Could Meta do more to protect us from cyber scams?

NPR.

This is the indicator from Planet Money.

I'm Darian Woods.

And back with me for a second day in a row is friend of the show, Stephen Bissaha, from the Gulf States Newsroom.

Good to be back with you, Darian.

And today, I have a very different story for you about small businesses, like the Little House.

it's this neighborhood bar in new orleans the kind of place where you can sip wine while surrounded by taxidermied alligators and chicken feet we're swamp chic if you will swamp chic i had heard that one before that is the bar's owner hillary hanning i mean you look around we've got taxidermy and all kinds of stuff but it's like encompassed with this very bougie-esque really cool boutique wine selection and fun cocktails and stuff it's struggling to death but we're having fun.

Now, the real reason we're here is the source of some of that struggle.

Hillary's been dealing with a problem that's harmed thousands of small businesses and caused many to shut down.

We're talking about cybercrime.

Hacks at big companies like Sony and Equifax get plenty of attention, but small businesses fall victim to cybercrime way more often than big ones.

So on today's show, we hear about the scam that threatened this New Orleans neighborhood bar and the case for why tech giants should take on more of the responsibility for cybersecurity, not mom and pops.

Let's zoom back to November last year.

Hillary was planning a fundraiser for a winery, North Carolina devastated by Hurricane Helene.

On a busy day before opening the bar, Hillary got a Facebook message.

It looked to be from Facebook's support team and it said there was fraudulent activity on her account.

Yeah, if you don't think this is correct, you can appeal it, whatever.

So of course, in that knee-jerk moment, I hit appeal

and it all

started to fall apart after that.

Hillary started getting these unusual calls from friends.

They were asking about these strange products being sold on her Facebook page.

Golf carts, televisions, a truck that they were trying to fake sell.

Like, and I'm just

in Atlanta traffic.

I swear I almost died like 20 times.

The social accounts for Hillary's bar were stolen and the fraudster was now trying to use them to defraud others.

And again, Hillary is far from the only business owner to get scammed like this.

Verizon recently released an analysis of its data on cyber attacks.

It found there were about four times as many small businesses that fell victim as large ones.

Now, Verizon defines small business as having fewer than a thousand employees.

So it's a pretty big range between that and your neighborhood bar.

Verizon also said one reason there are more small business victims is likely due to the fact that there are just more small businesses in general.

Still, we are talking about thousands of victims, and this comes with serious consequences.

MasterCard did its own survey and found nearly half of the small and medium-sized businesses that they asked also experienced a cyber attack.

And nearly 20% of them either filed for bankruptcy or had to close their doors.

Small businesses are often targeted because they have worse security, which, you know, makes sense.

Owners are often stretched pretty thin.

They often have to be their own janitors, their own accountants.

Michael Daniel is the head of the Cyber Threat Alliance, and he says expecting those owners to also be their own cybersecurity experts is asking a lot.

People who are running them are often quite busy wearing 17 hats, so they are more vulnerable often.

Yeah, it's hard to add an 18th hat to be your own cybersecurity expert.

Absolutely.

Frankly, we shouldn't expect them to.

I asked a few cybersecurity experts like Michael how small businesses can protect themselves.

And honestly, it's probably what you already heard.

Use two-factor authentication.

Be careful with who you share your password with.

Maybe turn on a firewall.

Nothing too fancy or even expensive.

Yeah, cybersecurity advice is like the basic of good diet cliches.

Eat your veggies.

Everything in moderation.

Don't reuse passwords.

But But just like dieting, these things all sound simple, but in the rush of everyday life, they can be hard to follow.

Right.

And this is what Michael means when he says we shouldn't expect small businesses to have to be their own cybersecurity experts.

Instead, Michael says more of that responsibility should be on the tech companies.

We've pushed the cybersecurity burden out to the edge of the network.

And that means small businesses.

It means individuals.

it means your mom, my mom, right?

You know, everybody's grandmother is like responsible for their own cybersecurity.

And that's kind of crazy when you think about it.

Putting that responsibility on tech companies means things like Instagram requiring two-factor authentication, not leaving that choice to an elderly shop owner.

Or like those warnings when you access your account from a different location asking if that's really you.

Yeah, two-factor authentication, I use it, but it is annoying.

Yeah, and I totally get that.

It's probably why these companies aren't actually making that a requirement.

But Michael says companies like Meta can be much more assertive about doing these things to protect their users.

I will say that I know people at Meta that work on their security programs, and they are actually very concerned about the level of fraud.

It's just that...

we haven't sort of structured the market to really demand that these platforms operate in a certain way that is more secure by default.

So when we say the market is not structured for this, a good way to understand this is to compare the tech industry to banking.

A bank is much more likely to be proactive on fraud that targets its customers because the bank is also at risk of losing money too.

Of course, there are also laws in place that require banks to refund you in certain circumstances when you didn't authorize the payment.

On Facebook, these accounts are free.

So its parent company, Meta, doesn't have a lot to lose that would push it to be more aggressive here.

But the rest of us, we still have plenty to lose here.

Like last year, more than $16.5 billion in losses were reported to the FBI's Internet Crime Complaint Center for all internet crimes.

That same year, 41 state attorneys general demanded Meta take action to protect customer accounts.

We reached out to Meta, and in an email, spokesperson Erin Logan said the company works hard to keep scammers off its platforms and invests in new tech and solutions solutions to stop them.

She added that tackling scams requires everyone to do their share, from governments to banks to law enforcement and other tech companies.

Now, when it came to Hillary Hanning's hack, she seemed to catch a break about three weeks into the whole ordeal.

A friend called her and said he managed to get someone from Meta on the phone.

She ended up spending four and a half hours talking and following instructions to download things, all under the hope of getting her accounts back.

He's like, Ms.

Hanning, this is just a way to verify and work around and whatever.

And then

you realize that your mother's bank account has been depleted.

Yes, it was another scammer.

Meta does not have a 1-800 number to call.

Her friend likely found a fake account with a number pretending to be with Meta Customer Service.

And this new scammer got about $10,000.

I mean, the guy even like, I had to go pick up my three-year-old in the midst of all this because, like I said, I was running errands.

Oh, that's okay.

I don't want you driving while you're talking to me, so I'm going to put you on hold, and you just let me know when you come back.

I mean, like,

great customer service.

You know, you have to laugh at some point.

She's keeping her sense of humor in the darkness.

Yeah.

Hillary covered that by borrowing money, which meant more debt on top of what she already had to keep the bar going.

And then you're just humiliated.

And you're disappointed in yourself because

you fell for it and you put people you love very much in a harder situation than they needed to be in.

We asked Michael Daniel about this and he said business owners like Hillary should not blame themselves for falling for a scam.

You know, actually, I started to try to avoid using that.

using that terminology, falling for.

It's natural that you would have those feelings, but I don't think that someone should beat themselves up because the entire deck is stacked against you hillary spent months trying to get her facebook and instagram accounts back after we reached out to meta they said they'd look into her case and within hours hillary's accounts were back

This episode was produced by Julia Ritchie with engineering by Neil Rauch.

It was fact-acted by Cyril Juarez.

Keikin Ketta edits the show and The Indicator is a production of NPR.