
Trusting third parties with our information

We’ve noticed a disturbing trend here at our startup in the past 12 months or so. We’ve been growing and adding new team members, and almost without fail, almost all our new starters are getting hit with a scam email within a few days of starting at our company. Here is one such example:

As you can see, the email appears to come from me and asks our team member to do a certain task; however, upon closer inspection, the email address the request came from is not mine, and this email is obviously trying to phish for more information to organise some sort of deeper-level scam.
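The pattern described here (a familiar display name in front of an address that is not the colleague's) can be checked mechanically before a new starter ever reads the message. The following is an added example, not code from the original post or from the company it describes; the company domain, the staff directory and the sample headers are all constructed for illustration.

```python
from email.utils import parseaddr

# Constructed organisation data (assumption, not the blog's company): the company's
# own mail domain and a directory mapping staff display names to their real addresses.
OUR_DOMAIN = "example-startup.com"
STAFF_DIRECTORY = {
    "jane founder": "jane@example-startup.com",
}


def check_headers(from_header: str, reply_to_header: str = "") -> dict:
    """Parse a From: header (and optional Reply-To:) and flag the signs of a
    display-name impersonation: a name that belongs to a known colleague paired
    with an address that is not theirs, plus context flags for the reviewer."""
    name, addr = parseaddr(from_header)
    addr = addr.lower()
    domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    expected = STAFF_DIRECTORY.get(name.strip().lower())

    flags = []
    if expected is not None and addr != expected:
        flags.append("display-name impersonation")
    if domain and domain != OUR_DOMAIN:
        flags.append("external sender domain")
    _, reply_to = parseaddr(reply_to_header)
    if reply_to and reply_to.lower() != addr:
        flags.append("reply-to differs from sender")

    return {
        "display_name": name,
        "address": addr,
        "flags": flags,
        # Only impersonation of a colleague counts as a hard hit; the other two
        # flags are context, since legitimate vendors and mailing lists trip them too.
        "suspicious": "display-name impersonation" in flags,
    }


# Constructed sample headers mirroring the pattern in the post (not real messages).
PHISH = "Jane Founder <jane.founder.ceo@mail-example.net>"
LEGIT = "Jane Founder <jane@example-startup.com>"

if __name__ == "__main__":
    for hdr in (PHISH, LEGIT):
        print(hdr, "->", check_headers(hdr))
```

Running the block prints the parsed fields and flags for both sample headers; the phishing header is marked suspicious because the display name is in the staff directory but the address is not that person's, while the genuine header raises nothing.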

Luckily, our team members are a really bright bunch, and so far, no one has fallen for this scam yet, but as we grow, this will become a bigger problem, so we have included a briefing about this on our onboarding flow for all new hires.

My view is that one of our third party providers is leaking or selling our email information to some nefarious party. My reasons for saying this are the following facts:

  • As a fully remote company, we use a lot of third party services to manage our support, documentation, project management etc. - all new hires have to sign up for about 5 or 6 different services using their newly assigned work email address

  • The main people being targeted are brand new employees with a brand new email address, and they are usually hit with these requests within 48 hours of starting with us

  • The only employee who wasn’t the subject of these spam emails was a contractor who used her own existing email and didn’t sign up for our other third party services at all

So someone, somewhere, is getting hold of new emails in our organisation, and targeting these team members knowing that they are fresh starters, and probably not familiar with the way we work here yet, and thus are more susceptible to falling for this trick.

We will shortly be setting up a ‘honeypot’ email and slowly logging on to third party services one by one over the course of several weeks to see if we can narrow down just who is leaking or selling our data to the wider internet.

Wrestling with the scammers


I guess one of the downsides of the rising popularity and profile of our HR startup is that it attracts the lowest online lifeforms to try and see if they can make illicit profit from it.

We have been getting the occasional trial user signing up and subscribing to our lowest plan, then posting fake job ads in the hopes of harvesting applicant email addresses, or even forcing them to pay certain fees to get ‘security approvals’ or other fake accreditation in the hopes of moving through the application pipeline.

Using our platform to swindle innocent people out of money (especially people desperate to try and land a job during difficult times) just makes me sick, and we try and do everything we can to try and stay on top of it all.

Recent Uptick

But this month, there seems to be an uptick in activity, and a more focused approach. We have had several new account signups, using different names and company names. In all cases, he/she uses the name of a larger corporation, but with the domain name fudged to appear that it has come from a legitimate company, i.e. using the domain ‘l0ckheedmartin.com’ to make it appear that they come from Lockheed Martin Corporation, but substituting the ‘o’ in ‘company’ with a ‘0’ (zero). Amateur hour stuff.

Each time we have detected this, we have immediately shut down the account, refunded their money, and deleted all their data from our systems. We’ve also noticed them posting several job ads purporting to be from the actual company they are masquerading as, in different locations around the US. Because these job ads are automatically also posted out to platforms like Indeed, Talent and Monster, they are using our app to multiply their fake ads out to a wider audience.

Let me reiterate again that in the above cases, we have refunded their money even though it costs us $$ in fees and our reputation with Stripe, our payment gateway provider.

Current Episode

Yesterday there was a sign up from a ‘<redacted>@thehersheyc0mpany.com’ - once again the amateurish spoofing attempt, so I decided to proactively reach out to them (giving them all the benefit of the doubt despite all the obvious signs that things were fake).

Here is the email I sent them:

(I have redacted the name they gave as it is obviously fake, and might in fact be (an innocent) someone who works at the real company that they are imitating).

Within minutes, came the response, which I now realise was purely designed to stall us while they loaded up a bunch of fake job ads in the background.

Still, I was giving them the benefit of the doubt (not sure why) and persisted with a civil discourse.

As you can read above in my last message to them, I had been doing some digging around in Stripe, and I realised that at least SIX previous fraud attempts in our system were done using the SAME debit card (they all had the same Stripe card fingerprint!).

(Once again I have obfuscated the names on the emails as they may be those of innocent, unsuspecting actual workers at these companies - no chance the cowardly scammers would be using their own names here).

Check out the spoofed company names in the domains there - some obvious, some not so obvious (like the extra ‘s’ in ‘dominionenergy’). I mean, why would a company like Northrop Grumman, with thousands of employees, be signing up for our 25 employee plan? Hmm?
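Both kinds of spoof mentioned in this post, the zero-for-‘o’ substitution in ‘l0ckheedmartin.com’ and ‘thehersheyc0mpany.com’ and the extra letter in the ‘dominionenergy’ lookalike, can be caught at signup by normalising the domain and comparing it against a list of brands you expect to be imitated. This is an added example, not the app's own code; the brand list, the sample domains and the `classify_domain` function are constructed for illustration, and the TLD handling is deliberately simplified.

```python
# Digit-for-letter substitutions of the kind seen in the spoofed domains (0 for o),
# plus a few other common ones. Maps each digit to the letter it stands in for.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t"})

# Constructed list of brand labels that signup domains are checked against (assumption).
KNOWN_BRANDS = {"lockheedmartin", "thehersheycompany", "dominionenergy", "northropgrumman"}


def registrable_label(domain: str) -> str:
    """Lower-case the domain and return the label just before the TLD.
    Simplification: a public-suffix list would be needed for names like
    'example.co.uk'; good enough for the .com domains in the post."""
    parts = domain.strip().lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance; cheap enough for label-length strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_domain(domain: str, brands=KNOWN_BRANDS, max_distance: int = 2):
    """Return (verdict, matched_brand). Verdicts: 'legitimate' (exact brand label),
    'homoglyph' (matches a brand once digits are mapped back to letters),
    'lookalike' (within max_distance edits of a brand, e.g. one extra letter),
    or 'unrelated'."""
    label = registrable_label(domain)
    if label in brands:
        return "legitimate", label
    normalised = label.translate(HOMOGLYPHS)
    if normalised in brands:
        return "homoglyph", normalised
    best = min(brands, key=lambda b: levenshtein(normalised, b))
    if levenshtein(normalised, best) <= max_distance:
        return "lookalike", best
    return "unrelated", None


# Constructed sample signup domains (the extra-'s' spelling is a guess for illustration).
SAMPLES = [
    "l0ckheedmartin.com",
    "thehersheyc0mpany.com",
    "dominionsenergy.com",
    "lockheedmartin.com",
    "example.com",
]

if __name__ == "__main__":
    for d in SAMPLES:
        print(f"{d:28s} -> {classify_domain(d)}")
```

A ‘homoglyph’ or ‘lookalike’ verdict is a reason to hold the account for manual review rather than to reject outright, since a genuine company with an unusual spelling would otherwise be locked out; the ‘legitimate’ verdict only says the spelling matches, not that the person signing up works there.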

But still, I persisted with the polite path, even though I checked their website, to find a plain Wordpress holding page, and checked their domain on WHOIS to see that it had been registered the day before they subscribed (Hmm, red flags or what?!? LOL).
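The two checks the author did by hand here and a few paragraphs earlier (the same Stripe card fingerprint behind six prior fraud attempts, and a domain registered the day before the subscription) can be combined into one screening step at signup. The following is an added example, not the app's or Stripe's code: the signup history, fingerprint values and WHOIS creation dates are all constructed, and the `screen_signup` function and the 30-day threshold are assumptions for illustration.

```python
from collections import Counter
from datetime import date

# Constructed signup history (assumption). In production the fingerprint would be the
# card fingerprint Stripe reports for the charge and the outcome would come from your
# own fraud review; none of these values are real.
PAST_SIGNUPS = [
    {"email": "hr@l0ckheedmartin.com", "fingerprint": "fp_constructed_1", "outcome": "fraud"},
    {"email": "jobs@n0rthropgrumman.com", "fingerprint": "fp_constructed_1", "outcome": "fraud"},
    {"email": "talent@dominionsenergy.com", "fingerprint": "fp_constructed_1", "outcome": "fraud"},
    {"email": "ops@example-corp.com", "fingerprint": "fp_constructed_2", "outcome": "ok"},
]

# Constructed WHOIS/RDAP creation-date results keyed by domain (assumption).
DOMAIN_CREATED = {
    "thehersheyc0mpany.com": date(2024, 5, 1),
    "example-corp.com": date(2015, 3, 9),
}

# Domains younger than this at signup time are held for review (assumed threshold).
MIN_DOMAIN_AGE_DAYS = 30


def fraud_counts(history):
    """Number of prior signups per card fingerprint that ended up marked as fraud."""
    return Counter(s["fingerprint"] for s in history if s["outcome"] == "fraud")


def screen_signup(email, fingerprint, today, history=PAST_SIGNUPS, created=DOMAIN_CREATED):
    """Hold a new subscription when its card fingerprint already appears in
    fraudulent signups or its email domain is brand new (or unknown to WHOIS)."""
    reasons = []

    prior = fraud_counts(history)[fingerprint]
    if prior:
        reasons.append(f"card fingerprint seen in {prior} prior fraudulent signup(s)")

    domain = email.rsplit("@", 1)[-1].lower()
    created_on = created.get(domain)
    if created_on is None:
        reasons.append("domain creation date unavailable; check manually")
    else:
        age_days = (today - created_on).days
        if age_days < MIN_DOMAIN_AGE_DAYS:
            reasons.append(f"domain registered only {age_days} day(s) before signup")

    return {"verdict": "hold" if reasons else "allow", "reasons": reasons}


if __name__ == "__main__":
    today = date(2024, 5, 2)  # constructed "signup day"
    print(screen_signup("recruit@thehersheyc0mpany.com", "fp_constructed_1", today))
    print(screen_signup("ops@example-corp.com", "fp_constructed_2", today))
```

The fingerprint check is the stronger signal of the two: a card reused across accounts under different company names is exactly what the author found in Stripe, and it does not depend on how carefully the domain was spoofed. Domain age on its own is a softer hint, which is why the result is a ‘hold’ for review rather than an automatic rejection.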

Notice how I stated above (multiple times) that if they couldn’t furnish the evidence, I would not be refunding their $54 and I would be using it to cover the many hours of administrative time taken up to cross check and verify everything. I also asked them NOT to post any job listings in the interim.

But when I checked their app job board a few hours later:

There were 30+ identical job ads all over the US for an obviously fake job, purporting to be from the ‘Hershey Company’. Here was the text of each ad (all exactly the same):

So I went ahead and deleted all the company data immediately to prevent them accessing any applicant information that may have already been uploaded.

But then ‘the crazies’ started up the next morning! I had really whacked the hornet’s nest here…

Oh the irony of a scammer using my app to defraud other people of their money calling me a fraud! I had to laugh out loud at this pathetic little theatre.

I checked our Software Advice page, and the first time, I could see there was a (1) next to the 3 star, 2 star and 1 star reviews, but they were greyed out because they were pending internal verification. When I checked back a couple of hours later, they were gone, because Software Advice seems to be a reputable site that recognises fake ‘revenge reviews’ and discards them without our prompting. Maybe they recognised that we have always had 4 and 5 star reviews only, and that this current spate was a bit of an ‘outlier’ (Thank you Software Advice!).

So, as of the time of writing, we are at a sort of standoff situation. I have held off from refunding their money for now, but Stripe (who have also been great throughout this ordeal) have said that the only way we can prevent this card from being used again is to process a refund and mark the transaction as ‘fraudulent’ which will automatically block the card from being used again on their platform.

So perhaps I will just refund them and block the card just to stop another cheap attempt. It is only USD$54, which is less than 0.08% of our monthly revenue.

This has certainly been a fun ride.