Aami Mills has a love-hate relationship with social media.
The Queanbeyan-based young mum launched her reusable cloth nappy business in late 2020.
In doing so, she leveraged Meta-owned Facebook and Instagram, as well as TikTok, to build her brand and boost sales.
“Everything we did for the first little while was 100 per cent organic,” Ms Mills said.
“It was me in front of the camera; it was me providing value content education to our customers.
“Without those channels, we wouldn’t have a business.”
Her business, Mimi & Co, generated $125,000 in revenue ($50,000 net) in its first year, $305,000 in its second, and was forecast to reach $500,000 in 2023.
But the small business almost folded late last year, when hackers hijacked Ms Mills’s personal and business profiles on Facebook and Instagram and posted $10,000 worth of violent advertisements to her customers.
Ms Mills said she discovered the hack at about 4am on September 25, the same day Mimi & Co’s successful pitch to investors was due to feature in an episode of Network Ten’s television show, Shark Tank.
Her experience on the episode had helped her gain investors, and she was looking forward to it finally airing.
“You get a notification from Facebook, they’re like, ‘Hey, something’s going on in your account, we see some vulnerabilities’,” she said.
“And then you go to log in to that account and that’s when you realise you don’t have access anymore.
“I called our investors and I was like, ‘It’s over, we’re done for’.”
Ms Mills said cybercriminals found and exploited a vulnerability in how she secured her account.
“I didn’t have two-factor authentication on my personal profile account, only my business one,” she said.
A widely used extra security layer, two-factor authentication or 2FA, requires two actions from a user to verify their identity.
Text messages and apps are common forms of 2FA, while Facebook asks for a “special login code” or for confirmation of the login attempt on a different device.
Government service portal myGov has mandated 2FA, as has the Australian Taxation Office (for some of its digital service providers) and Australian loyalty programs.
But the Australian Cyber Security Centre has warned 2FA only “improves the security of your accounts” and “motivated criminals may persist and succeed in compromising them”.
In Ms Mills’s case, unauthorised access to her personal Facebook profile facilitated access to her business one and, after hijacking both, malicious actors used stored credit card details to post violent advertisements — or “malvertising” — to Mimi & Co’s customers.
“They had access to the money that was attached to those accounts and increased the ad spend,” Ms Mills said.
The business lost $10,000 in four hours.
“Not only do you feel vulnerable because someone has access to your profiles, but you have no idea how to get that access back,” she said.
“It’s not like you can go to the police and say, ‘Hey, someone’s in my Facebook account, can you get it back for me?’
“They were stealing money from my account, and I don’t know where to go, I don’t know who to turn to … there’s no Facebook police.”
Ms Mills drained her linked accounts so additional transactions “bounced”.
“That abruptly stopped the ad spend but it didn’t allow me access back into my accounts,” she said.
“In order to be able to recover [them], I needed resources [like] the Facebook avenues.
“But I knew from … the experience of other entrepreneurs that that can sometimes take months, between letting Facebook know that there’s a problem and gaining access back.”
With the episode of Shark Tank fast approaching, Ms Mills asked her “sharks” — otherwise known as her Shark Tank investors — for help.
The fraudulent ads were taken down before the episode aired, but not without some collateral.
“We lost our Facebook page entirely; I still don’t have it back,” Ms Mills said.
“We had to create an entirely new one.
“That was obviously huge for us because we had thousands and thousands of followers but it was something that we had to do.
“It’s kind of a consequence of me not having the right [cybersecurity measures] in place in the first place.”
Some small business owners with near-identical hacking complaints have said they also endured lengthy waits for a response from Meta, while others have said they have struggled to shut down multiple clone accounts posing as the real deal.
There’s no standalone independent advocate for that sort of dispute in Australia, so users seek help from the office of Small Business Ombudsman Bruce Billson, as well as his telecommunications industry counterpart and state and territory commissioners.
“Digital platforms have fundamentally changed the way small businesses connect and sell to their customers [but] when there is a problem, such as having your account shut down after being hacked, solving it can be a nightmare,” Mr Billson said.
His office has handled 144 cases about digital platforms over the past six months, more than double the number in July 2022.
Most involve accounts being “compromised and closed” and some relate to fraudulent spending from the hacked accounts.
According to research from the Council of Small Business Organisations of Australia (COSBOA), a cyber-attack is reported every six minutes in Australia and the average cost to a small business is $46,000.
“In too many cases, when there is a problem, the digital platform providers require a time and resource-poor small business to navigate the most elaborate maze of dead ends and blockages,” Mr Billson said.
He said his office “has been active in directly seeking resolutions for small and family businesses but some of the delays … have lasted many months”.
Ms Mills accepts she’s responsible for the 2FA vulnerability but “social media has its own part in all of this”.
“We are calling for digital platform providers to implement clear, appropriate and standardised procedures for small business dispute resolution with clear escalation points and a real person to talk to,” Mr Billson said.
The federal government has been aware of the growing problem for years.
In 2017, the Australian Competition and Consumer Commission (ACCC) was directed to inquire into the impact of digital search engines and social media platforms; and its final report, issued in 2019, recommended a new ombudsman scheme for dispute resolution.
The University of Technology Sydney’s Centre for Media Transition (CMT) researched options in 2022 and concluded an expansion of the Telecommunications Industry Ombudsman’s (TIO) remit, or a new “clearing house” for social media complaints, were the most viable.
Three months ago, the government was drafting a new mandatory code for social media companies, including scam protection obligations.
Communications Minister Michelle Rowland said the federal government was committed to ensuring consumers and small businesses had access to pathways to voice their concerns and resolve issues they may experience on digital platforms.
“In many cases, digital platforms do not have adequate processes in place for consumers to raise issues and concerns — which is simply not good enough,” she said in a statement.
“The government is working to strengthen dispute resolution requirements and has called on industry to develop voluntary internal dispute resolution standards this year.”
Ms Rowland said the government was actively monitoring industry-led efforts to develop voluntary internal dispute resolution codes and would consider further steps if necessary.
Since the hack, Ms Mills said cybersecurity was “always ticking over” in her mind.
She said she was always wondering “how secure is this and how can I make it more secure for our business?”
“I was a bit naive prior … I always had this thought that ‘I’m way too small to be valuable for anyone to hack’,” she said.
She said a “micro-credential” from Cyber Wardens, a free cyber safety e-learning course, had helped.
Developed by COSBOA with Commonwealth Bank, and backed by the Australian government, Cyber Wardens teaches sole traders and small business owners practical strategies to protect themselves against hackers and cyber threats.
According to COSBOA research, about half of Australian small businesses (45 per cent) believe cyber security is little to no risk, and 4 in 10 are not prepared for a cyber-attack, or able to recover from one.
“It’s designed for the small business owner, who’s juggling a range of issues on their plate at any given time,” COSBOA chief executive Luke Achterstraat said.
More than 1,500 small businesses have participated since the program launched last November, learning about or upskilling in potentially risky cyber behaviour and bad habits.
Ms Mills said with rapid developments and changes in technology and cybersecurity, “sometimes it feels difficult to keep up”.
“I think that that’s where the responsibility of social media platforms comes in because they’re the ones that are changing it,” she said.
“They need to be able to provide resources to keep us safe … but at this time, the onus is really on the business owner.”
At the time of writing, Meta had not responded to the ABC’s request for comment.