With so much of daily life happening over social media, it’s not surprising that small businesses are relying more and more on Instagram, Facebook and other platforms to spread the word about their business and sell products.
But there is one big catch: small business owners are at a big disadvantage on these platforms when it comes to cybersecurity.
Take it from Pat Bennett, an entrepreneur who sold granola in the Cleveland area and got about half of her sales through Instagram. The business was already under pressure from the rising cost and availability of sweeteners and oats when her business Instagram page, Pat’s Granola, came under attack.
The attack looked innocuous. Bennett received a message on Instagram from a small business owner she knows personally. Using a link, her acquaintance asked Bennett to vote for her in a contest. It was a legitimate contest, and it wasn’t unusual for Bennett to communicate with people on Instagram Messenger. As it turned out, it was an attack that went to everyone in her contact’s address book. Bennett lost control of her Instagram and Facebook accounts and hasn’t regained access, despite using all the channels Meta recommends.
With help, she was able to track the IP addresses to Europe, but that wasn’t enough to avoid a worst-case scenario. Bennett received a letter saying she could regain control of her accounts if she paid close to $10,000. She declined to pay the ransom and had to start all over again.
Bennett’s experience isn’t isolated. As it turns out, small businesses like Pat’s Granola are frequent targets of hacking rings. CNBC quarterly surveys of small business owners in recent years have indicated that many do not rate the risk of cyberattack highly, yet the FBI says that in recent years a wave of hacks has targeted small business. In 2021, the FBI’s Internet Crime Complaint Center received 847,376 complaints regarding cyberattacks and malicious cyber activity with nearly $7 billion in losses, the majority of which targeted small businesses.
Small business owners say social media giants such as Meta have done little to help them address the problem.
A Meta spokesperson declined to offer specific comment in response to small business owner concerns, but pointed to its efforts to protect businesses targeted by malware. The company has security researchers that track and take action against “threat actors” worldwide and has detected and disrupted nearly 10 new malware strains this year. Malware can target victims through email phishing, browser extensions, ads and mobile apps and various social media platforms. The links look innocuous and rely on tricking people into clicking on or downloading something.
Why Main Street is an easy target
With marketing and selling over Instagram and other social platforms being an attractive way for small businesses to reach and expand their customer base, it’s not surprising that criminal organizations have followed.
According to SCORE, a nonprofit partly funded by the U.S. Small Business Administration, nearly half of small business owners cited social media as their preferred digital marketing channel. Compare that to 51% who cited their company website and 33% who prefer online advertising. Moreover, 73% of business owners said they consider social media to be their most successful digital marketing channel, with 66% citing Facebook, 42% citing Alphabet’s YouTube and 41% Instagram.
“Criminals are in the business of stealing, so you’re going to go where you can make money and get away with it. And social media accounts of small businesses are like a gold mine,” said Joseph Steinberg, a cyber security privacy and AI expert, who sees small business social media accounts as “low hanging fruit.”
Bryan Palma, chief executive officer at Trellix, a cybersecurity company that worked with the FBI and Europol to take down Genesis Market, an “eBay” for cybercrime criminals, earlier this year, said he has been seeing a range of cybercriminals targeting platforms such as Instagram, YouTube and Facebook. Some are independent hackers, while others are larger, organized crime groups that target social media accounts with more than 50,000 followers.
Common online scams to watch out for
One common scam, Palma said, is criminals will create a fake Instagram page notifying the user that there’s a problem with their post, and they should “click here, and we’ll help you fix it.” The link redirects users to a fake site asking them to type in their Instagram credentials.
That’s similar to what happened to Cai Dixon, owner of Copy-Kids, which makes video content for kids. Dixon created an active online Facebook group with 300,000 followers and was getting as much as $2,000 a month in performance bonuses. In March, she got a message purporting to be from Meta, asking if she would like a blue badge verification. Because she was already in contact with Meta employees over Messenger, she believed the message and gave her private information.
Turns out, it was a phishing scheme. Almost immediately, Dixon lost control of the account and the Facebook group she had spent years cultivating. The hackers removed Dixon and all the other page moderators and started posting animal cruelty videos, videos of heavy machinery and fake content. When she finally talked to someone on Facebook, “they said the only thing I could do was to tell all my friends to report it hacked and then they could take it down.”
These common hacks for small businesses offer little recourse.
“It’s especially damning for a small business, which has a pretty minuscule security budget compared to a General Electric or GM, which are running the best tools,” said Greg Hatcher, founder of White Knight Labs.
Companies with 100 or fewer employees experience 350% more social engineering attacks than larger companies, according to Barracuda, a cloud security company. More than half of social engineering attacks are phishing, and one in five organizations had an account compromised in 2021.
Social media companies are aware of the problem, but fending off attacks on small businesses is time-consuming and expensive. It’s one matter when a large Fortune 500 company that spends millions on advertising or a high-profile individual encounters a hacker. But when it comes to small business owners, there’s less financial incentive.
“It is often better for social media companies from a purely bottom line to ignore small businesses when they have problems,” Steinberg said, adding that small businesses are generally getting the service for free or close to free.
Two-factor authentication and cybersecurity tools
Though the threat seems vast, cybersecurity experts said the most effective defense is fairly basic. Not enough people use the security features that social platforms already offer, like two-factor authentication. Entrepreneurs can also use business password managers, designed for multiple users who may need access to the same accounts.
“Small businesses don’t have to be completely hung out to dry. They can have good cyber hygiene, with a good password policy,” said Hatcher, emphasizing length, ideally 30-40 characters, over complexity as well as two-factor authentication.
Knowing what to look for and being wary of any links or requests for information can also go a long way. For the unfortunate who get hacked and lose access to accounts, the Identity Theft Resource Center is a nonprofit that can help victims figure out the next steps.
For now, the online world is still under-regulated and monitored.
Cyberattacks conducted through tech giants have caught the attention of the federal government’s main cyber agency, the Cybersecurity and Infrastructure Security Agency. In an interview with CNBC’s “Tech Check” in January of this year, CISA director Jen Easterly said, “Technology companies who for decades have been creating products and software that are fundamentally insecure need to start creating products that are secure by design and secure by default with safety features baked in,” she said. But the U.S. government has so far taken a cautious approach with support for small business specifically – a spokeswoman for the U.S. Cybersecurity Infrastructure Agency told CNBC in January that it doesn’t regulate small business software, instead pointing to a blog post with guidance aimed at helping businesses large enough to have a security program manager and an IT lead.
“There are a lot of people spending the majority of their time in the virtual world, but the resources are not as extensive. We still have more resources protecting streets,” Palma said. Some of the big online scams get addressed, but there are many “smaller issues” that are costing people and small businesses real money, but governments and companies aren’t equipped to deal with it. “I think over time, we have to shift that balance,” he said.