Hackers attacking small business social media
August 18, 2022
In my professional experience, cyber attacks are not predominantly made on large organisations or businesses. Those attacks get the most press because they commonly involve a large number of people whose personal information was accessed. Attacks on small businesses are frequent and often crippling. This is highlighted in a recent Age report, “Hackers target small businesses’ social media accounts”. Small businesses tend to have a smaller IT spend, a lack of knowledge about cyber security practices and less diligence in maintaining proper cyber security, for example by patching regularly. Phishing attacks on small businesses are particularly prevalent.
The article provides:
Fitzroy boutique owner Lyndsey Spark was watching her son play basketball when she felt her phone vibrate in her pocket. On the screen was a WhatsApp message from an unknown toll-free number asking her a single question.
“Hello, would you like to access your Instagram account again?”
The message was an attempt from hackers to extort Spark in exchange for handing the account back.
Earlier that day, the boutique owner had received an email purported to be from Instagram asking her to verify her page and had unknowingly given her personal information to the hackers, who had locked her out of the account.
Spark contacted Instagram and reported the hack but did not hear back from the platform. Defeated, she abandoned her attempts to get the account back and created a new profile.
“The most frustrating thing is you put so much effort into setting up the account — you give them money and time and then when something goes wrong you get nothing in return and you have to start again,” she said.
Nigel Phair, enterprise director at the Institute for Cyber at the University of NSW, said social media giants were falling short in supporting users.
He said platforms such as Facebook, Instagram and Twitter should be compelled to provide help through a staffed helpline if they wanted to operate in Australia. Meta does not have a support phone number, and users in strife often have no option but to contact the company through a bot.
“If you look at the platforms they don’t put anywhere near enough effort into supporting their users because it’s just a cost to them and they like making profits,” he said. “We’re failing at every level when it comes to micro and small businesses, who rely on these channels.”
Phair said it was relatively easy for platforms to reclaim hacked accounts, but they were unwilling to resource the teams required to do it.
The phishing emails are often sent during the early evening and on weekends when the recipients are likely to be less vigilant.
For Michelle and Craig Tindale, the operators of True North Candle Collective, based in Noosa on Queensland’s Sunshine Coast, the message came as they were preparing to go out for dinner.
Like Spark, Tindale had clicked on a link in an email pretending to be from Instagram that claimed her business page had violated copyright laws.
A spokeswoman for Meta said users could verify emails by accessing a support inbox, which contained all of Meta’s official correspondence about their account.
“Online phishing techniques are not unique to Meta, and we will never request your password via email or direct messages,” she said.
Cybersecurity expert Guy Yunghanns said users failing to secure their online accounts were collectively “fuelling this global criminal industry”.
Australians lost almost $300 million in scams since the beginning of the year, with phishing through messages and phone calls being the most widely reported scam nationwide, according to data from the Australian Competition and Consumer Commission.
In a bid to address rising rates of online crime, AFP last year established Cyber Command, a specialised unit that investigates matters such as compromised business emails and ransomware attacks.
AFP Assistant Commissioner Justine Gough said the unit had prevented millions of dollars from falling into the hands of criminal syndicates but added that ransomware attacks were probably underreported.
Gough said that in the same way that people needed to lock their doors and windows, they also needed to take steps to protect information online.
“The reason phishing scams are so prolific is that that’s a way to open a door to obtain personal banking details and steal money,” she said. “We really do need to ensure that we’ve got the hygiene or the discipline in the use of our devices and technology.”
This includes backing up files, using sophisticated passwords, and enabling multifactor authentication – an electronic verification method that needs two or more pieces of evidence of users’ ties to the account – on devices.
Other ways to avoid becoming the victim of a phishing scam include logging onto social media platforms using the app or typing the URL into a browser.