With so much of everyday life happening over social media, it’s no surprise that small businesses are increasingly relying on Instagram, Facebook and other platforms to spread the word about their business and sell their products.
But there’s one big catch: small business owners are at a huge disadvantage on these platforms when it comes to cybersecurity.
Take it from Cleveland-area granola entrepreneur Pat Bennett, who gets about half of her sales through Instagram. When his business Instagram page, Pat’s Granola, was attacked, the business was already under pressure due to increased price and availability of sweeteners and oats.
The attack seemed harmless. Bennett received a message on Instagram from a small business owner he knew personally. An acquaintance of his used the link to ask Bennett to vote for him in the contest. It was a legitimate contest, and it wasn’t unusual for Bennett to interact with people on Instagram Messenger. Turns out it was an attack on everyone in his contact’s address book. Bennett lost control of his Instagram and Facebook accounts and has not regained access, despite using all of Meta’s recommended channels.
With its help, he was able to trace IP addresses to Europe, but that wasn’t enough to avoid the worst-case scenario. Bennett received a letter saying he could regain control of his accounts if he paid nearly $10,000. He refused to pay the ransom and had to start all over again.
Pat Bennett, a Cleveland granola entrepreneur, says about half of his sales come through Instagram, but he was the victim of an Instagram Messenger hack that lost control of Bennett’s Instagram and Facebook accounts and he couldn’t get them back. Access despite using all the channels recommended by Meta.
Source: Pat Bennett
Bennett’s experience is not isolated. Apparently, small businesses like Pat’s Granola are often targeted by hacking rings. CNBC’s quarterly surveys of small business owners in recent years have shown that many underestimate the risk of cyberattacks, but the FBI says a wave of hacking has targeted small businesses in recent years. In 2021, the FBI’s Cyber Crime Complaint Center received 847,376 complaints of cyberattacks and malicious cyber activity totaling approximately $7 billion in losses, most of which targeted small businesses.
Social media giants like small business owners say Meta they have done little to help solve the problem.
A Meta spokesperson declined to comment specifically on the small business owner’s concerns, but pointed to efforts to protect businesses targeted by malware. The company has security researchers tracking and taking action against “threat actors” around the world, and has detected and stopped nearly 10 new malware strains this year. Malware can target victims through email phishing, browser extensions, ads and mobile apps, and various social media platforms. Links look harmless and are based on tricking people into clicking or downloading something.
Why Main Street is an easy target
Since marketing and selling through Instagram and other social platforms is an attractive way for small businesses to reach and expand their customer base, it’s no surprise that criminal organizations are following suit.
According to SCORE, a nonprofit organization funded in part by the US Small Business Administration, nearly half of small business owners cited social media as their preferred digital marketing channel. Compare that to 51% who refer to a company’s website and 33% who prefer online ads. Additionally, 73% of business owners consider social media to be the most successful digital marketing channel, 66% to Facebook, and 42% to of the alphabet YouTube and 41% Instagram.
“Criminals are in the business of stealing, so you’re going to go where you can make money and get away with it. Small business social media accounts are like a gold mine,” said Joseph Steinberg, a cybersecurity privacy and privacy expert. An AI expert who sees small business social media accounts as “low-hanging fruit.”
Bryan Palma, CEO of cybersecurity firm Trellix, which worked with the FBI and Europol earlier this year to take down Genesis Market, an “eBay” for cybercriminals, said he has seen a number of cybercriminals targeting platforms such as Instagram, YouTube and Facebook. Some are independent hackers, while others are larger, organized crime groups that target social media accounts with more than 50,000 followers.
Common online scams to watch out for
According to Palma, a common scam involves criminals creating a fake Instagram page where they tell the user there’s a problem with their post, and they say, “click here and we’ll help you fix it.” The link redirects users to a fake site and asks them to enter their Instagram credentials.
This is similar to what happened to Cai Dixon, owner of Copy-Kids, a video content company for children. Dixon created an active online Facebook group with 300,000 followers and earned performance bonuses of up to $2,000 a month. In March, he received a message purporting to be from Meta asking if he wanted the blue badge verified. He believed the message and gave his personal information because he had already communicated with Meta employees on Messenger.
It turned out to be a phishing scheme. Almost immediately, Dixon lost control of the account and the Facebook group he had cultivated for years. Hackers removed Dixon and all other page moderators and started posting animal cruelty videos, heavy equipment videos and fake content. When she finally spoke to someone on Facebook, they said the only thing I could do was tell all my friends to let them know it was hacked and then they could delete it.
Cai Dixon, owner of Copy-Kids, a children’s video content company, created an active online Facebook group with 300,000 followers and earned performance bonuses of up to $2,000 per month. But in March, a phishing scheme caused Dixon to lose control of the account and the Facebook group he had cultivated for years.
Source: Cai Dixon
These common hacks for small businesses offer little appeal.
“This is particularly bad for small businesses that have extremely small security budgets compared to General Electric or GM, which run the best tools,” said Greg Hatcher, founder of White Knight Labs.
According to cloud security company Barracuda, companies with 100 or fewer employees experience 350% more social engineering attacks than larger companies. More than half of social engineering attacks are phishing, and one in five organizations will have their account compromised in 2021.
Social media companies are aware of the problem, but preventing attacks against small businesses is time-consuming and expensive. It’s one thing for a large Fortune 500 company or high-profile individual who spends millions on advertising to be hacked. But when it comes to small business owners, there are fewer financial incentives.
“It’s often better for social media companies to ignore small businesses when they have a problem,” Steinberg said, adding that small businesses generally get the service for free or for free.
Two-factor authentication and cybersecurity tools
While the threat may seem overwhelming, cybersecurity experts say the most effective defenses are fairly simple. Not enough people are using the security features that social platforms already offer, such as two-factor authentication. Business owners can also use business password managers designed for multiple users who need access to the same account.
“Small businesses don’t have to be completely hung out to dry. They can have good cyber hygiene with a good password policy,” Hatcher said, emphasizing length, ideally 30-40 characters, complexity and two-factor authentication. .
Knowing what to look for and being wary of any links or requests for information can also go a long way. For those unfortunate enough to have been hacked and lose access to their accounts, the Identity Theft Resource Center is a non-profit organization that can help victims figure out what to do next.
For now, the online world is still insufficiently regulated and monitored.
Cyberattacks carried out by tech giants have caught the attention of the Cybersecurity and Infrastructure Security Agency, the federal government’s main cyber agency. In an interview with CNBC’s Tech Check in January of this year, CISA director Jen Easterly said: “Technology companies that have built fundamentally insecure products and software for decades must start building products that are secure and reliable by design. Security features are baked-in standard,” he said. But the U.S. government has so far taken a cautious approach in supporting small businesses in particular — a spokesperson for the U.S. Cybersecurity Infrastructure Agency told CNBC in January that it does not regulate small business software, instead pointing to a blog post with guidance. helping businesses large enough to have a security program manager and head of IT.
“There are many people who spend most of their time in the virtual world, but the resources are not so extensive. We still have more resources to protect the streets,” said Palma. Some of the big online frauds are being solved, but there are many “smaller problems” that are costing people and small businesses real money, but governments and companies are not equipped to deal with them. “I think over time we have to change that balance,” he said.