Returning home on the tube after a night at the cinema, fabric dealer Noel Chapman received a text from his friend in Italy.
“Look at your Instagram, there’s something funny going on,” it read.
In between windows of Wi-Fi connection at each stop, he was able to piece together what it meant – that his business Instagram account of 9,000 followers had been hacked.
“At 8.05pm I received a message from Instagram that the account’s email address had changed,” he said. “Three or four subsequent messages said the password had changed and a two-factor authentication had been implemented.”
When Noel contacted Instagram, however, he found regaining access to his account more difficult than he envisaged.
“I immediately went to Instagram’s help centre which went in a loop until 1.30am.
“When I reported it as a hack or imposter, nothing. It’s the time you waste trying to get help. They haven’t even shut the account down – the hackers are still impersonating me and I’m still getting the fallout from it.”
Noel started another Instagram account but with 230 followers the businesses doesn’t have the same reach.
“I had over 9,000 followers. I lost them all. Not all were customers but some of them were. The messages, the contact details… it was an address book for me. Five to six years of business and I’ve never regained access.”
A similar episode happened in February to Cornish Italian restaurant and deli owner Ugo Massabo. He had finished his shift in the kitchen when he clicked a spam link purporting to be Instagram’s application for a verified blue badge.
He then received a message saying he would have to pay a ransom of £350 to regain control over the account.
“I felt violated completely,” he said. “It’s my business, my images, my stories – completely taken away for ransom.
“And above all you feel powerless because nobody helps you.”
“I received a message from Facebook saying sorry but my situation in particular is out of their scope.”
Facebook and Instagram were approached for comment and said they would be investigating these cases further.
I’ve been hacked – what do I do?
The two business owners are not alone, though. A 2021 report from the Cyber Resilience Centre for the West Midlands (WMCRC) found £3.8m was lost due to unsecured social media and email accounts within 12 months.
If your business social media account has been hacked, the best thing to do is go into full lockdown mode. Suspend all accounts and change the login details for them with strong passwords. Not just on your social media account, but everything else which holds private data, too.
It may not have been the social media account that was hacked initially, but via an email address linked to the company. That’s a gateway towards changing login details on other platforms.
The chances are, hackers gained control via a malware attack – a dodgy link which could have been opened by an employee. Check for malware across all company computers.
Notify the social media provider, then enable two-factor authentication.
Once and if you have regained access to the account, it is a good idea to inform your customers and the public about the episode and apologise for the content they would have been exposed to.
You can also report the hack to Action Fraud.
How can I prevent attacks to my social media accounts in future?
The threat to small businesses from hackers is rising, with 39 per cent of businesses reporting cybersecurity breaches over the last 12 months.
#1 – Use two-factor authentication: Limit the number of users with access to social media accounts and switch on two-factor authentication. this will send a SMS message to the phone of the account admin whenever a new IP address is attempting to log in to the platform.
#2 – Use different passwords for each platform: Ensuring strong passwords are used for different websites stops the spread of hacks infiltrating elsewhere in the business. You can use password managers to create unique, secure passwords.
#3 – Be careful with links: the biggest weak link in any business when it comes to security is the employees and human error.
#4 – Review social media security settings: Through settings, you can turn on log in notifications and secure browsing.
Since publication, Noel Chapman’s Instagram account has been restored thanks to Facebook.
Further reading
Three threats to your company Twitter account – and how to avoid them