For Laura Cooper at one of Ashbourne’s favourite gift shops, Handmade Design, one momentary lapse of concentration almost gifted phishing scammers her hard-earned cash. In this ‘Talk of the Town: Cyber Insiders’ feature, she lifts the lid on the scam...
In this still relatively new ‘Talk of the Town: Cyber Insiders’ feature, we speak to small businesses - usually situated on the high street or in town centres - who have fallen victim to cybercrime. Most businesses are aware that cybercrime exists, but they might think that just because they’re a small business, it won’t ever affect them.
This feature lifts the lid on the murky world of cybercrime and tells how it very much does impact small businesses in the form of case studies.
Last autumn, EMCRC Comms Lead Phil Viles spoke to Laura Cooper, owner of Handmade Design in Ashbourne, Derbyshire, about an Insta issue which attempted to hold her to ransom...
“So basically, I was working from home and doing a million different jobs all at the same time and therefore wasn’t paying 100% attention, when I received an email which said that I needed to verify my Instagram account”, begins Laura, owner of Handmade Design, a gift shop in the heart of one of Derbyshire’s tourist hot-spots, Ashbourne.
Laura goes on to explain that one click caused a world of pain. She continues, “I clicked the link and it took me to a page that looked like Instagram. So I entered my login details but when I clicked nothing happened, so I thought ‘gosh, typical me, I have forgotten my password again’.
“So I clicked the forgotten password option but didn't get an email prompting me to do a password reset, which I thought was odd. So I thought ‘I'll try another password’, but that didn't work either. So I checked my phone, went to Instagram and my business Instagram had just disappeared off the app like it never existed!”
What happened next?
“I got a phone call from someone with a very heavy accent so I really struggled to understand what he was saying, but all I heard was the word ‘Instagram’, so I was really polite and friendly because I thought it was someone calling me from Instagram to tell me that there was a problem with my account. Then he said, ‘I'll WhatsApp you’…and then he hung up!”
Did you get a WhatsApp message?
“Yeah I did, and it read: ‘Do you want your Instagram account back?’. At that moment my heart sank! I thought, ‘oh my God, I've been hacked!’. So I sent a text back saying, ‘yeah’, and his next message was simply ‘$600’ followed by ‘okay’ and a question mark. Oh and he said if it was too much we could negotiate!”
What happened next?
“From then on, I was getting constant phone calls. He was emailing me, he’d send WhatsApp messages all hours of the day, every time the same guy, the same context; emailing demanding money to get my account back”.
Did you contact the police?
“Yes I contacted the local police, but they said there was nothing that they could do as there was no transaction at this point. They said the only thing that I could potentially go after him for if it continued was harassment, but they also said he’s unlikely to be in the UK”.
“However, I have some very savvy friends and they tracked him. They said that he is potentially in London. They kind of tracked him through his phone number and all that kind of stuff. Eventually we discovered his name because he'd stupidly left his name on his WhatsApp!”.
So you now have his name and a contact number…what did you do next?
“I basically just kept contacting Instagram but in the meantime I created a new account. I was sending facial recognition to Instagram every day and it took me about two weeks...but I did get the original account back. Meta initially told me they couldn't help. I got a call from Germany and they basically said because he had hacked my Instagram account and not my Facebook as well, it was an Instagram issue, not a Meta issue. I thought that was interesting, and a little confusing, because everyone said ‘you'll never get hold of Meta’ and yet I got a phone call from them within the space of a few hours”.
That’s interesting. But then you managed to contact someone at Instagram, too?
“Yes, there are different ways you can do it. I reported it via an official link and selected an option that said my account had been hacked and confirmed which account. The hacker had actually renamed the account, thinking that I couldn't see it, but it was still linked to my phone number. He linked it to his number as the primary contact, but I was still the secondary contact so I could actually kind of circumvent him and do the facial recognition thing....but it took a good couple of weeks for them to actually act on it and then I just got an email to say they had reviewed my account and they'd given it back.
“But actually, as the new account is up to nearly 10,000 followers, I have kept that one as the business account even though I was successful in getting the original one back”.
So no one actually took any money from you. Is that right?
“No, he didn’t get my money because I thought if I pay, I become vulnerable because then this scammer or hacker knows they've got a target who is willing to pay”.
Laura didn’t pay the person who hacked her account. She was persistent in attempting to retrieve it and in the end - after a battle with Meta and Instagram - she got back what is rightfully hers. But how often are these scams happening? And how often are people paying what is essentially a ransom?
We’d like to thank Laura for her time and for sharing her story. By publishing case studies such as this, we hope that more businesses of a similar size will read them, take note, and understand that you don’t have to be one of the big players to be on the wrong end of cybercrime.
In fact, more than 40% of small businesses fell victim to a cyberattack in 2023, and a lot of those businesses don't have a big IT team or a financial cushion to deal with an attack, and these attacks are on the rise.
We offer advice and guidance via information packs and a community membership for small businesses which is free to download via our website. It’s hoped that with the information we can provide, businesses can better protect themselves against the prevalent risks and threats. Don’t ever think you’re too small: size doesn’t matter to criminals.
For more information on Handmade Design, visit their website or their now free-from-hackers Instagram account.
Reporting
Report all Fraud and Cybercrime to Action Fraud by calling 0300 123 2040 or online. Forward suspicious emails to report@phishing.gov.uk. Report SMS scams by forwarding the original message to 7726 (spells SPAM on the keypad).