An Australian business has raged at a social media juggernaut it says left it high and dry when faceless criminals threatened to sell its hacked accounts.
Contemporary fashion brand Suboo was launched in Sydney in 2012 and has cultivated a following of more than 130,000 people on Instagram, plus more on Facebook.
Beyond the odd pop-up store, Suboo operates almost exclusively online where it pumps huge money — about $120,000 per annum — into digital advertising to direct shoppers back to its website.
But the small business was left reeling on August 21 when its Instagram account was compromised and staff were locked out, leaving them helpless as cybercriminals took control of the page Suboo had built up over the last 11 years.
Shortly after the takeover, Suboo staff were inundated with WhatsApp messages and late-night phone calls from hackers threatening to ransom the business page unless they paid up.
Company founder and director Sue Di Chio never responded, but the chilling messages continued.
“Your account is very valuable and you have customers, they are constantly texting,” read one.
“Hello, we are going to sell your account to another customer. We are asking for the last time. Do you want to buy your account?” the hackers asked her in another.
When Di Chio did not reply to the extortion attempts, she was told the page she had worked so hard to grow was now gone.
“We sold your account to another customer. You can get it back within 24 hours, otherwise your account will be completely taken away from us,” read the text.
[Image: Suboo was sent threatening messages after its Instagram account was hacked. Credit: Supplied]
Her Instagram account was eventually recovered on September 6 but the nightmare wasn’t over.
“They also hacked our Ads Manager account in Facebook, changed our ads and upped the daily spend from $30 a day to $10,000 a day,” Di Chio said.
Ads Manager, which is also tied to Meta, allows brands to buy and create Facebook ads.
Her account on that platform has since been disabled but Di Chio said the kicker in it all was that she had received a warning from Meta that her business had violated terms of service over “suspicious activity” — that being the hackers she was fighting to boot from her profile.
Suboo, which employs a small team of 10, has no idea who targeted the company and says the ordeal has left the business “unable to function” and “losing money daily”.
Di Chio estimates revenue has fallen 50 per cent in the last few weeks and is desperate to see the issue rectified ahead of the busy summer season.
“We’re a summer brand and it’s warming up. Right now we can’t capitalise on our busiest season,” she said, adding she felt “completely helpless”.
Di Chio said that as a client who spends big with Meta she was particularly angry with the way the technology conglomerate had offered her nothing more than “automated generic responses” to her pleas for help.
“We spend over $120K a year with Meta on ads that run across Facebook and Instagram. What help have we received from Meta? Very little,” she said.
“We rely heavily on the community we have built on Instagram and Facebook since 2012. We also rely heavily on the ads we run to drive traffic and sales to our website which is supported by a team of in-house staff and external consultants and influencers.
“Businesses need to be made aware that the cost to build and run a digital business using Meta, Instagram and Facebook platforms comes at a huge risk.”
Meta did not reply to questions before publication but it is understood it has allocated resources to address the situation.
Cyber support service IDCare told 7NEWS.com.au it has fielded an increasing number of calls from small businesses in the same boat as Suboo, with more than 920 reports of compromised social media accounts made in 2023 alone.
“More than half of these instances occurred in the last three months, with more than a quarter of these instances occurring in the last four weeks,” a spokesperson for the not-for-profit said.
The spokesperson said business social media accounts were appealing targets for several reasons.
“It enables (criminals) to pose as the account owner or small business in order to propagate scams targeting access to identity credentials and/or money from unknowing customers and consumers,” they said.
‘Don’t comply with demands’
“It can also be used in an attempt to gain more information and access to associated business email accounts. This can result in business email compromise and false invoicing.
“Unfortunately we have also seen cases of extortion. We rarely see the accounts being handed back after payment demands are met. In most cases paying the criminals results in further demands for payment.
“We recommend not paying any extortion demands.”
Di Chio said she feels “completely helpless”, with her business’s troubles compounded by COVID and a cost-of-living crisis prompting shoppers to tighten their belts.
The business director is currently seeking assistance from federal authorities in relation to privacy breaches and avenues for potential monetary compensation.
What to do if your Meta accounts are hacked:
- If your account is hacked, let your contacts know and report the issue to Meta.
- Advise your banks if you notice suspicious transactions or suspect false invoicing.
- Advise your business clients of the process you will follow to communicate any changes to invoice payment processes. Advise your clients to ring and verify any requests for changes to invoice payments – especially requests to pay to a different account.
How to protect yourself from scammers:
- Establish two-factor authentication on all accounts where available. Don’t stop at social media accounts: turn it on for email, bank accounts and government services accounts. Consider using a one-time passcode via an authenticator app.
- Use a unique password for your social media accounts that is long and strong – ideally generated and managed regularly via a password manager.
- Regularly update your password and check that the security settings and contact details are as they should be. Check carefully. Criminals can replace your email contact address with one that looks very similar, varying only one letter or character that a quick check might miss.
- Be wary of communications received from the social media platform. Providing ID is a verification step used by Meta and this can be impersonated by criminals in an attempt to get your ID.