A Tauranga business owner fuming after a “hacker” gained access to her Meta advertising account and made more than $9500 in unauthorised transactions is sharing her story to warn others.
The incident is being investigated by Meta, ANZ and the police, while the Banking Ombudsman says financial scams involving socialmedia are on the rise.
Jorgi Lee said she and her father jointly owned Shape Studio in Brookfield and regularly used an advertising account with Meta, which owns Facebook, for the business over the past 18 months without incident.
On April 20, however, Lee’s father went to pay bills online and noticed several large unauthorised transactions to Meta totalling $9578 had come out of the business’ bank account on April 19 and 20.
These included five separate $1250 payments on one day and $781.60 worth of Meta invoice payments pending.
Lee said they discovered a hacker had somehow managed to bypass a two-factor authentication process to access their Meta account and added themselves as a user. The intruder then created a fake advertising campaign with a “ridiculous” large daily spend on it.
Lee said the pending payments were also for the bogus advertising campaign.
“I don’t know how the hacker was able to do this. We took all the precautions recommended to us so in reality, this should not have happened.”
Lee said neither Meta nor their bank, ANZ, notified her about any suspicious activity on their accounts as it was happening and it was fortunate her father checked their account when he did.
She believed if the transactions had been discovered even just days later, the amount taken could have “easily been $40,000 or more” before they could disable the Meta account.
After contacting her bank and Meta about the theft, as of Tuesday $8750 had been restored to their account by their bank and Meta had wiped the $781.60 in pending charges, leaving only $46.83 still missing.
Lee, who had also reported the incident to the police and to Netsafe, said she was speaking out to warn other business owners to be vigilant.
“The vast majority of business owners use social media platforms such as Facebook (Meta) and Instagram to advertise their businesses because of the huge audiences they reach.
“Having our Meta ad account disabled for two weeks as well as all the stress of trying to get this sorted out has had a huge impact on us and our business.
“For small business owners like us, $9578 is a lot of money. I’m worried this could easily happen again, if not to us, to someone else.”
Lee said the person she spoke to at her bank reassured her that ANZ had their backs and told her the investigation could take up to 10 days to complete.
“ANZ has been beyond helpful with our case, and for that, I am so grateful. They have been proactive and very supportive throughout this process.
“We will be investigating ways to ensure something like this doesn’t happen again.”
A Meta spokesperson said it was reviewing the complaint to establish what had happened.
“Scammers present a challenge in any online environment, and social media platforms are no exception.
“We’re committed to safeguarding the integrity of our services, and dedicate substantial resources and technology solutions to protect our community from fake accounts and other inauthentic behaviour.”
In 2021, Meta partnered with Netsafe, NZ Police and Cert NZ to launch an education campaign called Scam Gallery to help people spot scammers and protect themselves from common scams.
Meta also invested “substantial resources” into detecting and preventing fraudulent activity, it said in a statement.
Users were encouraged to report suspected scams or profiles impersonating people to Meta so it could take action.
An ANZ spokesperson said, like other banks, it was seeing an increase in scam activity and it sympathised with Lee’s “stressful” situation.
“The customer did the right thing by contacting us as soon as they noticed unusual activity on their account.
“We are following our dispute process and a credit will be applied to the account while we investigate further. It is a reminder that we all need to be careful with confidential personal and financial information and regularly monitor bank accounts for any unusual activity.”
Its message to all customers was to monitor their accounts, stay vigilant when people reached out of the blue with strange or urgent requests, and contact the bank immediately about any suspicious behaviour or if they thought they were the victim of a scam.
A police spokesperson confirmed that Lee had lodged a complaint on April 27 and said its inquiries were ongoing.
Banking Ombudsman Nicola Sladden it was a “very distressing” situation.
“We have tremendous sympathy for customers who are caught in scams, as the financial and psychological impact can be significant.
“Year on year we see an increase in fraud and scam cases. The complexity of scams, as well as the value of the losses, continue to rise. We have been seeing more and more scam cases involving the use of social media.”
Sladden said banks were required by the Code of Banking Practice to reimburse unauthorised transactions, provided the customer has complied with the bank’s terms and conditions and also had taken reasonable steps to protect their banking.