Photo / Getty Images
Christchurch tech firm Swiftpoint is little known at home but has a nice line of business selling specialist computer mice - that go for up to $360 a pop - to the likes of business travellers, power gamers, radiographers and Hollywood film editors in the US.
It’s used crowdfunding sites as a vehicle for booking advance sales - totalling around 120,000 units - and recently ran a successful Kickstarter campaign for its new Swiftpoint Z2, raising $506,000. A follow-up campaign is under way on Indiegogo.
Swiftpoint chief executive Cory Mitchell told the Herald he was happy Swiftpoint had hit its Kickstarter target, and then some.
But there was one fly in the ointment. The firm couldn’t use Facebook’s promoted posts to publicise its Kickstarter campaign, which ran from February 26 to March 27 (or February 27 to March 28 NZT) because its Facebook business manager account had been hijacked by fraudsters.
The breach occurred on the morning of February 27. It took a few hours for Swiftpoint staff to realise they had been locked out of their own account. By that time the hijackers had bought $1200 worth of ads - which appeared to be pushing various scams - using the Swiftpoint company credit card tied to the Kiwi firm’s account.
Mitchell did not blame Facebook for the hack. (The exact cause has yet to be confirmed but appears to be related to a contractor to Swiftpoint having its system breached).
But, naturally, he wanted Swiftpoint to be given back control of its account as soon as possible.
A Swiftpoint staffer contacted Facebook support via a live chat option, then received further support messages via an email thread.
But while the scam ads were quickly blocked, Swiftpoint just could not regain control of its Facebook business manager account.
Mitchell says each time his firm contacted Facebook, it received an email reply that was a slight variation on “we’re still looking into it”.
The month-long Kickstarter campaign wrapped up without Swiftpoint making any headway.
Yesterday - six weeks after the hijack - Swiftpoint had yet to regain control of its account.
It was only after the Herald contacted Facebook owner Meta on Swiftpoint’s behalf that the tech giant swung into action. Last night, a Sydney-based Meta staffer contacted Mitchell and the process of transferring control of its account back to the Christchurch firm seemed under way.
Asked why it took Meta six weeks to respond, and what response time businesses and individuals could expect in the event of an account hijack, a Facebook Australia-New Zealand spokesperson offered only the general comment that, “We are currently reviewing this issue. Scammers present a challenge in any online environment, and social media platforms are no exception. We’re committed to safeguarding the integrity of our services, and dedicate substantial resources and technology solutions to protect our community from fake accounts and other inauthentic behaviour.”
Facebook has an online help and reporting section for hijacked or fake accounts here. Individuals and small businesses can also report a security breach to Crown agency Cert NZ.
Two other NZ small businesses approached the Herald about slow responses to Facebook account breaches but did not want to go on the record.
Individuals have also been frustrated by slow response to account hijackings or impersonations including, within the stable of Herald publisher NZME, Newstalk ZB host Kate Hawkesby and BusinessDesk podcaster Frances Cook. In both cases they had to watch on as crypto scammers preyed on their followers until publicity ultimately saw Meta gird into action.
Earlier this week, BusinessDesk columnist Peter Griffin wrote about how he tapped on his Facebook account in early March, only to discover he was now “Lily Collins”. He was locked out of his own account, and his profile pic had been changed to that of the Emily in Paris Netflix star (PC World magazine reported the Lily Collins attack, which seemed to hit thousands of Facebook accounts worldwide, was tied to a bogus “ChatGPT” Chrome web browser extension, which snooped on Facebook cookies - or tracking software that stores your logon details).
“I found myself in an endless digital loop of doom trying to deal with the social media platform in an effort to reclaim my account,” Griffin said.
He was directed to a form where he could upload an image of his passport to confirm his identity, but he could not do so because his account had been disabled. (Regardless, he had qualms about sharing his passport online - understandable after thousands of passports and driver licences were spilled in the Latitude breach).
After a fortnight or so of trying to redress the situation as a civilian, Griffin threw in the towel and asked Meta’s PR team for help - “Which worked wonders, but that outcome has been denied to many other Lily Collins hack victims still locked out of Facebook with no one to go to for help,” he said.
Griffin did see hope. He noted that Parliament passed the Digital Identity Services Trust Framework Bill last month, which “counts as one of the few significant policy developments in the digital space during the Ardern-Hipkins tenure”.
Well, hopefully, but there are two elements that give me pause.
One is that once the Trust Framework comes into force on January 1, 2024, key provisions will be voluntary. The second is the concern raised by NZRise founder Don Christie that NZ has a backfoot record in applying our regulations to multinationals.
Across the Tasman, the Government and regulators have generally taken a tougher line on social media.
In March 2022, following a series of scam ads linked to impersonator accounts, the Australian Competition and Consumer Commission (ACCC) took Federal Court proceedings against Facebook owner Meta, alleging it had engaged in false, misleading or deceptive conduct by publishing scam advertisements featuring prominent Australian public figures, including former NSW premier Mike Baird, businessman Dick Smith, TV presenter David Koch and mining magnate Andrew Forrest.
It also alleged that “Meta aided and abetted or was knowingly concerned in false or misleading conduct and representations by the advertisers”.
“The essence of our case is that Meta is responsible for these ads that it publishes on its platform,” then ACCC chairman Rod Sims said.
Sims maintained that Facebook did not utilise such protections in practice, saying that although it promised consumers “it will prevent bad behaviour on its platform, again that is not happening”.
“Meta should have been doing more to detect and then remove false or misleading ads on Facebook, to prevent consumers from falling victim to ruthless scammers,” Sims said. When public figures were involved they faced reputational damage. (The party that hijacked Swiftpoint’s account did not use its name in the scam ads it issued through the Christchurch company’s account).
“It is a key part of Meta’s business to enable advertisers to target users who are most likely to click on the link in an ad to visit the ad’s landing page, using Facebook algorithms. Those visits to landing pages from ads generate substantial revenue for Facebook.”
Earlier this week, an ACCC spokesperson said the case is set for its first Federal Court hearing in June.
The Commerce Commission says it’s keeping a watching brief.
Meta told the Herald it would not comment while the case was before the courts.
In March 2022, at the time of the Hawkesby scam, Meta’s head of public policy, New Zealand and Pacific Islands, Nick McDonnell, said it was against Facebook’s rules to scam people out of money.
“Impersonating others on our platforms is a clear violation of our policies, and we’ve removed this account for breaching our inauthentic behaviour policy. We have a dedicated team that’s tasked with detecting and blocking these kinds of scams,” McDonnell said.
“While no enforcement is perfect, we continue to investigate new technologies and methods of stopping these scams and the people behind them.”
Although there have been cuts to staff at Meta, Twitter and Google, there are still “excellent lines of communications,” NZTech chief executive Graeme Muller told the Herald earlier this week. NZTech is the administrator of the Aotearoa New Zealand Code of Practice for Online Safety and Harms, a self-regulatory code put together by Netsafe.
'I can imagine people being outraged that TVNZ signed a deal with me.'