Trusting third parties with our information

We’ve noticed a disturbing trend here at our startup in the past 12 months or so. We’ve been growing and adding new team members, and almost without fail, our new starters are getting hit with a scam email within a few days of starting at our company. Here is one such example:

As you can see, the email appears to come from me and asks our team member to do a certain task. Upon closer inspection, however, the email address the request came from is not mine, and the email is obviously trying to phish for more information to set up some sort of deeper scam.

Luckily, our team members are a really bright bunch, and so far, no one has fallen for this scam yet, but as we grow, this will become a bigger problem, so we have included a briefing about this on our onboarding flow for all new hires.

My view is that one of our third party providers is leaking or selling our email information to some nefarious party. I say this because of the following facts:

  • As a fully remote company, we use a lot of third party services to manage our support, documentation, project management etc. - all new hires have to sign up for about 5 or 6 different services using their newly assigned work email address

  • The main people being targeted are brand new employees with a brand new email address, and they are usually hit with these requests within 48 hours of starting with us

  • The only employee who wasn’t the subject of these spam emails was a contractor who used her own existing email and didn’t sign up for our other third party services at all

So someone, somewhere, is getting hold of new emails in our organisation, and targeting these team members knowing that they are fresh starters, and probably not familiar with the way we work here yet, and thus are more susceptible to falling for this trick.

We will shortly be setting up a ‘honeypot’ email and slowly logging on to third party services one by one over the course of several weeks to see if we can narrow down just who is leaking or selling our data to the wider internet.

Hanging on to 'stuff'

Like most families, we like to start the new year with a bit of a clean slate, which means moving on old pieces of furniture and belongings that are just cluttering our life and no longer needed.

But this is a surprisingly difficult task.

Almost every time we go to get rid of a major piece of furniture, we stop and look at all the emotional and social connections that are still attached to it.

For example, our bed was given to us by my parents when we moved into our current house and they decided to downscale to a smaller place, as my father had gone into care and couldn’t sleep in a regular bed any longer.

Our dining table was given to us by close friends who asked us to ‘look after it for them’, when they found out we had nowhere to eat our meals, but they have since moved to a different city and have never mentioned the table again.

My sister in law ‘loaned’ us a bed for our son when she found out he was just sleeping on a mattress on the floor some years back, and now that he has finally bought his own bed with money he earned from his first job, she always changes the subject when we ask her if she wants the old bed back.

The big factor here is that a lot of these generous gifts were done out of the kindness of strangers many years ago when we were in major financial difficulties as I had just started a new business venture.

Our friends and family knew that we were too proud to ask for help, so their suggestions to let us ‘borrow’ stuff and never asking for it back was their gentle way to actually give us stuff to lead a normal life without impacting our dignity. I am grateful for that.

But it does mean that every time I look to move some of this stuff on, I (a) remember the situation we were in, and become grateful for how far we have come since those days, and (b) remember those friends and family and cherish their kindness and generosity. Somehow, these things mean a lot more than normal, and getting rid of them doesn’t seem quite right or respectful.

Wrestling with the scammers


I guess one of the downsides of the rising popularity and profile of our HR startup is that it attracts the lowest online lifeforms to try and see if they can make illicit profit from it.

We have been getting the occasional trial user signing up and subscribing to our lowest plan, then posting fake job ads in the hopes of harvesting applicant email addresses, or even forcing them to pay certain fees to get ‘security approvals’ or other fake accreditation in the hopes of moving through the application pipeline.

Using our platform to swindle innocent people out of money (especially people desperate to try and land a job during difficult times) just makes me sick, and we try and do everything we can to try and stay on top of it all.

Recent Uptick

But this month, there seems to be an uptick in activity, and a more focused approach. We have had several new account signups, using different names and company names. In all cases, they use the name of a larger corporation, but with the domain name fudged to appear that it has come from a legitimate company, i.e. using the domain ‘l0ckheedmartin.com’ to make it appear that they come from Lockheed Martin Corporation, but substituting the ‘o’ in ‘lockheed’ with a ‘0’ (zero). Amateur hour stuff.

Each time we have detected this, we have immediately shut down the account, refunded their money, and deleted all their data from our systems. We’ve also noticed them posting several job ads purporting to be from the actual company they are masquerading as, in different locations around the US. Because these job ads are automatically also posted out to platforms like Indeed, Talent and Monster, they are using our app to multiply their fake ads out to a wider audience.

Let me reiterate again that in the above cases, we have refunded their money even though it costs us $$ in fees and our reputation with Stripe, our payment gateway provider.

Current Episode

Yesterday there was a sign up from a ‘<redacted>@thehersheyc0mpany.com’ - once again the amateurish spoofing attempt, so I decided to proactively reach out to them (giving them all the benefit of the doubt despite all the obvious signs that things were fake).

Here is the email I sent them:

(I have redacted the name they gave as it is obviously fake, and might in fact be (an innocent) someone who works at the real company that they are imitating).

Within minutes, came the response, which I now realise was purely designed to stall us while they loaded up a bunch of fake job ads in the background.

Still, I was giving them the benefit of the doubt (not sure why) and persisted with a civil discourse.

As you can read above in my last message to them, I had been doing some digging around in Stripe, and I realised that at least SIX previous fraud attempts in our system were made using the SAME debit card (they all had the same Stripe card fingerprint!).

(Once again I have obfuscated the names on the emails as they may be those of innocent, unsuspecting actual workers at these companies - no chance the cowardly scammers would be using their own names here).

Check out the spoofed company names in the domains there - some obvious, some not so obvious (like the extra ‘s’ in ‘dominionenergy’). I mean, why would a company like Northrop Grumman, with thousands of employees be signing up for our 25 employee plan? Hmm?

But still, I persisted with the polite path, even though I checked their website, to find a plain WordPress holding page, and checked their domain on WHOIS to see that it had been registered the day before they subscribed (Hmm, red flags or what?!? LOL).
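The red flags above (a digit-for-letter lookalike domain, a one-letter insertion like the extra ‘s’, a domain registered the day before, and the same Stripe card fingerprint across signups) can be screened for automatically at signup time. This is an added example, not the author’s code: the brand domain list, the `domain_age_days` field (which would come from a WHOIS lookup) and the sample signups are all constructed.

```python
# Brands impersonated in the post; a constructed allowlist, not an exhaustive source.
KNOWN_DOMAINS = {"lockheedmartin.com", "thehersheycompany.com",
                 "dominionenergy.com", "northropgrumman.com"}
# Digit-for-letter swaps such as the '0' in 'l0ckheedmartin'.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})

def edit_distance(a, b):
    """Levenshtein distance; catches one-letter insertions like 'dominionsenergy'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_of(domain):
    """Known domain this one impersonates, or None (exact brand match or unrelated)."""
    norm = domain.lower().translate(HOMOGLYPHS)
    if norm == domain.lower() and norm in KNOWN_DOMAINS:
        return None  # the real brand domain; not proof of legitimacy on its own
    for known in KNOWN_DOMAINS:
        if edit_distance(norm, known) <= 1:
            return known
    return None

def screen_signups(signups):
    """Return [(email, [reasons])] using the red flags the post checked by hand."""
    seen_cards, results = {}, []  # card fingerprint -> first domain that used it
    for s in signups:
        reasons = []
        domain = s["email"].split("@", 1)[1]
        if target := lookalike_of(domain):
            reasons.append(f"domain looks like {target}")
        if s["domain_age_days"] < 30:  # constructed field; would come from WHOIS
            reasons.append("domain registered <30 days ago")
        fp = s["card_fingerprint"]
        if fp in seen_cards:
            reasons.append(f"card fingerprint already used by {seen_cards[fp]}")
        seen_cards.setdefault(fp, domain)
        results.append((s["email"], reasons))
    return results

# Constructed sample signups; the fields mirror what the post checked manually.
SAMPLE_SIGNUPS = [
    {"email": "hr@thehersheyc0mpany.com", "domain_age_days": 1, "card_fingerprint": "fp_A"},
    {"email": "recruit@l0ckheedmartin.com", "domain_age_days": 2, "card_fingerprint": "fp_A"},
    {"email": "jobs@dominionsenergy.com", "domain_age_days": 5, "card_fingerprint": "fp_A"},
    {"email": "ops@example-smallbiz.com", "domain_age_days": 900, "card_fingerprint": "fp_B"},
]
```

A flagged signup is a reason to hold the account for review before its job ads syndicate out to Indeed and the other boards, not an automatic ban, since a real employee of an impersonated brand could also sign up.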

Notice how I stated above (multiple times) that if they couldn’t furnish the evidence, I would not be refunding their $54 and I would be using it to cover the many hours of administrative time taken up to cross check and verify everything. I also asked them NOT to post any job listings in the interim.

But when I checked their app job board a few hours later:

There were 30+ identical job ads all over the US for an obviously fake job, purporting to be from the ‘Hershey Company’. Here was the text of each ad (all exactly the same):

So I went ahead and deleted all the company data immediately to prevent them accessing any applicant information that may have already been uploaded.

But then ‘the crazies’ started up the next morning! I had really whacked the hornet’s nest here…

Oh the irony of a scammer using my app to defraud other people of their money calling me a fraud! I had to laugh out loud at this pathetic little theatre.

I checked our Software Advice page, and the first time, I could see there was a (1) next to the 3 star, 2 star and 1 star reviews, but they were greyed out because they were pending internal verification. When I checked back a couple of hours later, they were gone, because Software Advice seems to be a reputable site that recognises fake ‘revenge reviews’ and discards them without our prompting. Maybe they recognised that we have always had 4 and 5 star reviews only, and that this current spate was a bit of an ‘outlier’ (Thank you Software Advice!).

So, as of the time of writing, we are at a sort of standoff situation. I have held off from refunding their money for now, but Stripe (who have also been great throughout this ordeal) have said that the only way we can prevent this card from being used again is to process a refund and mark the transaction as ‘fraudulent’ which will automatically block the card from being used again on their platform.

So perhaps I will just refund them and block the card just to stop another cheap attempt. It is only USD$54, which is less than 0.08% of our monthly revenue.

This has certainly been a fun ride.