'They Messed with the Wrong Gal': What to Do When Your Social Media Gets Hacked
This morning I spoke with a friend I met 10 months ago in Chicago at the first Next Global Impactor event. The event was a competition for impact-driven individuals from around the world. I was a team coach and speaker. Hunter won first place for her nonprofit organization Chemo Buddies For Life, a cancer support group that provides support for patients dealing with any variety of cancer. The organization provides support to patients and those who care for them during treatment and beyond.
A resident of the greater L.A. area in California, Hunter is a survivor of cancer. She’s also a survivor of abuse, having escaped 19 years ago from a bitterly unhappy marriage with her four children, now grown. Now re-married, she exudes a feminine energy. But she's also a force to be reckoned with, which the team of hackers who took over nine of her social media accounts this week learned the hard way
“It was like a scene out of ‘WarGames,'” she said as we laughed about the worst moment, as she battled a hacker in real-time to change the password on one of her three Facebook accounts faster than the hacker could keep on changing it back.
But what she’d dealt with in the 24 hours before our visit was no laughing matter. A social media hacking could happen to any of us, and potentially already has — a Harris poll by the University of Phoenix says that two out of three adult respondents with social media accounts report knowledge of their accounts being hacked) In fact, the Harris survey continued, more than 70 percent of hacks at the time of the survey (in 2016) were propagated manually, by social media users unwittingly sharing and forwarding posts that come with malware attached.
Most of us have already been victims. The increasing prevalence of #WFH makes us even more vulnerable as many remote workers who’ve been displaced quickly during the health crisis aren’t being sufficiently protected by home wireless when the protections from workplace firewalls are gone.
Hunter is especially vulnerable. Thanks to her showing in the Next Impactor contest, which was decided in large part by donation and votes, she’s amassed a massive following on her primary social media platforms of Facebook, Instagram and LinkedIn. All three were hacked. Worse still, she maintains not one but three separate accounts on each platform that represent her personally as well as two charitable organizations and initiatives she leads.
That’s nine accounts, all of which the hackers were weaponizing to steal her identity and information to collect money from the many people who trust her.
How did she stop them?
Hunter’s first clue came at “zero dark thirty” on June 24, 2020, when a key member of her team called to alert her to a LinkedIn message they’d received that was clearly not coming from her. She checked it out. Sure enough. Then the messages started pouring in from users on Instagram and then Facebook. It was a full-on assault.
Hunter is an especially appealing target to hackers since she has a large following, and a philanthropic profile, so is regularly inviting followers to contribute to different causes. In other words, a request for money wouldn’t be out of the norm.
But what could she do? There were three accounts on each platform, all being attacked. There were nine logins, and one of her.
What do you do when your social media is hacked?
Adrenaline kicked in quickly. Hunter’s first move was to change the passwords on each affected account, thus setting off the speed test with the hacker repeatedly changing them back. Pausing to breathe, she thought “What can I do right now that a hacker couldn’t?” Two things, it turned out — first, she could quickly request two-step authentications on every account, meaning any password change would need to be confirmed with a passcode the platform could send to her phone via text. Voila. With new passwords in place she could revert back to the single-step and the hacker was stopped. Second, she could do a live post to her followers, as her image and voice was something the hacker couldn’t replicate. Immediately, through a quick video, she alerted followers on all platforms about the hacking attempts, told them not to respond, and asked them to report any fraudulent message.
Stunningly, the hacker was brazen enough to be following her Instagram account from the phony Tamara Hunter account they’d created. The hacker was disguised as Hunter while watching her every step. So she blocked and reported the fake Tamara.
Finally, she reported the attacks on all three platforms. Reporting on Instagram was especially problematic as each time she submitted, she was able to get only partway through the report before the platform would drop her connection, requiring multiple attempts before the submittal would finally “take.” Then she alerted the FTC, with ample evidence in her hands at this point.
Twenty-four hours later, all three platforms have reacted and the fraudulent accounts on all three platforms are gone, with any longer-term remedy in the hands of the FTC. Thankfully, the hackers were thwarted without loss of funds for Hunter or any of her followers.
What would a hacker get by impersonating a charity?
Plenty, it turns out. According to Wired, one of the most typical approaches of hackers on Facebook is to use phishing attacks to learn a charity’s password and quietly install themselves through a phony account as an administrator to the charity’s page. From there they quietly sit until they deem the time is right to begin making posts that announce the charity is now “raising money for animals displaced by wildfires,” for example. They direct donations to an outside link, such as a fraudulent GoFundMe page. In the case the Wired article outlines, the entrepreneur unwittingly made things worse by simply deleting the fraudulent posts as they happened. This only served to embolden the criminal further. She was successful in getting the fraudulent GoFundMe page taken down and the $1,500 collected returned to its donors.
But the hacker continued to attack her charity pages again and again, under new identities. Months later, weary of the harassment, the entrepreneur finally quietly settled by meeting the hacker’s demand that she repay them the initial $1,500 they’d taken through an anonymous PayPal account.
In Hunter’s case, the hacker(s) were apparently seeking the phone numbers of her followers to make a bid that for a fee, they could obtain grants for the followers to help them create and succeed in their own philanthropic organizations. Because she has multiple accounts on each platform and many thousands of followers, all aligned in their philanthropic interests, she became a rich target.
So how did they obtain her information? Yes, it is possible a hacker was able to “sniff” her wireless access. But as research shows, the even higher likelihood is that Hunter or one of her team may have inadvertently clicked on a phishing campaign or shared a story or post infected with malware that allowed the hackers to obtain or guess the information they needed to log in. She was lucky. But given the prevalence of social media hacks, what should every entrepreneur know and do?
Consider the following:
- Carefully control who has admin rights on any of your business or charity pages and monitor frequently for the appearance of former employees or anyone you don’t recognize.
- Change your passwords frequently and use two-factor authentication for any password retrieval or change.
- Use different passwords on your various social media platforms (and perhaps even make them different for each of your multiple pages) to ensure that a hacker’s potential access to one of your pages doesn’t allow them to have access to all.
- If you are hacked, the first thing to do is change your password immediately, check your financial accounts for unauthorized transactions, and alert all of your followers, through video or voice message if possible, about the nature of the hack and what you suggest they do.
- Gather all evidence and report the hacker to the platform (but know that even with urgency, it may take them 24 hours or so to respond).
Finally, you can go to FTC.gov to view additional input on how to avoid being hacked and what to do in the event that it happens. If you determine anything has been stolen, you can report the theft and seek redress through the steps recommended at IdentityTheft.gov.