Durban - Entrepreneurs who conduct most of their business transactions through Instagram have been warned to implement all available security measures or risk falling prey to hackers.
Several business owners have been left reeling after hackers took control of their accounts, leading to massive losses in revenue and customers.
Instagram allows users to share photographs and videos and many businesses use it to post pictures of their products.
The Independent on Saturday spoke to a number of small business owners who fell victim to phishing attacks through fraudulent messages seeking their passwords and login details. These business persons lost thousands of rands when their Instagram accounts were hacked and they were not able speak to their clients or followers, sometimes for several months.
Alarmingly, the accounts contained all their personal information like credit card details, telephone numbers and home addresses, which the site often requires as verification from business people.
Just over a year ago marketing manager Casey Davies and her husband started decor business Stone Sloth, which manufactures premium concrete candles.
Davies said at the time she wasn’t too familiar with social media and it took about a year to build up a good following on Instagram.
“I was very proud that we finally got to about 1 800 followers. And because we sell a product, I do reach out to people and people do reach out to me,” said Davies.
She said it wasn’t unusual for prospective customers to ask her for more personal details, like her cellphone number, if they wanted to discuss products.
On October 31 she received a message from a potential client. Davies said the person asked for her cellphone number and promised to be in touch.
At the time she thought the manner in which the message was phrased seemed weird but she shared her number anyway.
Almost immediately she received notifications via the Instagram direct messaging service saying, “there has been suspicious activity on your account”.
Another message followed: “This is Instagram, put in this code so that we can stop the suspicious activity.”
She said the prompt to put in the code was a fake, but it looked very “professional” and was sent to her cellphone number.
She tried to log into her account and a message said she no longer had access to it.
Davies soon received messages from followers telling her that the hackers had posted photographs of her on the account with messages saying she had made lots of money by trading in Bitcoin.
The one saving grace was that although the hackers could access her credit card details, the card had expired and was no longer valid.
She said they manufactured the candles at her home in Assegaai and worked with several big retailers and influencers.
Davies was worried that by hacking into the Stone Sloth account, the people and companies she worked with would also fall prey to the hackers who never made any demands for money or contacted her personally again.
She has still not been able to regain control of her account, despite sending countless messages to Instagram and parent company Facebook for help.
“Other people got messages saying pay us and get your account back. We were never been contacted by the hackers and they didn’t make any demands. But we also never got our Instagram account back,” she said.
Finally, someone at Facebook told them to “cut your losses” and move on.
Davies said they had lined up a few contracts through Instagram which they no longer had access to and this would have an impact on their future sales.
She said she would go back to using email advertising because it was more secure.
“There was no help from Instagram and no response to any of our emails. It is so easy for them to hack your account and so hard for you to get your account back,” said Davies.
She stressed the importance of using the two-step verification available on Instagram to protect your account.
“Unfortunately Instagram hacking is on the rise and I have heard of quite a few instances where people paid to get their accounts back,” said Davies.
Greyville coffee shop owner Amy Gardiner said she was taken by surprise when she received an email from Instagram one Sunday morning, asking her to enter her name, email and username.
It was a busy morning and despite thinking it was an odd request, Gardiner, who owns Humble Coffee, said within seconds of inserting her details, she no longer had access to her account.
“I couldn’t see my account. The hacker had removed it from the platform. It was almost in sleep mode,” she said.
And then the demands started rolling in.
The hacker wanted a $1 000 and contacted her via Instagram direct message at least three times a day, demanding to know when the money would be sent and asking if she didn't want her account back.
They posted messages in Turkish on her page and her investigations proved that the origin of the messages was Turkey.
“You feel so violated because the person has all your personal information,” said Gardiner.
She ended up negotiating with the hacker and brought the amount he wanted down to $500. She also tried to get help from Instagram and Facebook but to no avail.
Gardiner said it had taken her five years to build up a following of 10 000 people and she used her account to promote her shop’s specials.
Gardiner said while she had a business which people frequented, the instagram account had a major influence on sales because it was the only way she could keep in touch with clients.
Her account was “missing” for almost three months and she felt a definite impact on sales.
“If it happens to you, persistence pays off because it took me two-and-a-half months to get through to Instagram,” she said.
Her account was restored, without paying the hacker, and she now uses the two-step verification on Instagram.
“These guys are seasoned professionals. This is a career for these people,” she said.
Lauren (who asked that her surname be withheld) runs an online vintage, antiques and collectables store called WTF Vintage Furniture from Durban North, said it took a “friend of a friend of a friend” who knew someone who worked for Meta, which owns Instagram, Facebook and WhatsApp, to help her regain control of her hacked Instagram account.
She said in July when her account was hacked she had almost 8 000 followers and the hacker tried to blackmail her into buying it back.
“What they do is hack other accounts through your account,” she said.
When Lauren was hacked she thought she was talking to a yoga teacher in Kloof but said the hacker was obviously using that person’s account to get to her. She said about a week before this happened she had received an advert from the yoga account and so she was slightly familiar with it.
Lauren said the “yoga teacher” claimed that their Instagram account had to be verified and wanted Lauren to help by taking a screenshot of a link sent to her via Instagram direct message and sending it back to the yoga account.
“I remember thinking this is very odd, how come this person has no other friend to ask, and I thought oh shame, it’s going to take three seconds of my life, let me just quickly help them out.”
Seconds after she sent the screenshot, her Instagram account went missing.
“This person got quite clever because I had posted something seconds before he stole my account and so he started direct messaging my clients,” she said.
Then the hacker took random furniture pictures, posted them on her account as if it was for sale and provided alternative bank details on the site.
“I don’t think there is any specific target unless you have a lot of followers and they know it’s important to you,” said Lauren
She said it was terrifying because her business relied on Instagram. She reported the matter to the police but they had no clue what to do or even how Instagram worked.
“As I left the police station the hacker called me and said for R6 000 I will give you back your account, but don’t do anything stupid.”
She said the hacker, who sounded “foreign”, was persistent and kept messaging her for the money. She tried to hire private investigators she found online, to help retrieve her account but some of these people turned out to be part of a scam.
She never paid and, after numerous attempts, someone who worked for Meta finally helped her get the account back.
IT expert Dr Colin Thakur from the Durban University of Technology, said typically the attacks on Instagram accounts could be traced back to Turkey and Russia because of the telephone numbers used by hackers.
He cautioned against sharing any details with strangers or assisting anyone who had a “problem” with their account.
He said the lesson with Instagram was that the two-factor authentication was essential to protect your account because it made it almost impossible to hack your account. In addition any OTP received should never be shared with anyone.
Thakur said the latest challenge for Instagram users was that in the past few weeks people had been “scouring” accounts in search of picture copyright infringements.
He said generally people tended to share pictures without knowing who it belonged to, and in many cases photographers and media houses were not acknowledged or paid for a picture that went viral.
However, the people who demanded money for copyright infringement could be hackers and so it was important not to click on any links received or to pay up because it could be a scam, he warned.
The Independent on Saturday