Trusting third parties with our information

We’ve noticed a disturbing trend here at our startup in the past 12 months or so. We’ve been growing and adding new team members, and almost without fail, our new starters are getting hit with a scam email within a few days of starting at our company. Here is one such example:

As you can see, the email appears to come from me and asks our team member to do a certain task. However, upon closer inspection, the email address the request came from is not mine, and the email is obviously trying to phish for more information to set up some sort of deeper scam.

Luckily, our team members are a really bright bunch, and so far no one has fallen for this scam, but as we grow this will become a bigger problem, so we have included a briefing about it in our onboarding flow for all new hires.

My view is that one of our third-party providers is leaking or selling our email information to some nefarious party. The reasons for saying this are the following facts:

  • As a fully remote company, we use a lot of third-party services to manage our support, documentation, project management etc. All new hires have to sign up for about 5 or 6 different services using their newly assigned work email address

  • The main people being targeted are brand new employees with a brand new email address, and they are usually hit with these requests within 48 hours of starting with us

  • The only employee who wasn’t the subject of these spam emails was a contractor who used her own existing email and didn’t sign up for our other third-party services at all

So someone, somewhere, is getting hold of new emails in our organisation, and targeting these team members knowing that they are fresh starters, and probably not familiar with the way we work here yet, and thus are more susceptible to falling for this trick.

We will shortly be setting up a ‘honeypot’ email and slowly logging on to third party services one by one over the course of several weeks to see if we can narrow down just who is leaking or selling our data to the wider internet.
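The honeypot plan above is easy to automate. The following Python is an added example, not the author's tooling: it hands each third-party service its own unguessable address and, when a phishing message arrives, attributes it back to the one service that was given that address. The service names, the mailbox, the signing secret and the sample message are all constructed, and it assumes the mail domain delivers plus-addressed mail (user+tag@domain) to the base mailbox.

```python
"""Canary addresses for tracing which third-party service leaked a mailbox.
Added example with constructed data; not the author's code."""
import hashlib
import hmac
import re

# Constructed: the services a new hire is enrolled in, one per week.
SERVICES = ["helpdesk-saas", "wiki-saas", "project-tracker", "payroll", "chat"]

BASE_USER = "newhire"          # assumed base mailbox
DOMAIN = "example.com"         # assumed mail domain with plus-addressing
SECRET = b"rotate-me"          # assumed; keyed so tags cannot be guessed


def canary_address(service: str) -> str:
    """One address registered with exactly one service.
    The tag is an HMAC of the service name, so a scammer holding one
    leaked tag cannot enumerate the others."""
    tag = hmac.new(SECRET, service.encode(), hashlib.sha256).hexdigest()[:10]
    return f"{BASE_USER}+{tag}@{DOMAIN}"


def build_registry() -> dict:
    """Map canary address -> the service it was handed to."""
    return {canary_address(s): s for s in SERVICES}


_ADDR_RE = re.compile(r"[\w.+-]+@[\w.-]+")


def attribute_leak(headers: str, registry: dict) -> set:
    """Return the services whose canary address appears in the To, Cc or
    Delivered-To headers of an inbound message. Only recipient headers are
    inspected; an address quoted in the body is not evidence of a leak."""
    hits = set()
    for line in headers.splitlines():
        if not re.match(r"(?i)^(to|cc|delivered-to):", line):
            continue
        for addr in _ADDR_RE.findall(line):
            service = registry.get(addr.lower())
            if service:
                hits.add(service)
    return hits


def demo() -> set:
    """Constructed phishing message that reached the project-tracker canary."""
    registry = build_registry()
    leaked = canary_address("project-tracker")
    msg = (
        "From: The Boss <boss.name@freemail.example>\n"
        f"To: {leaked}\n"
        "Subject: Quick task\n"
        "\n"
        "Are you at your desk? I need a favour before the meeting.\n"
    )
    return attribute_leak(msg, registry)


if __name__ == "__main__":
    for addr, service in build_registry().items():
        print(f"{service:16} {addr}")
    print("leaked by:", demo())
```

Plus-addressing is convenient but a careful list seller can strip everything after the ‘+’ before passing the addresses on, which would defeat the attribution. A catch-all subdomain (tag@canary.example.com) or genuinely separate mailboxes per service is more robust. Enrolling one service per week, as the post proposes, means a hit dates the leak as well as naming the service.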

Wrestling with the scammers

I guess one of the downsides of the rising popularity and profile of our HR startup is that it attracts the lowest online lifeforms to try and see if they can make illicit profit from it.

We have been getting the occasional trial user signing up and subscribing to our lowest plan, then posting fake job ads in the hopes of harvesting applicant email addresses, or even forcing them to pay certain fees to get ‘security approvals’ or other fake accreditation in the hopes of moving through the application pipeline.

Using our platform to swindle innocent people out of money (especially people desperate to land a job during difficult times) just makes me sick, and we do everything we can to stay on top of it.

Recent Uptick

But this month there seems to be an uptick in activity, and a more focused approach. We have had several new account signups using different names and company names. In all cases, the signup uses the name of a larger corporation, but with the domain name fudged to appear that it has come from the legitimate company, e.g. using the domain ‘l0ckheedmartin.com’ to make it appear that they come from Lockheed Martin Corporation, with the ‘o’ in ‘lockheed’ substituted by a ‘0’ (zero). Amateur hour stuff.

Each time we have detected this, we have immediately shut down the account, refunded their money, and deleted all their data from our systems. We’ve also noticed them posting several job ads purporting to be from the actual company they are masquerading as, in different locations around the US. Because these job ads are automatically also posted out to platforms like Indeed, Talent and Monster, they are using our app to multiply their fake ads out to a wider audience.

Let me reiterate again that in the above cases, we have refunded their money even though it costs us $$ in fees and our reputation with Stripe, our payment gateway provider.

Current Episode

Yesterday there was a sign up from a ‘<redacted>@thehersheyc0mpany.com’ - once again the amateurish spoofing attempt, so I decided to proactively reach out to them (giving them all the benefit of the doubt despite all the obvious signs that things were fake).

Here is the email I sent them:

(I have redacted the name they gave as it is obviously fake, and might in fact be (an innocent) someone who works at the real company that they are imitating).

Within minutes, came the response, which I now realise was purely designed to stall us while they loaded up a bunch of fake job ads in the background.

Still, I was giving them the benefit of the doubt (not sure why) and persisted with a civil discourse.

As you can read above in my last message to them, I had been doing some digging around in Stripe, and I realised that at least SIX previous fraud attempts in our system were done using the SAME debit card (they all had the same Stripe card fingerprint!).

(Once again I have obfuscated the names on the emails as they may be of innocent, unsuspecting actual workers at these companies - no chance the cowardly scammers would be using their own names here).

Check out the spoofed company names in the domains there - some obvious, some not so obvious (like the extra ‘s’ in ‘dominionenergy’). I mean, why would a company like Northrop Grumman, with thousands of employees be signing up for our 25 employee plan? Hmm?

But still, I persisted with the polite path, even though I checked their website to find a plain WordPress holding page, and checked their domain on WHOIS to see that it had been registered the day before they subscribed (Hmm, red flags or what?!? LOL).
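Pulling the three red flags from this episode together (a look-alike brand domain, one card fingerprint behind several signups, and a domain registered days before subscribing), here is an added Python triage example; it is not the author's code. The signup records are constructed: the `card_fingerprint` field stands in for the fingerprint Stripe reports on a charge's card details, and the domain creation dates are passed in as if already retrieved from WHOIS/RDAP, since the script runs offline. The watchlist of legitimate domains, the edit-distance threshold and the 30-day domain-age cutoff are assumptions.

```python
"""Signup triage: look-alike domain, shared card fingerprint, fresh domain.
Added example with constructed data; not the author's code."""
from collections import defaultdict
from datetime import date
from typing import Optional

# Assumed watchlist of legitimate corporate domains that scammers imitate.
KNOWN_DOMAINS = [
    "thehersheycompany.com",
    "lockheedmartin.com",
    "northropgrumman.com",
    "dominionenergy.com",
]

# Digit-for-letter substitutions folded back before comparing.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})
MAX_EDITS = 2             # assumed: 0 after folding catches 0/1 swaps,
                          # 1-2 catches an added or dropped letter
MIN_DOMAIN_AGE_DAYS = 30  # assumed: a corporate domain days old is a flag


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain: str) -> Optional[str]:
    """Return the legitimate domain this one imitates, or None.
    An exact match is not a look-alike: that would be the real company."""
    d = domain.lower()
    if d in KNOWN_DOMAINS:
        return None
    folded = d.translate(HOMOGLYPHS)
    best = min(KNOWN_DOMAINS, key=lambda real: levenshtein(folded, real))
    return best if levenshtein(folded, best) <= MAX_EDITS else None


def shared_card_accounts(signups: list) -> dict:
    """Card fingerprints used by more than one distinct signup email."""
    by_fp = defaultdict(set)
    for s in signups:
        by_fp[s["card_fingerprint"]].add(s["email"].lower())
    return {fp: sorted(emails) for fp, emails in by_fp.items() if len(emails) > 1}


def triage(signups: list) -> list:
    """Attach human-readable flags to each signup; hold any that has one."""
    shared = shared_card_accounts(signups)
    results = []
    for s in signups:
        domain = s["email"].rpartition("@")[2].lower()
        flags = []
        target = lookalike_of(domain)
        if target:
            flags.append(f"domain imitates {target}")
        fp = s["card_fingerprint"]
        if fp in shared:
            flags.append(f"card fingerprint shared with {len(shared[fp]) - 1} other account(s)")
        age = (s["signup_date"] - s["domain_created"]).days
        if age < MIN_DOMAIN_AGE_DAYS:
            flags.append(f"domain registered {age} day(s) before signup")
        results.append({"email": s["email"], "flags": flags, "hold": bool(flags)})
    return results


# Constructed signups: three imitation domains on one card, one genuine customer.
SIGNUPS = [
    {"email": "recruiting@thehersheyc0mpany.com", "card_fingerprint": "fp_A1",
     "domain_created": date(2023, 5, 9), "signup_date": date(2023, 5, 10)},
    {"email": "hr@l0ckheedmartin.com", "card_fingerprint": "fp_A1",
     "domain_created": date(2023, 4, 2), "signup_date": date(2023, 4, 5)},
    {"email": "talent@dominionenergys.com", "card_fingerprint": "fp_A1",
     "domain_created": date(2023, 3, 1), "signup_date": date(2023, 3, 3)},
    {"email": "owner@acme-bakery.example", "card_fingerprint": "fp_B7",
     "domain_created": date(2015, 1, 1), "signup_date": date(2023, 5, 10)},
]

if __name__ == "__main__":
    for r in triage(SIGNUPS):
        print(("HOLD  " if r["hold"] else "OK    ") + r["email"], *r["flags"], sep="\n   ")
```

Run it at signup time and hold flagged accounts from publishing job ads until a human has looked, which is cheaper than deleting 30 syndicated ads afterwards. The fingerprint check is the strongest of the three because it survives a fresh domain and a fresh name; the look-alike check should be tuned against real customer domains before it blocks anyone.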

Notice how I stated above (multiple times) that if they couldn’t furnish the evidence, I would not be refunding their $54 and I would be using it to cover the many hours of administrative time taken up to cross check and verify everything. I also asked them NOT to post any job listings in the interim.

But when I checked their app job board a few hours later:

There were 30+ identical job ads all over the US for an obviously fake job, purporting to be from the ‘Hershey Company’. Here was the text of each ad (all exactly the same):

So I went ahead and deleted all the company data immediately to prevent them accessing any applicant information that may have already been uploaded.

But then ‘the crazies’ started up the next morning! I had really whacked the hornet’s nest here…

Oh the irony of a scammer using my app to defraud other people of their money calling me a fraud! I had to laugh out loud at this pathetic little theatre.

I checked our Software Advice page, and the first time, I could see there was (1) next to the 3 star, 2 star and 1 star reviews, but they were greyed out because they were pending internal verification, and when I checked back a couple of hours later, they were gone, because Software Advice seems to be a reputable site that recognises fake ‘revenge reviews’ and discards them without our prompting. Maybe they recognised that we have always had 4 and 5 star reviews only, and that this current spate was a bit of an ‘outlier’ (Thank you Software Advice!).

So, as of the time of writing, we are at a sort of standoff situation. I have held off from refunding their money for now, but Stripe (who have also been great throughout this ordeal) have said that the only way we can prevent this card from being used again is to process a refund and mark the transaction as ‘fraudulent’ which will automatically block the card from being used again on their platform.

So perhaps I will just refund them and block the card just to stop another cheap attempt. It is only USD$54, which is less than 0.08% of our monthly revenue.

This has certainly been a fun ride.

Founders - Don't just build another job for yourself

I was having pre-Christmas lunch with Paul*, one of my best friends from middle school a couple of weeks back. However, as soon as he sat down at our table and I asked him how he was, he surprisingly announced that he would be closing his business at the end of the year.

I was taken aback to hear this news. Paul was in his mid fifties like me, and had been running a really successful tree lopping and landscaping business for many years now. I used to frequently see his trucks around town doing their important work, and things seemed to be going well.

Or were they?

Our group of middle school friends catch up every few years for a special activity, and I remember 5 years ago, when we were all kayaking up the beautiful, world famous Nitmiluk Gorge, we had in depth conversations about our respective businesses while camped under the stars at night. (Odd to think that nearly all of us in the group had the entrepreneurial mindset and were running our own businesses or startups).

During those conversations, Paul would always lament that he could never get proper time off to enjoy these activities we planned, as he felt he could not leave his staff to just carry on the work, and that he had to be there to manage them and ensure that they got the job done.

Now I know that the sort of work Paul did was important, and had a lot to do with safety and ensuring that dangerous trees were removed without damage to property or human life, but he also mentioned at the time that he had an out of work commercial pilot working for him as part of his crew.

Now, as a former commercial pilot myself, I knew that someone who had been through such training would likely have good judgement and a sense of responsibility, could appreciate danger and risk mitigation, and would be able to carry out jobs like pruning or removing trees quite well. However, Paul felt that even someone who had gone through such training would not be able to do things as well as he could, unsupervised.

I remember sitting there under the clear Southern night sky on the sandbank next to gorge 6, looking at him across the campfire and saying “Paul, you haven’t built yourself a business. You’ve just created a job for yourself”.

He seemed surprised at that, but all the others in our group readily agreed with my sentiments.

You see, when we started our businesses, we all had the dream of being ‘independent’ and ‘free’ and all the other things business owners want when they break free from their dead end, monotonous ‘jobs’.

Now I know that things don’t always go to plan, and we have all struggled with the concept of working ON the business rather than working IN our business, but ultimately, the end goal is to be able to step away from our creation and let it carry on without our day to day micromanaging and input.

As I grow my current startup, I am conscious of stepping back more and more as our team grows, and in fact, I am regularly surprised by what the team achieves these days with very little, if any, input from me. For instance, our customer success team runs regular webinars with our customers and prospective customers without me having to lift a finger, and they work better than I could ever expect.

I remember the days when I used to have to organise every aspect of such events, from setting up a booking website, configuring our webinar software, creating the presentation scripts, sending out reminder emails and running the event, to doing post-production on the video and following up on questions etc. But now, my co-founder and the team just do this, and all the processes are documented in our internal Wiki so we can reproduce things even if a different team should do it next time.

This is startup nirvana for me. It is all still hard work that takes skill, but everything is broken down into repeatable steps and improved over time.

This is what Paul didn’t have. It is not that he wasn’t able to replicate such a process in his business, as I believe that almost any business can do this. It was just that he seemingly didn’t want to.

I guess for Paul, micro managing every aspect of his business gave him some sense of control and the feeling that the business was still ‘his’. He couldn’t see how his mental model of how he thought a business should run was being constrained and restricted by his thinking.

So when he announced over that lunch that he was closing, I asked him if there was a trigger factor involved, and he said that he had been training his daughter’s long time boyfriend as the person to take over the business when he (Paul) eventually retired, but his daughter had just broken up with the boyfriend, who was thinking of leaving town over Christmas as a result.

Thus, the potential heir that was being groomed as the successor was essentially out of the picture, and that left Paul with a business that could not run without him, and was unsellable. So the only recourse was to get rid of various assets and simply close the doors. Paul himself didn’t want to keep running the business because he was in the same later stage of life as I was, and the years of working under the gruelling tropical sun had taken its toll on his health.

I wish Paul all the very best in his retirement, and I am sure that he will do well, because as I mentioned, his business actually did quite well when he ran it, and he has a good nest egg put away. It was just his method of running things that I think was problematic. Paul could have had more freedom to travel and enjoy life while building and running his business, if only he had uncaged the belief that his business could not function without him there.

Whenever you hear someone complain about their job, it is usually because they feel locked into a set framework of working hours, or doing unpaid overtime, or expected to show up during holidays and be restricted in the amount of time that they can take off. These are usually the same set of conditions that most people who start a business say they will overcome by being their own boss - but sadly, like Paul, a lot of people will simply build the same restrictions around themselves in quick fashion.

In short - NEVER forget why you started your business or startup. Embrace the opportunity to dictate your own freedoms, and always make it a priority no matter what. Don’t ever build just another job for yourself that you will grow to resent over time.

* - Not his real name