Facebook accounts and has not regained access, despite using all of Meta’s recommended channels.
With help, she was able to trace the IP addresses back to Europe, but it wasn’t enough to prevent the worst case scenario. Bennett received a letter saying she could regain control of her accounts if she paid close to $10,000. She refused to pay the ransom and had to start all over again.
Pat Bennett, a Cleveland-based entrepreneur who sells cereal, says about half of her sales come through Instagram, but she fell victim to an Instagram Messenger hack that resulted in Bennett losing control of her Instagram and Facebook accounts, and she has not regained access despite using all the channels recommended by Meta.
Source: Pat Bennett
Bennett’s experience is not unique. As it turns out, small businesses like Pat’s Granola are frequent targets of hacking rings. Quarterly CNBC surveys of small business owners in recent years have shown that many do not rate the risk of cyberattacks high, but the FBI says a wave of hacks has targeted small businesses in recent years. In 2021, the FBI’s Internet Crime Complaint Center received 847,376 complaints about cyberattacks and malicious cyber activity, resulting in losses of nearly $7 billion, most of which targeted small businesses.
Small business owners say social media giants like Meta have done little to help them deal with the problem.
A Meta spokesperson declined to comment specifically on small business owners’ concerns, but noted the company’s efforts to protect businesses affected by malware. The company has security researchers who track down and take action against “threat actors” around the world. This year the company has discovered and combated nearly ten new malware strains. Malware can attack victims via email phishing, browser extensions, ads and mobile apps, as well as various social media platforms. The links look harmless and are aimed at tricking people into clicking or downloading something.
Why Main Street is an easy target
Since marketing and selling through Instagram and other social platforms is an attractive way for small businesses to reach and expand their customer base, it’s no surprise that criminal organizations have followed suit.
According to SCORE, a nonprofit organization partially funded by the U.S. Small Business Administration, nearly half of small business owners cited social media as their preferred digital marketing channel. Compare that to 51% who cite their company website and 33% who prefer online advertising. Additionally, 73% of business owners said they consider social media to be their most successful digital marketing channel, with 66% citing Facebook, 42% naming Alphabet’s YouTube and 41% Instagram.
“Criminals’ business is to steal, so go where you can make money and get away with it. And small business social media accounts are like a gold mine,” said cybersecurity and privacy expert Joseph Steinberg, an AI expert who sees small business social media accounts as “low-hanging fruit.”
Bryan Palma, chief executive of Trellix, a cybersecurity company that worked with the FBI and Europol earlier this year to take down Genesis Market, an “eBay” for cybercriminals, said he has seen a number of cybercriminals targeting platforms such as Instagram, YouTube and Facebook. Some are independent hackers, others are larger organized crime groups targeting social media accounts with more than 50,000 followers.
Common online scams to watch out for
A common scam, Palma said, is for criminals to create a fake Instagram page and inform the user that there is a problem with their post and to “click here and we’ll help you fix it.” The link redirects users to a fake website and asks them to enter their Instagram credentials.
Cai Dixon, owner of Copy-Kids, a company that creates video content for children, had a similar experience. Dixon created an active online Facebook group with 300,000 followers and received performance bonuses of up to $2,000 per month. In March, she received a message purporting to be from Meta asking if she wanted Blue Badge verification. Since she was already in contact with Meta employees via Messenger, she believed the message and revealed her private information.
It turned out to be a phishing program. Almost immediately, Dixon lost control of the account and Facebook group she had maintained for years. The hackers removed Dixon and all other site moderators and began posting animal cruelty videos, heavy machinery videos, and fake content. When she finally spoke to someone on Facebook, “they told me the only thing I could do was tell all my friends to report it hacked and then they could remove it.”
Cai Dixon, owner of Copy-Kids, a company that creates video content for children, created an active online Facebook group with 300,000 followers and received performance bonuses of up to $2,000 per month. But in March, a phishing attack caused Dixon to lose control of the account and Facebook group she had maintained for years.
Source: Cai Dixon
These common hacks leave small businesses with little recourse.
“It is particularly devastating for a small company that has a fairly small security budget compared to General Electric or GM, which have the best tools,” said Greg Hatcher, founder of White Knight Labs.
According to Barracuda, a cloud security company, companies with 100 or fewer employees are exposed to 350% more social engineering attacks than larger companies. More than half of social engineering attacks are phishing attacks, and one in five companies had an account compromised in 2021.
Social media companies are aware of the problem, but fending off attacks on small businesses is time-consuming and expensive. It’s one thing when a large Fortune 500 company that spends millions on advertising or a high-profile individual encounters a hacker. But when it comes to small business owners, there are fewer financial incentives.
“The bottom line is that it’s often better for social media companies to ignore small businesses when they’re struggling,” Steinberg said, adding that small businesses generally get the service for free or nearly free.
Two-factor authentication and cybersecurity tools
Although the threat seems enormous, cybersecurity experts believe the most effective defense is fairly simple. Not enough people are taking advantage of the security features that social platforms already offer, such as two-factor authentication. Business owners can also use business password managers that are designed for multiple users who may need access to the same accounts.
“Small businesses don’t have to be completely abandoned. You can have good cyber hygiene with a good password policy,” Hatcher said, emphasizing length, ideally 30 to 40 characters, over complexity, as well as two-factor authentication.
Knowing what to look for and being careful with links or requests for information can also go a long way. For the unfortunate ones who get hacked and lose access to accounts, the Identity Theft Resource Center is a nonprofit organization that can help victims figure out next steps.
The online world is currently inadequately regulated and monitored.
Cyberattacks carried out through tech giants’ platforms have caught the attention of the federal government’s top cyber agency, the Cybersecurity and Infrastructure Security Agency. In an interview with CNBC’s “Tech Check” in January of this year, CISA Director Jen Easterly said, “Tech companies that have been developing products and software that are fundamentally insecure for decades need to start building products that are secure by design” and that come “with built-in safety features as standard.” But so far the U.S. government has taken a cautious approach to providing support specifically for small businesses. A spokeswoman for the agency told CNBC in January that it does not regulate small business software, but pointed to a blog entry with guidelines aimed at helping companies large enough to have a security program manager and an IT director.
“Many people spend most of their time in the virtual world, but the resources are not that extensive. We still have more resources to protect the roads,” Palma said. Some of the big online scams are being addressed, but there are many “smaller problems” that cost people and small businesses real money but that governments and businesses are unequipped to deal with. “I think over time we need to shift that balance,” he said.